immunant / IA2-Phase2


Harden the compartment-aware allocator #165

Open ayrtonm opened 2 years ago

ayrtonm commented 2 years ago

PR #164 added protected heaps to the compartment-aware allocator. This now works as expected for both private and shared allocations, but we left the shim and allocator's metadata unprotected. I haven't looked very much into what needs to be done for PA's metadata, but an easy place to start would be with the shim's data.

The allocator shim defines an array of pointers to the objects managing the different partitions which is completely unprotected. We should do something relro-like where we initialize it then make the page read-only. Alternatively we could put the pointers on separate pages and tag them accordingly but that may be tricky for the shared PartitionRoot. I only mention the second option because we have a similar issue with the compartment stack pointers #67. There we have another array of pointers which will almost certainly have to be on separate pages (stack pointers can't easily be marked read-only), so it may make sense to combine the allocator shim and stack metadata at some point.

rinon commented 9 months ago

Allocator metadata should be protected by partition-alloc as of #280

fw-immunant commented 9 months ago

Now that we have the syscall filtering runtime, we can straightforwardly define a protocol to make pages immutable, which should solve the shim half of things. If multiple threads can be present, we need to do an ABA-type sequence of first writing data, then making the page immutable, then verifying that the data was not modified concurrently. Otherwise it's fine to simply write the data and freeze it.