1446045 - Move heap metadata out of line

Status: NEW

(Core :: Memory Allocator, enhancement, P3)

Description

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Currently, the heap metadata for allocations is in-line with the allocations. Linear heap buffer overflows and array indexing issues could allow corruption of heap metadata. (parity-chrome)

Guard Pages (Bug 1446040) between structures will be necessary for this protection to be effective.


Short term or partial solutions are possible:

We could be to offset/pad heap metadata by 1, 4, or 8 bytes to prevent off-by-one exploitation. It may be sufficient to re-arrange the metadata to ensure that the values present in those slots aren't useful for exploitation. 

We could add additional corruption checks (parity-edge), by testing that our linked list/red-black tree is not corrupted [0,1].

We could encode inline metadata (parity-edge, parity-chrome) using a runtime key.

[0]  https://www.blackhat.com/docs/us-16/materials/us-16-Yason-Windows-10-Segment-Heap-Internals-wp.pdf Sections 3.1 and 3.2
[1] https://blogs.technet.microsoft.com/srd/2009/08/04/preventing-the-exploitation-of-user-mode-heap-corruption-vulnerabilities/

Comment 1

[Mike Hommey [:glandium]]

(In reply to Tom Ritter [:tjr] from comment #0)
> Guard Pages (Bug 1446040) between structures will be necessary for this
> protection to be effective.

I don't see why. If heap metadata is out of line, guard pages around chunks are not going to protect it. And they won't be reachable from overflowing a data pointer either.