RESOLVED FIXED 302808
[libpas] Implement Previous-Tag-Exclusion for MTE allocations
https://bugs.webkit.org/show_bug.cgi?id=302808
Marcus Plutowski
Reported 2025-11-19 11:21:01 PST
rdar://152167632

In a similar vein to Adjacent-Tag-Exclusion, we can impair the ability of attackers to 'get lucky' with MTE tags by ensuring that 'local' (for ATE spatially local, for PTE temporally local) allocations have different tags. In this case that means that when we retag an object in a slot that previously had some tag A, we make sure to use a tag other than A. This does not provide as hard a guarantee as ATE does, as ATE deterministically ensures that adjacent allocations will not have the same tag -- whereas in theory heap grooming could be used to re-reallocate on a given slot, thus dodging the prior tag. This is however still an added layer of difficulty and worth considering as a hardening option.
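As an added illustration of the tag-selection rule described above (example code, not libpas's implementation): the chooser below excludes the slot's previous tag (PTE) and its two spatial neighbours' tags (ATE) before drawing uniformly from the remaining tags. It assumes 4-bit MTE tags (16 values), uses a small xorshift PRNG purely so the example is deterministic offline, and the `choose_tag`/`simulate_slot_retags` names are hypothetical.

```c
/* Added example (not libpas code): pick an MTE tag for a slot that differs
 * from the slot's previous tag (PTE) and from its neighbours' tags (ATE). */
#include <stdint.h>
#include <stdbool.h>

#define MTE_TAG_COUNT 16   /* 4-bit logical tags, values 0..15 (assumed) */
#define MTE_TAG_NONE  0xFF /* sentinel: no previous tag / no neighbour */

/* Tiny xorshift PRNG so the example is deterministic and self-contained;
 * a real allocator would draw from a hardware or cryptographic source. */
static uint32_t rng_state = 0x9E3779B9u;
static uint32_t rng_next(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* Choose a tag outside the exclusion set. prev_tag is the tag the slot
 * carried before (Previous-Tag-Exclusion); left_tag/right_tag are the
 * spatial neighbours (Adjacent-Tag-Exclusion). MTE_TAG_NONE = no constraint. */
uint8_t choose_tag(uint8_t prev_tag, uint8_t left_tag, uint8_t right_tag) {
    uint16_t excluded = 0; /* bitmask over the 16 tag values */
    if (prev_tag  != MTE_TAG_NONE) excluded |= (uint16_t)1 << prev_tag;
    if (left_tag  != MTE_TAG_NONE) excluded |= (uint16_t)1 << left_tag;
    if (right_tag != MTE_TAG_NONE) excluded |= (uint16_t)1 << right_tag;

    /* Draw uniformly among allowed tags: pick index k, return k-th allowed. */
    int allowed = MTE_TAG_COUNT - __builtin_popcount(excluded);
    int k = (int)(rng_next() % (uint32_t)allowed);
    for (uint8_t t = 0; t < MTE_TAG_COUNT; t++) {
        if (excluded & ((uint16_t)1 << t)) continue;
        if (k-- == 0) return t;
    }
    return 0; /* unreachable: at most 3 of 16 tags are ever excluded */
}

/* Simulate repeated free/reallocate of one slot between fixed neighbours
 * and verify the retag never reuses the previous or an adjacent tag.
 * Returns true if the exclusion rule held on every round. */
bool simulate_slot_retags(int rounds, uint8_t left_tag, uint8_t right_tag) {
    uint8_t prev = MTE_TAG_NONE;
    for (int i = 0; i < rounds; i++) {
        uint8_t t = choose_tag(prev, left_tag, right_tag);
        if (t == prev || t == left_tag || t == right_tag) return false;
        prev = t;
    }
    return true;
}
```

As the report notes, this only guarantees that consecutive occupants of the same slot differ; an intervening reallocation of that slot can still bring tag A back into play.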
Marcus Plutowski
Comment 1 2025-11-19 12:09:17 PST
Marcus Plutowski
Comment 2 2026-04-01 15:01:23 PDT
EWS
Comment 3 2026-04-07 11:08:47 PDT
Committed 310726@main (569d28c26a9b): <https://commits.webkit.org/310726@main> Reviewed commits have been landed. Closing PR #61853 and removing active labels.