GitLab

One thing we can do to improve security of TBB is to build it with an alternate semi-hardened malloc implementation that attempts to randomize the allocation pattern and performs some minimal checks to guard against heap overflows an reference count issues in Firefox (perhaps by also enabling some additional reference count debugging features already in Firefox).

Such allocator behavior may make exploitation of various use-after-free vulnerabilities more difficult, as it would be harder to predict the location of reallocated regions during exploitation in order to get a target object to overlay an incorrectly freed object.

The downside is this will likely come at the performance costs of loss of locality, increased fragmentation, and additional overhead of reference count checks, but this may be an acceptable cost for improved hardening against exploits.

The first question is: are there any existing drop-in replacement memory allocators we can use in place of Firefox's current jemalloc implementation?

The second question is will any of the Firefox refcounting checks actually help, or will they just increase runtime for no real benefit?