BSDSec

deadsimple BSD Security Advisories and Announcements

FreeBSD Errata Notice FreeBSD-EN-24:13.libc++

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-EN-24:13.libc++                                         Errata Notice
                                                          The FreeBSD Project

Topic:          Incorrect size passed to heap allocated std::string delete

Category:       contrib
Module:         libc++
Announced:      2024-06-19
Affects:        FreeBSD 14.1
Corrected:      2024-06-07 07:29:25 UTC (stable/14, 14.1-STABLE)
                2024-06-19 20:36:50 UTC (releng/14.1, 14.1-RELEASE-p1)
                2024-06-07 07:29:30 UTC (stable/13, 13.3-STABLE)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I.   Background

libc++ is an implementation of the C++ Standard Library, provided by the LLVM
project. It is used by C++ programs in the base system, and also by many C++
programs in the ports collection. 

II.  Problem Description

C++14 and later supports size-aware deletion of heap objects, when the compiler
is able to determine at compile time what the exact size of a particular object
is. For this purpose, there are specific variants of "operator delete" that take
an additional size_t argument. If such a variant is called, the size is passed
through to the underlying allocator, which can optionally utilize this size for
for more efficient deallocation.

A recent change in libc++'s implementation of std::string has introduced a
potential mismatch between the actual size allocated on the heap for the
contained string, and the size that is passed to "operator delete" when the
string is eventually destroyed.

III. Impact

The default allocator in FreeBSD does not leverage the size_t argument and is
unaffected.

When std::string objects of a known size are deleted, and the size passed
through to the deallocation function does not match the actual size on the heap,
the underlying allocator can potentially produce unexpected results. In case of
allocators that are used for heap debugging or profiling, such as with Google's
gperftools (aka tcmalloc) this can lead to runtime warnings about incorrect
deallocations.

IV.  Workaround

No workaround is available. Systems using the default memory allocator are
not affected.

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

No reboot is necessary, but programs compiled against the old version of the
<string> header should be rebuilt to fully fix the problem.

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-24:13/libc++.patch
# fetch https://security.FreeBSD.org/patches/EN-24:13/libc++.patch.asc
# gpg --verify libc++.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

No reboot is necessary, but programs compiled against the old version of the
<string> header should be rebuilt to fully fix the problem.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/14/                              55c5dad2f305    stable/14-n267917
releng/14.1/                            8e0e6b428cb8  releng/14.1-n267681
stable/13/                              ef4d145057c1    stable/13-n257958
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<other info on the problem>

<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id'9560>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-24:13.libc++.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmZzRT0ACgkQbljekB8A
Gu/HpQ//Xkz6NMBUg4CdmV1ElSP+dTUfh8YpNfD/X//4RgngKoz9DKt6CM78KSWI
68JfNrn6XRGdhjG0Mn/YvRCe8xzGBGpvcd1lcun7mAw5yqpsbSAUKvFmywjX+oxs
bQpCJRloBLZJE6NoZgBmhw2K2HzfmvApPin3TjLGa/u/ovsK+pD7SvDynbR5VsxH
Bey21H2+3LOqyBPaiTe6ccJ4JXCOX9+oAK5byhMLPrnRqLyvh3IV2jttWurbtNki
nFMYhqoBq6cWoAba3gVD0ZM7S5C+P5VDeMMIBOPKQVRwIl9eDS/UKICXrMbaMNqL
002egG7Oia22H0dpYuYX6dl7cAtn/M3NcBEwDDvqNuHncbGVeaYA8qXHAh+eeA3R
gBK2NkltdDvZbk8Uv9hgHwIrdJyENhWGoT1OQ1JqgaIKo7tIvlhIA/HtpTygeyMA
F/TgFvg+K42/kWQ/N1UTwUFbEH6jgDu1BGTZzkMMyQf3rymdQ1VM6Z1p7dxppVI7
uw2+80BePzDbnV9naXMzlhr/YjYgytRRQFbVR2ZlPM+rEGyfMAM/XvtCWfdlstwY
3bZXo/vPRZPXg/sd/AFEKqIiz1ZvVTJroMUCnnDvsDKcRzAHgIIHfMK1mMpSizna
LNDS/vvyQszgINWPUMZOZaALQzUY9SAmm0eNqIz3uV4o0qM6DQE=7Qxx
-----END PGP SIGNATURE-----