Question: what scenarios does zero-memory-on-free mitigate that zero-mem-on-malloc doesn't? I have a hard time imagining any... For accesses via the new ptr it doesn't matter. Via the old ptr - most likely doesn't matter either (it could have been accessed while the object was alive).
Quote Tweet
I love that there have probably been about 1000 emails on this topic on the KSPP list about how they're going to build a better PAX_MEMORY_SANITIZE, and finally after 3 years they've come full circle to how PAX_MEMORY_SANITIZE has always worked: openwall.com/lists/kernel-h
Reply:
If you're willing to pay the performance cost, you can also check that the data is still zeroed on allocation, to detect write-after-free. In this case, zeroing rather than using another byte value has a major performance advantage since pages are often wanted as already zeroed.
Reply:
For other cases, like malloc or kmalloc, asking for zeroed data isn't nearly as common, and it's not as expensive to fill with a different value. Zero is the least aggressive since it often gets treated as NULL / empty data. Non-zero tends to uncover more bugs via more crashes.
Reply:
Well, yes. But is it purely hypothetical? Is it just that, all else being equal, zeroing early is probably better? Zero-on-malloc prevents a very clear class of vulns/bugs -- using/leaking uninit data. Zero-on-free does not seem to prevent _anything_ on top of this. Or not?
Reply:
It's not hypothetical that eliminating sensitive data from memory earlier is helpful. That's not about preventing a class of vulnerabilities but rather reducing the impact of a compromise at a later point. It minimizes the lifetime of sensitive data. It's often done case-by-case.
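The two mechanisms discussed in the thread (zero on free to shorten the lifetime of stale data, plus a check on allocation that the slot is still zero to detect write-after-free), as an added example that is not part of the thread or of any kernel code: a tiny fixed-size slot allocator with hypothetical names and a constructed "secret" payload.

```c
// Added example (not from the thread): a tiny slot allocator that zeroes on free
// and checks the slot is still zero on the next allocation, so a write through a
// dangling pointer (write-after-free) is caught at reuse. Names are hypothetical.
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SLOT_SIZE 32
#define NSLOTS    4
static uint8_t pool[NSLOTS][SLOT_SIZE];
static int in_use[NSLOTS];
static int waf_detected;          /* number of write-after-free detections */

static int slot_is_zero(const uint8_t *s) {
    for (size_t i = 0; i < SLOT_SIZE; i++)
        if (s[i]) return 0;
    return 1;
}

/* Allocate: verify the slot is still zeroed (detects write-after-free), then hand it out. */
void *san_alloc(void) {
    for (int i = 0; i < NSLOTS; i++) {
        if (in_use[i]) continue;
        if (!slot_is_zero(pool[i])) {        /* something wrote to this slot after free */
            waf_detected++;
            memset(pool[i], 0, SLOT_SIZE);   /* re-sanitize before reuse */
        }
        in_use[i] = 1;
        return pool[i];
    }
    return NULL;
}

/* Free: zero the slot at once so stale (possibly sensitive) data does not linger. */
void san_free(void *p) {
    int i = (int)(((uint8_t *)p - &pool[0][0]) / SLOT_SIZE);
    memset(pool[i], 0, SLOT_SIZE);
    in_use[i] = 0;
}

/* Scenario: allocate, free, write through the dangling pointer, allocate again. */
int demo_write_after_free(void) {
    waf_detected = 0;
    uint8_t *a = san_alloc();
    memcpy(a, "secret", 7);   /* constructed sensitive payload */
    san_free(a);              /* "secret" is gone from memory here, not at the next alloc */
    a[0] = 0x41;              /* bug: write through dangling pointer */
    (void)san_alloc();        /* check-on-alloc notices the slot is no longer zero */
    return waf_detected;      /* → 1 */
}
```

With zero-on-malloc alone the write at `a[0]` would be silently overwritten on reuse; the check-on-alloc step is what turns it into a detection, at the cost of scanning every slot handed out.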