[PATCH] D70762: scudo: Add initial memory tagging support.

Evgenii Stepanov via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Wed Nov 27 13:29:11 PST 2019


eugenis added a comment.

In D70762#1762272 <https://reviews.llvm.org/D70762#1762272>, @pcc wrote:

> In the case where the granule on the right is not in the current chunk, there are two possibilities:
>
> - We are at the next chunk, which will have a tag 0 at the beginning for the header granule.
> - We are at the end of the mapping. Either way we will get a SEGV when we access the next granule.


Yes, of course. SG.

> Interesting. So:
> 
> - On mmap we do a separate IRG for each block and tag the entire block except for first granule.
> - On free we IRG and tag the entire block except first granule.
> - On malloc we tag the granule before and after (modulo end-of-block) with 0.
> 
> So we would do about 1.5x the amount of work (because we don't know how big the malloc is going to be), with additional upfront work. Maybe the upfront work is fine on Android because of the zygote.
> 
> That said, maybe we could cut the 1.5x down to about 1x by only tagging max(half block size, usable size) on free, and the remainder on malloc.

We don't need the upfront work if we can track the "has never been tagged" state of the chunk somewhere. Ideally, not in the chunk header to avoid paging everything in too early.
Maybe we can optimize for size of malloc <= size of the previous free by storing the size of the free() in the header.

Anyway, this beats the 2x amount of work needed to catch UAF by tagging in both malloc and free.


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D70762/new/

https://reviews.llvm.org/D70762
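The scheme the thread is weighing (one IRG per block at mmap time with the header granule left untagged, a fresh IRG and full retag on free, and the granule before and after the allocation zeroed on malloc, "modulo end-of-block") is easier to reason about with a model in hand. The following is an added example, not scudo's code and not code from anyone on this thread: a small C simulation of tagged 16-byte granules with 4-bit tags, where a pointer carries the tag it expects and an access is allowed only when every granule it touches carries that tag, which is the check an MTE load or store performs. The 1 KiB mapping size, the chunk layout (one header granule plus body granules) and the deterministic stand-in for IRG are assumptions made for the model.

```c
/* Added example (not scudo's code): a software model of the tagging scheme
 * discussed above. Memory is NGRANULES 16-byte granules, each carrying a
 * 4-bit tag, and a "pointer" is an offset plus the tag it expects. An access
 * passes only when pointer tag and granule tag agree, mirroring the check an
 * MTE load or store performs. The mapping size and the deterministic IRG
 * stand-in are assumptions made for the model. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define GRANULE   16
#define NGRANULES 64               /* a 1 KiB mapping, chosen for the model */

static uint8_t granule_tag[NGRANULES];

typedef struct { size_t offset; uint8_t tag; } tptr;   /* tagged pointer */

/* Stand-in for IRG: a nonzero tag different from `avoid`. Tag 0 is reserved
 * for header granules and for the guard granules set on malloc. */
static uint8_t irg(uint8_t avoid) {
    static uint8_t next = 0;
    uint8_t t;
    do { t = (uint8_t)(1 + next++ % 15); } while (t == avoid);
    return t;
}

static void tag_range(size_t first, size_t n, uint8_t tag) {
    for (size_t i = 0; i < n && first + i < NGRANULES; i++)
        granule_tag[first + i] = tag;
}

/* The hardware-style check: every granule touched must carry p.tag. */
static bool access_ok(tptr p, size_t len) {
    if (len == 0 || p.offset + len > (size_t)NGRANULES * GRANULE) return false;
    for (size_t g = p.offset / GRANULE; g <= (p.offset + len - 1) / GRANULE; g++)
        if (granule_tag[g] != p.tag) return false;
    return true;
}

/* A chunk is a header granule followed by (granules - 1) body granules. */
typedef struct { size_t start; size_t granules; uint8_t tag; } chunk;

/* mmap time: one IRG per block, tag everything except the header granule. */
static chunk chunk_init(size_t start, size_t granules) {
    chunk c = { start, granules, irg(0) };
    granule_tag[start] = 0;
    tag_range(start + 1, granules - 1, c.tag);
    return c;
}

/* malloc: keep the tag already on the block; set the granule before (the
 * header) and the first granule past the rounded-up end to 0, unless the
 * allocation reaches the end of the block. */
static tptr chunk_malloc(chunk *c, size_t size) {
    size_t used = (size + GRANULE - 1) / GRANULE;
    size_t past_end = c->start + 1 + used;
    granule_tag[c->start] = 0;
    if (past_end < c->start + c->granules) granule_tag[past_end] = 0;
    tptr p = { (c->start + 1) * GRANULE, c->tag };
    return p;
}

/* free: fresh IRG and retag the whole body, so any stale pointer mismatches. */
static void chunk_free(chunk *c) {
    c->tag = irg(c->tag);
    tag_range(c->start + 1, c->granules - 1, c->tag);
}

/* Each scenario returns true when the bad access is caught and the good one
 * is not. */
static bool overflow_caught(void) {
    memset(granule_tag, 0, sizeof granule_tag);
    chunk c = chunk_init(0, 8);                  /* header + 7 body granules */
    tptr p = chunk_malloc(&c, 40);               /* 40 bytes -> 3 granules */
    tptr past = { p.offset + 48, p.tag };        /* first byte past granule 3 */
    return access_ok(p, 40) && !access_ok(past, 1);
}

static bool underflow_caught(void) {
    memset(granule_tag, 0, sizeof granule_tag);
    chunk c = chunk_init(0, 8);
    tptr p = chunk_malloc(&c, 40);
    tptr before = { p.offset - 1, p.tag };       /* lands in the header granule */
    return !access_ok(before, 1);
}

static bool uaf_caught(void) {
    memset(granule_tag, 0, sizeof granule_tag);
    chunk c = chunk_init(0, 8);
    tptr stale = chunk_malloc(&c, 40);
    chunk_free(&c);
    tptr fresh = chunk_malloc(&c, 40);           /* reuse of the same chunk */
    return !access_ok(stale, 1) && access_ok(fresh, 40);
}

/* The "modulo end-of-block" case: an allocation that fills the block has no
 * guard granule of its own; the next chunk's header granule (tag 0) serves. */
static bool end_of_block_caught(void) {
    memset(granule_tag, 0, sizeof granule_tag);
    chunk a = chunk_init(0, 8);
    chunk b = chunk_init(8, 8);
    tptr p = chunk_malloc(&a, 7 * GRANULE);      /* uses all 7 body granules */
    tptr past = { p.offset + 7 * GRANULE, p.tag };
    return access_ok(p, 7 * GRANULE) && !access_ok(past, 1) && b.tag != 0;
}
```

The four scenario functions are the ones worth stepping through: the overflow and underflow cases are caught by the zero-tagged guard and header granules set on malloc, the use-after-free case is caught because free retags the body with a tag that `irg` guarantees differs from the old one, and the end-of-block case shows why no guard granule is needed there, since the neighbouring chunk's header granule is already tag 0. One caveat the model makes visible: the 40-byte allocation occupies three full granules, so an overrun into bytes 40 to 47 stays inside a granule carrying the pointer's own tag and is not detected; tag checks work at granule granularity, not byte granularity.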
