OLD | NEW |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <fcntl.h> | 5 #include <fcntl.h> |
6 #include <stdio.h> | 6 #include <stdio.h> |
7 #include <stdlib.h> | 7 #include <stdlib.h> |
8 #include <string.h> | 8 #include <string.h> |
9 #include <sys/stat.h> | 9 #include <sys/stat.h> |
10 #include <sys/types.h> | 10 #include <sys/types.h> |
11 | 11 |
12 #include <algorithm> | 12 #include <algorithm> |
13 #include <limits> | 13 #include <limits> |
14 | 14 |
15 #include "base/files/file_util.h" | 15 #include "base/files/file_util.h" |
16 #include "base/logging.h" | 16 #include "base/logging.h" |
17 #include "base/memory/scoped_ptr.h" | 17 #include "base/memory/scoped_ptr.h" |
18 #include "build/build_config.h" | 18 #include "build/build_config.h" |
19 #include "testing/gtest/include/gtest/gtest.h" | 19 #include "testing/gtest/include/gtest/gtest.h" |
20 | 20 |
21 #if defined(OS_POSIX) | 21 #if defined(OS_POSIX) |
22 #include <sys/mman.h> | 22 #include <sys/mman.h> |
23 #include <unistd.h> | 23 #include <unistd.h> |
24 #endif | 24 #endif |
25 | 25 |
| 26 #if defined(OS_WIN) |
| 27 #include <new.h> |
| 28 #endif |
| 29 |
26 using std::nothrow; | 30 using std::nothrow; |
27 using std::numeric_limits; | 31 using std::numeric_limits; |
28 | 32 |
29 namespace { | 33 namespace { |
30 | 34 |
| 35 #if defined(OS_WIN) |
| 36 // This is a permitted size but exhausts memory pretty quickly. |
| 37 const size_t kLargePermittedAllocation = 0x7FFFE000; |
| 38 |
| 39 int OnNoMemory(size_t) { |
| 40 _exit(1); |
| 41 } |
| 42 |
| 43 void ExhaustMemoryWithMalloc() { |
| 44 for (;;) { |
| 45 void* buf = malloc(kLargePermittedAllocation); |
| 46 if (!buf) |
| 47 break; |
| 48 } |
| 49 } |
| 50 |
| 51 void ExhaustMemoryWithRealloc() { |
| 52 size_t size = kLargePermittedAllocation; |
| 53 void* buf = malloc(size); |
| 54 if (!buf) |
| 55 return; |
| 56 for (;;) { |
| 57 size += kLargePermittedAllocation; |
| 58 void* new_buf = realloc(buf, size); |
| 59 if (!buf) |
| 60 break; |
| 61 buf = new_buf; |
| 62 } |
| 63 } |
| 64 #endif |
| 65 |
31 // This function acts as a compiler optimization barrier. We use it to | 66 // This function acts as a compiler optimization barrier. We use it to |
32 // prevent the compiler from making an expression a compile-time constant. | 67 // prevent the compiler from making an expression a compile-time constant. |
33 // We also use it so that the compiler doesn't discard certain return values | 68 // We also use it so that the compiler doesn't discard certain return values |
34 // as something we don't need (see the comment with calloc below). | 69 // as something we don't need (see the comment with calloc below). |
35 template <typename Type> | 70 template <typename Type> |
36 Type HideValueFromCompiler(volatile Type value) { | 71 Type HideValueFromCompiler(volatile Type value) { |
37 #if defined(__GNUC__) | 72 #if defined(__GNUC__) |
38 // In a GCC compatible compiler (GCC or Clang), make this compiler barrier | 73 // In a GCC compatible compiler (GCC or Clang), make this compiler barrier |
39 // more robust than merely using "volatile". | 74 // more robust than merely using "volatile". |
40 __asm__ volatile ("" : "+r" (value)); | 75 __asm__ volatile ("" : "+r" (value)); |
