From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-3.3 required=5.0 tests=MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL autolearn=ham autolearn_force=no version=3.4.4 Received: (qmail 23665 invoked from network); 16 Sep 2023 16:11:50 -0000 Received: from second.openwall.net (193.110.157.125) by inbox.vuxu.org with ESMTPUTF8; 16 Sep 2023 16:11:50 -0000 Received: (qmail 9500 invoked by uid 550); 16 Sep 2023 16:11:46 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: musl@lists.openwall.com Received: (qmail 9466 invoked from network); 16 Sep 2023 16:11:45 -0000 Date: Sat, 16 Sep 2023 12:11:39 -0400 From: Rich Felker To: jvoisin Cc: musl@lists.openwall.com, James Raphael Tiovalen Message-ID: <20230916161139.GF4163@brightrain.aerifal.cx> References: <20230916070824.124528-1-jamestiotio@gmail.com> <448715ac-5282-4345-af34-ae48a4af947f@dustri.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <448715ac-5282-4345-af34-ae48a4af947f@dustri.org> User-Agent: Mutt/1.5.21 (2010-09-15) Subject: Re: [musl] [PATCH v2] Add a safe dequeue integrity check for mallocng On Sat, Sep 16, 2023 at 04:58:45PM +0200, jvoisin wrote: > On 16/09/2023 09:08, James Raphael Tiovalen wrote: > > This commit adds an integrity check to allow for safer dequeuing of the > > out-of-band meta structs in mallocng. If the unlikely condition is true > > due to some sort of heap metadata corruption, we abort. > > Since asserts aren't present in production code[1], I don't think that > this change is useful. Did you read the previous (v1 patch) thread or the code? In mallocng, assert expands to a lightweight assertion check. > > This approach is similar to the safe unlinking check performed by glibc. > > The metadata in musl's heap implementation are stored out-of-bound. > Should an attacker be able to locate and modify them, it's already game > over. Adding a `m->prev->next == m && m->next->prev == m` would only > impede attackers if they only have an arbitrary read and a one-shot > arbitrary write that can only overwrite one `meta` instead. This seems > pretty contrived (as in "unlikely) to me. Do you have any particular > scenario in mind? > > > 1. https://git.musl-libc.org/cgit/musl/tree/include/assert.h Indeed, I'm still mildly unsure of the usefulness of this check, but not really opposed to it unless it turns out to be costly. (Note: many of the others already there *are* moderately costly, but are based on very plausible attack models where the data being checked is easily reachable via application bugs.) Has anyone checked if this measurably affects performance? Rich