I added a section to the hardened malloc documentation on the chosen approach to memory tagging for slab allocations:
github.com/AndroidHardeni
In addition to guaranteed linear overflow detection, it will guarantee that use-after-free is detected until the tag wraps all the way.
This Tweet was deleted by the Tweet author.
Yeah, it's a very similar architecture feature and my plan for using it closely matches how they do it. The ARM architecture documentation is currently missing detailed documentation on it so there are details that I won't be able to figure out about the design until I see more.
I'm particularly interested in how it interacts with other features since some are going to be almost entirely useless (write-after-free check) or far less useful (canaries) along with other features gaining some useful properties mixed with the tags (quarantine, randomization).
Canaries also get basically useless, as they don't add value once you have tagging
They stop having value for catching linear overflows but they aren't great at that in the heap scenario since they catch the corruption on free rather than promptly anyway. I see their main purpose as just adding some padding between allocations, which becomes a lot less useful.

