MFC r324243:

Remove an unneeded and incorrect memset().

On Variant I TLS architectures (aarch64, arm, mips, powerpc, and riscv)
the __libc_allocate_tls function allocates thread local storage memory
with calloc(). It then copies initialization data over the portions with
non-zero initial values. Before this change it would then pointlessly
zero the already zeroed remainder of the storage. Unfortunately the
calculation was wrong and it would zero TLS_TCB_SIZE (2*sizeof(void *))
additional bytes.

In practice, this overflow only matters if the TLS segment is sized such
that calloc() allocates less than TLS_TCB_SIZE extra memory. Even
then, the likely result will be zeroing part of the next bucket. This
coupled with the impact being confined to Tier II platforms means there
will be no security advisory for this issue.

Reviewed by:	kib, dfr
Discussed with:	security-officer (delphij)
Found by:	CHERI
Sponsored by:	DARPA, AFRL
Differential Revision:	https://reviews.freebsd.org/D12547

1 files changed, 0 insertions, 3 deletions

diff --git a/lib/libc/gen/tls.c b/lib/libc/gen/tls.c
index 6cba47f..5d74c59 100644
--- a/lib/libc/gen/tls.c
+++ b/lib/libc/gen/tls.c
@@ -160,9 +160,6 @@ __libc_allocate_tls(void *oldtcb, size_t tcbsize, size_t tcbalign __unused)
 
 		if (tls_init_size > 0)
 			memcpy((void*)dtv[2], tls_init, tls_init_size);
-		if (tls_static_space > tls_init_size)
-			memset((void*)(dtv[2] + tls_init_size), 0,
-			    tls_static_space - tls_init_size);
 	}
 
 	return(tcb);