macOS: Shim all malloc zones.

base/allocator/allocator_interception_mac.mm

 // Copyright 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file contains all the logic necessary to intercept allocations on
 // macOS. "malloc zones" are an abstraction that allows the process to intercept
 // all malloc-related functions.  There is no good mechanism [short of
 // interposition] to determine new malloc zones are added, so there's no clean
 // mechanism to intercept all malloc zones. This file contains logic to
 // intercept the default and purgeable zones, which always exist. A cursory
@@ skipping 10 matching lines @@
 #import <Foundation/Foundation.h>
 #include <errno.h>
 #include <mach/mach.h>
 #include <mach/mach_vm.h>
 #import <objc/runtime.h>
 #include <stddef.h>
 
 #include <new>
 
 #include "base/allocator/allocator_shim.h"
+#include "base/allocator/allocator_shim_default_dispatch_to_mac_zoned_malloc.h"

[Primiano Tucci (use gerrit), 2017/02/22 12:25:39]

What is this for? We shouldn't have cyclic logical dependencies (shim depending
on interception_mac and viceversa). Honestly can't figure out why we have even
alloctator_shim.h above?
Would be great if this this file remains a lower level building block for the
shim and the dependency is only in the shim -> interception_mac direction

[erikchen, 2017/02/22 21:03:09]

whoops, unnecessary include.

 #include "base/allocator/features.h"
 #include "base/logging.h"
 #include "base/mac/mac_util.h"
 #include "base/mac/mach_logging.h"
 #include "base/process/memory.h"
 #include "base/scoped_clear_errno.h"
 #include "build/build_config.h"
 #include "third_party/apple_apsl/CFBase.h"
 
 namespace base {
 namespace allocator {
 
 bool g_replaced_default_zone = false;
 
-MallocZoneFunctions::MallocZoneFunctions() {}
-
 namespace {
 
 bool g_oom_killer_enabled;
 
 // Starting with Mac OS X 10.7, the zone allocators set up by the system are
 // read-only, to prevent them from being overwritten in an attack. However,
 // blindly unprotecting and reprotecting the zone allocators fails with
 // GuardMalloc because GuardMalloc sets up its zone allocator using a block of
 // memory in its bss. Explicit saving/restoring of the protection is required.
 //
@@ skipping 231 matching lines @@
   if (g_old_zone.calloc) {
     *result = g_old_zone.calloc(malloc_default_zone(), num_items, size);
   } else {
     *result = calloc(num_items, size);
   }
 #endif  // defined(ADDRESS_SANITIZER)
 
   return *result != NULL;
 }
 
-void StoreZoneFunctions(ChromeMallocZone* zone,
-                        MallocZoneFunctions* functions) {
-  functions->malloc = zone->malloc;
-  functions->calloc = zone->calloc;
-  functions->valloc = zone->valloc;
-  functions->free = zone->free;
-  functions->realloc = zone->realloc;
-  functions->size = zone->size;
-  CHECK(functions->malloc && functions->calloc && functions->valloc &&
-        functions->free && functions->realloc && functions->size);
-
-  // These functions might be nullptr.
-  functions->batch_malloc = zone->batch_malloc;
-  functions->batch_free = zone->batch_free;
-
-  if (zone->version >= 5) {
-    functions->memalign = zone->memalign;
-    CHECK(functions->memalign);
-  }
-  if (zone->version >= 6) {
-    // This may be nullptr.
-    functions->free_definite_size = zone->free_definite_size;
-  }
-}
-
 void ReplaceZoneFunctions(ChromeMallocZone* zone,
                           const MallocZoneFunctions* functions) {
   // Remove protection.
   mach_vm_address_t reprotection_start = 0;
   mach_vm_size_t reprotection_length = 0;
   vm_prot_t reprotection_value = VM_PROT_NONE;
   DeprotectMallocZone(zone, &reprotection_start, &reprotection_length,
                       &reprotection_value);
 
   CHECK(functions->malloc && functions->calloc && functions->valloc &&
@@ skipping 18 matching lines @@
 
   // Restore protection if it was active.
   if (reprotection_start) {
     kern_return_t result =
         mach_vm_protect(mach_task_self(), reprotection_start,
                         reprotection_length, false, reprotection_value);
     MACH_CHECK(result == KERN_SUCCESS, result) << "mach_vm_protect";
   }
 }
 
-void StoreFunctionsForDefaultZone(MallocZoneFunctions* functions) {
+void StoreFunctionsForDefaultZone(MallocZoneAggregator* aggregator) {
   ChromeMallocZone* default_zone = reinterpret_cast<ChromeMallocZone*>(
       malloc_default_zone());
-  StoreZoneFunctions(default_zone, functions);
+  aggregator->StoreZone(default_zone);
 }
 
