Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 10 Jun 2020 12:41:04 -0400
From: Rich Felker <dalias@...c.org>
To: musl@...ts.openwall.com
Subject: Re: mallocng switchover - opportunity to test

On Wed, Jun 10, 2020 at 11:19:43AM +0200, Szabolcs Nagy wrote:
> * Rich Felker <dalias@...c.org> [2020-06-09 16:08:00 -0400]:
> > On Tue, Jun 09, 2020 at 01:09:14PM +0200, Szabolcs Nagy wrote:
> > > - reclaim_gaps is not usable (in linux, file content may be in
> > >   memory that does not support mte, even for private CoW maps,
> > >   this can be changed in principle but to use reclaim_gaps elf
> > >   changes will be needed anyway so a loader knows it has to
> > >   use PROT_MTE and there is no elf abi design for that yet)
> > 
> > Sometimes (often) the gaps will be in bss outside p_filesz, so those
> > should be usable even without fixing this on the kernel side. But
> > indeed it would be best to just have it always work right.
> > 
> > Probably __malloc_donate should, if built for MTE, attempt to mprotect
> > with PROT_MTE and decline to use the memory if it can't.
> 
> yeah checking mprotect return value works.
> 
> > > - madvise MADV_FREE means naive tagging of internal/freed memory
> > >   with a reseved internal tag does not work: internal pointers
> > >   cannot access memory after they are zeroed by the kernel.
> > >   this can be fixed in various ways i haven't decided what's
> > >   best yet. enabling mte will cause various regressions and
> > >   different behaviour (e.g. because all pages are written to on
> > >   malloc, calloc, realloc, free) this will be one of them.
> > 
> > Can you clarify what goes wrong here? There shouldn't be access to
> > memory that's been freed except at time of enframe, and enframe should
> > be able to set a new tag at the same time it performs the access.
> 
> the simplest model i could come up with was just tagging
> right after mmap/mprotect everything with a reserved tag
> and all metadata pointers use that tag.
> 
> then user allocations get a different tag and only the
> user owned range (plus padding at the end) uses that tag
> which is cleared on free (back to the reserved tag).
> 
> this means internal pointer handling does not need to
> deal with tagging at all: all metadata pointers have
> the right tag to access all mapped non-user memory.
> 
> this model breaks if tags can be zeroed after free so
> metadata allocation has to ensure it retags before
> accessing memory, but that requires more changes
> (e.g. enframe does various accesses in freed memory
> when that is reused but with a different offset, now
> we don't know what is the right tag for such access:
> is it 0 or the reserved tag? we can just always retag
> but then enframe will always tag which is more code
> change)

Yes, you can just always retag there. At that point the caller owns
the entire slot and nothing else can observe/touch it except debug
code in dump.c which doesn't need to work. (FWIW the ownership model
here is sufficiently strong that enframe is even called without the
lock held.)

> if the 'reserved tag' is the 0 tag then the model still
> works, but meta data is less protected against invalid
> access with non-heap pointers (which will have 0 tag).

Yes exactly. However I'm not sure it's really that big an issue, and
it might be the best solution. If you never use tag 0 for valid heap
allocations, only freed heap space, then any UAF/DF attempts will trap
due to the tag 0 not matching the nonzero tag in the dangling pointer.
Of course fixed-offset-from-mmapped-library accesses are still
possible and won't trap, but I'm not sure they're valuable in attacks.
The only threat here is probably information leak from freed memory,
and if we're going to retag freed memory with tag zero maybe it makes
sense to just memset it all to zero at the same time (is memset any
slower than "memset just the tag"?).

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.