gecko-dev/memory
Tom Ritter 0b01745031 Bug 1376408 - Randomize free region selection for small allocations in a run r=glandium
This allows freelist randomization on a per-arena basis, by supplying parameters to
arena creation.

It uses an xorshift PRNG with a 128-bit state. It is not cryptographically secure. An
attacker who can observe outputs of the RNG, or read its state, is already in a position
to bypass the randomization applied. At the same time we make its state 128 bit to prevent
a trivial bypass if one or two outputs are observed.

The way a run selects masks to check has not been modified, so the randomization is limited
to at most 32 bits in the current mask being tested. It should be noted that while allocations
from the same run may now be non deterministic (up to the maximum entropy as previously
stated), an attacker who can perform multiple allocations will still be able to allocate
a targeted free region (for example while exploiting a use after free vulnerability in the
DOM). Non deterministic allocations will only impede an attacker who has less control over
how they allocate a targeted free region, and may provide some benefit during exploitation
of a heap based buffer overflow vulnerability where the attacker wishes to construct a
precise layout of regions pre overflow.

Differential Revision: https://phabricator.services.mozilla.com/D32219

--HG--
extra : moz-landing-system : lando
2019-06-18 21:18:23 +00:00
..
build Bug 1376408 - Randomize free region selection for small allocations in a run r=glandium 2019-06-18 21:18:23 +00:00
fallible
gtest Bug 1558365 - Simplify PtrInfoTag. r=glandium 2019-06-12 07:38:30 +00:00
mozalloc Bug 1553363 - Generalize the *_impl goop for allocation functions in mozglue. r=froydnj 2019-05-29 22:49:42 +00:00
replace Bug 1533240 - Replace DMD's custom TLS code with use of mozilla/ThreadLocal.h. r=erahm 2019-03-22 20:07:30 +00:00
volatile Bug 1542146 - Apply the change with the option StatementMacros from clang-format-8 r=andi 2019-04-05 21:42:17 +00:00
app.mozbuild
moz.build
moz.configure