OOB protection of BRP


Bartek Nowierski

Jan 16, 2024, 11:24:53 PM
to memory-safety-dev, Bartek Nowierski, michae...@intel.com
Hi,

In the spirit of trying to do a better job communicating externally, I thought I'd share this little known fact about BRP here too...


BRP has a built-in OOB protection to ensure the algorithm integrity. Specifically, we must ensure that operators ++/--/+=/-= stay within the PA slot, and crash otherwise. Without it, an attacker could shift the pointer to the next slot, thus forever leaking the original slot and, worse, stripping BRP protection from the next slot when the pointer gets destructed.

We've extended this protection to operators +/-/[], not because BRP needs it, but because it was easy.

OOB_POISON_BIT (contribution from @michae...@intel.com) extends the protection further by poisoning pointers to the end of an allocation (or near the end of the allocation, less than sizeof(T) away). This is currently off by default.


Note that boundary detection is precise only for larger allocations (single-slot spans and direct map, so 64kB+ on most systems), where we can store allocation request size. For smaller allocations we approximate it with slot size (minus extras).

Note 2: even for larger allocations, we are helpless in cases like vector, where extra capacity can be allocated, but only a smaller size of this is available for use.


Cheers,
Bartek
