[release/7.0-staging] Zlib: Add some protections to the allocator used by zlib #89532
…r Compression.Native dir - Update pal_zlib includes, use calloc instead of malloc - Remove custom typedefs from zlib unix allocator
Tagging subscribers to this area: @dotnet/area-system-io-compression
Thanks for backporting. Approving as area owner. Please fill out the template, add the servicing-consider label, and send email to Tactics for approval.
Marked no-merge since Tactics wanted a compat switch before this PR went in.
Most recent two commits add the environment variable for Win & Unix, respectively. You can set either of these two values to disable the mitigations:
Testing was accomplished by attaching a debugger and stepping through, ensuring that the correct paths were taken depending on the environment variable. For Unix testing, I created a custom build with the Ideally I'd be able to use pal.h across both files so that I have a common implementation of
LGTM with the env vars.
- Mono defines HOST_WIN32, not CLR_CMAKE_HOST_WIN32 - Follow same pattern from src\native\eventpipe\CMakeLists.txt
I might want to cherry-pick 21113a1 back into main so that mono on Windows gets the same benefit CoreCLR does.
Friendly reminder: if you want this servicing fix to be included in the September 2023 Release, you'll have to merge this PR before August 14th.
Backport of #84604 to release/7.0-staging
/cc @GrabYourPitchforks
Customer Impact
This adds defense-in-depth protections to the allocator used by zlib to help mitigate the risk posed by potential future CVEs against this library. Basic defenses against use-of-uninitialized-memory bugs, local buffer overruns, and double-free bugs are provided. The overall goal is that should a future CVE be found that fits one of those categories, the CVE's nominal severity can drop from Critical -> Important or from Important -> Moderate because of the difficulty of successful exploit.
See #84604 for more information.
Testing
We have a full suite of unit tests and performance tests. Additionally, this change has been baking in the 8.0 preview branches for several months. No regressions have yet been reported.
Risk
Low. This has been baking in the 8.0 branches for a while and no regressions have been reported. Additionally, at Tactics's request, an opt-out switch is provided.
Note: coreclr on Linux does not use the internal zlib implementation anyway. It's instead used in wasm and some mono scenarios.
IMPORTANT: If this backport is for a servicing release, please verify that:
- The PR target branch is release/X.0-staging, not release/X.0.
- If the change touches code that ships in a NuGet package, you have added the necessary package authoring and gotten it explicitly reviewed.
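
The three defenses named under Customer Impact (zero-filled allocations, overrun detection, double-free detection), sketched as an added example written for this page and not taken from the dotnet/runtime change. The names `hardened_zalloc`, `hardened_release` and `hardened_zfree`, the header layout and the fixed cookie value are assumptions, and plain C types stand in for zlib's `voidpf`/`uInt`.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed demo value; a real allocator would pick it randomly at startup. */
static const uintptr_t COOKIE = (uintptr_t)0x5A17C0DE;

typedef struct { uintptr_t tag; size_t len; } hdr_t; /* precedes the user block */

/* The tag binds the cookie to the block's own address, so a copied header fails. */
static uintptr_t live_tag(const hdr_t *h) { return COOKIE ^ (uintptr_t)h; }

/* Same shape as zlib's alloc_func (opaque, items, size), with plain C types. */
void *hardened_zalloc(void *opaque, unsigned items, unsigned size) {
    (void)opaque;
    if (size != 0 && items > (SIZE_MAX - sizeof(hdr_t) - sizeof(uintptr_t)) / size)
        return NULL; /* items * size plus metadata would overflow size_t */
    size_t len = (size_t)items * size;
    hdr_t *h = calloc(1, sizeof *h + len + sizeof(uintptr_t)); /* zero-filled */
    if (!h) return NULL;
    h->tag = live_tag(h);
    h->len = len;
    uintptr_t canary = ~h->tag;
    memcpy((unsigned char *)(h + 1) + len, &canary, sizeof canary); /* trailer */
    return h + 1;
}

/* Validate p and retire its header. Returns the block to hand to free(), or NULL
   if the header is not live (double free, foreign pointer) or the trailer changed. */
void *hardened_release(void *p) {
    hdr_t *h = (hdr_t *)p - 1;
    uintptr_t canary;
    if (h->tag != live_tag(h)) return NULL;
    memcpy(&canary, (unsigned char *)p + h->len, sizeof canary);
    if (canary != ~h->tag) return NULL;
    h->tag = 0; /* a later release of the same pointer fails the header check */
    return h;
}

/* Same shape as zlib's free_func: fail fast instead of freeing a corrupt block. */
void hardened_zfree(void *opaque, void *p) {
    (void)opaque;
    if (!p) return;
    void *base = hardened_release(p);
    if (!base) abort();
    free(base);
}
```

After a real `free()`, the header check on a stale pointer reads freed memory, so double-free detection of this kind is best-effort, which matches the defense-in-depth framing of the PR.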