undefined | Better HN

0 pointsphkamp6y ago0 comments

The particular problem they boast about having solved,does simply not exist in the malloc(3) I wrote 23 years ago, because it does not have the silly linked list to begin with.

In addition to all the security problems inherent in mingling metadata directly next to user-data, the linked list gives O(Nalloc) performance on free(3) and realloc(3) whereas my malloc had O(1) performance.

That may not seem like a lot, but when the 'O' is a page-in from disk, and Nalloc is from C++ code, it is nothing to sneeze at.

Not only did that make my malloc faster, but it would, not "could", but "would" detect several classes of malloc-usage errors, double-free etc, unconditionally.

Over the next 10-ish years, that practically eliminated entire classes of malloc-mistakes, making a lot of FOSS software safer, no matter which malloc you used it with.

Given the definition of the malloc(3) family API, there is no way you can detect all corruption without hardware support, but there are people working on that too, notably Robert Watsons CHERI project at Cambridge.

So yeah, nice pointer arithmetic, but how about people solved the real problem instead ?

(On big memory and multi-core systems use jemalloc, on small memory and single-core systems use phkmalloc.)

0 comments

2 comments · 1 top-level

armitron6y ago· 1 in thread

That there are entire guides (see below) and even games written on phkmalloc exploitation proves kazinator's point rather than yours.

[1] http://www.ouah.org/BSD-heap-smashing.txt

[2] https://events.ccc.de/congress/2005/fahrplan/attachments/636...

[3] https://overthewire.org/wargames/vortex/vortex11.html

[4] https://www.usenix.org/legacy/events/woot11/tech/final_files...

phkampOP6y ago

No ?

The only problem OP has solved is detecting overwriting of metadata inadvisably comingled with the user data.

That problem does simply not exist in phkmalloc, or jemalloc for that matter, writing past the end or before the beginning of an allocation does not automatically give you the ability to violate the internal integrity of the malloc implementation.

If you actually read the first link you pasted carefully, you will see what an amazing tour-de-force it was to exploit CVE-2003-0015, which was a run-of-the-mill double-free mistake in CVS.

As I remember it, there were proof-of-concept exploits against list-based mallocs in a matter of days, it took months before bbp's article appeared.

When I wrote phkmalloc, most of the exploitable malloc-related problems were usage problems, double frees, freeing modified pointers, writing past start or end of allocation etc.

If you had seen my presentation in New Orleans 1998, you would undoubtedly remember my handwritten slide with around 20 setuid programs phkmalloc had found issues in within the first year.

That is the primary reason why there are so few malloc(3) related exploits these days: phkmalloc and later jemalloc complained about them.

Those are mistakes which list-based mallocs do not find, because it is too expensive to walk the list all the time, and on top of that, they run slower, because the list is O(n)!

There is neither a reason, nor an excuse for using a list-based malloc in this day and age.

Neither OP nor I claim to have solved the "big" malloc problem, because, as I already explained: That takes hardware support.

j / k navigate · click thread line to collapse