-void ReplaceFunctionsForDefaultZone(const MallocZoneFunctions* functions) {
-  CHECK(!g_replaced_default_zone);
+void StoreFunctionsForAllZones(MallocZoneAggregator* aggregator) {
+  // This ensures that the default zone is always at the front of the
+  // aggregator, which is important for performance.
+  StoreFunctionsForDefaultZone(aggregator);
+
+  vm_address_t* zones;
+  unsigned int count;
+  kern_return_t kr = malloc_get_all_zones(mach_task_self(), 0, &zones, &count);
+  if (kr != KERN_SUCCESS)
+    return;
+  for (unsigned int i = 0; i < count; ++i) {
+    ChromeMallocZone* zone = reinterpret_cast<ChromeMallocZone*>(zones[i]);
+    aggregator->StoreZone(zone);
+  }
+}
+
+void ReplaceFunctionsForStoredZones(const MallocZoneFunctions* functions) {
+  vm_address_t* zones;
+  unsigned int count;
+  kern_return_t kr = malloc_get_all_zones(mach_task_self(), 0, &zones, &count);
+  if (kr != KERN_SUCCESS)
+    return;
+  for (unsigned int i = 0; i < count; ++i) {
+    ChromeMallocZone* zone = reinterpret_cast<ChromeMallocZone*>(zones[i]);
+    if (!MallocZoneAggregator::GetMallocZoneAggregator()->IsZoneAlreadyStored(
+            zone)) {
+      continue;
+    }
+    if (zone->malloc == functions->malloc)
+      continue;
+    ReplaceZoneFunctions(zone, functions);
+  }
   g_replaced_default_zone = true;
-#if !defined(ADDRESS_SANITIZER)
-  StoreFunctionsForDefaultZone(&g_old_zone);
-#endif
-  ChromeMallocZone* default_zone = reinterpret_cast<ChromeMallocZone*>(
-      malloc_default_zone());
-  ReplaceZoneFunctions(default_zone, functions);
 }
 
 void InterceptAllocationsMac() {
   if (g_oom_killer_enabled)
     return;
 
   g_oom_killer_enabled = true;
 
 // === C malloc/calloc/valloc/realloc/posix_memalign ===
 
 // This approach is not perfect, as requests for amounts of memory larger than
 // MALLOC_ABSOLUTE_MAX_SIZE (currently SIZE_T_MAX - (2 * PAGE_SIZE)) will
 // still fail with a NULL rather than dying (see
 // http://opensource.apple.com/source/Libc/Libc-583/gen/malloc.c for details).
 // Unfortunately, it's the best we can do. Also note that this does not affect
 // allocations from non-default zones.
 
 #if !defined(ADDRESS_SANITIZER)
   // Don't do anything special on OOM for the malloc zones replaced by
   // AddressSanitizer, as modifying or protecting them may not work correctly.
-  if (!g_replaced_default_zone) {
-    StoreFunctionsForDefaultZone(&g_old_zone);
+  ChromeMallocZone* default_zone =
+      reinterpret_cast<ChromeMallocZone*>(malloc_default_zone());
+  if (!MallocZoneAggregator::GetMallocZoneAggregator()->IsZoneAlreadyStored(
+          default_zone)) {
+    StoreZoneFunctions(default_zone, &g_old_zone);
     MallocZoneFunctions new_functions;
     new_functions.malloc = oom_killer_malloc;
     new_functions.calloc = oom_killer_calloc;
     new_functions.valloc = oom_killer_valloc;
     new_functions.free = oom_killer_free;
     new_functions.realloc = oom_killer_realloc;
     new_functions.memalign = oom_killer_memalign;
-    ReplaceFunctionsForDefaultZone(&new_functions);
+
+    ReplaceZoneFunctions(default_zone, &new_functions);
+    g_replaced_default_zone = true;
   }
 
   ChromeMallocZone* purgeable_zone =
       reinterpret_cast<ChromeMallocZone*>(malloc_default_purgeable_zone());
-  if (purgeable_zone) {
+  if (purgeable_zone &&
+      !MallocZoneAggregator::GetMallocZoneAggregator()->IsZoneAlreadyStored(
+          purgeable_zone)) {
     StoreZoneFunctions(purgeable_zone, &g_old_purgeable_zone);
     MallocZoneFunctions new_functions;
     new_functions.malloc = oom_killer_malloc_purgeable;
     new_functions.calloc = oom_killer_calloc_purgeable;
     new_functions.valloc = oom_killer_valloc_purgeable;
     new_functions.free = oom_killer_free_purgeable;
     new_functions.realloc = oom_killer_realloc_purgeable;
     new_functions.memalign = oom_killer_memalign_purgeable;
     ReplaceZoneFunctions(purgeable_zone, &new_functions);
   }
@@ skipping 71 matching lines @@
   g_old_allocWithZone =
       reinterpret_cast<allocWithZone_t>(method_getImplementation(orig_method));
   CHECK(g_old_allocWithZone)
       << "Failed to get allocWithZone allocation function.";
   method_setImplementation(orig_method,
                            reinterpret_cast<IMP>(oom_killer_allocWithZone));
 }
 
 }  // namespace allocator
 }  // namespace base