I've made a huge amount of progress on my hardened allocator since the work was funded on October 3rd. Here's what has already landed since then:
github.com/AndroidHardeni
I also found 6 memory corruption bugs in userspace along with a kernel MAP_FIXED_NOREPLACE clobbering bug.
Most of the planned security features are implemented and the remaining work is primarily optimization, extending the internal randomization and further hardening the fully out-of-line metadata. The small allocation quarantine is the only significant feature that's fully missing.
The small allocation quarantine will be similar to the large allocation (mapping) quarantine implemented at github.com/AndroidHardeni, but it will need to track which allocations are in the quarantine to preserve the existing double-free detection and integrate well with purging.
The small and large quarantines will each have 2 components: a queue implemented as a ring buffer and a randomized delay provided by swapping with a random slot in an array. The randomized array for delayed free comes from OpenBSD, although it's only for small allocations there.
For small allocations, a quarantine will delay updating the bitmaps, so it needs a set implementation (open-addressed hash table) or secondary bitmaps tracking the quarantine state for each slot. It's one of the improvements that I made in my previous work extending OpenBSD malloc.
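The two-stage quarantine and the double-free tracking described in the last three posts, modelled as an added example. This is my own toy code, not hardened_malloc's implementation: slot indices stand in for pointers, one 64-bit bitmap covers the whole toy slab, the secondary-bitmap option is used for tracking quarantine state, the random array is searched before the ring buffer, the sizes and the xorshift64 generator are my choices, and run_scenario is a hypothetical driver that exercises the invariants.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed sizes for the toy model; a real allocator tunes these per size class. */
#define SLOT_COUNT 64            /* one 64-bit bitmap covers the whole toy slab */
#define QUARANTINE_RANDOM_LEN 4  /* stage 1: randomized-delay array */
#define QUARANTINE_QUEUE_LEN 8   /* stage 2: FIFO ring buffer */
#define NO_SLOT (-1)

struct quarantine {
    int random_slots[QUARANTINE_RANDOM_LEN];
    int queue_slots[QUARANTINE_QUEUE_LEN];
    int queue_index;       /* next ring position to overwrite */
    uint64_t allocated;    /* bit i set while slot i is handed out */
    uint64_t quarantined;  /* secondary bitmap: bit i set while slot i waits in quarantine */
    uint64_t rng_state;    /* xorshift64 state; a real allocator would draw from a CSPRNG */
};

static uint64_t rng_next(struct quarantine *q)
{
    uint64_t x = q->rng_state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return q->rng_state = x;
}

void quarantine_init(struct quarantine *q, uint64_t seed)
{
    for (int i = 0; i < QUARANTINE_RANDOM_LEN; i++) q->random_slots[i] = NO_SLOT;
    for (int i = 0; i < QUARANTINE_QUEUE_LEN; i++) q->queue_slots[i] = NO_SLOT;
    q->queue_index = 0;
    q->allocated = q->quarantined = 0;
    q->rng_state = seed ? seed : 0x9E3779B97F4A7C15ULL; /* xorshift state must be non-zero */
}

/* Hand out the lowest slot that is neither allocated nor quarantined. */
int slot_alloc(struct quarantine *q)
{
    for (int i = 0; i < SLOT_COUNT; i++) {
        uint64_t bit = 1ULL << i;
        if (((q->allocated | q->quarantined) & bit) == 0) { q->allocated |= bit; return i; }
    }
    return NO_SLOT;
}

bool slot_is_quarantined(const struct quarantine *q, int slot)
{
    return slot >= 0 && slot < SLOT_COUNT && (q->quarantined & (1ULL << slot)) != 0;
}

/* Free a slot: 0 on success, -1 on double free, -2 on an out-of-range slot. */
int slot_free(struct quarantine *q, int slot)
{
    if (slot < 0 || slot >= SLOT_COUNT) return -2;
    uint64_t bit = 1ULL << slot;
    /* Double free: the slot still sits in quarantine, or it is not allocated at all. */
    if ((q->quarantined & bit) || !(q->allocated & bit)) return -1;
    q->allocated &= ~bit;
    q->quarantined |= bit;

    /* Stage 1: swap into a random array position; the previous occupant moves on. */
    int r = (int)(rng_next(q) % QUARANTINE_RANDOM_LEN);
    int evicted = q->random_slots[r];
    q->random_slots[r] = slot;
    if (evicted == NO_SLOT) return 0;

    /* Stage 2: push the evicted slot into the ring buffer, popping the oldest entry. */
    int oldest = q->queue_slots[q->queue_index];
    q->queue_slots[q->queue_index] = evicted;
    q->queue_index = (q->queue_index + 1) % QUARANTINE_QUEUE_LEN;
    if (oldest == NO_SLOT) return 0;

    /* The oldest entry has served its delay: clear its bit so the slot is allocatable again. */
    q->quarantined &= ~(1ULL << oldest);
    return 0;
}

/* Invariant: the array contents and the bitmap describe exactly the same set of slots. */
bool quarantine_consistent(const struct quarantine *q)
{
    uint64_t seen = 0;
    for (int i = 0; i < QUARANTINE_RANDOM_LEN + QUARANTINE_QUEUE_LEN; i++) {
        int s = i < QUARANTINE_RANDOM_LEN ? q->random_slots[i] : q->queue_slots[i - QUARANTINE_RANDOM_LEN];
        if (s == NO_SLOT) continue;
        if (seen & (1ULL << s)) return false; /* a slot may sit in only one place */
        seen |= 1ULL << s;
    }
    return seen == q->quarantined && (q->allocated & q->quarantined) == 0;
}

/* Hypothetical driver: returns 0 when every check passes, else a bitmask naming the failures. */
int run_scenario(uint64_t seed)
{
    struct quarantine q;
    int slots[20], failures = 0;
    quarantine_init(&q, seed);
    for (int i = 0; i < 20; i++)
        if ((slots[i] = slot_alloc(&q)) == NO_SLOT) failures |= 1;
    for (int i = 0; i < 20; i++)
        if (slot_free(&q, slots[i]) != 0) failures |= 2;        /* the first free always succeeds */
    if (!quarantine_consistent(&q)) failures |= 4;
    if (!slot_is_quarantined(&q, slots[19])) failures |= 8;      /* newest free is in the random array */
    if (slot_free(&q, slots[19]) != -1) failures |= 16;          /* double free while quarantined */
    if (slot_free(&q, slots[0]) != -1) failures |= 32;           /* double free, quarantined or released */
    if (slot_free(&q, SLOT_COUNT) != -2) failures |= 64;         /* out-of-range slot */
    int s = slot_alloc(&q);
    if (s == NO_SLOT || slot_is_quarantined(&q, s)) failures |= 128; /* quarantined slots are never reused */
    if (!quarantine_consistent(&q)) failures |= 256;
    return failures;
}

int main(void)
{
    printf("scenario failures: 0x%x\n", run_scenario(1)); /* 0 means all checks passed */
    return 0;
}
```

The point the model makes concrete is why a set or secondary bitmap is needed: once a freed slot is held back in the random array or ring buffer, the regular free bitmap is not updated yet, so without the `quarantined` bitmap a second free of that slot would look like a free of a live allocation and the double-free check would be lost. The same bitmap is what purging can consult to skip pages whose slots are all still in flight.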
The malloc_object_size implementation also needs to be fleshed out, but it's a low priority since it has no benefit without integration work like my previous work on dynamic system call overflow checks in Bionic. This time around, there's also malloc_object_size_fast for broader use.
