[PATCH] D32310: [scudo] Bypass Quarantine if its size is set to 0
Kostya Kortchinsky via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Fri Apr 21 10:53:39 PDT 2017
cryptoad added a comment.
In https://reviews.llvm.org/D32310#733792, @dvyukov wrote:
> It's not checked until the object is freed, which may not happen at all. Attackers are good at laying out objects in the required order, so they place something long-living afterwards, so it won't be freed.
I am in agreement with you.
I can also see that happening for both chunk A and B, whether the checksum is at the end of A or the beginning of B, e.g.: overflowing A into B without A or B getting freed for a long time.
I think this is a tough problem to solve with an allocator only, and hopefully the randomness of the chunks layout will help make it harder to have B after A (though not impossible).
https://reviews.llvm.org/D32310
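The detection gap discussed in this thread, as an added toy model that is not Scudo's code or layout and was not posted in the review: each chunk carries an in-band header (here assumed to be a 4-byte size plus a 4-byte CRC32 bound to the chunk's offset) that is only verified when the chunk is freed. A constructed overflow from chunk A into the header of a long-lived chunk B goes unnoticed as long as B is never freed; a defender-side sweep over live headers (`scan_live_headers`, an addition for illustration, not something the allocator under review does) shows what earlier detection would require. Class and function names, the header format and the sample sizes are all constructed for this example.

```python
import struct
import zlib

HEADER_SIZE = 8  # constructed layout: 4-byte size, 4-byte checksum (little-endian)


class HeaderCorruption(Exception):
    """Raised when a chunk header does not match its stored checksum."""


class ToyHeap:
    """Bump allocator whose chunk headers are validated only on free."""

    def __init__(self, capacity=256):
        self.mem = bytearray(capacity)
        self.top = 0
        self.live = set()  # offsets (header start) of allocated chunks

    def _checksum(self, offset, size):
        # Bind the size to the chunk's own offset so a header copied from
        # another chunk does not verify (assumed design for this model).
        return zlib.crc32(struct.pack("<II", offset, size)) & 0xFFFFFFFF

    def _verify(self, offset):
        size, stored = struct.unpack_from("<II", self.mem, offset)
        if stored != self._checksum(offset, size):
            raise HeaderCorruption(f"header at offset {offset} failed checksum")
        return size

    def alloc(self, size):
        offset = self.top
        if offset + HEADER_SIZE + size > len(self.mem):
            raise MemoryError("toy heap exhausted")
        struct.pack_into("<II", self.mem, offset, size, self._checksum(offset, size))
        self.top = offset + HEADER_SIZE + size
        self.live.add(offset)
        return offset + HEADER_SIZE  # user pointer

    def free(self, ptr):
        offset = ptr - HEADER_SIZE
        size = self._verify(offset)  # the only point where the header is checked
        self.live.discard(offset)
        return size

    def write(self, ptr, data):
        # Deliberately unbounded: models a buggy caller overrunning its buffer.
        self.mem[ptr:ptr + len(data)] = data

    def scan_live_headers(self):
        # Defender-side integrity sweep: verify every live header regardless of
        # whether the owning chunk is ever freed. Returns offsets that fail.
        bad = []
        for offset in sorted(self.live):
            try:
                self._verify(offset)
            except HeaderCorruption:
                bad.append(offset)
        return bad


def overflow_into_long_lived_neighbour():
    """Constructed scenario: A is overrun into B's header, B is never freed."""
    heap = ToyHeap()
    a = heap.alloc(16)
    b = heap.alloc(16)  # placed directly after A in this bump allocator
    heap.write(a, b"A" * 20)  # 20 bytes into a 16-byte payload clobbers B's size field
    heap.free(a)  # A's own header is intact, so this raises nothing
    return heap, b


def corruption_found_by_sweep():
    heap, b = overflow_into_long_lived_neighbour()
    return heap.scan_live_headers() == [b - HEADER_SIZE]


def corruption_found_only_at_free():
    heap, b = overflow_into_long_lived_neighbour()
    try:
        heap.free(b)
    except HeaderCorruption:
        return True
    return False


if __name__ == "__main__":
    print("sweep detects corrupted live header:", corruption_found_by_sweep())
    print("free-time check detects it only if B is freed:", corruption_found_only_at_free())
```

The sweep is the expensive part: walking every live header on a real allocator is not free, which is why the thread treats this as hard to solve inside the allocator alone and leans on layout randomisation to make an adjacent A/B placement less predictable.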