From: Florian Weimer <fweimer@redhat.com>
To: Carlos O'Donell via Libc-alpha <libc-alpha@sourceware.org>
Subject: Re: RFC: malloc and secure memory.
Date: Fri, 25 Sep 2020 08:39:13 +0200 [thread overview]
Message-ID: <874knmicmm.fsf@oldenburg2.str.redhat.com> (raw)
In-Reply-To: <58adb753-aecf-d367-6dbe-bb475c4c4d2c@redhat.com> (Carlos O'Donell via Libc-alpha's message of "Thu, 24 Sep 2020 16:56:59 -0400")
* Carlos O'Donell via Libc-alpha:
> I wonder if we can't do this in some generic way:
>
> - Make arenas a first class construct.
>
> /* Get arena with special properties. */
> malloc_arena *secure_arena = NULL;
> /* Get a handle to an arena that has secure heaps. If glibc can make this
> kind of arena and heap then it does, otherwise it returns NULL. */
> secure_arena = malloc_arena_get (HEAP_SECURE);
> /* Does this glibc support his kind of arena? */
> if (secure_arena == NULL)
> abort();
>
> - Bind the malloc call site to a specific arena with specific properties.
>
> For example:
>
> /* malloc_arena takes an opaque arena pointer that is a global
> variable that the implementation provides, a function pointer
> the memory allocator routine e.g. malloc, and a size. */
> password_storage = malloc_arena (secure_arena, malloc, size);
> ...
> /* Completely different TU, or scope... */
> free (password_storage);
How is this going to work with existing out-of-tree mallocs? Do you
want them all to change? Why would these implementations want to add
the overhead to support memory they have not allocated? How would they
discover the actual implementation of free to call?
If we want to add new allocator interfaces, they need to have completely
separate names, and should follow an existing, well-understood design
(e.g., the APR pool interfaces, libtalloc with its pointers-as-pools,
the Windows 2.x heap interfaces with its handles).
Thanks,
Florian
--
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
next prev parent reply other threads:[~2020-09-25 6:39 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-24 20:56 Carlos O'Donell
2020-09-25 6:39 ` Florian Weimer [this message]
2020-09-25 16:10 ` Carlos O'Donell
2020-09-25 23:39 ` Stefan O'Rear
2020-09-27 12:39 ` Carlos O'Donell
2020-09-26 17:07 ` Rich Felker
2020-09-27 14:04 ` Carlos O'Donell
2020-09-27 20:29 ` Florian Weimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=874knmicmm.fsf@oldenburg2.str.redhat.com \
--to=fweimer@redhat.com \
--cc=libc-alpha@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).