From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-3.3 required=5.0 tests=MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL autolearn=ham autolearn_force=no version=3.4.4 Received: (qmail 8259 invoked from network); 10 Jun 2020 09:19:59 -0000 Received: from mother.openwall.net (195.42.179.200) by inbox.vuxu.org with ESMTPUTF8; 10 Jun 2020 09:19:59 -0000 Received: (qmail 7838 invoked by uid 550); 10 Jun 2020 09:19:55 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: musl@lists.openwall.com Received: (qmail 7820 invoked from network); 10 Jun 2020 09:19:55 -0000 Date: Wed, 10 Jun 2020 11:19:43 +0200 From: Szabolcs Nagy To: Rich Felker Cc: musl@lists.openwall.com Message-ID: <20200610091943.GE871552@port70.net> Mail-Followup-To: Rich Felker , musl@lists.openwall.com References: <20200609035010.GE1079@brightrain.aerifal.cx> <20200609110914.GC871552@port70.net> <20200609200800.GG1079@brightrain.aerifal.cx> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200609200800.GG1079@brightrain.aerifal.cx> Subject: Re: [musl] mallocng switchover - opportunity to test * Rich Felker [2020-06-09 16:08:00 -0400]: > On Tue, Jun 09, 2020 at 01:09:14PM +0200, Szabolcs Nagy wrote: > > - reclaim_gaps is not usable (in linux, file content may be in > > memory that does not support mte, even for private CoW maps, > > this can be changed in principle but to use reclaim_gaps elf > > changes will be needed anyway so a loader knows it has to > > use PROT_MTE and there is no elf abi design for that yet) > > Sometimes (often) the gaps will be in bss outside p_filesz, so those > should be usable even without fixing this on the kernel side. But > indeed it would be best to just have it always work right. > > Probably __malloc_donate should, if built for MTE, attempt to mprotect > with PROT_MTE and decline to use the memory if it can't. yeah checking mprotect return value works. > > - madvise MADV_FREE means naive tagging of internal/freed memory > > with a reseved internal tag does not work: internal pointers > > cannot access memory after they are zeroed by the kernel. > > this can be fixed in various ways i haven't decided what's > > best yet. enabling mte will cause various regressions and > > different behaviour (e.g. because all pages are written to on > > malloc, calloc, realloc, free) this will be one of them. > > Can you clarify what goes wrong here? There shouldn't be access to > memory that's been freed except at time of enframe, and enframe should > be able to set a new tag at the same time it performs the access. the simplest model i could come up with was just tagging right after mmap/mprotect everything with a reserved tag and all metadata pointers use that tag. then user allocations get a different tag and only the user owned range (plus padding at the end) uses that tag which is cleared on free (back to the reserved tag). this means internal pointer handling does not need to deal with tagging at all: all metadata pointers have the right tag to access all mapped non-user memory. this model breaks if tags can be zeroed after free so metadata allocation has to ensure it retags before accessing memory, but that requires more changes (e.g. enframe does various accesses in freed memory when that is reused but with a different offset, now we don't know what is the right tag for such access: is it 0 or the reserved tag? we can just always retag but then enframe will always tag which is more code change) if the 'reserved tag' is the 0 tag then the model still works, but meta data is less protected against invalid access with non-heap pointers (which will have 0 tag). > > if support for this is interesting i can work on patches > > that can be upstreamed (e.g. macros conditional on mte > > support etc) > > There is interest, at least from me, and I hope we can also influence > improvement of things on the ELF and kernel sides. > > I think it would be helpful to see patches even if they're a total > hack, before you work on polishing them for inclusion, since I might > have ideas how to change things to make the patches simpler and make > MTE less invasive. ok.