41 #endif // __GNUC__ | 76 #endif // __GNUC__ |
42 return value; | 77 return value; |
43 } | 78 } |
44 | 79 |
| 80 // Tcmalloc and Windows allocator shim support setting malloc limits. |
45 // - NO_TCMALLOC (should be defined if compiled with use_allocator!="tcmalloc") | 81 // - NO_TCMALLOC (should be defined if compiled with use_allocator!="tcmalloc") |
46 // - ADDRESS_SANITIZER and SYZYASAN because they have their own memory allocator | 82 // - ADDRESS_SANITIZER and SYZYASAN because they have their own memory allocator |
47 // - IOS does not use tcmalloc | 83 // - IOS does not use tcmalloc |
48 // - OS_MACOSX does not use tcmalloc | 84 // - OS_MACOSX does not use tcmalloc |
49 #if !defined(NO_TCMALLOC) && !defined(ADDRESS_SANITIZER) && \ | 85 // - Windows allocator shim defines ALLOCATOR_SHIM |
50 !defined(OS_IOS) && !defined(OS_MACOSX) && !defined(SYZYASAN) | 86 #if (!defined(NO_TCMALLOC) || defined(ALLOCATOR_SHIM)) && \ |
51 #define TCMALLOC_TEST(function) function | 87 !defined(ADDRESS_SANITIZER) && !defined(OS_IOS) && !defined(OS_MACOSX) && \ |
| 88 !defined(SYZYASAN) |
| 89 #define MALLOC_OVERFLOW_TEST(function) function |
52 #else | 90 #else |
53 #define TCMALLOC_TEST(function) DISABLED_##function | 91 #define MALLOC_OVERFLOW_TEST(function) DISABLED_##function |
54 #endif | 92 #endif |
55 | 93 |
56 // TODO(jln): switch to std::numeric_limits<int>::max() when we switch to | 94 // TODO(jln): switch to std::numeric_limits<int>::max() when we switch to |
57 // C++11. | 95 // C++11. |
58 const size_t kTooBigAllocSize = INT_MAX; | 96 const size_t kTooBigAllocSize = INT_MAX; |
59 | 97 |
60 // Detect runtime TCMalloc bypasses. | 98 // Detect runtime TCMalloc bypasses. |
61 bool IsTcMallocBypassed() { | 99 bool IsTcMallocBypassed() { |
62 #if defined(OS_LINUX) | 100 #if defined(OS_LINUX) |
63 // This should detect a TCMalloc bypass from Valgrind. | 101 // This should detect a TCMalloc bypass from Valgrind. |
64 char* g_slice = getenv("G_SLICE"); | 102 char* g_slice = getenv("G_SLICE"); |
65 if (g_slice && !strcmp(g_slice, "always-malloc")) | 103 if (g_slice && !strcmp(g_slice, "always-malloc")) |
66 return true; | 104 return true; |
67 #elif defined(OS_WIN) | |
68 // This should detect a TCMalloc bypass from setting | |
69 // the CHROME_ALLOCATOR environment variable. | |
70 char* allocator = getenv("CHROME_ALLOCATOR"); | |
71 if (allocator && strcmp(allocator, "tcmalloc")) | |
72 return true; | |
73 #endif | 105 #endif |
74 return false; | 106 return false; |
75 } | 107 } |
76 | 108 |
77 bool CallocDiesOnOOM() { | 109 bool CallocDiesOnOOM() { |
78 // The sanitizers' calloc dies on OOM instead of returning NULL. | 110 // The sanitizers' calloc dies on OOM instead of returning NULL. |
79 // The wrapper function in base/process_util_linux.cc that is used when we | 111 // The wrapper function in base/process_util_linux.cc that is used when we |
80 // compile without TCMalloc will just die on OOM instead of returning NULL. | 112 // compile without TCMalloc will just die on OOM instead of returning NULL. |
81 #if defined(ADDRESS_SANITIZER) || \ | 113 #if defined(ADDRESS_SANITIZER) || \ |
82 defined(MEMORY_SANITIZER) || \ | 114 defined(MEMORY_SANITIZER) || \ |
