| OLD | NEW |
|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <fcntl.h> | 5 #include <fcntl.h> |
| 6 #include <new.h> |
| 6 #include <stdio.h> | 7 #include <stdio.h> |
| 7 #include <stdlib.h> | 8 #include <stdlib.h> |
| 8 #include <string.h> | 9 #include <string.h> |
| 9 #include <sys/stat.h> | 10 #include <sys/stat.h> |
| 10 #include <sys/types.h> | 11 #include <sys/types.h> |
| 11 | 12 |
| 12 #include <algorithm> | 13 #include <algorithm> |
| 13 #include <limits> | 14 #include <limits> |
| 14 | 15 |
| 15 #include "base/files/file_util.h" | 16 #include "base/files/file_util.h" |
| 16 #include "base/logging.h" | 17 #include "base/logging.h" |
| 17 #include "base/memory/scoped_ptr.h" | 18 #include "base/memory/scoped_ptr.h" |
| 18 #include "build/build_config.h" | 19 #include "build/build_config.h" |
| 19 #include "testing/gtest/include/gtest/gtest.h" | 20 #include "testing/gtest/include/gtest/gtest.h" |
| 20 | 21 |
| 21 #if defined(OS_POSIX) | 22 #if defined(OS_POSIX) |
| 22 #include <sys/mman.h> | 23 #include <sys/mman.h> |
| 23 #include <unistd.h> | 24 #include <unistd.h> |
| 24 #endif | 25 #endif |
| 25 | 26 |
| 26 using std::nothrow; | 27 using std::nothrow; |
| 27 using std::numeric_limits; | 28 using std::numeric_limits; |
| 28 | 29 |
| 29 namespace { | 30 namespace { |
| 30 | 31 |
| 32 int OnNoMemory(size_t) { |
| 33 _exit(1); |
| 34 } |
| 35 |
| 31 // This function acts as a compiler optimization barrier. We use it to | 36 // This function acts as a compiler optimization barrier. We use it to |
| 32 // prevent the compiler from making an expression a compile-time constant. | 37 // prevent the compiler from making an expression a compile-time constant. |
| 33 // We also use it so that the compiler doesn't discard certain return values | 38 // We also use it so that the compiler doesn't discard certain return values |
| 34 // as something we don't need (see the comment with calloc below). | 39 // as something we don't need (see the comment with calloc below). |
| 35 template <typename Type> | 40 template <typename Type> |
| 36 Type HideValueFromCompiler(volatile Type value) { | 41 Type HideValueFromCompiler(volatile Type value) { |
| 37 #if defined(__GNUC__) | 42 #if defined(__GNUC__) |
| 38 // In a GCC compatible compiler (GCC or Clang), make this compiler barrier | 43 // In a GCC compatible compiler (GCC or Clang), make this compiler barrier |
| 39 // more robust than merely using "volatile". | 44 // more robust than merely using "volatile". |
| 40 __asm__ volatile ("" : "+r" (value)); | 45 __asm__ volatile ("" : "+r" (value)); |
| 41 #endif // __GNUC__ | 46 #endif // __GNUC__ |
| 42 return value; | 47 return value; |
| 43 } | 48 } |
| 44 | 49 |
| 50 // Tcmalloc and Windows allocator shim support setting malloc limits. |
| 45 // - NO_TCMALLOC (should be defined if compiled with use_allocator!="tcmalloc") | 51 // - NO_TCMALLOC (should be defined if compiled with use_allocator!="tcmalloc") |
| 46 // - ADDRESS_SANITIZER and SYZYASAN because they have their own memory allocator | 52 // - ADDRESS_SANITIZER and SYZYASAN because they have their own memory allocator |
