Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20220920085117.GD2158779@port70.net>
Date: Tue, 20 Sep 2022 10:51:17 +0200
From: Szabolcs Nagy <nsz@...t70.net>
To: Nat! <nat@...le-kybernetik.com>
Cc: musl@...ts.openwall.com
Subject: Re: The heap memory performance (malloc/free/realloc) is
 significantly degraded in musl 1.2 (compared to 1.1)

* Nat! <nat@...le-kybernetik.com> [2022-09-19 22:46:20 +0200]:
> 
> On 19.09.22 20:14, Szabolcs Nagy wrote:
> > * baiyang <baiyang@...il.com> [2022-09-20 01:40:48 +0800]:
> > > I looked at the code of tcmalloc, but I didn't find any of the problems you mentioned in the implementation of malloc_usable_size (see: https://github.com/google/tcmalloc/blob/9179bb884848c30616667ba129bcf9afee114c32/tcmalloc/tcmalloc.cc#L1099 ).
> > > 
> > > On the contrary, similar to musl, tcmalloc also directly uses the return value of malloc_usable_size in its realloc implementation to determine whether memory needs to be reallocated: https://github.com/google/tcmalloc/blob/9179bb884848c30616667ba129bcf9afee114c32/tcmalloc/tcmalloc.cc#L1499
> > > 
> > > I think this is enough to show that the return value of malloc_usable_size in tcmalloc is accurate and reliable, otherwise its own realloc will cause a segment fault.
> > obviously internally the implementation can use the internal chunk size...
> > 
> > GetSize(p) is not the exact size (that the user allocated) but an internal
> > size (which may be larger) and that must not be exposed *outside* of the
> > malloc implementation (other than for diagnostic purposes).
> > 
> > you can have 2 views:
> > 
> > (1) tcmalloc and jemalloc are buggy because they expose an internal
> >      that must not be exposed (becaues it can break user code).
> > 
> > (2) user code is buggy if it uses malloc_usable_size for any purpose
> >      other than diagnostic/statistics (because other uses are broken
> >      on many implementations).
> > 
> > either way the brokenness you want to support is a security hazard
> > and you are lucky that musl saves the day: it works hard not to
> > expose internal sizes so the code you seem to care about can operate
> > safely (which is not true on tcmalloc and jemalloc: the compiler
> > may break that code).
> > 
> You can also have the third view, that malloc is allocating "at least" the
> amount of size requested (as it technically it is likely to do). That you
> can use "malloc_usable_size" to get the actually available size. That the
> code that is enforcing the semantics, that only the "at least" bytes should
> be accessed is in error, unless the error checking code modifies
> "malloc_usable_size" to only return the size as requested by the user.
> 
> Surely not a popular opinion :D :D

that third option is

(3) the compiler must not optimize based on the malloc interface
    contract. (just treat it like a normal extern call.)

which currently only happens at -O0 or -fno-builtin-malloc.
(although it seems those dont affect __builtin_dynamic_object_size)

note: the compiler cannot know about all non-standard extensions
and even if it did it cannot prove the absence of their call if
a pointer escapes. this means lot of malloc related optimizations
and diagnostics have to be turned off for everyone just in case
there is a m_u_s call. while this is a valid option it's not on
the libc to implement but on the compiler, which we cant control.
even if compiler devs agree with (3) we still cannot expose users
to security risk who use older compilers for some time. i think
it's not likely gcc or clang would accept (3) by default.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.