struct / isoalloc

A general purpose memory allocator that implements an isolation security strategy to mitigate memory safety issues while maintaining good performance
https://secure.dev
Apache License 2.0

Randomize zones granularity #49

Open jvoisin opened 2 years ago

jvoisin commented 2 years ago

Currently, isoalloc has zones in increasing power of two, for performance reasons.

Unfortunately, this means that an attacker aiming at exploiting a UAF against an object of size N only needs to find an object of size between the previous and the next power of two to be able to get it allocated with reasonable confidence (quarantine notwithstanding).

Introducing a bit of randomness in the granularity will make the life of an attacker without the ability to leak too much data a bit harder, since they would have no way to be sure that they managed to allocate the object of their choosing in the same zone as the freed-and-to-be-reused object.

struct commented 9 months ago

Chunk sizes are no longer powers of 2 after #216, they are now multiples of 64. I think the scenario you described above is less likely now but still possible.

jvoisin commented 9 months ago
>>> import itertools
>>> len(list(itertools.takewhile(lambda x: x<4096, (64*i for i in itertools.count(0)))))
64
>>> len(list(itertools.takewhile(lambda x: x<4096, (2**i for i in itertools.count(0)))))
12

this indeed significantly increases granularity, nice!

But wouldn't it increase memory fragmentation as well?

struct commented 9 months ago

Yes. I don't think there's an optimum general solution here. It's full of tradeoffs all the way down.
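To make the tradeoff discussed above concrete, here is an added example (not isoalloc's own code) that models the two size-class schemes, power-of-two rounding and rounding up to a multiple of 64, and computes for a request size N the window of other request sizes that land in the same zone, i.e. how many distinct object sizes could end up reusing a freed chunk of size N. The rounding functions are a simplified assumption; isoalloc's real minimum and maximum chunk sizes are not modelled.

```python
# Added example: simplified model of isoalloc zone size classes, not the allocator's code.
# Assumption: a request of n bytes is served from the zone whose chunk size is n rounded up.

def class_pow2(n):
    """Round n up to the next power of two (the pre-#216 scheme)."""
    if n < 1:
        raise ValueError("size must be positive")
    return 1 << (n - 1).bit_length()


def class_mult64(n):
    """Round n up to the next multiple of 64 (the post-#216 scheme)."""
    if n < 1:
        raise ValueError("size must be positive")
    return ((n + 63) // 64) * 64


def sharing_window(n, classifier):
    """Return (lo, hi): the inclusive range of request sizes served by the same zone as n.

    hi - lo + 1 is the number of distinct object sizes an attacker could choose from
    to land in the zone of a freed chunk of size n (quarantine ignored). Narrower is better.
    """
    zone = classifier(n)
    lo = n
    while lo > 1 and classifier(lo - 1) == zone:
        lo -= 1
    hi = n
    while classifier(hi + 1) == zone:
        hi += 1
    return lo, hi


def count_classes(limit, classifier):
    """Number of distinct zones needed to serve every request size in 1..limit (fragmentation cost)."""
    return len({classifier(s) for s in range(1, limit + 1)})


if __name__ == "__main__":
    for n in (100, 200, 1000, 3000):
        for name, c in (("pow2", class_pow2), ("mult64", class_mult64)):
            lo, hi = sharing_window(n, c)
            print(f"{name:7s} n={n:5d} zone={c(n):5d} window={lo}..{hi} ({hi - lo + 1} sizes)")
    print("zones needed below 4096:", count_classes(4096, class_pow2), "vs", count_classes(4096, class_mult64))
```

For n=1000 the power-of-two scheme shares its zone with 512 request sizes (513..1024) while the multiple-of-64 scheme shares with only 64 (961..1024), at the cost of 64 zones instead of 13 to cover sizes up to 4096.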