Bug 302808
| Summary: | [libpas] Implement Previous-Tag-Exclusion for MTE allocations | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Marcus Plutowski <marcus_plutowski> |
| Component: | New Bugs | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Marcus Plutowski
rdar://152167632
In a similar vein to Adjacent-Tag-Exclusion, we can impair the ability of attackers to 'get lucky' with MTE tags by ensuring that 'local' (for ATE spatially local, for PTE temporally local) allocations have different tags. In this case that means that when we retag an object in a slot that previously had some tag A, we make sure to use a tag other than A. This does not provide as hard a guarantee as ATE does, as ATE deterministically ensures that adjacent allocations will not have the same tag -- whereas in theory heap grooming could be used to re-allocate on a given slot, thus dodging the prior tag. This is however still an added layer of difficulty and worth considering as a hardening option.
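The combined ATE + PTE selection rule described above, as an added example that is not libpas code and not part of the bug or pull request: it models the heap as a toy array of slots, builds an exclusion mask from the slot's previous tag (PTE) and its two neighbours' tags (ATE), and rejection-samples a fresh tag outside that set. The slot layout, the xorshift PRNG, the mask-based selection and the rule that tag 0 is reserved are all assumptions made for this example, not libpas's actual design.

```c
/* Added example: ATE + PTE tag selection over a toy slot array.
 * NOT libpas code; the slot model, PRNG and reserved-tag-0 rule are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MTE_TAG_COUNT 16u   /* MTE tags are 4 bits wide */
#define SLOT_COUNT    64u   /* constructed toy heap: one tag per slot */

typedef uint8_t mte_tag_t;

/* Deterministic xorshift32 so the example is reproducible. A real allocator
 * must draw tags from a proper entropy source (assumption: not libpas's RNG). */
static uint32_t prng_state = 0x9E3779B9u;
static uint32_t prng_next(void) {
    uint32_t x = prng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    prng_state = x;
    return x;
}

/* Bit i set => tag i must not be chosen. Tag 0 is treated as reserved
 * (the "untagged" value), which is an assumption of this example. */
static uint16_t exclusion_mask(mte_tag_t prev, mte_tag_t left, mte_tag_t right) {
    uint16_t mask = 1u;                          /* exclude tag 0 */
    mask |= (uint16_t)(1u << (prev  & 0xF));     /* PTE: not the slot's old tag */
    mask |= (uint16_t)(1u << (left  & 0xF));     /* ATE: not the left neighbour */
    mask |= (uint16_t)(1u << (right & 0xF));     /* ATE: not the right neighbour */
    return mask;
}

/* Rejection-sample a tag outside the excluded set. At most 4 of the 16 tags
 * are ever excluded here, so the loop always terminates. */
static mte_tag_t choose_tag(uint16_t excluded) {
    if (excluded == 0xFFFFu) abort();            /* nothing left to choose */
    for (;;) {
        mte_tag_t t = (mte_tag_t)(prng_next() & 0xF);
        if (!(excluded & (1u << t))) return t;
    }
}

static mte_tag_t heap[SLOT_COUNT];

/* Neighbour tag lookup; an edge slot has no neighbour on that side, so return
 * the reserved tag 0, which is excluded anyway. */
static mte_tag_t neighbour_tag(size_t i, int delta) {
    if (delta < 0) return i == 0 ? 0 : heap[i - 1];
    return i + 1 >= SLOT_COUNT ? 0 : heap[i + 1];
}

/* Retag slot i as if it were being reallocated: exclude the previous tag (PTE)
 * and both adjacent tags (ATE). Returns the tag assigned. */
static mte_tag_t retag_slot(size_t i) {
    mte_tag_t prev  = heap[i];
    mte_tag_t left  = neighbour_tag(i, -1);
    mte_tag_t right = neighbour_tag(i, +1);
    mte_tag_t t = choose_tag(exclusion_mask(prev, left, right));
    heap[i] = t;
    return t;
}

/* Give every slot an ATE-respecting initial tag (prev = 0 means "no previous tag"). */
static void init_heap(void) {
    for (size_t i = 0; i < SLOT_COUNT; i++) heap[i] = 0;
    for (size_t i = 0; i < SLOT_COUNT; i++) retag_slot(i);
}

/* Stress check: reallocate random slots `iterations` times and count every
 * retag that reused the old tag (PTE violation) or collided with a neighbour
 * (ATE violation). With the rule above the count is always 0. */
static unsigned count_violations(unsigned iterations) {
    unsigned violations = 0;
    init_heap();
    for (unsigned n = 0; n < iterations; n++) {
        size_t i = prng_next() % SLOT_COUNT;
        mte_tag_t old = heap[i];
        mte_tag_t fresh = retag_slot(i);
        if (fresh == 0 || fresh == old) violations++;            /* PTE broken */
        if (i > 0 && fresh == heap[i - 1]) violations++;          /* ATE broken */
        if (i + 1 < SLOT_COUNT && fresh == heap[i + 1]) violations++;
    }
    return violations;
}

int main(void) {
    printf("violations after 10000 retags: %u\n", count_violations(10000));
    return 0;
}
```

The stress loop makes the limitation from the description visible: each individual retag is guaranteed to differ from the slot's previous tag, but nothing prevents the tag from returning after two or more reallocations of the same slot, which is why PTE is a probabilistic hardening layer rather than the deterministic guarantee ATE gives for neighbours.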
Marcus Plutowski
Pull request: https://github.com/WebKit/WebKit/pull/54200
Marcus Plutowski
Pull request: https://github.com/WebKit/WebKit/pull/61853
EWS
Committed 310726@main (569d28c26a9b): <https://commits.webkit.org/310726@main>
Reviewed commits have been landed. Closing PR #61853 and removing active labels.