Open
Bug 1446045
Opened 6 years ago
Updated 2 years ago
Move heap metadata out of line
Categories
(Core :: Memory Allocator, enhancement, P3)
Core
Memory Allocator
Tracking
()
NEW
Tracking | Status | |
---|---|---|
firefox61 | --- | affected |
People
(Reporter: tjr, Unassigned)
References
(Depends on 1 open bug, Blocks 1 open bug)
Details
(Keywords: parity-chrome, parity-edge, sec-want)
Currently, the heap metadata for allocations is in-line with the allocations. Linear heap buffer overflows and array indexing issues could allow corruption of heap metadata. (parity-chrome) Guard Pages (Bug 1446040) between structures will be necessary for this protection to be effective. Short term or partial solutions are possible: We could be to offset/pad heap metadata by 1, 4, or 8 bytes to prevent off-by-one exploitation. It may be sufficient to re-arrange the metadata to ensure that the values present in those slots aren't useful for exploitation. We could add additional corruption checks (parity-edge), by testing that our linked list/red-black tree is not corrupted [0,1]. We could encode inline metadata (parity-edge, parity-chrome) using a runtime key. [0] https://www.blackhat.com/docs/us-16/materials/us-16-Yason-Windows-10-Segment-Heap-Internals-wp.pdf Sections 3.1 and 3.2 [1] https://blogs.technet.microsoft.com/srd/2009/08/04/preventing-the-exploitation-of-user-mode-heap-corruption-vulnerabilities/
Comment 1•6 years ago
|
||
(In reply to Tom Ritter [:tjr] from comment #0) > Guard Pages (Bug 1446040) between structures will be necessary for this > protection to be effective. I don't see why. If heap metadata is out of line, guard pages around chunks are not going to protect it. And they won't be reachable from overflowing a data pointer either.
Reporter | ||
Updated•6 years ago
|
Updated•5 years ago
|
Priority: -- → P3
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•