| 47 // - IOS does not use tcmalloc | 53 // - IOS does not use tcmalloc |
| 48 // - OS_MACOSX does not use tcmalloc | 54 // - OS_MACOSX does not use tcmalloc |
| 49 #if !defined(NO_TCMALLOC) && !defined(ADDRESS_SANITIZER) && \ | 55 // - Windows allocator shim defines ALLOCATOR_SHIM |
| 50 !defined(OS_IOS) && !defined(OS_MACOSX) && !defined(SYZYASAN) | 56 #if (!defined(NO_TCMALLOC) || defined(ALLOCATOR_SHIM)) && \ |
| 51 #define TCMALLOC_TEST(function) function | 57 !defined(ADDRESS_SANITIZER) && !defined(OS_IOS) && !defined(OS_MACOSX) && \ |
| 58 !defined(SYZYASAN) |
| 59 #define MALLOC_OVERFLOW_TEST(function) function |
| 52 #else | 60 #else |
| 53 #define TCMALLOC_TEST(function) DISABLED_##function | 61 #define MALLOC_OVERFLOW_TEST(function) DISABLED_##function |
| 54 #endif | 62 #endif |
| 55 | 63 |
| 56 // TODO(jln): switch to std::numeric_limits<int>::max() when we switch to | 64 // TODO(jln): switch to std::numeric_limits<int>::max() when we switch to |
| 57 // C++11. | 65 // C++11. |
| 58 const size_t kTooBigAllocSize = INT_MAX; | 66 const size_t kTooBigAllocSize = INT_MAX; |
| 59 | 67 |
| 60 // Detect runtime TCMalloc bypasses. | 68 // Detect runtime TCMalloc bypasses. |
| 61 bool IsTcMallocBypassed() { | 69 bool IsTcMallocBypassed() { |
| 62 #if defined(OS_LINUX) | 70 #if defined(OS_LINUX) |
| 63 // This should detect a TCMalloc bypass from Valgrind. | 71 // This should detect a TCMalloc bypass from Valgrind. |
| 64 char* g_slice = getenv("G_SLICE"); | 72 char* g_slice = getenv("G_SLICE"); |
| 65 if (g_slice && !strcmp(g_slice, "always-malloc")) | 73 if (g_slice && !strcmp(g_slice, "always-malloc")) |
| 66 return true; | 74 return true; |
| 67 #elif defined(OS_WIN) | |
| 68 // This should detect a TCMalloc bypass from setting | |
| 69 // the CHROME_ALLOCATOR environment variable. | |
| 70 char* allocator = getenv("CHROME_ALLOCATOR"); | |
| 71 if (allocator && strcmp(allocator, "tcmalloc")) | |
| 72 return true; | |
| 73 #endif | 75 #endif |
| 74 return false; | 76 return false; |
| 75 } | 77 } |
| 76 | 78 |
| 77 bool CallocDiesOnOOM() { | 79 bool CallocDiesOnOOM() { |
| 78 // The sanitizers' calloc dies on OOM instead of returning NULL. | 80 // The sanitizers' calloc dies on OOM instead of returning NULL. |
| 79 // The wrapper function in base/process_util_linux.cc that is used when we | 81 // The wrapper function in base/process_util_linux.cc that is used when we |
| 80 // compile without TCMalloc will just die on OOM instead of returning NULL. | 82 // compile without TCMalloc will just die on OOM instead of returning NULL. |
| 81 #if defined(ADDRESS_SANITIZER) || \ | 83 #if defined(ADDRESS_SANITIZER) || \ |
| 82 defined(MEMORY_SANITIZER) || \ | 84 defined(MEMORY_SANITIZER) || \ |
| 83 defined(THREAD_SANITIZER) || \ | 85 defined(THREAD_SANITIZER) || \ |
| 84 (defined(OS_LINUX) && defined(NO_TCMALLOC)) | 86 (defined(OS_LINUX) && defined(NO_TCMALLOC)) |
| 85 return true; | 87 return true; |
| 86 #else | 88 #else |
