> It may also be viable as a security feature in some situations, not just
> a way of finding bugs. Depends on how far away the UAF is from the free
> call since one other free is all that's needed to lose reliable
> detection. It might work better with a FIFO ring buffer rather than the
> current
On 02/11/15 06:40 AM, Theo Buehler wrote:
> Sorry for this rather long mail:
>
> I have three small comments on the patch itself
> (starting 80 lines below).
>
> For those who want to try both new features, I attached a patch against
> -current that merges the three parts of Daniel's diff (plus t
Sorry for this rather long mail:
I have three small comments on the patch itself
(starting 80 lines below).
For those who want to try both new features, I attached a patch against
-current that merges the three parts of Daniel's diff (plus the trivial
two of the nits below) at the very end of thi
(without mangling it this time...)
diff --git a/stdlib/malloc.c b/stdlib/malloc.c
index 424dd77..c408594 100644
--- a/stdlib/malloc.c
+++ b/stdlib/malloc.c
@@ -182,6 +182,7 @@ struct malloc_readonly {
int malloc_freeunmap; /* mprotect free pages PROT_NONE? */
int mall
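Review bot: the hunk header (`-182,6 +182,7`) says one line is added to `struct malloc_readonly`, but the quoted hunk breaks off after `int mall` before the added field and its comment are visible, so the new tunable cannot be reviewed from this posting; the surrounding context line (`int malloc_freeunmap; /* mprotect free pages PROT_NONE? */`) suggests the added field should carry a comment in the same style.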
On Fri, Oct 30, 2015 at 11:51:17PM -0400, Daniel Micay wrote:
> On 26/10/15 04:19 PM, Daniel Micay wrote:
> > This is an improved revision of my earlier patch.
> >
> > It now validates the junk data in the delayed_chunks array in an atexit handler
> > too, rather than just when allocations a
On 26/10/15 04:19 PM, Daniel Micay wrote:
> This is an improved revision of my earlier patch.
>
> It now validates the junk data in the delayed_chunks array in an atexit handler
> too, rather than just when allocations are swapped out.
>
> It will now catch this simple UAF 100% of the time:
>
This is an improved revision of my earlier patch.
It now validates the junk data in the delayed_chunks array in an atexit handler too, rather than just when allocations are swapped out.
It will now catch this simple UAF 100% of the time:
#include
#include
int main(void) {
size_t i;
char *
Er, here it is without the screwed up whitespace (whoops):
diff --git a/stdlib/malloc.c b/stdlib/malloc.c
index 424dd77..7c33a7a 100644
--- a/stdlib/malloc.c
+++ b/stdlib/malloc.c
@@ -182,6 +182,7 @@ struct malloc_readonly {
int malloc_freeunmap; /* mprotect free pages PROT_NONE?
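Review bot: this re-post carries a different blob id (`7c33a7a` versus `c408594` in the earlier posting), so the whitespace cleanup did change the file contents, but the hunk is again cut off at the `malloc_freeunmap` context line before the one added field the `+182,7` header announces, so the cleaned-up version cannot be compared against the original here.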
This patch adds a form of use-after-free detection based on validating that
the junk data is still in place when swapping out an allocation from the
delayed chunk cache. It will probably nearly double the cost of the junk free
feature that's enabled by default since it needs to do a whole extra pas
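The mechanism described in this message, a delayed-free quarantine whose chunks are filled with junk and checked for that junk when they leave the quarantine (on eviction and again at exit), as an added stand-alone illustration that is not the OpenBSD malloc code or Daniel's patch. The ring size, the fill byte, the FIFO slot choice and all function names are assumptions made for the example; the real allocator picks the delayed slot differently and uses its own junk pattern.

```c
/* Added example: a toy delayed-free quarantine that junks freed chunks and
 * checks that the junk is still intact when a chunk leaves the quarantine
 * (on eviction from the ring, or when the ring is drained at exit).
 * Not OpenBSD malloc code; sizes, pattern and names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

#define DELAYED_SLOTS 4        /* assumed quarantine size */
#define JUNK_BYTE 0xdfU        /* assumed fill pattern */

struct chunk { unsigned char *ptr; size_t size; };

static struct chunk delayed_chunks[DELAYED_SLOTS];
static size_t next_slot;           /* FIFO ring index (assumed policy) */
static size_t corrupted_chunks;    /* chunks whose junk was overwritten */

/* Return 1 if every byte of the quarantined chunk still holds JUNK_BYTE. */
static int junk_intact(const struct chunk *c)
{
    for (size_t i = 0; i < c->size; i++)
        if (c->ptr[i] != JUNK_BYTE)
            return 0;
    return 1;
}

/* Validate, then really free, one chunk leaving the quarantine. */
static void release(struct chunk *c)
{
    if (c->ptr == NULL)
        return;
    if (!junk_intact(c))
        corrupted_chunks++;        /* a stale write disturbed the junk */
    free(c->ptr);
    c->ptr = NULL;
    c->size = 0;
}

/* Quarantined free: junk the chunk, put it in the ring, and validate the
 * chunk it evicts (the "swap out" check described in the message). */
void quarantine_free(void *p, size_t size)
{
    struct chunk evicted = delayed_chunks[next_slot];
    memset(p, JUNK_BYTE, size);
    delayed_chunks[next_slot].ptr = p;
    delayed_chunks[next_slot].size = size;
    next_slot = (next_slot + 1) % DELAYED_SLOTS;
    release(&evicted);
}

/* Drain the ring, validating every chunk: what an atexit handler would do. */
void quarantine_flush(void)
{
    for (size_t i = 0; i < DELAYED_SLOTS; i++)
        release(&delayed_chunks[i]);
    next_slot = 0;
}

size_t quarantine_corrupted(void) { return corrupted_chunks; }

/* Constructed scenario: free n 32-byte chunks; if uaf is set, write into the
 * first one after it was handed to the quarantine (it is still mapped and
 * not yet passed to free(), so this is safe to run). Returns how many chunks
 * were found corrupted, whether at eviction time or at the final flush. */
size_t run_scenario(size_t n, int uaf)
{
    unsigned char *first = NULL;
    corrupted_chunks = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char *p = malloc(32);
        if (p == NULL)
            abort();
        if (i == 0)
            first = p;
        quarantine_free(p, 32);
        if (i == 0 && uaf)
            first[5] = 'X';        /* constructed write-after-free */
    }
    quarantine_flush();
    return corrupted_chunks;
}

int main(void)
{
    printf("clean run, 2 frees:        %zu corrupted\n", run_scenario(2, 0));
    printf("stale write, flush only:   %zu corrupted\n", run_scenario(2, 1));
    printf("stale write, evicted:      %zu corrupted\n", run_scenario(6, 1));
    return 0;
}
```

With six frees the corrupted chunk is caught when the fifth free evicts it from the four-slot ring; with two frees it survives until the flush, which is the case the atexit validation is there for. The example also shows the limit the reply at the top of the thread raises: a stale write that happens after the chunk has already been evicted and freed is outside the quarantine and goes undetected.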