From: baiyang
To: Rich Felker
Cc: musl
Date: Wed, 21 Sep 2022 01:21:15 +0800
Subject: Re: Re: [musl] The heap memory performance (malloc/free/realloc) is significantly degraded in musl 1.2 (compared to 1.1)
Message-ID: <202209210121127486426@gmail.com>
Reply-To: musl@lists.openwall.com
References: <20220920003811.GF9709@brightrain.aerifal.cx>, <2022092008470636285288@gmail.com>, <20220920010056.GG9709@brightrain.aerifal.cx>, <2022092009180277847194@gmail.com>, <20220920021511.GH9709@brightrain.aerifal.cx>, <20220920103500598557106@gmail.com>, <20220920032806.GI9709@brightrain.aerifal.cx>, <20220920115350521974120@gmail.com>, <20220920054149.GK9709@brightrain.aerifal.cx>, <20220920135610661572125@gmail.com>, <20220920121640.GL9709@brightrain.aerifal.cx>
> The problem is that once you assume that, you've completely
> lost control over what happens when the program's behavior is
> undefined due to memory lifetime bugs in the application (UAF/DF/etc)

Yes, but that's exactly the contract between the C language and the programmer: to leave everything in the hands of people for maximum control and efficiency.

If we need more "protection", then we can just use other more advanced (and inefficient) languages.

Also, because of the enormous flexibility that C gives the programmer (which is also hugely destructive when used incorrectly), I'm afraid that the various checks we do at such a high cost may also be "better than nothing" to prevent bugs?

Of course, these tradeoffs are indeed a delicate matter. It's hard to have a definitive answer.

--

  Best Regards
  BaiYang
  baiyang@gmail.com
  http://i.baiy.cn
**** < END OF EMAIL > ****


From: Rich Felker
Date: 2022-09-20 20:16
To: baiyang
CC: musl
Subject: Re: Re: [musl] The heap memory performance (malloc/free/realloc) is significantly degraded in musl 1.2 (compared to 1.1)
On Tue, Sep 20, 2022 at 01:56:12PM +0800, baiyang wrote:
> > //     This multi-threaded access to the pagemap is safe for fairly
> > //     subtle reasons.  We basically assume that when an object X is
> > //     allocated by thread A and deallocated by thread B, there must
> > //     have been appropriate synchronization in the handoff of object
> > //     X from thread A to thread B.
>
> Thanks for your information.
> I feel this assumption is very reasonable: you can't have one thread
> doing "free(p)" while another thread is accessing the block pointed
> to by p without any synchronization mechanism at the same time.

That's a correct assumption given that the program's behavior is
defined. The problem is that once you assume that, you've completely
lost control over what happens when the program's behavior is
undefined due to memory lifetime bugs in the application (UAF/DF/etc)
and an allocator that does this will necessarily allow bugs in the
lifetimes of objects that aren't inherently exploitable on the
application level (don't contain pointers that will be written through
that might clobber other application state, etc.) to be used to gain
control over the allocator state and eventually gain control over the
flow of execution through manipulating other allocated objects that
are attack vectors.

A hardened allocator like mallocng or hardened_malloc does not make
assumptions about the validity of data reachable for clobbering
through application bugs that haven't already yielded a high level of
control to the attacker. Instead, the metadata assumed to be valid is
at "secret locations" outside the area where application data is
stored that are intended not to be determinable without already having
some strong level of control over execution flow. And on top of that,
it's cross-validated as much as possible.

We also do validation where we can of the "in-band" data that is
easily reachable by overflows in application buffers, etc. This both
blocks a lot of potential exploits, and catches application bugs that
could be exploitable before they turn into exploits, by having them
crash on developers'/packagers' systems before they're deployed and
getting the root cause investigated and fixed.

Rich
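The design Rich describes above (authoritative allocator state kept out-of-band where an application overflow cannot reach it, plus cross-validation of the small in-band data that an overflow can reach) is easier to see in a toy model. The following is an added example written for this thread, not code from musl or mallocng: a fixed-size slot allocator whose live/free state is a bitmask stored away from the slab, with a 4-byte in-band header per slot that free() checks against that out-of-band state. All names (toy_alloc, toy_free, TOY_* statuses) and the slab layout are assumptions; free() returns a status instead of aborting only so that the scenarios can be checked.

```c
/* Added example (not musl/mallocng code): a toy fixed-size slot allocator whose
 * authoritative state lives out-of-band, with a small in-band header that is
 * cross-validated on free(). All names (toy_*, TOY_*) are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_SIZE  4                      /* in-band header: the slot's own index */
#define SLOT_SIZE 64                     /* bytes handed to the caller */
#define STRIDE    (HDR_SIZE + SLOT_SIZE)
#define NSLOTS    16

enum toy_status { TOY_OK = 0, TOY_BAD_RANGE, TOY_BAD_ALIGN, TOY_NOT_LIVE, TOY_HDR_MISMATCH };

static unsigned char slab[NSLOTS * STRIDE]; /* memory the application can reach and overflow */
static uint32_t live_bits;                  /* out-of-band truth: bit i set => slot i is live */

static void toy_reset(void) { live_bits = 0; memset(slab, 0, sizeof slab); }

void *toy_alloc(void) {
    for (uint32_t i = 0; i < NSLOTS; i++) {
        if (live_bits & (1u << i)) continue;
        live_bits |= 1u << i;
        unsigned char *base = slab + (size_t)i * STRIDE;
        memcpy(base, &i, HDR_SIZE);        /* write the in-band header at allocation time */
        return base + HDR_SIZE;
    }
    return NULL;
}

/* Every check runs before the pointer is trusted. A status is returned instead of
 * aborting so the scenarios below are testable; a hardened allocator would abort. */
enum toy_status toy_free(void *p) {
    uintptr_t lo = (uintptr_t)slab, hi = lo + sizeof slab, up = (uintptr_t)p;
    if (up < lo + HDR_SIZE || up >= hi) return TOY_BAD_RANGE;     /* not from this slab */
    size_t off = (size_t)(up - lo);
    if (off % STRIDE != HDR_SIZE) return TOY_BAD_ALIGN;            /* not a slot start */
    uint32_t i = (uint32_t)(off / STRIDE);
    if (!(live_bits & (1u << i))) return TOY_NOT_LIVE;             /* double or stale free */
    uint32_t hdr;
    memcpy(&hdr, (unsigned char *)p - HDR_SIZE, HDR_SIZE);
    if (hdr != i) return TOY_HDR_MISMATCH;                         /* in-band header clobbered */
    live_bits &= ~(1u << i);
    memset((unsigned char *)p - HDR_SIZE, 0, STRIDE);              /* wipe header and stale data */
    return TOY_OK;
}

/* Scenarios: each returns the status of the free() under test. */
enum toy_status scenario_valid_roundtrip(void) {
    toy_reset();
    return toy_free(toy_alloc());
}
enum toy_status scenario_double_free(void) {
    toy_reset();
    void *a = toy_alloc();
    toy_free(a);
    return toy_free(a);                    /* second free of the same pointer */
}
enum toy_status scenario_overflow_detected(void) {
    toy_reset();
    unsigned char *a = toy_alloc(), *b = toy_alloc();   /* adjacent slots 0 and 1 */
    memset(a, 'A', SLOT_SIZE + 1);        /* buggy one-byte overflow into b's header */
    return toy_free(b);                    /* header no longer matches the out-of-band index */
}
enum toy_status scenario_foreign_pointer(void) {
    int local;
    toy_reset();
    return toy_free(&local);               /* pointer not from this allocator */
}
enum toy_status scenario_interior_pointer(void) {
    toy_reset();
    unsigned char *a = toy_alloc();
    return toy_free(a + 1);                /* not a slot start */
}

int main(void) {
    printf("roundtrip=%d double=%d overflow=%d foreign=%d interior=%d\n",
           scenario_valid_roundtrip(), scenario_double_free(), scenario_overflow_detected(),
           scenario_foreign_pointer(), scenario_interior_pointer());
    return 0;
}
```

The one-byte overflow in scenario_overflow_detected never touches live_bits, because that state is not adjacent to any application buffer; what it does reach is the in-band header, and the mismatch between that header and the out-of-band index is what turns a silent corruption into a detected fault at free() time. Real hardened allocators go further (randomised metadata placement, more fields cross-checked, abort on any failure), but the split between trusted out-of-band state and validated in-band data is the same.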