From: James R T <jamestiotio@gmail.com>
To: Rich Felker <dalias@libc.org>, Joakim Sindholt <opensource@zhasha.com>
Cc: musl@lists.openwall.com
Subject: Re: [musl] [PATCH] Add a safe dequeue integrity check for mallocng
Date: Sat, 16 Sep 2023 14:53:35 +0800 [thread overview]
Message-ID: <CAA_Li+up0SuDAAiqg98mWxd75aH6ifZ65Gi5XkW43bcuETw6iw@mail.gmail.com> (raw)
In-Reply-To: <20230914121834.GE4163@brightrain.aerifal.cx>
On Thu, Sep 14, 2023 at 5:23 PM Joakim Sindholt <opensource@zhasha.com> wrote:
>
> It's a little confusing but assert() in mallocng is not real assert():
> http://git.musl-libc.org/cgit/musl/tree/src/malloc/mallocng/glue.h#n33
> The issue is that if memory is under control of an attacker then doing
> anything at all, especially running the stdio machinery, is unsafe. To
> that end musl uses a_crash() here which expands to a minimal set of
> instructions to crash the process:
> http://git.musl-libc.org/cgit/musl/tree/arch/x86_64/atomic_arch.h#n106
>
> Furthermore, musl doesn't use any of thosed tagged branch tricks and I
> personally doubt it would make any difference.
>
Ah okay, got it.
On Thu, Sep 14, 2023 at 8:18 PM Rich Felker <dalias@libc.org> wrote:
>
> Yes. mallocng is written such that you could use the normal assert
> with it, but presently it's just expanding to a_crash(). At some point
> this might be revamped to crash with a message string in a particular
> register or argument slot or something so that you get a bit more
> meaningful information if looking at it in a debugger. And indeed, the
> reason not to do any message printing, etc. is that you're running in
> a known-compromised process state where any further complex execution
> is unsafe (e.g. if the out-of-band malloc metadata was clobbered, the
> function pointers in stderr might also have been clobbered, since the
> latter are *easier to reach* than the OOB metadata).
>
Hmm sure, that makes sense.
>
> Yes, the only reason libm.h has them is because nsz is using the code
> in other environments that want them, and it made sense to avoid
> gratuitous differences. We don't generally use those in musl. If the
> compiler isn't generating good code and puts the failure path as a hot
> path, we probably should explore whether the compiler is missing that
> it's a does-not-return thing (which should always be treated as cold).
> But indeed I doubt it makes a difference.
>
Got it. I will send in a new patch to simply use an assertion instead then.
Thank you for the detailed explanations!
Best regards,
James Raphael Tiovalen
prev parent reply other threads:[~2023-09-16 6:54 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-08 17:49 James Raphael Tiovalen
2023-09-09 0:48 ` Rich Felker
2023-09-14 5:13 ` James R T
2023-09-14 9:23 ` Joakim Sindholt
2023-09-14 12:18 ` Rich Felker
2023-09-16 6:53 ` James R T [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAA_Li+up0SuDAAiqg98mWxd75aH6ifZ65Gi5XkW43bcuETw6iw@mail.gmail.com \
--to=jamestiotio@gmail.com \
--cc=dalias@libc.org \
--cc=musl@lists.openwall.com \
--cc=opensource@zhasha.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).