From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=MAILING_LIST_MULTI, RCVD_IN_MSPIKE_H2 autolearn=ham autolearn_force=no version=3.4.4 Received: (qmail 27933 invoked from network); 20 Sep 2022 12:16:57 -0000 Received: from second.openwall.net (193.110.157.125) by inbox.vuxu.org with ESMTPUTF8; 20 Sep 2022 12:16:57 -0000 Received: (qmail 1252 invoked by uid 550); 20 Sep 2022 12:16:54 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: musl@lists.openwall.com Received: (qmail 1220 invoked from network); 20 Sep 2022 12:16:53 -0000 Date: Tue, 20 Sep 2022 08:16:41 -0400 From: Rich Felker To: baiyang Cc: musl Message-ID: <20220920121640.GL9709@brightrain.aerifal.cx> References: <20220920003811.GF9709@brightrain.aerifal.cx> <2022092008470636285288@gmail.com> <20220920010056.GG9709@brightrain.aerifal.cx> <2022092009180277847194@gmail.com> <20220920021511.GH9709@brightrain.aerifal.cx> <20220920103500598557106@gmail.com> <20220920032806.GI9709@brightrain.aerifal.cx> <20220920115350521974120@gmail.com> <20220920054149.GK9709@brightrain.aerifal.cx> <20220920135610661572125@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20220920135610661572125@gmail.com> User-Agent: Mutt/1.5.21 (2010-09-15) Subject: Re: Re: [musl] The heap memory performance (malloc/free/realloc) is significantly degraded in musl 1.2 (compared to 1.1) On Tue, Sep 20, 2022 at 01:56:12PM +0800, baiyang wrote: > > // This multi-threaded access to the pagemap is safe for fairly > > // subtle reasons. We basically assume that when an object X is > > // allocated by thread A and deallocated by thread B, there must > > // have been appropriate synchronization in the handoff of object > > // X from thread A to thread B. > > Thanks for your information. > I feel this assumption is very reasonable: you can't have one thread > doing "free(p)" while another thread is accessing the block pointed > to by p without any synchronization mechanism at the same time. That's a correct assumption given that the program's behavior is defined. The problem is that once you assume that, you've completely lost control over what happens when the program's behavior is undefined due to memory lifetime bugs in the application (UAF/DF/etc) and an allocator that does this will necessarily allow bugs in the lifetimes of objects that aren't inherently exploitable on the application level (don't contain pointers that will be written through that might clobber other application state, etc.) to be used to gain control over the allocator state and eventually gain control over the flow of execution through manipulating other allocated objects that are attack vectors. A hardened allocator like mallocng or hardened_malloc does not make assumptions about the validity of data reachable for clobbering through application bugs that haven't already yielded a high level of control to the attacker. Instead, the metadata assumed to be valid is at "secret locations" outside the area where application data is stored that are intended not to be determinable without already having some strong level of control over execution flow. And on top of that, it's cross-validated as much as possible. We also do validation where we can of the "in-band" data that is easily reachable by overflows in application buffers, etc. This both blocks a lot of potential exploits, and catches application bugs that could be exploitable before they turn into exploits, by having them crash on developers'/packagers' systems before they're deployed and getting the root cause investigated and fixed. Rich