[PATCH] D70762: scudo: Add initial memory tagging support.

Peter Collingbourne via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Wed Nov 27 13:19:46 PST 2019


pcc added a comment.

In D70762#1762254 <https://reviews.llvm.org/D70762#1762254>, @eugenis wrote:

> > The granules either side of the allocation are tagged with tag 0
>
> But only if the granule on the right is within the current chunk, right?


In the case where the granule on the right is not in the current chunk, there are two possibilities:

- We are at the next chunk, which will have a tag 0 at the beginning for the header granule.
- We are at the end of the mapping.

Either way we will get a SEGV when we access the next granule.

> This patch does not retag memory on free, so it would not catch use-after-free. Unless I'm missing something.

Correct. We won't catch UAF unless we happen to reuse the chunk in the right way. I was originally planning to do tag on free later.

> It looks like a better strategy would be tagging memory _only_ on free (and realloc, and when new memory is requested from the system, too).

Interesting. So:

- On mmap we do a separate IRG for each block and tag the entire block except for the first granule.
- On free we IRG and tag the entire block except for the first granule.
- On malloc we tag the granule before and after (modulo end-of-block) with 0.

So we would do about 1.5x the amount of work (because we don't know how big the malloc is going to be), with additional upfront work. Maybe the upfront work is fine on Android because of the zygote.

That said, maybe we could cut the 1.5x down to about 1x by only tagging max(half block size, usable size) on free, and the remainder on malloc.


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D70762/new/

https://reviews.llvm.org/D70762
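The two tagging policies discussed in this thread, as an added example that is not scudo's code and not part of the review: a toy model of MTE tag memory with one tag per 16-byte granule and a hardware-style tag check on every access. The chunk layout (one header granule at tag 0 plus three usable granules), the 256-byte mapping, and the deterministic `irg()` counter standing in for the real IRG instruction are all assumptions made for the example; the function names are invented. It shows why an overflow that leaves the allocation faults whether the next granule is a 0-tagged neighbour, the next chunk's header or the end of the mapping, why tag-on-malloc alone lets a use-after-free through, and what retagging on free changes.

```c
/* Added example (not scudo code): toy MTE tag memory contrasting the
 * tag-on-malloc policy of D70762 with retagging on free.
 * Granule size, chunk layout and the deterministic IRG are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GRANULE     16                    /* MTE tag granule */
#define NGRANULES   16                    /* one simulated 256-byte mapping */
#define CHUNK_GRANS 4                     /* 1 header granule + 3 usable granules */
#define NCHUNKS     (NGRANULES / CHUNK_GRANS)

enum { OK = 0, FAULT_TAG = 1, FAULT_UNMAPPED = 2 };

static uint8_t g_tags[NGRANULES];         /* allocation tag per granule (tag memory) */
static uint8_t g_next_tag;                /* deterministic stand-in for IRG */

typedef struct { uint8_t tag; size_t addr; } tptr;   /* address plus logical tag bits */

/* Stand-in for IRG: next tag in 1..15, never 0, never `exclude`. */
static uint8_t irg(uint8_t exclude) {
    uint8_t t;
    do { t = g_next_tag; g_next_tag = (uint8_t)(g_next_tag % 15 + 1); } while (t == exclude);
    return t;
}

static void set_tags(size_t first, size_t count, uint8_t tag) {
    for (size_t g = first; g < first + count; g++) g_tags[g] = tag;
}

static void heap_init(void) {             /* fresh mapping: every granule has tag 0 */
    memset(g_tags, 0, sizeof g_tags);
    g_next_tag = 1;
}

/* Hardware-style check for a one-byte load/store at p + off. */
static int access_byte(tptr p, size_t off) {
    size_t gran = (p.addr + off) / GRANULE;
    if (gran >= NGRANULES) return FAULT_UNMAPPED;   /* past the end of the mapping */
    if (g_tags[gran] != p.tag) return FAULT_TAG;    /* tag check failure: SEGV */
    return OK;
}

/* Tag-on-malloc as described in the thread: IRG, tag the granules the allocation
 * covers, and give the granule after it tag 0 when it is still inside the chunk.
 * The header granule stays at tag 0. `size` must fit in the 3 usable granules. */
static tptr tmalloc(int chunk, size_t size) {
    size_t first = (size_t)chunk * CHUNK_GRANS + 1;       /* skip the header granule */
    size_t n = (size + GRANULE - 1) / GRANULE;
    uint8_t tag = irg(0);
    set_tags(first, n, tag);
    if (n < CHUNK_GRANS - 1) set_tags(first + n, 1, 0);
    return (tptr){ tag, first * GRANULE };
}

/* The suggested alternative: on free, IRG and retag the block except the header. */
static void tfree_retag(int chunk, uint8_t old_tag) {
    set_tags((size_t)chunk * CHUNK_GRANS + 1, CHUNK_GRANS - 1, irg(old_tag));
}

/* 20-byte allocation: bytes 20..31 share the second granule and pass unseen
 * (MTE cannot see inside a granule); byte 32 hits the 0-tagged granule after it. */
static int scenario_overflow_within_chunk(void) {
    heap_init();
    tptr p = tmalloc(0, 20);
    if (access_byte(p, 19) != OK || access_byte(p, 31) != OK) return -1;
    return access_byte(p, 32);                            /* FAULT_TAG */
}

/* Allocation filling its chunk: the next granule is the next chunk's header. */
static int scenario_overflow_into_next_header(void) {
    heap_init();
    return access_byte(tmalloc(0, 48), 48);               /* FAULT_TAG */
}

/* Same in the last chunk: the next granule is past the mapping. */
static int scenario_overflow_off_mapping(void) {
    heap_init();
    return access_byte(tmalloc(NCHUNKS - 1, 48), 48);    /* FAULT_UNMAPPED */
}

/* Free without retagging (the patch as posted): tags are untouched. */
static int scenario_uaf_no_retag(void) {
    heap_init();
    tptr p = tmalloc(0, 20);
    return access_byte(p, 0);                             /* OK: dangling access is silent */
}

static int scenario_uaf_retag_on_free(void) {
    heap_init();
    tptr p = tmalloc(0, 20);
    tfree_retag(0, p.tag);
    return access_byte(p, 0);                             /* FAULT_TAG */
}

int main(void) {
    printf("overflow within chunk:     %d\n", scenario_overflow_within_chunk());
    printf("overflow into next header: %d\n", scenario_overflow_into_next_header());
    printf("overflow off mapping:      %d\n", scenario_overflow_off_mapping());
    printf("UAF, no retag on free:     %d\n", scenario_uaf_no_retag());
    printf("UAF, retag on free:        %d\n", scenario_uaf_retag_on_free());
    return 0;
}
```

The model deliberately lets the tag-on-malloc path reuse granules without retagging them on free, which is what makes `scenario_uaf_no_retag` return `OK`; with real hardware the dangling access would also only be caught if the chunk were reallocated and happened to receive a different tag.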