On Thu, Sep 08, 2016 at 07:47:58PM -0400, Daniel Micay wrote:

> A nice security property of 0xdf filling is that a use-after-free of a
> pointer is guaranteed to fault in a typical environment since it ends up
> pointing outside userspace (I assume that's the case on OpenBSD). A heap
> spray could potentially allow exploiting a random pointer. Perhaps it
> would be better if only the byte range guaranteeing faults for pointers
> was used? Less random, but strictly better than the current situation
> rather than losing a nice guarantee.
AFAIK 0xdf...df is not guaranteed, just often outside the address space. I selected 0xdf a long time ago as an alternative to the 0xd0 (Duh) byte used for new chunks. Both as a mnemonic for "free" and because it is likely to cause segfaults. A pointer ending in 0xdf often will be unaligned. Of course that won't work on all archs or all pointers. Random patterns are also likely to produce segfaults, using them as a pointer has a big chance of being unaligned or pointing to an unmapped page.

-Otto
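The two properties the thread relies on, "a 0xdf-filled word is an unaligned pointer" and "it points outside the user address space", can be checked directly. The block below is an added example, not code from this thread or from OpenBSD's malloc: it simulates a junk-filled freed chunk, reads a pointer-sized word from it the way a dangling dereference would, and tests that word for alignment and for amd64 canonical form (on amd64 bits 63..47 of a virtual address must all be equal, otherwise the access faults before any page table is consulted). The byte values 0xdf and 0xd0 are the ones Otto names; the function names, the chunk size and the PRNG-driven random-pattern experiment are constructed for illustration. It also goes slightly beyond the message by counting how often a fully random fill would fault under the same two tests.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fill bytes named in the thread (macro names are hypothetical). */
#define FREE_JUNK  0xdf   /* written over a chunk when it is freed */
#define ALLOC_JUNK 0xd0   /* written into a fresh chunk ("Duh") */

/* Simulate a chunk that was junk-filled on free, then read an 8-byte word
 * from it: this is the value a stale pointer stored in that chunk would have
 * when a use-after-free loads it.  Always 8 bytes so the amd64 checks below
 * are meaningful regardless of the host's pointer width. */
uint64_t word_from_fill(unsigned char pattern) {
    unsigned char chunk[64];                 /* constructed stand-in for a freed chunk */
    uint64_t w;
    memset(chunk, pattern, sizeof chunk);
    memcpy(&w, chunk, sizeof w);             /* what *(uint64_t *)freed_chunk yields */
    return w;
}

/* Natural alignment check for a would-be pointer value. */
bool is_aligned(uint64_t p, size_t align) {
    return (p % align) == 0;
}

/* amd64 canonical form: bits 63..47 (17 bits) must be all 0 or all 1.
 * Any other value raises #GP on access, independent of page mappings. */
bool is_canonical_amd64(uint64_t p) {
    uint64_t top = p >> 47;
    return top == 0 || top == 0x1ffff;
}

/* Canonical and in the lower half, the only range user mappings occupy on amd64. */
bool is_userspace_amd64(uint64_t p) {
    return is_canonical_amd64(p) && (p >> 47) == 0;
}

/* Deterministic PRNG (splitmix64) so the random-pattern experiment is repeatable. */
static uint64_t splitmix64(uint64_t *state) {
    uint64_t z = (*state += 0x9e3779b97f4a7c15ULL);
    z = (z ^ (z >> 30)) * 0xbf58476d1ce4e5b9ULL;
    z = (z ^ (z >> 27)) * 0x94d049bb133111ebULL;
    return z ^ (z >> 31);
}

/* Count how many random 8-byte fill words would fault as a pointer on amd64,
 * either because they are not 8-byte aligned or because they are non-canonical. */
int random_fill_faulting_words(uint64_t seed, int trials) {
    int faults = 0;
    for (int i = 0; i < trials; i++) {
        uint64_t w = splitmix64(&seed);
        if (!is_aligned(w, 8) || !is_canonical_amd64(w))
            faults++;
    }
    return faults;
}

static void report(const char *name, unsigned char pattern) {
    uint64_t w = word_from_fill(pattern);
    printf("%-10s 0x%016llx  aligned8=%d  canonical=%d  userspace=%d\n",
           name, (unsigned long long)w,
           is_aligned(w, 8), is_canonical_amd64(w), is_userspace_amd64(w));
}

int main(void) {
    report("FREE_JUNK", FREE_JUNK);    /* unaligned and non-canonical */
    report("ALLOC_JUNK", ALLOC_JUNK);  /* 16-byte aligned but still non-canonical */
    printf("random fills faulting: %d / 1000\n",
           random_fill_faulting_words(1, 1000));
    return 0;
}
```

The contrast between the two rows is the point Otto makes: 0xd0...d0 happens to be 16-byte aligned, so only its position outside the address space saves you, whereas 0xdf...df fails both tests. Neither property is architecture-independent; the canonical-form check is specific to amd64, and an ILP32 target would need its own range test.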