Changeset 143488 in webkit

Timestamp:

Feb 20, 2013 1:09:16 PM (11 years ago)

Author:

oliver@apple.com

Message:

Moar hardening
​https://bugs.webkit.org/show_bug.cgi?id=110275

Reviewed by Mark Hahnenberg.

We now poison objects when they get freed, and verify that
any object that is being freed is not poisoned. If the
object looks like it's poisoned we validate the freelist,
and ensure the object is not already present. If it is
we crash.

On allocation, we ensure that the object being allocated
is poisoned, then clear the poisoning fields.

• wtf/FastMalloc.cpp:

(WTF::internalEntropyValue):
(WTF):
(WTF::freedObjectStartPoison):
(WTF::freedObjectEndPoison):
(TCMalloc_ThreadCache_FreeList):
(WTF::TCMalloc_ThreadCache_FreeList::Validate):
(WTF::TCMalloc_Central_FreeList::Populate):
(WTF::TCMalloc_ThreadCache::Allocate):
(WTF::TCMalloc_ThreadCache::Deallocate):
(WTF::TCMalloc_ThreadCache::CreateCacheIfNecessary):

Location:

trunk/Source/WTF

Files:

• ChangeLog (modified) (1 diff)
• wtf/FastMalloc.cpp (modified) (9 diffs)

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2013-02-20  Oliver Hunt  <oliver@apple.com>
+
+        Moar hardening
+        https://bugs.webkit.org/show_bug.cgi?id=110275
+
+        Reviewed by Mark Hahnenberg.
+
+        We now poison objects when they get freed, and verify that
+        any object that is being freed is not poisoned.  If the
+        object looks like it's poisoned we validate the freelist,
+        and ensure the object is not already present.  If it is
+        we crash.
+
+        On allocation, we ensure that the object being allocated
+        is poisoned, then clear the poisoning fields.
+
+        * wtf/FastMalloc.cpp:
+        (WTF::internalEntropyValue):
+        (WTF):
+        (WTF::freedObjectStartPoison):
+        (WTF::freedObjectEndPoison):
+        (TCMalloc_ThreadCache_FreeList):
+        (WTF::TCMalloc_ThreadCache_FreeList::Validate):
+        (WTF::TCMalloc_Central_FreeList::Populate):
+        (WTF::TCMalloc_ThreadCache::Allocate):
+        (WTF::TCMalloc_ThreadCache::Deallocate):
+        (WTF::TCMalloc_ThreadCache::CreateCacheIfNecessary):
+
 2013-02-19  Sheriff Bot  <webkit.review.bot@gmail.com>
 

trunk/Source/WTF/wtf/FastMalloc.cpp

@@ -545 +545 @@
 };
 
-static ALWAYS_INLINE uintptr_t internalEntropyValue() {
+static ALWAYS_INLINE uintptr_t internalEntropyValue() 
+{
     static uintptr_t value = EntropySource<sizeof(uintptr_t)>::value();
     ASSERT(value);
@@ -555 +556 @@
 #define XOR_MASK_PTR_WITH_KEY(ptr, key, entropy) (reinterpret_cast<typeof(ptr)>(reinterpret_cast<uintptr_t>(ptr)^(ROTATE_VALUE(reinterpret_cast<uintptr_t>(key), MaskKeyShift)^entropy)))
 
+
+static ALWAYS_INLINE uint32_t freedObjectStartPoison()
+{
+    static uint32_t value = EntropySource<sizeof(uint32_t)>::value() | 1;
+    ASSERT(value);
+    return value;
+}
+
+static ALWAYS_INLINE uint32_t freedObjectEndPoison()
+{
+    static uint32_t value = EntropySource<sizeof(uint32_t)>::value() | 1;
+    ASSERT(value);
+    return value;
+}
+
+#define PTR_TO_UINT32(ptr) static_cast<uint32_t>(reinterpret_cast<uintptr_t>(ptr))
+#define END_POISON_INDEX(allocationSize) (((allocationSize) - sizeof(uint32_t)) / sizeof(uint32_t))
+#define POISON_ALLOCATION(allocation, allocationSize) do { \
+    reinterpret_cast<uint32_t*>(allocation)[0] = 1; \
+    reinterpret_cast<uint32_t*>(allocation)[1] = 1; \
+    if (allocationSize < 4 * sizeof(uint32_t)) \
+        break; \
+    reinterpret_cast<uint32_t*>(allocation)[2] = 1; \
+    reinterpret_cast<uint32_t*>(allocation)[END_POISON_INDEX(allocationSize)] = 1; \
+} while (false);
+
+#define POISON_DEALLOCATION_EXPLICIT(allocation, allocationSize, startPoison, endPoison) do { \
+    if (allocationSize < 4 * sizeof(uint32_t)) \
+        break; \
+    reinterpret_cast<uint32_t*>(allocation)[2] = (startPoison) ^ PTR_TO_UINT32(allocation); \
+    reinterpret_cast<uint32_t*>(allocation)[END_POISON_INDEX(allocationSize)] = (endPoison) ^ PTR_TO_UINT32(allocation); \
+} while (false)
+
+#define POISON_DEALLOCATION(allocation, allocationSize) \
+    POISON_DEALLOCATION_EXPLICIT(allocation, allocationSize, freedObjectStartPoison(), freedObjectEndPoison())
+
+#define MAY_BE_POISONED(allocation, allocationSize) (((allocationSize) >= 4 * sizeof(uint32_t)) && ( \
+    (reinterpret_cast<uint32_t*>(allocation)[2] == (freedObjectStartPoison() ^ PTR_TO_UINT32(allocation))) || \
+    (reinterpret_cast<uint32_t*>(allocation)[END_POISON_INDEX(allocationSize)] == (freedObjectEndPoison() ^ PTR_TO_UINT32(allocation))) \
+))
+
+#define IS_DEFINITELY_POISONED(allocation, allocationSize) (((allocationSize) < 4 * sizeof(uint32_t)) || ( \
+    (reinterpret_cast<uint32_t*>(allocation)[2] == (freedObjectStartPoison() ^ PTR_TO_UINT32(allocation))) && \
+    (reinterpret_cast<uint32_t*>(allocation)[END_POISON_INDEX(allocationSize)] == (freedObjectEndPoison() ^ PTR_TO_UINT32(allocation))) \
+))
+
 #else
+
+#define POISON_ALLOCATION(allocation, allocationSize)
+#define POISON_DEALLOCATION(allocation, allocationSize)
+#define POISON_DEALLOCATION_EXPLICIT(allocation, allocationSize, startPoison, endPoison)
+#define MAY_BE_POISONED(allocation, allocationSize) (false)
+#define IS_DEFINITELY_POISONED(allocation, allocationSize) (true)
 #define XOR_MASK_PTR_WITH_KEY(ptr, key, entropy) (((void)entropy), ((void)key), ptr)
+
 #define HARDENING_ENTROPY 0
-#endif
-
+
+#endif
 
