зеркало из https://github.com/mozilla/gecko-dev.git
0b01745031
This allows freelist randomization on a per-arena basis, by supplying parameters to arena creation. It uses an xorshift PRNG with a 128-bit state. It is not cryptographically secure. An attacker who can observe outputs of the RNG, or read its state, is already in a position to bypass the randomization applied. At the same time we make its state 128 bit to prevent a trivial bypass if one or two outputs are observed. The way a run selects masks to check has not been modified, so the randomization is limited to at most 32 bits in the current mask being tested. It should be noted that while allocations from the same run may now be non deterministic (up to the maximum entropy as previously stated), an attacker who can perform multiple allocations will still be able to allocate a targeted free region (for example while exploiting a use after free vulnerability in the DOM). Non deterministic allocations will only impede an attacker who has less control over how they allocate a targeted free region, and may provide some benefit during exploitation of a heap based buffer overflow vulnerability where the attacker wishes to construct a precise layout of regions pre overflow. Differential Revision: https://phabricator.services.mozilla.com/D32219 --HG-- extra : moz-landing-system : lando |
||
|---|---|---|
| .. | ||
| Makefile.in | ||
| Mutex.h | ||
| Utils.h | ||
| fallback.cpp | ||
| malloc_decls.h | ||
| moz.build | ||
| mozjemalloc.cpp | ||
| mozjemalloc.h | ||
| mozjemalloc_types.h | ||
| mozmemory.h | ||
| mozmemory_wrap.cpp | ||
| mozmemory_wrap.h | ||
| rb.h | ||
| replace_malloc.h | ||
| replace_malloc_bridge.h | ||
| zone.c | ||