Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(996)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: base/security_unittest.cc

Issue 11857007: TCMalloc: restrict maximum size of memory ranges (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Don't modify any system allocator, just GrowHeap. Created 7 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « base/base.gyp ('k') | third_party/tcmalloc/chromium/src/common.h » ('j') | third_party/tcmalloc/chromium/src/page_heap.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <algorithm>
6 #include <limits>
7
8 #include "base/logging.h"
9 #include "base/memory/scoped_ptr.h"
10 #include "testing/gtest/include/gtest/gtest.h"
11
12 namespace {
13
14 // TODO(jln): list instead the known cases that fail (ASAN etc), so that
15 // we can positively check that we support the cases we care about.
16 #if !defined(NO_TCMALLOC) && !defined(ADDRESS_SANITIZER)
17 #define MAYBE(function) function
18 #else
19 #define MAYBE(function) DISABLED_##function
20 #endif
21
22 // Check that we can not allocate a memory range that cannot be indexed
23 // via an int. This is used to mitigate vulnerabilities in libraries that use
24 // int instead of size_t.
25 // See crbug.com/169327.
26
27 // TODO(jln): make this a static constant when we switch to C++11.
28 size_t MaximumAllocSize() {
29 return std::numeric_limits<int>::max();
30 }
31
32 TEST(SecurityTest, MAYBE(MemoryAllocationRestrictionsOneAlloc)) {
33 scoped_ptr<char, base::FreeDeleter>
34 ptr(static_cast<char*>(malloc(MaximumAllocSize())));
35 ASSERT_TRUE(ptr == NULL);
36 }
37
38 // This would be a test for a much stricter restriction preventing a contiguous
39 // memory area of size MaximumAllocSize to be allocated via malloc.
40 // Implementing this requires more effort and the test is disabled.
41 TEST(SecurityTest, DISABLED_MemoryAllocationRestrictionsStepped) {
42 const int kAllocNumber = 8;
43 const size_t kSteppedAllocSize = MaximumAllocSize() / kAllocNumber;
44 // Allow 1/32th for MetaData and padding.
45 const size_t kExpectedExtra = kSteppedAllocSize >> 5;
46
47 bool is_contiguous = true;
48 // Make kAllocNumber successive allocations and compare the successive
49 // pointers to detect adjacent mappings.
50 scoped_ptr<char, base::FreeDeleter> ptr[kAllocNumber];
51 for (int i = 0; i < kAllocNumber; ++i) {
52 ptr[i].reset(static_cast<char*>(malloc(kSteppedAllocSize)));
53 if (ptr[i] == NULL) {
54 is_contiguous = false;
55 break;
56 }
57 if (i > 0) {
58 size_t pointer_diff = static_cast<size_t>(
59 std::max(ptr[i].get(), ptr[i - 1].get()) -
60 std::min(ptr[i].get(), ptr[i - 1].get()));
61 if (pointer_diff > (kSteppedAllocSize + kExpectedExtra)) {
62 is_contiguous = false;
63 break;
64 }
65 }
66 }
67 ASSERT_FALSE(is_contiguous);
68 }
69
70 } // namespace
OLDNEW
« no previous file with comments | « base/base.gyp ('k') | third_party/tcmalloc/chromium/src/common.h » ('j') | third_party/tcmalloc/chromium/src/page_heap.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698