Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAA_Li+up0SuDAAiqg98mWxd75aH6ifZ65Gi5XkW43bcuETw6iw@mail.gmail.com>
Date: Sat, 16 Sep 2023 14:53:35 +0800
From: James R T <jamestiotio@...il.com>
To: Rich Felker <dalias@...c.org>, Joakim Sindholt <opensource@...sha.com>
Cc: musl@...ts.openwall.com
Subject: Re: [PATCH] Add a safe dequeue integrity check for mallocng

On Thu, Sep 14, 2023 at 5:23 PM Joakim Sindholt <opensource@...sha.com> wrote:
>
> It's a little confusing but assert() in mallocng is not real assert():
> http://git.musl-libc.org/cgit/musl/tree/src/malloc/mallocng/glue.h#n33
> The issue is that if memory is under control of an attacker then doing
> anything at all, especially running the stdio machinery, is unsafe. To
> that end musl uses a_crash() here which expands to a minimal set of
> instructions to crash the process:
> http://git.musl-libc.org/cgit/musl/tree/arch/x86_64/atomic_arch.h#n106
>
> Furthermore, musl doesn't use any of thosed tagged branch tricks and I
> personally doubt it would make any difference.
>

Ah okay, got it.

On Thu, Sep 14, 2023 at 8:18 PM Rich Felker <dalias@...c.org> wrote:
>
> Yes. mallocng is written such that you could use the normal assert
> with it, but presently it's just expanding to a_crash(). At some point
> this might be revamped to crash with a message string in a particular
> register or argument slot or something so that you get a bit more
> meaningful information if looking at it in a debugger. And indeed, the
> reason not to do any message printing, etc. is that you're running in
> a known-compromised process state where any further complex execution
> is unsafe (e.g. if the out-of-band malloc metadata was clobbered, the
> function pointers in stderr might also have been clobbered, since the
> latter are *easier to reach* than the OOB metadata).
>

Hmm sure, that makes sense.

>
> Yes, the only reason libm.h has them is because nsz is using the code
> in other environments that want them, and it made sense to avoid
> gratuitous differences. We don't generally use those in musl. If the
> compiler isn't generating good code and puts the failure path as a hot
> path, we probably should explore whether the compiler is missing that
> it's a does-not-return thing (which should always be treated as cold).
> But indeed I doubt it makes a difference.
>

Got it. I will send in a new patch to simply use an assertion instead then.

Thank you for the detailed explanations!

Best regards,
James Raphael Tiovalen

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.