 //-------------------------------------------------------------------
@@ -2531 +2585 @@
   }
 
+    // Runs through the linked list to ensure that
+    // we can do that, and ensures that 'missing'
+    // is not present
+    NEVER_INLINE void Validate(HardenedSLL missing) {
+        HardenedSLL node = list_;
+        while (node) {
+            RELEASE_ASSERT(node != missing);
+            node = SLL_Next(node, entropy_);
+        }
+    }
+
 #ifdef WTF_CHANGES
   template <class Finder, class Reader>
@@ -3042 +3107 @@
   char* ptr = start + (npages << kPageShift) - ((npages << kPageShift) % size);
   int num = 0;
+#if ENABLE(TCMALLOC_HARDENING)
+  uint32_t startPoison = freedObjectStartPoison();
+  uint32_t endPoison = freedObjectEndPoison();
+#endif
+
   while (ptr > start) {
     ptr -= size;
     HardenedSLL node = HardenedSLL::create(ptr);
+    POISON_DEALLOCATION_EXPLICIT(ptr, size, startPoison, endPoison);
     SLL_SetNext(node, head, entropy_);
     head = node;
@@ -3051 +3122 @@
   ASSERT(ptr == start);
   ASSERT(ptr == head.value());
+  POISON_DEALLOCATION_EXPLICIT(ptr, size, startPoison, endPoison);
   span->objects = head;
   ASSERT(span->objects.value() == head.value());
@@ -3116 +3188 @@
   }
   size_ -= allocationSize;
-  return list->Pop();
+  void* result = list->Pop();
+  if (!result)
+      return 0;
+  RELEASE_ASSERT(IS_DEFINITELY_POISONED(result, allocationSize));
+  POISON_ALLOCATION(result, allocationSize);
+  return result;
 }
 
 inline void TCMalloc_ThreadCache::Deallocate(HardenedSLL ptr, size_t cl) {
-  size_ += ByteSizeForClass(cl);
+  size_t allocationSize = ByteSizeForClass(cl);
+  size_ += allocationSize;
   FreeList* list = &list_[cl];
+  if (MAY_BE_POISONED(ptr.value(), allocationSize))
+      list->Validate(ptr);
+
+  POISON_DEALLOCATION(ptr.value(), allocationSize);
   list->Push(ptr);
   // If enough data is free, put back into central cache
@@ -3816 +3898 @@
   ASSERT_SPAN_COMMITTED(span);
   pageheap->CacheSizeClass(span->start, 0);
-  return
-      CheckedMallocResult(reinterpret_cast<void*>(span->start << kPageShift));
+  void* result = reinterpret_cast<void*>(span->start << kPageShift);
+  POISON_ALLOCATION(result, span->length << kPageShift);
+  return CheckedMallocResult(result);
 }
 
@@ -3884 +3967 @@
     } else {
       // Delete directly into central cache
+      size_t allocationSize = ByteSizeForClass(cl);
+      POISON_DEALLOCATION(ptr, allocationSize);
       SLL_SetNext(HardenedSLL::create(ptr), HardenedSLL::null(), central_cache[cl].entropy());
       central_cache[cl].InsertRange(HardenedSLL::create(ptr), HardenedSLL::create(ptr), 1);
@@ -3898 +3983 @@
     }
 #endif
+
+    POISON_DEALLOCATION(ptr, span->length << kPageShift);
     pageheap->Delete(span);
   }