
It allocates the objects A, B and C of the same type in order, and was assuming that the address order will be A < B < C. That's obviously not the case even without a hardened allocator, but apparently the size class is not used enough elsewhere to trigger this bug in practice.
Since hardened_malloc chooses a random free slot within a slab, the address order is randomized even before other forms of randomization like the quarantine take effect. Disabling SLOT_RANDOMIZE made this reliable with hardened_malloc too, which was discovered before this was fixed.
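The bug pattern and the slot randomization described above, as an added example that is not hardened_malloc's own code: a toy slab allocator for one size class that either hands out the lowest free slot (SLOT_RANDOMIZE off) or the k-th free slot for a random k (SLOT_RANDOMIZE on), and a check for the assumption that objects allocated in the order A, B, C sit at increasing addresses. The slab layout, the 3-bit LCG standing in for a real random source, and the function names are assumptions made for this example.

```c
/* Added example, not hardened_malloc's code: a one-size-class slab with
 * optional slot randomization, used to show why "allocated later" does
 * not imply "higher address". */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE  16   /* assumed size class for this toy */
#define SLOT_COUNT 8    /* assumed number of slots per slab */

struct slab {
    uint8_t  mem[SLOT_SIZE * SLOT_COUNT];
    uint8_t  used[SLOT_COUNT];  /* 1 if the slot is allocated */
    unsigned rng_state;         /* toy PRNG state */
    int      randomize;         /* 0 = lowest free slot, 1 = random free slot */
};

/* Toy 3-bit LCG (full period 8), chosen so its outputs can be checked by hand.
 * It stands in for the allocator's real random source; never use it for real. */
static unsigned toy_rng(struct slab *s) {
    s->rng_state = (s->rng_state * 5 + 1) & 7;
    return s->rng_state;
}

void slab_init(struct slab *s, int randomize, unsigned seed) {
    memset(s, 0, sizeof *s);
    s->randomize = randomize;
    s->rng_state = seed & 7;
}

/* Hand out one slot: the k-th free slot for a random k when randomizing
 * (as hardened_malloc does), otherwise the lowest free slot. NULL when full. */
void *slab_alloc(struct slab *s) {
    unsigned free_count = 0;
    for (int i = 0; i < SLOT_COUNT; i++)
        if (!s->used[i]) free_count++;
    if (free_count == 0) return NULL;

    unsigned k = s->randomize ? toy_rng(s) % free_count : 0;
    for (int i = 0; i < SLOT_COUNT; i++) {
        if (s->used[i]) continue;
        if (k == 0) { s->used[i] = 1; return s->mem + (size_t)i * SLOT_SIZE; }
        k--;
    }
    return NULL; /* not reachable: free_count > 0 guarantees a hit above */
}

/* Slot index of a pointer returned by slab_alloc, or -1 if it is not in the slab. */
int slab_slot_of(const struct slab *s, const void *p) {
    const uint8_t *q = p;
    if (q < s->mem || q >= s->mem + sizeof s->mem) return -1;
    return (int)((q - s->mem) / SLOT_SIZE);
}

/* The assumption from the thread: A, B, C allocated in that order are at
 * increasing addresses. True for a first-fit slab, not in general. */
int addresses_ascending(const void *a, const void *b, const void *c) {
    return (uintptr_t)a < (uintptr_t)b && (uintptr_t)b < (uintptr_t)c;
}

/* Allocate A, B, C from a fresh slab and report whether the assumption held. */
int order_assumption_holds(int randomize, unsigned seed) {
    struct slab s;
    slab_init(&s, randomize, seed);
    void *a = slab_alloc(&s), *b = slab_alloc(&s), *c = slab_alloc(&s);
    return addresses_ascending(a, b, c);
}

/* Slot index of the n-th allocation (0-based) from a fresh slab. */
int nth_allocation_slot(int randomize, unsigned seed, int n) {
    struct slab s;
    slab_init(&s, randomize, seed);
    void *p = NULL;
    for (int i = 0; i <= n; i++) p = slab_alloc(&s);
    return slab_slot_of(&s, p);
}

int main(void) {
    for (int randomize = 0; randomize <= 1; randomize++) {
        printf("SLOT_RANDOMIZE=%d: slots A=%d B=%d C=%d, A<B<C holds: %d\n",
               randomize,
               nth_allocation_slot(randomize, 1, 0),
               nth_allocation_slot(randomize, 1, 1),
               nth_allocation_slot(randomize, 1, 2),
               order_assumption_holds(randomize, 1));
    }
    return 0;
}
```

With seed 1 the randomizing path picks slots 6, 0 and 5 for A, B and C, so the ordering assumption fails on the very first three allocations; with randomization off the slab behaves like the first-fit allocator the buggy code was tested against. Code that needs allocation order has to record it explicitly (a sequence number or an index) rather than derive it from pointer values.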
Since hardened_malloc takes the same approach as OpenBSD malloc to zero-size allocations by using PROT_NONE memory. Believe it or not, it's an important mitigation catching serious memory corruption vulnerabilities and the dedicated regions in hardened_malloc make it very strong.
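The zero-size mitigation above, as an added example that is not hardened_malloc's or OpenBSD malloc's code: a dedicated PROT_NONE region from which zero-size requests receive unique, non-NULL pointers, plus an in-process SIGSEGV trap that shows the first byte written through such a pointer faults instead of silently corrupting a neighbouring heap object. The region size, the bump-pointer hand-out policy and the function names are assumptions for this example; it needs a POSIX system with mmap.

```c
/* Added example, not hardened_malloc's code: zero-size allocations served
 * from a dedicated PROT_NONE mapping, and a demonstration that any access
 * through them faults immediately. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define ZERO_REGION_SIZE (64 * 1024)  /* toy size; real regions are far larger */
#define ZERO_STRIDE      16           /* assumed spacing between handed-out pointers */

static uint8_t *zero_region;   /* PROT_NONE mapping, created on first use */
static size_t   zero_next;     /* bump offset inside the region */

static int zero_region_init(void) {
    if (zero_region) return 0;
    void *p = mmap(NULL, ZERO_REGION_SIZE, PROT_NONE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    zero_region = p;
    return 0;
}

/* Unique non-NULL pointer for a zero-size request. The backing pages have no
 * permissions, so a read or write through it traps at the first access. */
void *zero_size_alloc(void) {
    if (zero_region_init() < 0) return NULL;
    if (zero_next + ZERO_STRIDE > ZERO_REGION_SIZE)
        zero_next = 0;  /* toy policy: recycle addresses once the region is used up */
    void *p = zero_region + zero_next;
    zero_next += ZERO_STRIDE;
    return p;
}

/* SIGSEGV trap used only to observe the fault in-process for this demo. */
static sigjmp_buf fault_env;
static volatile sig_atomic_t faulted;

static void on_segv(int sig) {
    (void)sig;
    faulted = 1;
    siglongjmp(fault_env, 1);  /* sigsetjmp(env, 1) restores the signal mask */
}

/* Attempt a one-byte write through p. Returns 1 if it faulted, 0 if it went through. */
int write_faults(volatile uint8_t *p) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    faulted = 0;
    if (sigsetjmp(fault_env, 1) == 0)
        *p = 0x41;  /* the bug: treating the result of a zero-size allocation as writable */
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}

/* Writing through a zero-size allocation must fault. */
int zero_size_write_is_caught(void) {
    uint8_t *p = zero_size_alloc();
    return p != NULL && write_faults(p);
}

/* Control: the same write to ordinary writable memory succeeds silently. */
int ordinary_write_is_caught(void) {
    static uint8_t ordinary[ZERO_STRIDE];
    return write_faults(ordinary);
}

/* Two zero-size requests get distinct pointers, so their identity still works. */
int zero_size_pointers_distinct(void) {
    void *a = zero_size_alloc(), *b = zero_size_alloc();
    return a != NULL && b != NULL && a != b;
}

int main(void) {
    printf("write through zero-size allocation caught: %d\n", zero_size_write_is_caught());
    printf("write to ordinary memory caught:           %d\n", ordinary_write_is_caught());
    printf("zero-size pointers distinct:               %d\n", zero_size_pointers_distinct());
    return 0;
}
```

Without this scheme, malloc(0) typically returns a minimum-size chunk from the regular heap, so an off-by-one or confused-length write lands on adjacent metadata or another object and goes unnoticed until much later. With a dedicated region, the first byte of such a write is a fatal fault at the exact instruction, which is what makes the bug class cheap to find in testing and hard to exploit in production.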