Switch from local random address generation to kernel ASLR

base/android/linker/linker_jni.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This is the Android-specific Chromium linker, a tiny shared library
 // implementing a custom dynamic linker that can be used to load the
 // real Chromium libraries (e.g. libcontentshell.so).
 
 // The main point of this linker is to be able to share the RELRO
 // section of libcontentshell.so (or equivalent) between the browser and
 // renderer process.
 
 // This source code *cannot* depend on anything from base/ or the C++
 // STL, to keep the final library small, and avoid ugly dependency issues.
 
 #include <android/log.h>
 #include <crazy_linker.h>
 #include <jni.h>
 #include <stdlib.h>
+#include <sys/mman.h>
 #include <unistd.h>
 
 // Set this to 1 to enable debug traces to the Android log.
 // Note that LOG() from "base/logging.h" cannot be used, since it is
 // in base/ which hasn't been loaded yet.
 #define DEBUG 0
 
 #define TAG "chromium_android_linker"
 
 #if DEBUG
@@ skipping 523 matching lines @@
            __FUNCTION__,
            lib_name.c_str());
 
   return true;
 }
 
 jboolean CanUseSharedRelro(JNIEnv* env, jclass clazz) {
   return crazy_system_can_share_relro();
 }
 
 jlong GetPageSize(JNIEnv* env, jclass clazz) {

[rmcilroy, 2014/08/14 13:19:07]

Ditto

[simonb (inactive), 2014/08/14 14:25:14]

Done.

   jlong result = static_cast<jlong>(sysconf(_SC_PAGESIZE));
   LOG_INFO("%s: System page size is %lld bytes\n", __FUNCTION__, result);
   return result;
 }
 
+jlong GetRandomBaseLoadAddress(JNIEnv* env, jclass clazz, jlong bytes) {
+  void* address =
+      mmap(NULL, bytes, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+  if (address == MAP_FAILED) {
+    LOG_INFO("%s: Random base load address not determinable\n", __FUNCTION__);
+    return 0;
+  }
+  munmap(address, bytes);
+  LOG_INFO("%s: Random base load address is %p\n", __FUNCTION__, address);
+  return static_cast<jlong>(reinterpret_cast<intptr_t>(address));
+}
+
 const JNINativeMethod kNativeMethods[] = {
     {"nativeLoadLibrary",
      "("
      "Ljava/lang/String;"
      "J"
      "Lorg/chromium/base/library_loader/Linker$LibInfo;"
      ")"
      "Z",
      reinterpret_cast<void*>(&LoadLibrary)},
     {"nativeLoadLibraryInZipFile",
@@ skipping 28 matching lines @@
      reinterpret_cast<void*>(&UseSharedRelro)},
     {"nativeCanUseSharedRelro",
      "("
      ")"
      "Z",
      reinterpret_cast<void*>(&CanUseSharedRelro)},
     {"nativeGetPageSize",
      "("
      ")"
      "J",
-     reinterpret_cast<void*>(&GetPageSize)}, };
+     reinterpret_cast<void*>(&GetPageSize)},
+    {"nativeGetRandomBaseLoadAddress",
+     "("
+     "J"
+     ")"
+     "J",
+     reinterpret_cast<void*>(&GetRandomBaseLoadAddress)}, };
 
 }  // namespace
 
 // JNI_OnLoad() hook called when the linker library is loaded through
 // the regular System.LoadLibrary) API. This shall save the Java VM
 // handle and initialize LibInfo fields.
 jint JNI_OnLoad(JavaVM* vm, void* reserved) {
   LOG_INFO("%s: Entering", __FUNCTION__);
   // Get new JNIEnv
   JNIEnv* env;
@@ skipping 30 matching lines @@
   crazy_context_t* context = GetCrazyContext();
   crazy_context_set_java_vm(context, vm, JNI_VERSION_1_4);
 
   // Register the function that the crazy linker can call to post code
   // for later execution.
   crazy_context_set_callback_poster(context, &PostForLaterExecution, NULL);
 
   LOG_INFO("%s: Done", __FUNCTION__);
   return JNI_VERSION_1_4;
 }