Conversation

Daniel Micay

@DanielMicay

·

Oct 5, 2018

Have found a few C++14 sized deallocation bugs in the wild due by using it for adding an extra sanity check in https://github.com/AndroidHardening/hardened_malloc…. It's meant to be used as an optimization... fatal allocator error: sized deallocation mismatch (small) 0x787cfeb14c00, real: 192, claimed: 32

github.com

GitHub - GrapheneOS/hardened_malloc: Hardened allocator designed for modern systems. It has...

Hardened allocator designed for modern systems. It has integration into Android's Bionic libc and can be used externally with musl and glibc as a dynamic library for use on other Linux-base...

1

5

12

Daniel Micay

@DanielMicay

A mismatch like this is a memory corruption bug. However, libc++ / libstdc++ don't pass the hint through to the default system allocator and many would have no use for it. It's used by jemalloc to avoid reading out-of-line metadata for sizes as intended: https://github.com/jemalloc/jemalloc/blob/115ce93562ab76f90a2509bf0640bc7df6b2d48f/src/jemalloc_cpp.cpp#L124-L141…

5:53 AM · Oct 5, 2018·Twitter Web Client

1

Retweet

6

Likes

Daniel Micay

@DanielMicay

·

Oct 5, 2018

Replying to

@DanielMicay

This case happens when Krita exits and would lead to the allocation ending up in the wrong thread cache. It would be harmless in jemalloc since an 192 byte allocation could pass as 32 bytes. It might handle it correctly as 192 bytes if it gets flushed out of the thread cache...

2