[PATCH] D32310: [scudo] Bypass Quarantine if its size is set to 0

Kostya Kortchinsky via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Fri Apr 21 08:45:03 PDT 2017


cryptoad added a comment.

In https://reviews.llvm.org/D32310#733329, @dvyukov wrote:

> If we actually plan to use such configuration, does it make sense to check header for corruption when we reallocate a block (in allocate)? That will give us at least some window for UAF detection.


I thought about this at some point and I think it wasn't reasonably achievable for a few reasons.
IIRC the main issue was that when a chunk is returned to the backend, we basically lose control over its header.
If it's in the quarantine-batch size-class or transfer-batch size-class it could be overwritten by whatever is at the start of those structures.
The first allocation of a chunk being all 0 is also problematic; it could be a special case, but then it wouldn't be distinguishable from an all-0 overwrite.

> Also, we place the header before the user block, but buffer overruns are more common than underruns. Does it make sense to also check the end of the block for corruption (either add another checksum at the end, or move the header to the end of the block)?

With the current implementation, we rely on the fact that what comes after a chunk will also have a header (if in use), which will be checked in due time.
This is not 100% true due to batches, and is a weakness that is to be addressed.
The initial reasoning was that it was computationally cheaper to get the header before the chunk rather than behind (simple subtraction vs getting the size of the chunk each time).

Having an additional checksum or marker at the end of the chunk is a possibility.
I think it would be better as an option, since it would come with an additional performance hit, which at this point in time I am trying to avoid.


https://reviews.llvm.org/D32310
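The layout discussed in this comment (a checksummed header placed immediately before the user block, so that an overrun past the end of a chunk is only noticed when the *following* chunk's header is verified) and the optional end-of-block checksum, shown as an added toy example in C. This is not Scudo's code: the arena, the header fields, the cookie value, the mixing checksum and the trailing-canary placement are all assumptions of the example, chosen to make the two detection points visible.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy arena: chunks are laid out back to back, each with a
 * header immediately before the user block. The trailing canary is the
 * optional end-of-block check from the thread; both the field layout and
 * the checksum function are assumptions of this example, not Scudo's. */
#define ARENA_SIZE 4096
#define CANARY_SIZE sizeof(uint32_t)

typedef struct {
    uint32_t size;      /* user-visible size, rounded up to 4 bytes */
    uint8_t  state;     /* 1 = allocated, 0 = free */
    uint8_t  pad[3];
    uint32_t checksum;  /* over the fields above plus the chunk address */
} chunk_header;

static _Alignas(16) uint8_t arena[ARENA_SIZE];
static size_t arena_top = 0;
static const uint32_t cookie = 0xA5C3F00Du; /* hypothetical per-process secret */

/* Small mixing checksum bound to the chunk address; a real allocator
 * would use CRC32 (hardware-assisted where available). */
static uint32_t header_checksum(const chunk_header *h, const void *user) {
    uint32_t x = cookie ^ (uint32_t)(uintptr_t)user;
    x ^= h->size * 0x9E3779B1u;
    x ^= (uint32_t)h->state << 24;
    x ^= x >> 15; x *= 0x85EBCA6Bu; x ^= x >> 13;
    return x;
}

static chunk_header *header_of(void *user) {
    return (chunk_header *)((uint8_t *)user - sizeof(chunk_header));
}

/* Canary slot right after the user bytes. */
static uint32_t *trailer_of(void *user) {
    return (uint32_t *)((uint8_t *)user + header_of(user)->size);
}

void *toy_alloc(uint32_t size) {
    size = (size + 3u) & ~3u;
    size_t need = sizeof(chunk_header) + size + CANARY_SIZE;
    if (arena_top + need > ARENA_SIZE) return NULL;
    chunk_header *h = (chunk_header *)(arena + arena_top);
    void *user = (uint8_t *)h + sizeof(chunk_header);
    h->size = size; h->state = 1; memset(h->pad, 0, sizeof h->pad);
    h->checksum = header_checksum(h, user);
    *trailer_of(user) = h->checksum;   /* canary mirrors the header checksum */
    arena_top += need;
    return user;
}

/* 1 if the header before the block verifies, 0 if it was corrupted. */
int toy_check_header(void *user) {
    chunk_header *h = header_of(user);
    return h->checksum == header_checksum(h, user);
}

/* 1 if both the header and the end-of-block canary are intact. */
int toy_check_trailer(void *user) {
    return toy_check_header(user) && *trailer_of(user) == header_of(user)->checksum;
}

/* free() path: refuses a block whose header no longer verifies. */
int toy_free(void *user) {
    if (!toy_check_header(user)) return 0;
    chunk_header *h = header_of(user);
    h->state = 0;
    h->checksum = header_checksum(h, user);
    return 1;
}

typedef struct { int a_header, a_trailer, b_header, free_b; } demo_result;

/* Overrun scenario from the thread: writing past A's end never touches A's
 * own header (it sits before A), so without a trailer the corruption is only
 * caught when B's header is verified, e.g. on free(B). */
demo_result overrun_demo(void) {
    demo_result r;
    arena_top = 0;
    uint8_t *a = toy_alloc(16);
    uint8_t *b = toy_alloc(16);
    memset(a, 'A', 16 + CANARY_SIZE + sizeof(chunk_header)); /* into B's header */
    r.a_header  = toy_check_header(a);   /* 1: A's header is untouched */
    r.a_trailer = toy_check_trailer(a);  /* 0: canary catches it immediately */
    r.b_header  = toy_check_header(b);   /* 0: B's header was clobbered */
    r.free_b    = toy_free(b);           /* 0: free() of B refuses the chunk */
    return r;
}

/* Baseline: an in-bounds write leaves every check passing. */
int clean_demo(void) {
    arena_top = 0;
    uint8_t *a = toy_alloc(16);
    memset(a, 'A', 16);
    return toy_check_trailer(a) && toy_free(a);
}

int main(void) {
    demo_result r = overrun_demo();
    printf("A header %d, A trailer %d, B header %d, free(B) %d, clean %d\n",
           r.a_header, r.a_trailer, r.b_header, r.free_b, clean_demo());
    return 0;
}
```

The two results worth comparing are `a_trailer` and `b_header`: the trailing canary reports the overrun on the chunk that was actually overflowed, while the header-only scheme reports it on the neighbour, and only at the point where that neighbour's header happens to be verified. That late detection point is what the comment above refers to with "checked in due time", and the extra store and compare per allocation is the cost the comment wants to keep optional.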