Conversation

Question: what scenarios does zero-memory-on-free mitigate that zero-mem-on-malloc doesn't? I have a hard time imagining any... For accesses via the new ptr it doesn't matter. Via the old ptr - most likely doesn't matter either (could have been accessed while the object is alive).
Quote Tweet
I love that there have probably been about 1000 emails on this topic on the KSPP list about how they're going to build a better PAX_MEMORY_SANITIZE, and finally after 3 years they've come full circle to how PAX_MEMORY_SANITIZE has always worked: openwall.com/lists/kernel-h
I haven't looked at the threads, so I don't know the specific context. One of the main benefits of zero-on-free is purging potentially sensitive data quickly. It's also often safer to read zeroed data like NULL pointers leading to reliable faults instead of stale/dangling ones.
If you're willing to pay the performance cost, you can also check that the data is still zeroed on allocation, to detect write-after-free. In this case, zeroing rather than using another byte value has a major performance advantage since pages are often wanted as already zeroed.
It's important to pick a value that's going to guarantee faults most of the time. In userspace, that means at the kernel address space. In the kernel, at some unused region. If you fill with a value like 0xdf, the pointers are going to be 0xdfdfdfdfdfdfdfdf or offsets from it.
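The replies above describe two mechanisms: zero-on-free so that stale reads see NULL-like data that faults reliably, and a check-on-alloc pass that detects write-after-free because a freed chunk is supposed to still be all zeros when it is handed out again. The following is an added example, not code from the thread, the kernel or PAX_MEMORY_SANITIZE: a toy fixed-size arena allocator (all `zf_*` names are hypothetical) that implements both behaviours over a static buffer so the effect can be observed without undefined behaviour.

```c
/* Added example: toy arena allocator with zero-on-free and check-on-alloc.
 * Hypothetical zf_* API; not kernel code. Memory is a static array, so
 * "stale" accesses below stay inside valid storage and are well-defined. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define ZF_CHUNK   64
#define ZF_NCHUNKS 8

static unsigned char zf_arena[ZF_NCHUNKS * ZF_CHUNK]; /* zero-initialised */
static int    zf_in_use[ZF_NCHUNKS];
static size_t zf_waf_detected;         /* write-after-free seen on alloc */
static size_t zf_double_free_detected;

void zf_reset(void) {
    memset(zf_arena, 0, sizeof zf_arena);
    memset(zf_in_use, 0, sizeof zf_in_use);
    zf_waf_detected = 0;
    zf_double_free_detected = 0;
}

/* Chunk index of p, or -1 if p is not a chunk start inside the arena. */
static int zf_index(const void *p) {
    uintptr_t a = (uintptr_t)p, base = (uintptr_t)zf_arena;
    if (a < base || a >= base + sizeof zf_arena) return -1;
    size_t off = (size_t)(a - base);
    if (off % ZF_CHUNK) return -1;
    return (int)(off / ZF_CHUNK);
}

void *zf_alloc(void) {
    for (int i = 0; i < ZF_NCHUNKS; i++) {
        if (zf_in_use[i]) continue;
        unsigned char *chunk = zf_arena + (size_t)i * ZF_CHUNK;
        /* Check-on-alloc: the chunk was zeroed when freed, so any non-zero
         * byte means something wrote through a dangling pointer. */
        for (size_t j = 0; j < ZF_CHUNK; j++) {
            if (chunk[j] != 0) {
                zf_waf_detected++;
                memset(chunk, 0, ZF_CHUNK);   /* re-sanitise before reuse */
                break;
            }
        }
        zf_in_use[i] = 1;
        return chunk;   /* caller always receives zeroed memory */
    }
    return NULL;
}

void zf_free(void *p) {
    int i = zf_index(p);
    if (i < 0) return;                        /* foreign pointer: ignore */
    if (!zf_in_use[i]) { zf_double_free_detected++; return; }
    memset(p, 0, ZF_CHUNK);                   /* zero-on-free: purge data */
    zf_in_use[i] = 0;
}

size_t zf_write_after_free_count(void) { return zf_waf_detected; }
size_t zf_double_free_count(void)      { return zf_double_free_detected; }

/* Scenario: object freed, then written through a stale pointer; the next
 * allocation that reuses the chunk detects it. Returns detection count. */
size_t zf_demo_write_after_free(void) {
    zf_reset();
    struct obj { void *next; char name[32]; } *o = zf_alloc();
    o->next = o;
    strcpy(o->name, "live object");
    struct obj *stale = o;
    zf_free(o);
    strcpy(stale->name, "written after free");  /* the bug being detected */
    (void)zf_alloc();   /* first free slot is the same chunk */
    return zf_write_after_free_count();
}

/* Scenario: stale read after free. Because the chunk was zeroed, the pointer
 * field reads back as NULL (a reliable fault if dereferenced) instead of the
 * old, still-mapped value. Returns 1 when the stale read yields NULL. */
int zf_demo_stale_read_is_null(void) {
    zf_reset();
    struct node { void *next; } *o = zf_alloc();
    o->next = o;
    void *before = o->next;
    zf_free(o);
    return before != NULL && o->next == NULL;
}

/* Scenario: freeing the same chunk twice is caught via the in_use bitmap. */
size_t zf_demo_double_free(void) {
    zf_reset();
    void *p = zf_alloc();
    zf_free(p);
    zf_free(p);
    return zf_double_free_count();
}

int main(void) {
    printf("write-after-free detections: %zu\n", zf_demo_write_after_free());
    printf("stale pointer reads as NULL: %d\n", zf_demo_stale_read_is_null());
    printf("double-free detections: %zu\n", zf_demo_double_free());
    return 0;
}
```

The check-on-alloc loop is the cost the thread refers to: every allocation scans the whole chunk. Zeroing, rather than a 0xdf-style pattern, keeps that check a plain compare-against-zero and lets freed pages double as the pre-zeroed pages many callers want anyway.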