I’ve been working on adding buffer overflow checking to common block operation functions in hardened_malloc the past few days.
main ← SkewedZeppelin:memcpy-sanity (opened 10:51PM - 21 Mar 25 UTC)
for https://github.com/GrapheneOS/hardened_malloc/issues/231
- largely works … system wide on fedora 41 & 42
## task list
- [X] gcc compiler doing weird things
  - no longer an issue with using real underlying functions
- [ ] clang compiler doing weird things
  - it runs now, but size checks are always max
- [X] whole object size checks (fast path)
- [X] object remaining size checks (non-fast path)
- [X] optimized assembly functions
  - [X] memcpy
  - [X] memmove
  - [X] memset
  - [X] wmemcpy
  - [X] wmemmove
  - [X] wmemset
- [X] bypass overrides for self
- [X] licensing
- [X] makefile bits
- [X] readme
  - could be expanded on
- [X] test case for memcpy
  - [ ] overlap test
- [X] test case for memmove
- [X] test case for memset
- [ ] test case for wmemcpy
- [ ] test case for wmemmove
- [ ] test case for wmemset
- [ ] run all the test cases
  - the feature is default disabled so they can't be run without failing
- [ ] figure out why test cases fail under CI when enabled
  - they all pass on my end
  - still not working on latest patchset
- [X] figure out why so many gnome apps crash
  - `fatal allocator error: invalid malloc_object_size`
  - conflict with gjs/mozjs?
  - crashes under f42, but not f41: clocks, calculator, baobab, fileroller, logs
  - crashes under f41, but not f42: gnome-shell when clicking top bar controls
  - can't reproduce anymore, unsure why
- [X] figure out how to handle chromium/electron crash/conflict
  - can't reproduce anymore, only happens on fast path
- [X] figure out if it is possible to use the real underlying functions for better per-arch performance
  - dlsym doesn't seem to work with all programs such as mutter-x11-frames
    - can't reproduce anymore
  - this doesn't necessarily pull from libc, but can pull from other libraries
    - it feels unsafe
It is stable in my testing but more real world testing would be nice.
In the past I’d ask this in one of my chat rooms, but I closed those months ago.
You can either patch and compile it yourself or use my Fedora prebuilts (Arch is available if you compile yourself):
Unofficial micro-architecture optimized hardened_malloc package
12 Likes
What is the goal with this one? What would this be used for?
To mitigate some buffer overflows.
Microsoft had some numbers when they made it:

> We did some analysis of the Microsoft Security Response Center data to look at the out-of-bounds heap corruption, and found a common culprit: `memcpy`. Of the OOB writes that were categorised as leading to remote code execution (RCE), 1/3 of them had a block copy operation like `memcpy` as the initial source of corruption. This makes any mitigation to `memcpy` extremely high-value.
MTE can mitigate them already, but not all devices have it, especially x86, which is my use case. The slab canaries can maybe detect it, but only after the corruption has happened. This can catch them before they happen.
This isn’t something that’d be shipped in GrapheneOS, because that is better done integrated directly into bionic.
3 Likes
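As an added illustration of the object-size check described above (this is not code from hardened_malloc or the PR; the registry and `toy_malloc` are stand-ins for the allocator's own object lookup), a `memcpy` wrapper that refuses a copy when the length exceeds the bytes remaining between the pointer and the end of its heap object, which is how an overflow gets caught before any byte is written:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed allocation registry standing in for the allocator's
 * per-object metadata (hardened_malloc's real lookup is not reproduced). */
#define MAX_OBJECTS 16
static struct { uintptr_t base; size_t size; } objects[MAX_OBJECTS];
static size_t n_objects;
static unsigned char arena[4096];
static size_t arena_used;

/* Simulated malloc: carve from a static arena and record base and size. */
void *toy_malloc(size_t size) {
    if (n_objects == MAX_OBJECTS || arena_used + size > sizeof arena) return NULL;
    void *p = arena + arena_used;
    objects[n_objects].base = (uintptr_t)p;
    objects[n_objects].size = size;
    n_objects++;
    arena_used += size;
    return p;
}

/* Bytes from p to the end of the object containing it. A pointer at the
 * object base gets the whole size (the cheap case); an interior pointer gets
 * the remainder. Pointers outside any tracked object (stack, globals) yield
 * SIZE_MAX so the wrapper does not reject memory the allocator cannot see. */
size_t remaining_size(const void *p) {
    uintptr_t a = (uintptr_t)p;
    for (size_t i = 0; i < n_objects; i++)
        if (a >= objects[i].base && a < objects[i].base + objects[i].size)
            return objects[i].base + objects[i].size - a;
    return SIZE_MAX;
}

/* Checked memcpy: copies nothing and returns false if n would run past the
 * end of the destination or source object. A real interposer would abort. */
bool checked_memcpy(void *dst, const void *src, size_t n) {
    if (n > remaining_size(dst) || n > remaining_size(src)) return false;
    memcpy(dst, src, n);
    return true;
}

/* Exercises the check on constructed objects; returns the number rejected. */
int demo(void) {
    unsigned char *dst = toy_malloc(16), *src = toy_malloc(32);
    int rejected = 0;
    memset(src, 'A', 32);
    if (!checked_memcpy(dst, src, 16)) rejected++;     /* fits exactly */
    if (!checked_memcpy(dst, src, 17)) rejected++;     /* one byte over: rejected */
    if (!checked_memcpy(dst + 8, src, 8)) rejected++;  /* interior pointer, fits */
    if (!checked_memcpy(dst + 8, src, 9)) rejected++;  /* interior, over: rejected */
    return rejected;
}

int main(void) { printf("rejected copies: %d\n", demo()); return 0; }
```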
@RoyalOughtness thoughts on making this available (for testing) in Secureblue?
3 Likes
To generate a secureblue test build for this, it should be as simple as forking secureblue and replacing this line with your repo’s link:
Once you have that built you can just paste in a ghcr link that folks can rebase their VMs to in order to test. Something like:
rpm-ostree rebase ostree-unverified-registry://ghcr.io/SkewedZeppelin/silverblue-main-hardened:sometag
1 Like