83 defined(THREAD_SANITIZER) || \ | 115 defined(THREAD_SANITIZER) || \ |
84 (defined(OS_LINUX) && defined(NO_TCMALLOC)) | 116 (defined(OS_LINUX) && defined(NO_TCMALLOC)) |
85 return true; | 117 return true; |
86 #else | 118 #else |
87 return false; | 119 return false; |
88 #endif | 120 #endif |
89 } | 121 } |
90 | 122 |
91 // Fake test that allow to know the state of TCMalloc by looking at bots. | 123 // Fake test that allow to know the state of TCMalloc by looking at bots. |
92 TEST(SecurityTest, TCMALLOC_TEST(IsTCMallocDynamicallyBypassed)) { | 124 TEST(SecurityTest, MALLOC_OVERFLOW_TEST(IsTCMallocDynamicallyBypassed)) { |
93 printf("Malloc is dynamically bypassed: %s\n", | 125 printf("Malloc is dynamically bypassed: %s\n", |
94 IsTcMallocBypassed() ? "yes." : "no."); | 126 IsTcMallocBypassed() ? "yes." : "no."); |
95 } | 127 } |
96 | 128 |
97 // The MemoryAllocationRestrictions* tests test that we can not allocate a | 129 // The MemoryAllocationRestrictions* tests test that we can not allocate a |
98 // memory range that cannot be indexed via an int. This is used to mitigate | 130 // memory range that cannot be indexed via an int. This is used to mitigate |
99 // vulnerabilities in libraries that use int instead of size_t. See | 131 // vulnerabilities in libraries that use int instead of size_t. See |
100 // crbug.com/169327. | 132 // crbug.com/169327. |
101 | 133 |
102 TEST(SecurityTest, TCMALLOC_TEST(MemoryAllocationRestrictionsMalloc)) { | 134 TEST(SecurityTest, MALLOC_OVERFLOW_TEST(MemoryAllocationRestrictionsMalloc)) { |
103 if (!IsTcMallocBypassed()) { | 135 if (!IsTcMallocBypassed()) { |
104 scoped_ptr<char, base::FreeDeleter> ptr(static_cast<char*>( | 136 scoped_ptr<char, base::FreeDeleter> ptr(static_cast<char*>( |
105 HideValueFromCompiler(malloc(kTooBigAllocSize)))); | 137 HideValueFromCompiler(malloc(kTooBigAllocSize)))); |
106 ASSERT_TRUE(!ptr); | 138 ASSERT_TRUE(!ptr); |
107 } | 139 } |
108 } | 140 } |
109 | 141 |
110 TEST(SecurityTest, TCMALLOC_TEST(MemoryAllocationRestrictionsCalloc)) { | 142 #if defined(GTEST_HAS_DEATH_TEST) && defined(OS_WIN) |
| 143 TEST(SecurityTest, MALLOC_OVERFLOW_TEST(MemoryAllocationMallocDeathTest)) { |
| 144 _set_new_handler(&OnNoMemory); |
| 145 _set_new_mode(1); |
| 146 { |
| 147 scoped_ptr<char, base::FreeDeleter> ptr; |
| 148 EXPECT_DEATH(ptr.reset(static_cast<char*>( |
| 149 HideValueFromCompiler(malloc(kTooBigAllocSize)))), |
| 150 ""); |
| 151 ASSERT_TRUE(!ptr); |
| 152 } |
| 153 _set_new_handler(NULL); |
| 154 _set_new_mode(0); |
| 155 } |
| 156 |
| 157 TEST(SecurityTest, MALLOC_OVERFLOW_TEST(MemoryAllocationExhaustDeathTest)) { |
| 158 _set_new_handler(&OnNoMemory); |
| 159 _set_new_mode(1); |
| 160 { |
| 161 ASSERT_DEATH(ExhaustMemoryWithMalloc(), ""); |
| 162 } |
| 163 _set_new_handler(NULL); |
| 164 _set_new_mode(0); |
| 165 } |
| 166 |
| 167 TEST(SecurityTest, MALLOC_OVERFLOW_TEST(MemoryReallocationExhaustDeathTest)) { |
| 168 _set_new_handler(&OnNoMemory); |
| 169 _set_new_mode(1); |
| 170 { |
| 171 ASSERT_DEATH(ExhaustMemoryWithRealloc(), ""); |
| 172 } |
| 173 _set_new_handler(NULL); |
| 174 _set_new_mode(0); |
| 175 } |
| 176 #endif |
| 177 |
