I've made a huge amount of progress on my hardened allocator since the work was funded on October 3rd. Here's what has already landed since then:
github.com/AndroidHardeni
I also found 6 memory corruption bugs in userspace along with a kernel MAP_FIXED_NOREPLACE clobbering bug.
Most of the planned security features are implemented and the remaining work is primarily optimization, extending the internal randomization and further hardening the fully out-of-line metadata. The small allocation quarantine is the only significant feature that's fully missing.
The small allocation quarantine will be similar to the large allocation (mapping) quarantine implemented at github.com/AndroidHardeni, but it will need to track which allocations are in the quarantine to preserve the existing double-free detection and integrate well with purging.
The small and large quarantines will each have 2 components: a queue implemented as a ring buffer and a randomized delay provided by swapping with a random slot in an array. The randomized array for delayed free comes from OpenBSD, although it's only for small allocations there.
For small allocations, a quarantine will delay updating the bitmaps, so it needs a set implementation (open-addressed hash table) or secondary bitmaps tracking the quarantine state for each slot. It's one of the improvements that I made in my previous work extending OpenBSD malloc.
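A toy model of the two-stage quarantine described in the two posts above (a randomized-delay array whose evicted entries move on to a FIFO ring buffer, plus a secondary bitmap recording quarantine state per slot so double frees are still caught). This is an added example written for this page, not the hardened allocator's code: the slab of 64 slots, the array and ring sizes, the xorshift PRNG (a stand-in for a CSPRNG) and the function names are all assumptions.

```c
// Added example: two-stage quarantine for small-allocation slots.
// Stage 1: the freed slot is swapped into a random index of a fixed array;
// whatever was there before goes to stage 2, a FIFO ring buffer. Only when
// the ring evicts its oldest entry does the slot become reusable. A second
// bitmap ("quarantined") next to the "allocated" bitmap lets free() reject a
// second free of a slot still sitting in quarantine.
// Sizes, names and the xorshift PRNG are assumptions for this illustration.
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOTS 64        /* slots in one toy slab (assumed) */
#define RAND_SLOTS 8    /* randomized-delay array size (assumed) */
#define RING_SLOTS 16   /* FIFO ring buffer size (assumed) */
#define NONE ((int16_t)-1)

struct slab {
    uint64_t allocated;        /* bit i set: slot i handed out or quarantined */
    uint64_t quarantined;      /* bit i set: slot i freed but not yet reusable */
    int16_t rnd[RAND_SLOTS];   /* stage 1: randomized delay */
    int16_t ring[RING_SLOTS];  /* stage 2: FIFO queue */
    size_t ring_head, ring_len;
    uint64_t rng_state;        /* xorshift64 state; a real allocator uses a CSPRNG */
};

static unsigned count_bits(uint64_t v) {
    unsigned n = 0;
    while (v) { v &= v - 1; n++; }
    return n;
}

static uint64_t next_rand(struct slab *s) {
    uint64_t x = s->rng_state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    s->rng_state = x;
    return x;
}

void slab_init(struct slab *s, uint64_t seed) {
    memset(s, 0, sizeof *s);
    for (size_t i = 0; i < RAND_SLOTS; i++) s->rnd[i] = NONE;
    s->rng_state = seed ? seed : 0x9E3779B97F4A7C15ULL;
}

/* Hand out the lowest slot whose allocated bit is clear; -1 when full. */
int slab_alloc(struct slab *s) {
    for (int i = 0; i < SLOTS; i++) {
        if (!(s->allocated & (1ULL << i))) {
            s->allocated |= 1ULL << i;
            return i;
        }
    }
    return -1;
}

/* Leaving quarantine: both bitmaps are updated only now. */
static void release(struct slab *s, int16_t slot) {
    s->quarantined &= ~(1ULL << slot);
    s->allocated &= ~(1ULL << slot);
}

/* FIFO push; when the ring is full the oldest entry is truly freed. */
static void ring_push(struct slab *s, int16_t slot) {
    if (s->ring_len == RING_SLOTS) {
        release(s, s->ring[s->ring_head]);
        s->ring_head = (s->ring_head + 1) % RING_SLOTS;
        s->ring_len--;
    }
    s->ring[(s->ring_head + s->ring_len) % RING_SLOTS] = slot;
    s->ring_len++;
}

/* 0 on success, -1 for a slot that was never allocated, -2 for a double free
 * of a slot still in quarantine. */
int slab_free(struct slab *s, int slot) {
    if (slot < 0 || slot >= SLOTS || !(s->allocated & (1ULL << slot)))
        return -1;
    if (s->quarantined & (1ULL << slot))
        return -2;
    s->quarantined |= 1ULL << slot;
    /* Stage 1: swap with a random array slot; the evicted entry moves to the FIFO. */
    size_t r = (size_t)(next_rand(s) % RAND_SLOTS);
    int16_t evicted = s->rnd[r];
    s->rnd[r] = (int16_t)slot;
    if (evicted != NONE)
        ring_push(s, evicted);
    return 0;
}

bool slab_is_quarantined(const struct slab *s, int slot) {
    return slot >= 0 && slot < SLOTS && ((s->quarantined >> slot) & 1);
}

/* Entries currently held across both stages. */
size_t slab_quarantine_len(const struct slab *s) {
    size_t n = s->ring_len;
    for (size_t i = 0; i < RAND_SLOTS; i++)
        if (s->rnd[i] != NONE) n++;
    return n;
}

int main(void) {
    struct slab s;
    slab_init(&s, 1);
    int a = slab_alloc(&s);
    printf("alloc -> slot %d\n", a);
    printf("free -> %d\n", slab_free(&s, a));
    printf("free again -> %d (double free caught)\n", slab_free(&s, a));
    printf("next alloc -> slot %d (quarantined slot not reused)\n", slab_alloc(&s));
    return 0;
}
```

The quarantined bitmap is what keeps double-free detection working while the allocated bitmap is deliberately left stale; without it, a second free of a slot waiting in the ring would look like a valid free of a live slot. The held-entry count can never exceed RAND_SLOTS + RING_SLOTS, which is the bound a purge pass would need to walk.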
The malloc_object_size implementation also needs to be fleshed out, but it's a low priority since it has no benefit without integration work like my previous work on dynamic system call overflow checks in Bionic. This time around, there's also malloc_object_size_fast for broader use.
