Page MenuHomePhabricator

[scudo][standalone] Add chunk ownership function
ClosedPublic

Authored by cryptoad on Dec 2 2019, 8:50 AM.

Details

Summary

In order to be compliant with tcmalloc's extension ownership
determination function, we have to expose a function that will
say if a chunk was allocated by us.

As to whether or not this has security consequences: someone
able to call this function repeatedly could use it to determine
secrets (cookie) or craft a valid header. So this should not be
exposed directly to untrusted user input.

Add related tests.

Additionally clang-format caught a few things to change.

Diff Detail

Event Timeline

cryptoad created this revision.Dec 2 2019, 8:50 AM
Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptDec 2 2019, 8:50 AM
Herald added subscribers: Restricted Project, jfb, JDevlieghere. · View Herald Transcript
hctim added a comment.Dec 2 2019, 11:45 AM

So the model presented asserts that if the chunk header is truncated, the pointer is not owned by us. Is this WAI? I can forsee that a chunk header was truncated, and then the pointer to the associated allocation is checked for ownership, which the ownership will fail as the chunk header check didn't succeed.

compiler-rt/lib/scudo/standalone/combined.h
483

Why blank assert log here?

cryptoad marked an inline comment as done.Dec 2 2019, 1:21 PM

So the model presented asserts that if the chunk header is truncated, the pointer is not owned by us. Is this WAI? I can forsee that a chunk header was truncated, and then the pointer to the associated allocation is checked for ownership, which the ownership will fail as the chunk header check didn't succeed.

I think that not claiming ownership of a corrupted chunk is something we can live with.
The ownership concept for tcmalloc has strong requirements, which I think are fulfilled by this implementation.

cryptoad updated this revision to Diff 231772.Dec 2 2019, 1:21 PM

Adding a log for the new static_assert.

hctim accepted this revision.Dec 2 2019, 1:27 PM

I think that not claiming ownership of a corrupted chunk is something we can live with.
The ownership concept for tcmalloc has strong requirements, which I think are fulfilled by this implementation.

Ack - would you mind mentioning this decision in the function description comment?

Otherwise LGTM.

This revision is now accepted and ready to land.Dec 2 2019, 1:27 PM
cryptoad updated this revision to Diff 231778.Dec 2 2019, 2:08 PM

Adding a comment saying that a corrupted chunk won't be reported
as owned (well technically it might be "owned"), but that it's WAI.

This revision was automatically updated to reflect the committed changes.