| 178 TEST(SecurityTest, MALLOC_OVERFLOW_TEST(MemoryAllocationRestrictionsCalloc)) { |
111 if (!IsTcMallocBypassed()) { | 179 if (!IsTcMallocBypassed()) { |
112 scoped_ptr<char, base::FreeDeleter> ptr(static_cast<char*>( | 180 scoped_ptr<char, base::FreeDeleter> ptr(static_cast<char*>( |
113 HideValueFromCompiler(calloc(kTooBigAllocSize, 1)))); | 181 HideValueFromCompiler(calloc(kTooBigAllocSize, 1)))); |
114 ASSERT_TRUE(!ptr); | 182 ASSERT_TRUE(!ptr); |
115 } | 183 } |
116 } | 184 } |
117 | 185 |
118 TEST(SecurityTest, TCMALLOC_TEST(MemoryAllocationRestrictionsRealloc)) { | 186 TEST(SecurityTest, MALLOC_OVERFLOW_TEST(MemoryAllocationRestrictionsRealloc)) { |
119 if (!IsTcMallocBypassed()) { | 187 if (!IsTcMallocBypassed()) { |
120 char* orig_ptr = static_cast<char*>(malloc(1)); | 188 char* orig_ptr = static_cast<char*>(malloc(1)); |
121 ASSERT_TRUE(orig_ptr); | 189 ASSERT_TRUE(orig_ptr); |
122 scoped_ptr<char, base::FreeDeleter> ptr(static_cast<char*>( | 190 scoped_ptr<char, base::FreeDeleter> ptr(static_cast<char*>( |
123 HideValueFromCompiler(realloc(orig_ptr, kTooBigAllocSize)))); | 191 HideValueFromCompiler(realloc(orig_ptr, kTooBigAllocSize)))); |
124 ASSERT_TRUE(!ptr); | 192 ASSERT_TRUE(!ptr); |
125 // If realloc() did not succeed, we need to free orig_ptr. | 193 // If realloc() did not succeed, we need to free orig_ptr. |
126 free(orig_ptr); | 194 free(orig_ptr); |
127 } | 195 } |
128 } | 196 } |
129 | 197 |
130 typedef struct { | 198 typedef struct { |
131 char large_array[kTooBigAllocSize]; | 199 char large_array[kTooBigAllocSize]; |
132 } VeryLargeStruct; | 200 } VeryLargeStruct; |
133 | 201 |
134 TEST(SecurityTest, TCMALLOC_TEST(MemoryAllocationRestrictionsNew)) { | 202 TEST(SecurityTest, MALLOC_OVERFLOW_TEST(MemoryAllocationRestrictionsNew)) { |
135 if (!IsTcMallocBypassed()) { | 203 if (!IsTcMallocBypassed()) { |
136 scoped_ptr<VeryLargeStruct> ptr( | 204 scoped_ptr<VeryLargeStruct> ptr( |
137 HideValueFromCompiler(new (nothrow) VeryLargeStruct)); | 205 HideValueFromCompiler(new (nothrow) VeryLargeStruct)); |
138 ASSERT_TRUE(!ptr); | 206 ASSERT_TRUE(!ptr); |
139 } | 207 } |
140 } | 208 } |
141 | 209 |
142 TEST(SecurityTest, TCMALLOC_TEST(MemoryAllocationRestrictionsNewArray)) { | 210 #if defined(GTEST_HAS_DEATH_TEST) && defined(OS_WIN) |
| 211 TEST(SecurityTest, MALLOC_OVERFLOW_TEST(MemoryAllocationNewDeathTest)) { |
| 212 _set_new_handler(&OnNoMemory); |
| 213 { |
| 214 scoped_ptr<VeryLargeStruct> ptr; |
| 215 EXPECT_DEATH( |
| 216 ptr.reset(HideValueFromCompiler(new (nothrow) VeryLargeStruct)), ""); |
| 217 ASSERT_TRUE(!ptr); |
| 218 } |
| 219 _set_new_handler(NULL); |
| 220 } |
| 221 #endif |
| 222 |
| 223 TEST(SecurityTest, MALLOC_OVERFLOW_TEST(MemoryAllocationRestrictionsNewArray)) { |
143 if (!IsTcMallocBypassed()) { | 224 if (!IsTcMallocBypassed()) { |
144 scoped_ptr<char[]> ptr( | 225 scoped_ptr<char[]> ptr( |
145 HideValueFromCompiler(new (nothrow) char[kTooBigAllocSize])); | 226 HideValueFromCompiler(new (nothrow) char[kTooBigAllocSize])); |
146 ASSERT_TRUE(!ptr); | 227 ASSERT_TRUE(!ptr); |
147 } | 228 } |
148 } | 229 } |
149 | 230 |
150 // The tests bellow check for overflows in new[] and calloc(). | 231 // The tests bellow check for overflows in new[] and calloc(). |
