[compiler-rt] [scudo] Update header without read-modify-write operation (PR #66955)

Kostya Kortchinsky via llvm-commits llvm-commits at lists.llvm.org
Wed Sep 20 17:33:25 PDT 2023


cryptoad wrote:

This is risky.

This is a race detection mechanism where we detect if 2 chunks are modified concurrently. There is a window of time where 2 threads can free the same chunk: both headers will be read, pass the check, and be written as a free chunk header. If we do not detect this, then the free chunk will be added to 2 caches, and further badness will ensue.

I agree this is an expensive check, and I initially considered both options (cmpxchg vs read-store). If you look for "race on chunk header at address" in Google, you'll find stuff like https://github.com/Instabug/Instabug-Android/issues/435. So those races do happen in the wild, and while it would be complicated to exploit, I wouldn't think it to be impossible.

If you do want to remove this - at the cost of security - you might want to remove reportHeaderRace as well though.

https://github.com/llvm/llvm-project/pull/66955
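An added illustration of the interleaving the comment describes (example code, not scudo's own; the packed header layout, state encoding and function names are constructed). It replays the same two-thread double free deterministically against a compare-exchange update and against an unconditional store, and counts how many frees get accepted.

```c
/* Added example (not scudo's code): a chunk header modelled as a 64-bit word
 * whose low two bits hold the state. Two "threads" free the same chunk after
 * both read the header while it was still Allocated. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>

enum { STATE_AVAILABLE = 0, STATE_ALLOCATED = 1 };

typedef uint64_t PackedHeader;                 /* hypothetical packed layout */
typedef _Atomic PackedHeader AtomicPackedHeader;

static PackedHeader with_state(PackedHeader h, uint64_t state) {
  return (h & ~(PackedHeader)3) | (state & 3);
}

/* Race-detecting update: only succeeds if the header still equals the value
 * this thread read. A failure means another thread changed it in between,
 * which is the condition the original code reports as a header race. */
static bool store_cas(AtomicPackedHeader *hdr, PackedHeader expected,
                      PackedHeader desired) {
  return atomic_compare_exchange_strong(hdr, &expected, desired);
}

/* Read-modify-write variant: the check was done on the copy read earlier,
 * and the store is unconditional, so a concurrent change goes unnoticed. */
static bool store_plain(AtomicPackedHeader *hdr, PackedHeader expected,
                        PackedHeader desired) {
  (void)expected;
  atomic_store(hdr, desired);
  return true;
}

/* Returns how many of the two frees were accepted. A detector that works
 * accepts exactly one; two means the chunk would be handed to two caches. */
static int simulate_concurrent_free(bool (*store)(AtomicPackedHeader *,
                                                  PackedHeader, PackedHeader)) {
  AtomicPackedHeader hdr = with_state(0xABCD00, STATE_ALLOCATED); /* constructed */
  PackedHeader read_a = atomic_load(&hdr); /* thread A reads: Allocated */
  PackedHeader read_b = atomic_load(&hdr); /* thread B reads the same value */
  int accepted = 0;
  if ((read_a & 3) == STATE_ALLOCATED &&
      store(&hdr, read_a, with_state(read_a, STATE_AVAILABLE)))
    accepted++;
  /* With CAS this second write fails: the header no longer matches read_b. */
  if ((read_b & 3) == STATE_ALLOCATED &&
      store(&hdr, read_b, with_state(read_b, STATE_AVAILABLE)))
    accepted++;
  return accepted;
}
```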