Bug 1446046 - Prevent pages from being recycled across arenas
Opened 7 years ago
Updated 2 years ago
Status: NEW (Open)
Categories: Core :: Memory Allocator, enhancement, P3
Tracking | Status
---|---
firefox61 | affected
People: Reporter: tjr, Unassigned
References: Blocks 2 open bugs
Details: Keywords: parity-chrome, sec-want
Bug 1402174 provided a way to allocate into different arenas. A concern is that an attacker can trigger an entire page's worth of data to be de-allocated, and eventually reused between partitions. This would allow bypassing the partition protection.
Comment 1 • 7 years ago
There is no useful data in a chunk by the time it's been recycled. The only risk would be in the face of UAF; is that what this is meant to guard against?
Comment 2 • 7 years ago (Reporter)
(In reply to Mike Hommey [:glandium] from comment #1)
> There is no useful data in a chunk by the time it's been recycled. The only
> risk would be in the face of UAF, is it what this is meant to guard against?
Yeah; one of the main goals of partitioning is to make exploiting UAFs more difficult, so reusing chunks between partitions would bring that back to the table.
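The concern raised in the description and confirmed in comment 2, as an added illustration that is not part of this bug or of mozjemalloc: a constructed model of a first-fit page allocator shared by two arenas. With a shared free-page pool, a page freed by arena 0 can be handed straight to arena 1 while a stale reference into it survives; the `pin_to_arena` flag models the requested mitigation of keeping freed pages bound to the arena that held them. Every name below (`allocator_t`, `alloc_page`, `stale_ref_crosses_arenas`) is an assumption of this model, not a real allocator API.

```c
#include <stdbool.h>
/* Constructed model of arena page recycling; not mozjemalloc's code. */
#define NPAGES 4
#define NO_OWNER (-1)
typedef struct {
    int  owner[NPAGES];  /* arena that last used the page, NO_OWNER if never used */
    bool in_use[NPAGES]; /* page currently handed out */
    bool pin_to_arena;   /* mitigation: a freed page only goes back to its own arena */
} allocator_t;

void alloc_init(allocator_t *a, bool pin_to_arena)
{
    for (int i = 0; i < NPAGES; i++) {
        a->owner[i] = NO_OWNER;
        a->in_use[i] = false;
    }
    a->pin_to_arena = pin_to_arena;
}

/* First-fit page allocation for `arena`; returns a page index or -1. */
int alloc_page(allocator_t *a, int arena)
{
    for (int i = 0; i < NPAGES; i++) {
        if (a->in_use[i])
            continue;
        /* With the mitigation, a page another arena once held is skipped. */
        if (a->pin_to_arena && a->owner[i] != NO_OWNER && a->owner[i] != arena)
            continue;
        a->owner[i] = arena;
        a->in_use[i] = true;
        return i;
    }
    return -1;
}

/* The owner tag is kept on free, so the page stays bound to its arena. */
void free_page(allocator_t *a, int page) { a->in_use[page] = false; }

/* Scenario from the bug: arena 0 frees a page while a stale (use-after-free)
 * reference to it survives, then arena 1 allocates. Returns true when the
 * stale reference now aliases arena 1's fresh page: the partition was crossed. */
bool stale_ref_crosses_arenas(bool pin_to_arena)
{
    allocator_t a;
    alloc_init(&a, pin_to_arena);
    int stale = alloc_page(&a, 0);
    free_page(&a, stale);
    return alloc_page(&a, 1) == stale;
}
```

Note that the mitigation still lets arena 0 reuse its own freed pages, so intra-arena UAFs are unchanged; only the cross-partition reuse the bug describes is closed.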
Updated • 5 years ago
Priority: -- → P3
Updated • 2 years ago
Severity: normal → S3