5.10 Merge window, part 1
5.10 Merge window, part 1
Posted Oct 17, 2020 18:46 UTC (Sat) by jrtc27 (subscriber, #107748)Parent article: 5.10 Merge window, part 1
It's worth noting that this is only probabilistic (for use-after-free the memory tag will eventually cycle back round and be usable again with an old pointer, and for buffer overflows you in general have a 1/16 chance of the out-of-bounds memory having a matching tag), with the exception that you can catch overflows into adjacent memory deterministically by choosing your tags such that adjacent allocations' are always different, and that using the tags for both simultaneously multiplies the constraints together such that both mitigations become weaker (higher probability of an invalid memory access not being detected) compared with exclusively enabling one.
Posted Oct 18, 2020 8:43 UTC (Sun)
by Jandar (subscriber, #85683)
[Link] (2 responses)
One could reserve 1 of the 16 tags for un-allocated or freed memory, so no cycling required.
> for buffer overflows you in general have a 1/16 chance of the out-of-bounds memory having a matching tag
If the n tags used for this are assigned in a cycling pattern, than small overflows are detected reliable, and if n isn't divisible by 2 all offsets by any x-order page are detected.
While this doesn't detect overflows to 100% it's nevertheless a good defense.
Posted Oct 18, 2020 18:01 UTC (Sun)
by jrtc27 (subscriber, #107748)
[Link] (1 responses)
So, the important thing about use-after-free is that it's actually not the real problem. If you free memory but continue to use it whilst it's still free, so long as the entire page isn't unmapped by the allocator (and so long as your allocator doesn't go and pattern-fill the memory to try and catch these things), you don't actually have a vulnerability. Where the vulnerabilities come from is use-after-*reallocation*, i.e. when you continue to use memory that has since been allocated to someone else. That allows you to then read and/or write to whatever their data structures are and do things like rewrite C++ vtables or conduct data-oriented attacks. Using a reserved tag for unallocated memory doesn't solve that problem, as when malloc reuses freed memory it needs to assign it a different tag from whatever you've reserved, which it can't do forever without eventually re-tagging that region of memory with the same as the original tag.
> > for buffer overflows you in general have a 1/16 chance of the out-of-bounds memory having a matching tag
Yeah, you can do things like that, but once you get significantly out-of-bounds there won't be much of a useful pattern any more, both because the offset is likely fairly arbitrary and because you may be crossing into an allocation pool for a different bucket size, so for anything that's a few pages out of bounds it's highly likely to just degrade into a 1/n probability. It's better than nothing, but it doesn't solve the problem, it just creates additional work for attackers to ensure they get an offset that lands on a correctly-tagged region.
Posted Oct 18, 2020 21:45 UTC (Sun)
by roc (subscriber, #30627)
[Link]
5.10 Merge window, part 1
5.10 Merge window, part 1
>
> One could reserve 1 of the 16 tags for un-allocated or freed memory, so no cycling required.
>
> If the n tags used for this are assigned in a cycling pattern, than small overflows are detected reliable, and if n isn't divisible by 2 all offsets by any x-order page are detected.
>
> While this doesn't detect overflows to 100% it's nevertheless a good defense.
5.10 Merge window, part 1