> It may also be viable as a security feature in some situations, not just
> a way of finding bugs. Depends on how far away the UAF is from the free
> call since one other free is all that's needed to lose reliable
> detection. It might work better with a FIFO ring buffer rather than the
> current
On 02/11/15 06:40 AM, Theo Buehler wrote:
Sorry for this rather long mail:
I have three small comments on the patch itself
(starting 80 lines below).
For those who want to try both new features, I attached a patch against
-current that merges the three parts of Daniel's diff (plus the trivial
two of the nits below) at the very end of thi
(without mangling it this time...)
diff --git a/stdlib/malloc.c b/stdlib/malloc.c
index 424dd77..c408594 100644
--- a/stdlib/malloc.c
+++ b/stdlib/malloc.c
@@ -182,6 +182,7 @@ struct malloc_readonly {
int malloc_freeunmap; /* mprotect free pages PROT_NONE? */
int mall
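Review bot: the field this hunk adds to struct malloc_readonly is cut off here after `int mall`, so its name and comment cannot be checked; it should carry a trailing comment describing the option in the style of the neighbouring `int malloc_freeunmap; /* mprotect free pages PROT_NONE? */`, since this struct is the read-only option block a reader consults to learn what each flag does.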
On Fri, Oct 30, 2015 at 11:51:17PM -0400, Daniel Micay wrote:
On 26/10/15 04:19 PM, Daniel Micay wrote:
This is an improved revision of my earlier patch.
It now validates the junk data in the delayed_chunks array in an atexit handler
too, rather than just when allocations are swapped out.
It will now catch this simple UAF 100% of the time:
#include
#include
int main(void) {
size_t i;
char *
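A toy reconstruction of the check the patch adds, written for this thread as an added example and not code from Daniel's diff or from OpenBSD's malloc.c: freed chunks are junk-filled and parked in a small quarantine ring, and the junk is validated both when a later free evicts a chunk and in an exit-time sweep. The 0xdf fill byte, the 4-slot ring and the FIFO order (the ring-buffer variant suggested earlier in the thread, rather than a random slot) are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define JUNK_BYTE 0xdf   /* assumed free-fill byte, chosen for this example */
#define NDELAYED 4       /* quarantine ring size; stands in for delayed_chunks */

struct dchunk { unsigned char *p; size_t sz; };

static struct dchunk ring[NDELAYED];  /* FIFO ring of freed-but-not-released chunks */
static unsigned ring_next;            /* next slot to overwrite */
static int uaf_hits;                  /* corrupted chunks found so far */

/* A quarantined chunk must still be all junk; any other byte is a write after free. */
static int chunk_is_junk(const struct dchunk *c) {
    for (size_t i = 0; i < c->sz; i++)
        if (c->p[i] != JUNK_BYTE) return 0;
    return 1;
}

/* Validate one slot, report, release it, and return 1 if it was corrupted. */
static int retire(struct dchunk *c) {
    int bad = c->p != NULL && !chunk_is_junk(c);
    if (bad) { uaf_hits++; fprintf(stderr, "write after free in chunk %p\n", (void *)c->p); }
    free(c->p);
    c->p = NULL;
    return bad;
}

/* Free through the quarantine: junk-fill, push into the ring, validate the evicted chunk. */
int qfree(void *p, size_t sz) {
    memset(p, JUNK_BYTE, sz);
    struct dchunk *slot = &ring[ring_next++ % NDELAYED];
    int evicted_bad = retire(slot);   /* the "swapped out" check from the thread */
    slot->p = p; slot->sz = sz;
    return evicted_bad;
}

/* Exit-time sweep (register with atexit): validate everything still quarantined. */
int validate_delayed(void) {
    int bad = 0;
    for (unsigned i = 0; i < NDELAYED; i++) bad += retire(&ring[i]);
    return bad;
}

/* The thread's "simple UAF" case, reconstructed: free, store through the dangling pointer, exit. */
int demo_simple_uaf(void) {
    char *s = malloc(16);
    qfree(s, 16);
    s[3] = 'X';                 /* the bug: write after free */
    return validate_delayed();  /* returns 1: the junk check catches it */
}

int uaf_hits_total(void) { return uaf_hits; }
```

A write that lands on a chunk already evicted from the ring is not seen, which is the limitation Daniel notes: one extra free past the ring size is enough to lose detection.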