| 87 return false; | 89 return false; |
| 88 #endif | 90 #endif |
| 89 } | 91 } |
| 90 | 92 |
| 91 // Fake test that allow to know the state of TCMalloc by looking at bots. | 93 // Fake test that allow to know the state of TCMalloc by looking at bots. |
| 92 TEST(SecurityTest, TCMALLOC_TEST(IsTCMallocDynamicallyBypassed)) { | 94 TEST(SecurityTest, MALLOC_OVERFLOW_TEST(IsTCMallocDynamicallyBypassed)) { |
| 93 printf("Malloc is dynamically bypassed: %s\n", | 95 printf("Malloc is dynamically bypassed: %s\n", |
| 94 IsTcMallocBypassed() ? "yes." : "no."); | 96 IsTcMallocBypassed() ? "yes." : "no."); |
| 95 } | 97 } |
| 96 | 98 |
| 97 // The MemoryAllocationRestrictions* tests test that we can not allocate a | 99 // The MemoryAllocationRestrictions* tests test that we can not allocate a |
| 98 // memory range that cannot be indexed via an int. This is used to mitigate | 100 // memory range that cannot be indexed via an int. This is used to mitigate |
| 99 // vulnerabilities in libraries that use int instead of size_t. See | 101 // vulnerabilities in libraries that use int instead of size_t. See |
| 100 // crbug.com/169327. | 102 // crbug.com/169327. |
| 101 | 103 |
| 102 TEST(SecurityTest, TCMALLOC_TEST(MemoryAllocationRestrictionsMalloc)) { | 104 TEST(SecurityTest, MALLOC_OVERFLOW_TEST(MemoryAllocationRestrictionsMalloc)) { |
| 103 if (!IsTcMallocBypassed()) { | 105 if (!IsTcMallocBypassed()) { |
| 104 scoped_ptr<char, base::FreeDeleter> ptr(static_cast<char*>( | 106 scoped_ptr<char, base::FreeDeleter> ptr(static_cast<char*>( |
| 105 HideValueFromCompiler(malloc(kTooBigAllocSize)))); | 107 HideValueFromCompiler(malloc(kTooBigAllocSize)))); |
| 106 ASSERT_TRUE(!ptr); | 108 ASSERT_TRUE(!ptr); |
| 107 } | 109 } |
| 108 } | 110 } |
| 109 | 111 |
| 110 TEST(SecurityTest, TCMALLOC_TEST(MemoryAllocationRestrictionsCalloc)) { | 112 #if defined(GTEST_HAS_DEATH_TEST) |
| 113 TEST(SecurityTest, MALLOC_OVERFLOW_TEST(MemoryAllocationDeathMalloc)) { |
| 114 if (!IsTcMallocBypassed()) { |
| 115 _set_new_handler(&OnNoMemory); |
| 116 _set_new_mode(1); |
| 117 { |
| 118 scoped_ptr<char, base::FreeDeleter> ptr; |
| 119 EXPECT_DEATH(ptr.reset(static_cast<char*>( |
| 120 HideValueFromCompiler(malloc(kTooBigAllocSize)))), |
| 121 ""); |
| 122 ASSERT_TRUE(!ptr); |
| 123 } |
| 124 _set_new_handler(NULL); |
| 125 _set_new_mode(0); |
| 126 } |
| 127 } |
| 128 #endif |
| 129 |
| 130 TEST(SecurityTest, MALLOC_OVERFLOW_TEST(MemoryAllocationRestrictionsCalloc)) { |
| 111 if (!IsTcMallocBypassed()) { | 131 if (!IsTcMallocBypassed()) { |
| 112 scoped_ptr<char, base::FreeDeleter> ptr(static_cast<char*>( | 132 scoped_ptr<char, base::FreeDeleter> ptr(static_cast<char*>( |
| 113 HideValueFromCompiler(calloc(kTooBigAllocSize, 1)))); | 133 HideValueFromCompiler(calloc(kTooBigAllocSize, 1)))); |
| 114 ASSERT_TRUE(!ptr); | 134 ASSERT_TRUE(!ptr); |
| 115 } | 135 } |
| 116 } | 136 } |
| 117 | 137 |
| 118 TEST(SecurityTest, TCMALLOC_TEST(MemoryAllocationRestrictionsRealloc)) { | 138 TEST(SecurityTest, MALLOC_OVERFLOW_TEST(MemoryAllocationRestrictionsRealloc)) { |
