mailing list of musl libc
 help / color / mirror / code / Atom feed
From: Rich Felker <dalias@libc.org>
To: baiyang <baiyang@gmail.com>
Cc: musl <musl@lists.openwall.com>
Subject: Re: Re: [musl] The heap memory performance (malloc/free/realloc) is significantly degraded in musl 1.2 (compared to 1.1)
Date: Tue, 20 Sep 2022 08:16:41 -0400	[thread overview]
Message-ID: <20220920121640.GL9709@brightrain.aerifal.cx> (raw)
In-Reply-To: <20220920135610661572125@gmail.com>

On Tue, Sep 20, 2022 at 01:56:12PM +0800, baiyang wrote:
> > //     This multi-threaded access to the pagemap is safe for fairly
> > //     subtle reasons.  We basically assume that when an object X is
> > //     allocated by thread A and deallocated by thread B, there must
> > //     have been appropriate synchronization in the handoff of object
> > //     X from thread A to thread B.
> 
> Thanks for your information.
> I feel this assumption is very reasonable: you can't have one thread
> doing "free(p)" while another thread is accessing the block pointed
> to by p without any synchronization mechanism at the same time.

That's a correct assumption given that the program's behavior is
defined. The problem is that once you assume that, you've completely
lost control over what happens when the program's behavior is
undefined due to memory lifetime bugs in the application (UAF/DF/etc)
and an allocator that does this will necessarily allow bugs in the
lifetimes of objects that aren't inherently exploitable on the
application level (don't contain pointers that will be written through
that might clobber other application state, etc.) to be used to gain
control over the allocator state and eventually gain control over the
flow of execution through manipulating other allocated objects that
are attack vectors.

A hardened allocator like mallocng or hardened_malloc does not make
assumptions about the validity of data reachable for clobbering
through application bugs that haven't already yielded a high level of
control to the attacker. Instead, the metadata assumed to be valid is
at "secret locations" outside the area where application data is
stored that are intended not to be determinable without already having
some strong level of control over execution flow. And on top of that,
it's cross-validated as much as possible.

We also do validation where we can of the "in-band" data that is
easily reachable by overflows in application buffers, etc. This both
blocks a lot of potential exploits, and catches application bugs that
could be exploitable before they turn into exploits, by having them
crash on developers'/packagers' systems before they're deployed and
getting the root cause investigated and fixed.

Rich

  reply	other threads:[~2022-09-20 12:16 UTC|newest]

Thread overview: 68+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-09-19  7:53 baiyang
2022-09-19 11:08 ` Szabolcs Nagy
2022-09-19 12:36   ` Florian Weimer
2022-09-19 13:46     ` Rich Felker
2022-09-19 13:53       ` James Y Knight
2022-09-19 17:40         ` baiyang
2022-09-19 18:14           ` Szabolcs Nagy
2022-09-19 18:40             ` baiyang
2022-09-19 19:07             ` Gabriel Ravier
2022-09-19 19:21               ` Rich Felker
2022-09-19 21:02                 ` Gabriel Ravier
2022-09-19 21:47                   ` Rich Felker
2022-09-19 22:31                     ` Gabriel Ravier
2022-09-19 22:46                       ` baiyang
2022-09-19 20:46             ` Nat!
2022-09-20  8:51               ` Szabolcs Nagy
2022-09-20  0:13           ` James Y Knight
2022-09-20  0:25             ` baiyang
2022-09-20  0:38               ` Rich Felker
2022-09-20  0:47                 ` baiyang
2022-09-20  1:00                   ` Rich Felker
2022-09-20  1:18                     ` baiyang
2022-09-20  2:15                       ` Rich Felker
2022-09-20  2:35                         ` baiyang
2022-09-20  3:28                           ` Rich Felker
2022-09-20  3:53                             ` baiyang
2022-09-20  5:41                               ` Rich Felker
2022-09-20  5:56                                 ` baiyang
2022-09-20 12:16                                   ` Rich Felker [this message]
2022-09-20 17:21                                     ` baiyang
2022-09-20  8:33       ` Florian Weimer
2022-09-20 13:54         ` Siddhesh Poyarekar
2022-09-20 16:59           ` James Y Knight
2022-09-20 17:34             ` Szabolcs Nagy
2022-09-20 19:53               ` James Y Knight
2022-09-24  8:55               ` Fangrui Song
2022-09-20 17:39             ` baiyang
2022-09-20 18:12               ` Quentin Rameau
2022-09-20 18:19                 ` Rich Felker
2022-09-20 18:26                   ` Alexander Monakov
2022-09-20 18:35                     ` baiyang
2022-09-20 20:33                       ` Gabriel Ravier
2022-09-20 20:45                         ` baiyang
2022-09-21  8:42                           ` NRK
2022-09-20 18:37                     ` Quentin Rameau
2022-09-21 10:15                   ` [musl] " 王志强
2022-09-21 16:11                     ` [musl] " 王志强
2022-09-21 17:15                     ` [musl] " Rich Felker
2022-09-21 17:58                       ` Rich Felker
2022-09-22  3:34                         ` [musl] " 王志强
2022-09-22  9:10                           ` [musl] " 王志强
2022-09-22  9:39                             ` [musl] " 王志强
2022-09-20 17:28           ` baiyang
2022-09-20 17:44             ` Siddhesh Poyarekar
2022-10-10 14:13           ` Florian Weimer
2022-09-19 13:43 ` Rich Felker
2022-09-19 17:32   ` baiyang
2022-09-19 18:15     ` Rich Felker
2022-09-19 18:44       ` baiyang
2022-09-19 19:18         ` Rich Felker
2022-09-19 19:45           ` baiyang
2022-09-19 20:07             ` Rich Felker
2022-09-19 20:17               ` baiyang
2022-09-19 20:28                 ` Rich Felker
2022-09-19 20:38                   ` baiyang
2022-09-19 22:02                 ` Quentin Rameau
2022-09-19 20:17             ` Joakim Sindholt
2022-09-19 20:33               ` baiyang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220920121640.GL9709@brightrain.aerifal.cx \
    --to=dalias@libc.org \
    --cc=baiyang@gmail.com \
    --cc=musl@lists.openwall.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.vuxu.org/mirror/musl/

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).