Closed Bug 1446044 Opened 8 years ago Closed 8 years ago

Zero allocations upon free

Categories

(Core :: Memory Allocator, enhancement)

enhancement
Not set
normal

Tracking

()

RESOLVED INVALID
Tracking Status
firefox61 --- affected

People

(Reporter: tjr, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: sec-want)

If performance is acceptable, we might zero allocations upon free(). This could prevent UAF exploitation in some situations (where the freed object is referenced before the attacker is able to replace the vtable.) When Partitioning Support is robust/in-use, we could only apply this to certain partitions.

We already do poison freed blocks of memory with 0xe5. See kAllocPoison. Is this something different than that?

As Andrew says, we're poisoning freed blocks already.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
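
An added illustration for the thread above (not mozjemalloc code and not written by any commenter): a constructed toy slab allocator fills a freed slot either with the 0xe5 poison byte the comments mention or with zeros, then reports what a stale reference reads where a function pointer used to be. `toy_alloc`, `toy_free`, the slot layout and the assumption that a function pointer is the same size as `uintptr_t` are all hypothetical choices for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ALLOC_POISON 0xe5 /* poison byte named in the thread (kAllocPoison) */
enum { SLOT_SIZE = 32, NUM_SLOTS = 4 };

/* Constructed toy slab in static storage, so inspecting a freed slot is
 * defined behaviour (unlike reading real freed heap memory). */
static unsigned char slab[NUM_SLOTS][SLOT_SIZE];
static int in_use[NUM_SLOTS];

typedef struct { void (*handler)(void); uint64_t id; } object_t;
static void real_handler(void) {}

void *toy_alloc(void) {
    for (int i = 0; i < NUM_SLOTS; i++)
        if (!in_use[i]) { in_use[i] = 1; return slab[i]; }
    return NULL;
}

/* Free a slot and overwrite its whole contents with `fill`. */
void toy_free(void *p, unsigned char fill) {
    memset(p, fill, SLOT_SIZE);
    in_use[(unsigned char (*)[SLOT_SIZE])p - slab] = 0;
}

/* Pointer-sized word made only of the poison byte. */
uintptr_t poison_word(void) {
    uintptr_t w;
    memset(&w, ALLOC_POISON, sizeof w);
    return w;
}

/* Store an object, free it with `fill`, and return what a stale reference
 * reads where the handler pointer used to be. */
uintptr_t stale_handler_after_free(unsigned char fill) {
    object_t obj = { real_handler, 42 };
    void *slot = toy_alloc();
    uintptr_t w;
    memcpy(slot, &obj, sizeof obj);
    toy_free(slot, fill);
    memcpy(&w, slot, sizeof w);
    return w;
}

int main(void) {
    printf("poison fill -> %#zx\n", (size_t)stale_handler_after_free(ALLOC_POISON));
    printf("zero fill   -> %#zx\n", (size_t)stale_handler_after_free(0));
}
```

Either fill removes the original handler pointer from the freed slot; the zero fill leaves a word that a null check reads as "no handler", while the poison fill leaves a non-null, recognizable pattern.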