> On Thu, Jul 04, 2013 at 05:24:20PM +0200, Mark Kettenis wrote:
> > > From: Theo de Raadt <dera...@cvs.openbsd.org>
> > > Date: Thu, 04 Jul 2013 09:04:54 -0600
> > > 
> > > I suspect the best approach would be a hybrid value.  The upper half
> > > of the address should try to land in an unmapped zone, or into the zero
> > > page, or into some address space hole, or into super high memory above
> > > the stack which is guaranteed unmapped.
> > 
> > Don't forget strict alignment architectures, where it is beneficial
> > to have the lowest bit set to trigger alignment traps.
>
> You also want the highest bit set. This makes sure signed indexes get
> interpreted as negative, which should more often detect problems than
> positive ones. There are not only pointers in the heap. 

A while ago someone hit a bug in my code that I hadn't (and wouldn't ever
have) triggered with MALLOC_OPTIONS=S because the Duh pattern always sets
the high bit, giving a negative integer which just so happened to be
harmless.  Back then I wished malloc would've used all random bits instead.

If you test run your code more than a couple times (as one obviously should,
before going into release), then I'd say randomness (which will likely
soon produce a bug-trigger value) is better than a fixed pattern that attempts
to be useful in some (common?) scenarios but will reliably fail to make a
difference in other cases.

I do see the value in having the option to use fixed patterns though, so
perhaps the hybrid value with a configurable mask as Theo proposed is a
good idea.
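The hybrid junk word the thread is arguing about, as an added C example (not OpenBSD's malloc code and not anything the posters wrote): a configurable mask picks which bits are fixed and which stay random, the fixed bits carry the properties mentioned above (odd for alignment traps, high bit set for a negative signed read, upper bits forced into an address range that cannot be mapped), and a small model of the anecdote shows why an all-fixed pattern such as 0xdf bytes can hide a bug that random bits would expose. The mask/fixed values, the amd64 48-bit canonical-address rule, the xorshift64 generator and the "only acts on positive values" consumer are all assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hybrid junk word: bits selected by `mask` are taken from `fixed`,
 * every other bit from `rnd`. The mask is the configurable part. */
static uint64_t hybrid_junk(uint64_t rnd, uint64_t mask, uint64_t fixed)
{
    return (rnd & ~mask) | (fixed & mask);
}

/* Assumed mask/fixed pair for amd64 with 48-bit virtual addresses:
 *  - bit 0 fixed to 1: the word is odd, so using it as a pointer traps
 *    on strict-alignment architectures;
 *  - bits 63..48 fixed to 1 and bit 47 fixed to 0: the top 17 bits
 *    disagree, so the word is a non-canonical address and any
 *    dereference faults no matter what is mapped; bit 63 set also
 *    makes the word negative when read back as a signed 64-bit integer;
 *  - bits 46..1 stay random, so stale integer reads vary between runs.
 */
#define HYBRID_MASK  0xffff800000000001ULL
#define HYBRID_FIXED 0xffff000000000001ULL

static int is_odd(uint64_t v)          { return (v & 1) != 0; }
static int is_negative_i64(uint64_t v) { return (int64_t)v < 0; }

/* amd64/48-bit VA: canonical iff bits 63..47 are all 0 or all 1. */
static int is_noncanonical_amd64(uint64_t v)
{
    uint64_t top17 = v >> 47;
    return top17 != 0 && top17 != 0x1ffff;
}

/* xorshift64: deterministic so the demo reproduces; a real allocator
 * would draw from arc4random_buf(). Seed must be non-zero. */
static uint64_t xs64(uint64_t *s)
{
    uint64_t x = *s;
    x ^= x << 13;
    x ^= x >> 7;
    x ^= x << 17;
    return *s = x;
}

/* Fill `n` words of a freed or fresh chunk with hybrid junk. */
static void junk_fill_words(uint64_t *buf, size_t n, uint64_t *seed)
{
    for (size_t i = 0; i < n; i++)
        buf[i] = hybrid_junk(xs64(seed), HYBRID_MASK, HYBRID_FIXED);
}

/* Hypothetical model of the bug in the anecdote: code reads an int from
 * freed memory and only acts on it when positive, so a fill pattern that
 * always reads back negative never exposes it. Returns 1 when visible. */
static int buggy_consumer(int32_t stale_n)
{
    return stale_n > 0;
}

/* Fixed byte fill (e.g. 0xdf): does the bug ever become visible? */
static int fixed_pattern_triggers(uint32_t byte_pattern)
{
    return buggy_consumer((int32_t)byte_pattern);
}

/* Random fill: how many of `trials` fills make the bug visible. */
static int random_pattern_triggers(uint64_t seed, int trials)
{
    int hits = 0;
    for (int i = 0; i < trials; i++)
        hits += buggy_consumer((int32_t)(uint32_t)xs64(&seed));
    return hits;
}

int main(void)
{
    uint64_t seed = 0x9e3779b97f4a7c15ULL, words[4];

    junk_fill_words(words, 4, &seed);
    for (size_t i = 0; i < 4; i++)
        printf("junk[%zu] = 0x%016llx odd=%d neg=%d noncanon=%d\n", i,
               (unsigned long long)words[i], is_odd(words[i]),
               is_negative_i64(words[i]), is_noncanonical_amd64(words[i]));

    printf("0xdfdfdfdf fill exposes the modelled bug: %d time(s) in 1 try\n",
           fixed_pattern_triggers(0xdfdfdfdfu));
    printf("random fill exposes the modelled bug: %d time(s) in 1000 tries\n",
           random_pattern_triggers(seed, 1000));
    return 0;
}
```

Read as a 64-bit pointer every hybrid word is odd, negative and non-canonical, so it satisfies both Mark's and Theo's requests at once; read as a 32-bit integer only bit 0 is fixed, so the sign varies from run to run, which is the property the anecdote above says a constant 0xdf fill lacks. Setting the mask to all ones gives back a fully fixed pattern, setting it to zero gives fully random junk.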
