Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <448715ac-5282-4345-af34-ae48a4af947f@dustri.org>
Date: Sat, 16 Sep 2023 16:58:45 +0200
From: jvoisin <julien.voisin@...tri.org>
To: musl@...ts.openwall.com
Subject: Re: [PATCH v2] Add a safe dequeue integrity check for mallocng

On 16/09/2023 09:08, James Raphael Tiovalen wrote:
> This commit adds an integrity check to allow for safer dequeuing of the
> out-of-band meta structs in mallocng. If the unlikely condition is true
> due to some sort of heap metadata corruption, we abort.

Since asserts aren't present in production code[1], I don't think that
this change is useful.


> This approach is similar to the safe unlinking check performed by glibc.

The metadata in musl's heap implementation are stored out-of-bound.
Should an attacker be able to locate and modify them, it's already game
over. Adding a `m->prev->next == m && m->next->prev == m` would only
impede attackers if they only have an arbitrary read and a one-shot
arbitrary write that can only overwrite one `meta` instead. This seems
pretty contrived (as in "unlikely) to me. Do you have any particular
scenario in mind?


1. https://git.musl-libc.org/cgit/musl/tree/include/assert.h

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.