From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-3.3 required=5.0 tests=MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL autolearn=ham autolearn_force=no version=3.4.4 Received: (qmail 18685 invoked from network); 18 May 2020 18:54:10 -0000 Received: from mother.openwall.net (195.42.179.200) by inbox.vuxu.org with ESMTPUTF8; 18 May 2020 18:54:10 -0000 Received: (qmail 28297 invoked by uid 550); 18 May 2020 18:54:05 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: musl@lists.openwall.com Received: (qmail 28277 invoked from network); 18 May 2020 18:54:04 -0000 Date: Mon, 18 May 2020 14:53:52 -0400 From: Rich Felker To: musl@lists.openwall.com Message-ID: <20200518185351.GF21576@brightrain.aerifal.cx> References: <20200510180934.GV21576@brightrain.aerifal.cx> <20200516002912.GN21576@brightrain.aerifal.cx> <20200516032901.GO21576@brightrain.aerifal.cx> <20200517033025.GQ21576@brightrain.aerifal.cx> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200517033025.GQ21576@brightrain.aerifal.cx> User-Agent: Mutt/1.5.21 (2010-09-15) Subject: Re: [musl] mallocng progress and growth chart On Sat, May 16, 2020 at 11:30:25PM -0400, Rich Felker wrote: > Another alternative for avoiding eagar commit at low usage, which > works for all but nommu: when adding groups with nontrivial slot count > at low usage, don't activate all the slots right away. Reserve vm > space for 7 slots for a 7x4672, but only unprotect the first 2 pages, > and treat it as a group of just 1 slot until there are no slots free > and one is needed. Then, unprotect another page (or more if needed to > fit another slot, as would be needed at larger sizes) and adjust the > slot count to match. (Conceptually; implementation-wise, the slot > count would be fixed, and there would just be a limit on the number of > slots made avilable when transformed from "freed" to "available" for > activation.) > > Note that this is what happens anyway with physical memory as clean > anonymous pages are first touched, but (1) doing it without explicit > unprotect over-counts the not-yet-used slots for commit charge > purposes and breaks tightly-memory-constrained environments (global > commit limit or cgroup) and (2) when all slots are initially available > as they are now, repeated free/malloc cycles for the same size will > round-robin all the slots, touching them all. > > Here, property (2) is of course desirable for hardening at moderate to > high usage, but at low usage UAF tends to be less of a concern > (because you don't have complex data structures with complex lifetimes > if you hardly have any malloc). > > Note also that (2) could be solved without addressing (1) just by > skipping the protection aspect of this idea and only using the > available-slot-limiting part. One abstract way of thinking about the above is that it's just a per-size-class bump allocator, pre-reserving enough virtual address space to end sufficiently close to a page boundary that there's no significant memory waste. This is actually fairly elegant, and might obsolete some of the other measures taken to avoid overly eagar allocation. So this might be a worthwhile direction to pursue.