| 119 if (!IsTcMallocBypassed()) { | 139 if (!IsTcMallocBypassed()) { |
| 120 char* orig_ptr = static_cast<char*>(malloc(1)); | 140 char* orig_ptr = static_cast<char*>(malloc(1)); |
| 121 ASSERT_TRUE(orig_ptr); | 141 ASSERT_TRUE(orig_ptr); |
| 122 scoped_ptr<char, base::FreeDeleter> ptr(static_cast<char*>( | 142 scoped_ptr<char, base::FreeDeleter> ptr(static_cast<char*>( |
| 123 HideValueFromCompiler(realloc(orig_ptr, kTooBigAllocSize)))); | 143 HideValueFromCompiler(realloc(orig_ptr, kTooBigAllocSize)))); |
| 124 ASSERT_TRUE(!ptr); | 144 ASSERT_TRUE(!ptr); |
| 125 // If realloc() did not succeed, we need to free orig_ptr. | 145 // If realloc() did not succeed, we need to free orig_ptr. |
| 126 free(orig_ptr); | 146 free(orig_ptr); |
| 127 } | 147 } |
| 128 } | 148 } |
| 129 | 149 |
| 130 typedef struct { | 150 typedef struct { |
| 131 char large_array[kTooBigAllocSize]; | 151 char large_array[kTooBigAllocSize]; |
| 132 } VeryLargeStruct; | 152 } VeryLargeStruct; |
| 133 | 153 |
| 134 TEST(SecurityTest, TCMALLOC_TEST(MemoryAllocationRestrictionsNew)) { | 154 TEST(SecurityTest, MALLOC_OVERFLOW_TEST(MemoryAllocationRestrictionsNew)) { |
| 135 if (!IsTcMallocBypassed()) { | 155 if (!IsTcMallocBypassed()) { |
| 136 scoped_ptr<VeryLargeStruct> ptr( | 156 scoped_ptr<VeryLargeStruct> ptr( |
| 137 HideValueFromCompiler(new (nothrow) VeryLargeStruct)); | 157 HideValueFromCompiler(new (nothrow) VeryLargeStruct)); |
| 138 ASSERT_TRUE(!ptr); | 158 ASSERT_TRUE(!ptr); |
| 139 } | 159 } |
| 140 } | 160 } |
| 141 | 161 |
| 142 TEST(SecurityTest, TCMALLOC_TEST(MemoryAllocationRestrictionsNewArray)) { | 162 #if defined(GTEST_HAS_DEATH_TEST) |
| 163 TEST(SecurityTest, MALLOC_OVERFLOW_TEST(MemoryAllocationDeathNew)) { |
| 164 if (!IsTcMallocBypassed()) { |
| 165 _set_new_handler(&OnNoMemory); |
| 166 { |
| 167 scoped_ptr<VeryLargeStruct> ptr; |
| 168 EXPECT_DEATH( |
| 169 ptr.reset(HideValueFromCompiler(new (nothrow) VeryLargeStruct)), ""); |
| 170 ASSERT_TRUE(!ptr); |
| 171 } |
| 172 _set_new_handler(NULL); |
| 173 } |
| 174 } |
| 175 #endif |
| 176 |
| 177 TEST(SecurityTest, MALLOC_OVERFLOW_TEST(MemoryAllocationRestrictionsNewArray)) { |
| 143 if (!IsTcMallocBypassed()) { | 178 if (!IsTcMallocBypassed()) { |
| 144 scoped_ptr<char[]> ptr( | 179 scoped_ptr<char[]> ptr( |
| 145 HideValueFromCompiler(new (nothrow) char[kTooBigAllocSize])); | 180 HideValueFromCompiler(new (nothrow) char[kTooBigAllocSize])); |
| 146 ASSERT_TRUE(!ptr); | 181 ASSERT_TRUE(!ptr); |
| 147 } | 182 } |
| 148 } | 183 } |
| 149 | 184 |
| 150 // The tests bellow check for overflows in new[] and calloc(). | 185 // The tests bellow check for overflows in new[] and calloc(). |
| 151 | 186 |
| 152 // There are platforms where these tests are known to fail. We would like to | 187 // There are platforms where these tests are known to fail. We would like to |
| (...skipping 82 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 235 | 270 |
| 236 #if defined(OS_LINUX) && defined(__x86_64__) | 271 #if defined(OS_LINUX) && defined(__x86_64__) |
