On Thu, 5 Mar 2020, Kees Cook wrote: > Instead of having the freelist pointer at the very beginning of an > allocation (offset 0) or at the very end of an allocation (effectively > offset -sizeof(void *) from the next allocation), move it away from > the edges of the allocation and into the middle. This provides some > protection against small-sized neighboring overflows (or underflows), > for which the freelist pointer is commonly the target. (Large or well > controlled overwrites are much more likely to attack live object contents, > instead of attempting freelist corruption.) Sounds good. You could even randomize the position to avoid attacks on via the freelist pointer. Acked-by: Christoph Lameter <cl@xxxxxxxxx>
