From: jvoisin <email@example.com>
Subject: Re: [musl] [PATCH v2] Add a safe dequeue integrity check for mallocng
Date: Sat, 16 Sep 2023 16:58:45 +0200 [thread overview]
Message-ID: <firstname.lastname@example.org> (raw)
On 16/09/2023 09:08, James Raphael Tiovalen wrote:
> This commit adds an integrity check to allow for safer dequeuing of the
> out-of-band meta structs in mallocng. If the unlikely condition is true
> due to some sort of heap metadata corruption, we abort.
Since asserts aren't present in production code, I don't think that
this change is useful.
> This approach is similar to the safe unlinking check performed by glibc.
The metadata in musl's heap implementation are stored out-of-bound.
Should an attacker be able to locate and modify them, it's already game
over. Adding a `m->prev->next == m && m->next->prev == m` would only
impede attackers if they only have an arbitrary read and a one-shot
arbitrary write that can only overwrite one `meta` instead. This seems
pretty contrived (as in "unlikely) to me. Do you have any particular
scenario in mind?
next prev parent reply other threads:[~2023-09-16 14:59 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-16 7:08 James Raphael Tiovalen
2023-09-16 14:58 ` jvoisin [this message]
2023-09-16 16:11 ` Rich Felker
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).