This is the mail archive of the mailing list for the glibc project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Additional malloc hardening

On Mon, Aug 18, 2014 at 03:53:29PM +0200, Florian Weimer wrote:
> I would like to add a few more heap consistency checks to the malloc
> implementation.
> My initial focus is on allocation from the unsorted_chunks list.
> There seem to be a few invariants which are cheap to check for each
> chunk:
> - The PREV_INUSE bit is set.
> - The PREV_INUSE bit of the chunk after the foot is unset.
> - The size in the foot is equal to the size in the head.
> - The size of a chunk not in the main arena is less than HEAP_MAX_SIZE.
> The first two might not actually be true at the borders.  Is it
> possible to cheaply identify these conditions?

You do not need for detecting userspace errors. A better way is to add a
checksum that will detect corruption. Even if it takes one byte with
randomization it could detect error 50% of time after ten errors its
1/1024 chance.

You could make much stronger checks but its tradeoff between that and

For example you could if request does not fill entire chunk write to
remaining bytes a pseudorandom sequence and check if its same on free.
That will detect off-by one writes. Disadvantage is that you need extra
byte to save exact size.

Or if you do not mind minor slowdown you could detect any invalid writes
and probably cause crash with invalid reads, when you free a chunk write
a psuedorandom sequence into it and check if its intact when you do
allocation. Finally at end of program check remaining chunks.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]