Re: random malloc junk

Thu, 15 Sep 2016 07:09:47 -0700 

Otto Moerbeek wrote:
> On Wed, Sep 14, 2016 at 12:53:05PM -0400, Ted Unangst wrote:
> 
> > Daniel Micay wrote:
> > > 
> > > The current OpenBSD code only wipes up to MALLOC_MAXCHUNK with junk @ 1,
> > > and it similarly doesn't wipe at all with 'U' (even though junk-on-free
> > > also serves the purpose of preventing information leaks, not just
> > > mitigating use-after-free). IMO, optimizing large allocation perf like
> > > this isn't worthwhile.
> > 
> > this requires some analysis of what programs do in the wild. some programs
> > preemptively malloc large buffers, but don't touch them. it would be a 
> > serious
> > reqression for free to fault in new pages, just to ditry them, then turn
> > around and unmap them. some of this is because i believe the code is doing
> > things at the wrong time. if you want to dirty whole pages, it should be 
> > when
> > they go on the freelist, not immediately.
> 
> Something like this?

didn't look too closely, but looks good from a distance. :)

> 
>       -Otto
> 
> Index: malloc.c
> ===================================================================
> RCS file: /cvs/src/lib/libc/stdlib/malloc.c,v
> retrieving revision 1.195
> diff -u -p -r1.195 malloc.c
> --- malloc.c  1 Sep 2016 10:41:02 -0000       1.195
> +++ malloc.c  15 Sep 2016 06:09:28 -0000
> @@ -376,6 +376,12 @@ unmap(struct dir_info *d, void *p, size_
>       for (i = 0; i < mopts.malloc_cache; i++) {
>               r = &d->free_regions[(i + offset) & (mopts.malloc_cache - 1)];
>               if (r->p == NULL) {
> +                     if (mopts.malloc_junk && !mopts.malloc_freeunmap) {
> +                             size_t amt = mopts.malloc_junk == 1 ?
> +                                 MALLOC_MAXCHUNK :
> +                                 PAGEROUND(sz) - mopts.malloc_guard;
> +                             memset(p, SOME_FREEJUNK, amt);
> +                     }
>                       if (mopts.malloc_hint)
>                               madvise(p, sz, MADV_FREE);
>                       if (mopts.malloc_freeunmap)
> @@ -1335,11 +1341,6 @@ ofree(struct dir_info *argpool, void *p)
>                                       wrterror(pool, "mprotect", NULL);
>                       }
>                       STATS_SUB(pool->malloc_guarded, mopts.malloc_guard);
> -             }
> -             if (mopts.malloc_junk && !mopts.malloc_freeunmap) {
> -                     size_t amt = mopts.malloc_junk == 1 ? MALLOC_MAXCHUNK :
> -                         PAGEROUND(sz) - mopts.malloc_guard;
> -                     memset(p, SOME_FREEJUNK, amt);
>               }
>               unmap(pool, p, PAGEROUND(sz));
>               delete(pool, r);
> 
>

Reply via email to