On Thu, Jul 04, 2013 at 05:24:20PM +0200, Mark Kettenis wrote:
> > From: Theo de Raadt <dera...@cvs.openbsd.org>
> > Date: Thu, 04 Jul 2013 09:04:54 -0600
> >
> > I suspect the best approach would be a hybrid value. The upper half
> > of the address should try to land in an unmapped zone, or into the zero
> > page, or into some address space hole, or into super high memory above
> > the stack which is guaranteed unmapped.
>
> Don't forget strict alignment architectures, where it is beneficial
> to have the lowest bit set to trigger alignment traps.

You also want the highest bit set. This makes sure signed indexes get
interpreted as negative, which should more often detect problems than
positive ones. There are not only pointers in the heap.

I very much prefer the values to be easily recognizable in a debugger
and to keep a clear distinction between "uninitialized" and "freed"
chunks. Too much random is not a good thing in this case.

I picked 0xdf a few years ago to mark freed memory. The f is supposed
to help you remember that when you see it in a debugger.

Maybe put a fixed pattern in the low nibbles and a random in the high
nibble. Together with the lowest and highest bit set this would go
like:

0x8e0d0e0f || 0xr0r0r0r0 (pick another lhs for freed mem)

Wondering if that would produce easily recognizable patterns that
still trigger enough faults.

	-Otto
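The junk-word scheme sketched above, as an added example (not Otto's code and not OpenBSD's malloc): fixed low nibbles for recognizability, random high nibbles, the sign bit and the lowest bit forced, a classifier that tells an "uninitialized" word from a "freed" one under any random nibbles, and a fill/verify pair that writes whole native words so a stale pointer loaded from a freed chunk carries the bits. The freed-pattern constant 0x8f0d0f0f is a constructed stand-in for the "other lhs".

```c
#include <stdint.h>
#include <string.h>

/* 0x8e0d0e0f is the fixed pattern from the message; JUNK_FREED_FIXED is a
 * constructed "other lhs" for freed chunks. Bits 31 and 0 are set in both. */
#define JUNK_UNINIT_FIXED 0x8e0d0e0fU
#define JUNK_FREED_FIXED  0x8f0d0f0fU
#define HIGH_NIBBLES      0xf0f0f0f0U
#define SIG_MASK          0x8f0f0f0fU   /* low nibbles plus the sign bit */

/* Fixed low nibbles OR random high nibbles; bit 31 forced so the word is a
 * negative signed index, bit 0 forced so it is a misaligned pointer. */
uint32_t make_junk(uint32_t fixed, uint32_t rnd)
{
    return 0x80000001U | (fixed & ~HIGH_NIBBLES) | (rnd & HIGH_NIBBLES);
}

/* 'U' or 'F' if the word carries a fixed pattern under any random high
 * nibbles, else 0: the signature you would recognize in a debugger. */
int classify_junk(uint32_t w)
{
    if ((w & SIG_MASK) == (JUNK_UNINIT_FIXED & SIG_MASK)) return 'U';
    if ((w & SIG_MASK) == (JUNK_FREED_FIXED & SIG_MASK)) return 'F';
    return 0;
}

/* Fill with whole native-endian words so a stale pointer loaded from the
 * chunk is exactly w; a bytewise 0x8e,0x0d,... fill would move the sign
 * and low bits on a little-endian CPU. Trailing bytes get a partial word. */
void junk_fill(void *p, size_t len, uint32_t w)
{
    unsigned char *c = p;
    size_t i;
    for (i = 0; i + sizeof w <= len; i += sizeof w)
        memcpy(c + i, &w, sizeof w);
    memcpy(c + i, &w, len - i);
}

/* Count whole words that still carry pattern kind ('U' or 'F'): a freed
 * chunk with fewer than len/4 intact words was written after free. */
size_t junk_words_intact(const void *p, size_t len, int kind)
{
    const unsigned char *c = p;
    size_t n = 0, i;
    uint32_t w;
    for (i = 0; i + sizeof w <= len; i += sizeof w) {
        memcpy(&w, c + i, sizeof w);
        if (classify_junk(w) == kind) n++;
    }
    return n;
}
```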