Conversation

Dmitry Vyukov
@dvyukov
Question: what scenarios does zero-memory-on-free mitigate that zero-mem-on-malloc doesn't? I have hard time imagining any... For accesses via new ptr it doesn't matter. Via old ptr - most likely doesn't matter too (could have been accesses while the object is alive).
Quote Tweet
grsecurity
@grsecurity
I love that there have probably been about 1000 emails on this topic on the KSPP list about how they're going to build a better PAX_MEMORY_SANITIZE, and finally after 3 years they've come full circle to how PAX_MEMORY_SANITIZE has always worked: openwall.com/lists/kernel-h
Show this thread
4
4
Daniel Micay
@DanielMicay
Replying to
@dvyukov
I haven't looked at the threads, so I don't know the specific context. One of the main benefits of zero-on-free is purging potentially sensitive data quickly. It's also often safer to read zeroed data like NULL pointers leading to reliable faults instead of stale/dangling ones.
2
1
Dmitry Vyukov
@dvyukov
Replying to
@DanielMicay
Well, yes. But is it pure hypothetical? Is it just all else being equal zeroing early is probably better? Zero-on-malloc prevents very clear class of vulns/bugs -- using/leaking uninit data. Zero-on-free does not seem to prevent _anything_ on top of this. Or not?
1
Daniel Micay
@DanielMicay
Replying to
@DanielMicay
and
@dvyukov
It's also not theoretical that some use-after-free bugs are mitigated by making the pointers that are read from the freed allocation NULL. If it's combined with checking for non-zero data on allocation, it can detect an ongoing use-after-free based on non-zero data being written.
1
1
Daniel Micay
@DanielMicay
Replying to
@DanielMicay
and
@dvyukov
Having a quarantine to delay memory reuse is also related. That's part of how ASan is able to detect lots of use-after-free and double-free, but it also has an application in allocator hardening. A quarantine also doesn't have to be only FIFO. It can have some randomization too.
1
1
Show replies