
Randomize zones granularity

Open jvoisin opened this issue 4 years ago • 3 comments

Currently, isoalloc has zones in increasing power of two, for performance reasons.

Unfortunately, this means that an attacker aiming at exploiting a UAF against an object of size N only needs to find an object of size between the previous and the next power of two, to be able to get it allocated with reasonable confidence (quarantine notwithstanding).

Introducing a bit of randomness in the granularity will make the life of an attacker without the ability to leak too much data a bit harder, since they would have no way to be sure that they managed to allocate the object of their choosing in the same zone as the freed-and-to-be-reused object.

jvoisin avatar Sep 25 '21 19:09 jvoisin

Chunk sizes are no longer powers of 2 after #216, they are now multiples of 64. I think the scenario you described above is less likely now but still possible.

struct avatar Dec 17 '23 04:12 struct

>>> import itertools
>>> len(list(itertools.takewhile(lambda x: x<4096, (64*i for i in itertools.count(0)))))
64
>>> len(list(itertools.takewhile(lambda x: x<4096, (2**i for i in itertools.count(0)))))
12
>>> 

This indeed significantly increases granularity, nice!

But wouldn't it increase memory fragmentation as well?

jvoisin avatar Dec 17 '23 17:12 jvoisin

Yes. I don't think there's an optimum general solution here. It's full of tradeoffs all the way down.

struct avatar Dec 17 '23 18:12 struct
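The trade-off discussed in this thread, as an added Python model that is not isoalloc's own code: it compares the old power-of-two size classes with the 64-byte multiples introduced in #216, measures how many request sizes share a zone with a freed chunk (the UAF reuse window) and how many zones a workload spreads over (the fragmentation cost). The per-zone reservation `ZONE_BYTES`, the workload in `compare` and the `random_classes` policy are assumptions made for illustration, not isoalloc's actual parameters or design.

```python
"""Added example (not isoalloc's code) modelling the trade-off in this thread:
coarser size classes widen the set of request sizes that share a zone with a
freed chunk; finer classes spread the same workload over more zones. The
per-zone reservation, the workload and the randomized policy are assumptions."""
import random

MAX_CHUNK = 4096        # largest chunk size modelled (same bound as the REPL above)
ZONE_BYTES = 64 * 1024  # assumed bytes reserved per zone, illustrative only

def class_pow2(n):
    """Next power of two >= n (isoalloc before #216, per the thread)."""
    c = 1
    while c < n:
        c <<= 1
    return c

def class_mult64(n):
    """Next multiple of 64 >= n (isoalloc after #216, per the thread)."""
    return -(-n // 64) * 64

def random_classes(seed, cuts=40, step=16):
    """Hypothetical version of the issue's proposal: per-process random class
    boundaries (step-aligned), so the reuse window is unknown without a leak."""
    bounds = sorted(random.Random(seed).sample(range(step, MAX_CHUNK, step), cuts))
    bounds.append(MAX_CHUNK)
    return lambda n: next(b for b in bounds if b >= n)

def reuse_window(n, size_class):
    """(lo, hi) of request sizes mapped to the same zone as a size-n chunk: a
    dangling pointer to that chunk can alias any later allocation in [lo, hi]."""
    c = size_class(n)
    same = [s for s in range(1, MAX_CHUNK + 1) if size_class(s) == c]
    return min(same), max(same)

def zone_cost(requests, size_class):
    """(zones touched, bytes reserved but not handed out) for a workload."""
    zones = {size_class(r) for r in requests}
    return len(zones), len(zones) * ZONE_BYTES - sum(size_class(r) for r in requests)

def compare(seed=1, count=500):
    """Constructed workload of 1..1024-byte requests, costed under each policy."""
    rng = random.Random(seed)
    requests = [rng.randint(1, 1024) for _ in range(count)]
    policies = {"pow2": class_pow2, "mult64": class_mult64, "random": random_classes(seed)}
    return {name: zone_cost(requests, f) for name, f in policies.items()}
```

For a 200-byte chunk the window is 129..256 under power-of-two classes but 193..256 under 64-byte multiples, while `compare()` shows the same requests touching more zones under the finer policy.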