| 237 // Check if ptr1 and ptr2 are separated by less than size chars. | 272 // Check if ptr1 and ptr2 are separated by less than size chars. |
| 238 bool ArePointersToSameArea(void* ptr1, void* ptr2, size_t size) { | 273 bool ArePointersToSameArea(void* ptr1, void* ptr2, size_t size) { |
| 239 ptrdiff_t ptr_diff = reinterpret_cast<char*>(std::max(ptr1, ptr2)) - | 274 ptrdiff_t ptr_diff = reinterpret_cast<char*>(std::max(ptr1, ptr2)) - |
| 240 reinterpret_cast<char*>(std::min(ptr1, ptr2)); | 275 reinterpret_cast<char*>(std::min(ptr1, ptr2)); |
| 241 return static_cast<size_t>(ptr_diff) <= size; | 276 return static_cast<size_t>(ptr_diff) <= size; |
| 242 } | 277 } |
| 243 | 278 |
| 244 // Check if TCMalloc uses an underlying random memory allocator. | 279 // Check if TCMalloc uses an underlying random memory allocator. |
| 245 TEST(SecurityTest, TCMALLOC_TEST(RandomMemoryAllocations)) { | 280 TEST(SecurityTest, MALLOC_OVERFLOW_TEST(RandomMemoryAllocations)) { |
| 246 if (IsTcMallocBypassed()) | 281 if (IsTcMallocBypassed()) |
| 247 return; | 282 return; |
| 248 size_t kPageSize = 4096; // We support x86_64 only. | 283 size_t kPageSize = 4096; // We support x86_64 only. |
| 249 // Check that malloc() returns an address that is neither the kernel's | 284 // Check that malloc() returns an address that is neither the kernel's |
| 250 // un-hinted mmap area, nor the current brk() area. The first malloc() may | 285 // un-hinted mmap area, nor the current brk() area. The first malloc() may |
| 251 // not be at a random address because TCMalloc will first exhaust any memory | 286 // not be at a random address because TCMalloc will first exhaust any memory |
| 252 // that it has allocated early on, before starting the sophisticated | 287 // that it has allocated early on, before starting the sophisticated |
| 253 // allocators. | 288 // allocators. |
| 254 void* default_mmap_heap_address = | 289 void* default_mmap_heap_address = |
| 255 mmap(0, kPageSize, PROT_READ|PROT_WRITE, | 290 mmap(0, kPageSize, PROT_READ|PROT_WRITE, |
| (...skipping 29 matching lines...) Expand all Loading... |
| 285 // kRandomMask, so we use it as an additional detection mechanism. | 320 // kRandomMask, so we use it as an additional detection mechanism. |
| 286 const uintptr_t kRandomMask = 0x3fffffffffffULL; | 321 const uintptr_t kRandomMask = 0x3fffffffffffULL; |
| 287 bool impossible_random_address = | 322 bool impossible_random_address = |
| 288 reinterpret_cast<uintptr_t>(ptr.get()) & ~kRandomMask; | 323 reinterpret_cast<uintptr_t>(ptr.get()) & ~kRandomMask; |
| 289 EXPECT_FALSE(impossible_random_address); | 324 EXPECT_FALSE(impossible_random_address); |
| 290 } | 325 } |
| 291 | 326 |
| 292 #endif // defined(OS_LINUX) && defined(__x86_64__) | 327 #endif // defined(OS_LINUX) && defined(__x86_64__) |
| 293 | 328 |
| 294 } // namespace | 329 } // namespace |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 774683003:
Remove tcmalloc when not being used. Restore shim on Windows. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master