OLD | NEW |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
| 5 #include <fcntl.h> |
5 #include <stdio.h> | 6 #include <stdio.h> |
6 #include <stdlib.h> | 7 #include <stdlib.h> |
7 #include <string.h> | 8 #include <string.h> |
| 9 #include <sys/stat.h> |
| 10 #include <sys/types.h> |
8 | 11 |
9 #include <algorithm> | 12 #include <algorithm> |
10 #include <limits> | 13 #include <limits> |
11 | 14 |
| 15 #include "base/file_util.h" |
12 #include "base/logging.h" | 16 #include "base/logging.h" |
13 #include "base/memory/scoped_ptr.h" | 17 #include "base/memory/scoped_ptr.h" |
14 #include "testing/gtest/include/gtest/gtest.h" | 18 #include "testing/gtest/include/gtest/gtest.h" |
15 | 19 |
16 using std::nothrow; | 20 using std::nothrow; |
17 | 21 |
18 namespace { | 22 namespace { |
19 | 23 |
20 // Check that we can not allocate a memory range that cannot be indexed | 24 // Check that we can not allocate a memory range that cannot be indexed |
21 // via an int. This is used to mitigate vulnerabilities in libraries that use | 25 // via an int. This is used to mitigate vulnerabilities in libraries that use |
(...skipping 71 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
93 } | 97 } |
94 } | 98 } |
95 | 99 |
96 TEST(SecurityTest, ALLOC_TEST(MemoryAllocationRestrictionsNewArray)) { | 100 TEST(SecurityTest, ALLOC_TEST(MemoryAllocationRestrictionsNewArray)) { |
97 if (!IsTcMallocBypassed()) { | 101 if (!IsTcMallocBypassed()) { |
98 scoped_ptr<char[]> ptr(new (nothrow) char[kTooBigAllocSize]); | 102 scoped_ptr<char[]> ptr(new (nothrow) char[kTooBigAllocSize]); |
99 ASSERT_TRUE(ptr == NULL); | 103 ASSERT_TRUE(ptr == NULL); |
100 } | 104 } |
101 } | 105 } |
102 | 106 |
| 107 #if (defined(OS_LINUX) || defined(OS_CHROMEOS)) && defined(__x86_64__) |
| 108 // Useful for debugging. |
| 109 void PrintProcSelfMaps() { |
| 110 int fd = open("/proc/self/maps", O_RDONLY); |
| 111 file_util::ScopedFD fd_closer(&fd); |
| 112 ASSERT_GE(fd, 0); |
| 113 char buffer[1<<13]; |
| 114 int ret; |
| 115 ret = read(fd, buffer, sizeof(buffer) - 1); |
| 116 ASSERT_GT(ret, 0); |
| 117 buffer[ret - 1] = 0; |
| 118 fprintf(stdout, "%s\n", buffer); |
| 119 } |
| 120 |
| 121 // Check if TCMalloc uses an underlying random memory allocator. |
| 122 TEST(SecurityTest, ALLOC_TEST(RandomMemoryAllocations)) { |
| 123 if (IsTcMallocBypassed()) |
| 124 return; |
| 125 // Two successsive calls to mmap() have roughly one chance out of 2^6 to |
| 126 // have the same two high order nibbles, which is what we are looking at in |
| 127 // this test. (In the implementation, we mask these two nibbles with 0x3f, |
| 128 // hence the 6 bits). |
| 129 // With 32 allocations, we see ~16 that end-up in different buckets (i.e. |
| 130 // zones mapped via mmap(), so the chances of this test flaking is roughly |
| 131 // 2^-(6*15). |
| 132 const int kAllocNumber = 32; |
| 133 // Make kAllocNumber successive allocations of growing size and compare the |
| 134 // successive pointers to detect adjacent mappings. We grow the size because |
| 135 // TCMalloc can sometimes over-allocate. |
| 136 scoped_ptr<char, base::FreeDeleter> ptr[kAllocNumber]; |
| 137 for (int i = 0; i < kAllocNumber; ++i) { |
| 138 // Grow the Malloc size slightly sub-exponentially. |
| 139 const size_t kMallocSize = 1 << (12 + (i>>1)); |
| 140 ptr[i].reset(static_cast<char*>(malloc(kMallocSize))); |
| 141 ASSERT_TRUE(ptr[i] != NULL); |
| 142 if (i > 0) { |
| 143 // Without mmap randomization, the two high order nibbles |
| 144 // of a 47 bits userland address address will be identical. |
| 145 // We're only watching the 6 bits that we actually do touch |
| 146 // in our implementation. |
| 147 const uintptr_t kHighOrderMask = 0x3f0000000000ULL; |
| 148 bool pointer_have_same_high_order = |
| 149 (reinterpret_cast<size_t>(ptr[i].get()) & kHighOrderMask) == |
| 150 (reinterpret_cast<size_t>(ptr[i - 1].get()) & kHighOrderMask); |
| 151 if (!pointer_have_same_high_order) { |
| 152 // PrintProcSelfMaps(); |
| 153 return; // Test passes. |
| 154 } |
| 155 } |
| 156 } |
| 157 ASSERT_TRUE(false); // NOTREACHED(); |
| 158 } |
| 159 |
| 160 #endif // (defined(OS_LINUX) || defined(OS_CHROMEOS)) && defined(__x86_64__) |
| 161 |
103 } // namespace | 162 } // namespace |
OLD | NEW |