Best Regards BaiYang baiyang@gmail.com http://i.baiy.cn |
From: Rich FelkerDate: 2022-09-20 20:16To: baiyangCC: muslSubject: Re: Re: [musl] The heap memory performance (malloc/free/realloc) is significantly degraded in musl 1.2 (compared to 1.1)On Tue, Sep 20, 2022 at 01:56:12PM +0800, baiyang wrote:> > // This multi-threaded access to the pagemap is safe for fairly> > // subtle reasons. We basically assume that when an object X is> > // allocated by thread A and deallocated by thread B, there must> > // have been appropriate synchronization in the handoff of object> > // X from thread A to thread B.>> Thanks for your information.> I feel this assumption is very reasonable: you can't have one thread> doing "free(p)" while another thread is accessing the block pointed> to by p without any synchronization mechanism at the same time.That's a correct assumption given that the program's behavior isdefined. The problem is that once you assume that, you've completelylost control over what happens when the program's behavior isundefined due to memory lifetime bugs in the application (UAF/DF/etc)and an allocator that does this will necessarily allow bugs in thelifetimes of objects that aren't inherently exploitable on theapplication level (don't contain pointers that will be written throughthat might clobber other application state, etc.) to be used to gaincontrol over the allocator state and eventually gain control over theflow of execution through manipulating other allocated objects thatare attack vectors.A hardened allocator like mallocng or hardened_malloc does not makeassumptions about the validity of data reachable for clobberingthrough application bugs that haven't already yielded a high level ofcontrol to the attacker. Instead, the metadata assumed to be valid isat "secret locations" outside the area where application data isstored that are intended not to be determinable without already havingsome strong level of control over execution flow. And on top of that,it's cross-validated as much as possible.We also do validation where we can of the "in-band" data that iseasily reachable by overflows in application buffers, etc. This bothblocks a lot of potential exploits, and catches application bugs thatcould be exploitable before they turn into exploits, by having themcrash on developers'/packagers' systems before they're deployed andgetting the root cause investigated and fixed.Rich