151 | 232 |
152 // There are platforms where these tests are known to fail. We would like to | 233 // There are platforms where these tests are known to fail. We would like to |
(...skipping 82 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
235 | 316 |
236 #if defined(OS_LINUX) && defined(__x86_64__) | 317 #if defined(OS_LINUX) && defined(__x86_64__) |
237 // Check if ptr1 and ptr2 are separated by less than size chars. | 318 // Check if ptr1 and ptr2 are separated by less than size chars. |
238 bool ArePointersToSameArea(void* ptr1, void* ptr2, size_t size) { | 319 bool ArePointersToSameArea(void* ptr1, void* ptr2, size_t size) { |
239 ptrdiff_t ptr_diff = reinterpret_cast<char*>(std::max(ptr1, ptr2)) - | 320 ptrdiff_t ptr_diff = reinterpret_cast<char*>(std::max(ptr1, ptr2)) - |
240 reinterpret_cast<char*>(std::min(ptr1, ptr2)); | 321 reinterpret_cast<char*>(std::min(ptr1, ptr2)); |
241 return static_cast<size_t>(ptr_diff) <= size; | 322 return static_cast<size_t>(ptr_diff) <= size; |
242 } | 323 } |
243 | 324 |
244 // Check if TCMalloc uses an underlying random memory allocator. | 325 // Check if TCMalloc uses an underlying random memory allocator. |
245 TEST(SecurityTest, TCMALLOC_TEST(RandomMemoryAllocations)) { | 326 TEST(SecurityTest, MALLOC_OVERFLOW_TEST(RandomMemoryAllocations)) { |
246 if (IsTcMallocBypassed()) | 327 if (IsTcMallocBypassed()) |
247 return; | 328 return; |
248 size_t kPageSize = 4096; // We support x86_64 only. | 329 size_t kPageSize = 4096; // We support x86_64 only. |
249 // Check that malloc() returns an address that is neither the kernel's | 330 // Check that malloc() returns an address that is neither the kernel's |
250 // un-hinted mmap area, nor the current brk() area. The first malloc() may | 331 // un-hinted mmap area, nor the current brk() area. The first malloc() may |
251 // not be at a random address because TCMalloc will first exhaust any memory | 332 // not be at a random address because TCMalloc will first exhaust any memory |
252 // that it has allocated early on, before starting the sophisticated | 333 // that it has allocated early on, before starting the sophisticated |
253 // allocators. | 334 // allocators. |
254 void* default_mmap_heap_address = | 335 void* default_mmap_heap_address = |
255 mmap(0, kPageSize, PROT_READ|PROT_WRITE, | 336 mmap(0, kPageSize, PROT_READ|PROT_WRITE, |
(...skipping 29 matching lines...) Expand all Loading... |
285 // kRandomMask, so we use it as an additional detection mechanism. | 366 // kRandomMask, so we use it as an additional detection mechanism. |
286 const uintptr_t kRandomMask = 0x3fffffffffffULL; | 367 const uintptr_t kRandomMask = 0x3fffffffffffULL; |
287 bool impossible_random_address = | 368 bool impossible_random_address = |
288 reinterpret_cast<uintptr_t>(ptr.get()) & ~kRandomMask; | 369 reinterpret_cast<uintptr_t>(ptr.get()) & ~kRandomMask; |
289 EXPECT_FALSE(impossible_random_address); | 370 EXPECT_FALSE(impossible_random_address); |
290 } | 371 } |
291 | 372 |
292 #endif // defined(OS_LINUX) && defined(__x86_64__) | 373 #endif // defined(OS_LINUX) && defined(__x86_64__) |
293 | 374 |
294 } // namespace | 375 } // namespace |
OLD | NEW |