DeletedUser88: Why does a hardened memory allocator not catch memory corruptions caught by MTE?
In a sense MTE inserts a little program into every store operation, that looks like:
- If the tag bits of the pointer used for the store operation match the tag bits of the target memory word, take no action
- Otherwise, set a flag (or: if a different configuration is used, take an exception)
This change to the meaning of memory-store operations has the effect of rewriting all programs running on the processor so that the programs check every store operation, without actually rewriting any of them. In principle it would be possible to actually rewrite the programs, but for some programs the rewriting would break the program and for others it would slow the program down noticeably.
The hardened memory allocator does detect some mistakes that MTE detects, but it can't detect all of them without pointer coloring, and in addition the detection is inherently much later than with MTE; MTE thus helps developers zero in on the problem much faster.
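The "little program on every store" described above, as an added software model that is not code from the thread or from any real MTE or hardened_malloc implementation. It assumes a toy heap of 16-byte granules with a 4-bit tag per granule, a pointer tag carried in the top byte, and a simple bump allocator that colours each allocation (and re-colours it on free); a store only lands when the two tags agree. The last function contrasts this with an allocator-only canary, which lets every corrupting write through and only notices at free time.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed model parameters (constructed for this example). */
#define GRANULE   16
#define HEAP_BYTES 1024
#define NGRANULES (HEAP_BYTES / GRANULE)
#define TAG_SHIFT 56
#define TAG_MASK  0xFULL

static uint8_t heap[HEAP_BYTES];
static uint8_t mem_tag[NGRANULES];        /* the "memory tag" of each granule */
static size_t  alloc_granules[NGRANULES]; /* size of an allocation, kept at its first granule */
static size_t  next_granule;
static uint8_t next_tag;
int tag_faults;                           /* the "flag" set on every mismatch */

void mte_reset(void) {
    memset(heap, 0, sizeof heap);
    memset(mem_tag, 0, sizeof mem_tag);
    memset(alloc_granules, 0, sizeof alloc_granules);
    next_granule = 0;
    next_tag = 1;
    tag_faults = 0;
}

static uint8_t   ptr_tag(uintptr_t p)  { return (uint8_t)((p >> TAG_SHIFT) & TAG_MASK); }
static uintptr_t ptr_addr(uintptr_t p) { return p & ~(TAG_MASK << TAG_SHIFT); }

/* Cycle through tags 1..15; tag 0 is reserved for never-allocated memory. */
static uint8_t fresh_tag(void) {
    uint8_t t = next_tag;
    next_tag = (uint8_t)(next_tag % 15 + 1);
    return t;
}

/* Bump allocator: colour the granules, return a pointer carrying the colour. */
uintptr_t mte_alloc(size_t bytes) {
    size_t n = (bytes + GRANULE - 1) / GRANULE;
    if (n == 0 || next_granule + n > NGRANULES) return 0;
    uint8_t tag = fresh_tag();
    for (size_t i = 0; i < n; i++) mem_tag[next_granule + i] = tag;
    alloc_granules[next_granule] = n;
    uintptr_t addr = (uintptr_t)next_granule * GRANULE;
    next_granule += n;
    return addr | ((uintptr_t)tag << TAG_SHIFT);
}

/* Free re-colours the granules so any stale (dangling) pointer stops matching. */
void mte_free(uintptr_t p) {
    size_t g = ptr_addr(p) / GRANULE;
    size_t n = alloc_granules[g];
    uint8_t old = mem_tag[g], tag;
    do { tag = fresh_tag(); } while (tag == old);
    for (size_t i = 0; i < n; i++) mem_tag[g + i] = tag;
    alloc_granules[g] = 0;
}

/* The check inserted into every store: compare tags, store only on a match. */
bool mte_store(uintptr_t p, uint8_t value) {
    uintptr_t a = ptr_addr(p);
    if (a >= HEAP_BYTES || ptr_tag(p) != mem_tag[a / GRANULE]) {
        tag_faults++;
        return false;
    }
    heap[a] = value;
    return true;
}

/* Linear overflow: the first store that crosses into the neighbour's granule is
   caught immediately. Returns the number of rejected stores (4 of 20). */
int demo_overflow(void) {
    mte_reset();
    uintptr_t a = mte_alloc(16);
    uintptr_t b = mte_alloc(16);   /* neighbour, coloured with a different tag */
    (void)b;
    int caught = 0;
    for (size_t i = 0; i < 20; i++)
        if (!mte_store(a + i, 0x41)) caught++;
    return caught;
}

/* Use after free: the stale pointer keeps the old colour and is rejected (returns 1). */
int demo_uaf(void) {
    mte_reset();
    uintptr_t a = mte_alloc(32);
    mte_free(a);
    return mte_store(a, 0x42) ? 0 : 1;
}

/* Allocator-only contrast: a canary after the object is checked only at free time,
   so all 17 writes land first. Returns how many stores went through before detection. */
#define CANARY 0xC5
int demo_canary_late(void) {
    uint8_t obj[16 + 1];           /* 16-byte object followed by one canary byte */
    obj[16] = CANARY;
    int stores_allowed = 0;
    for (size_t i = 0; i < 17; i++) { obj[i] = 0x41; stores_allowed++; }
    bool detected_at_free = obj[16] != CANARY;
    return detected_at_free ? stores_allowed : -1;
}

int main(void) {
    printf("overflow stores rejected: %d\n", demo_overflow());
    printf("use-after-free rejected:  %d\n", demo_uaf());
    printf("canary: writes before detection: %d\n", demo_canary_late());
    return 0;
}
```

The two MTE demos report the fault on the offending store itself, with the faulting pointer in hand; the canary demo reports it only once free runs, by which point every write has already landed and the offending code is long gone. That gap is what the answer means by detection being "inherently much later".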