|  | Commit message (Collapse) | Author | Age | Files | Lines | 
|---|
| | 
| 
| 
| | expanded, but not enough due to precedence error. Spotted by Thorsten Glaser. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | unmapping of freed allocations without disabling chunk randomisation
like the "Freeguard" ('F') option does. Make security 'S' option
use 'U' and not 'F'.
Rationale: guarding with no chunk randomisation is great for debugging
use-after-free, but chunk randomisation offers better defence against
"heap feng shui" style attacks that depend on carefully constructing a
particular heap layout so we should leave this enabled when requesting
security options. | 
| | 
| 
| 
| 
| 
| | Okay otto@.
Found by Michal Mazurek <akfaew at jasminek dot net>, thanks! | 
| | 
| 
| 
| 
| | param.h symbol reduction.
ok guenther | 
| | 
| 
| 
| 
| 
| | scanning for free space if the hint isn't available.
also, on further inspection, this will prevent pmap_prefer from "improving"
our hint. | 
| | 
| 
| 
| 
| 
| | clear out the entire requested area, not just a perfect fit.  second,
use mquery to check for room to avoid getting an address we don't like
and having to send it back. | 
| | 
| 
| 
| 
| 
| | in order to span the the entire cache.  second, on free use the same offset
to put things in the cache instead of always starting at zero.
ok otto | 
| | 
| 
| 
| 
| 
| | overallocating and then releasing unneeded memory pages.
ok otto | 
| | 
| 
| 
| 
| 
| | into an bogus pointer error instead of a segfault.
- Document that we use the assumption that a non-MAP_FIXED mmap() with
  hint 0 never returns NULL. | 
| | 
| 
| 
| 
| | space for meta data by only allocating space actually needed for
the bitmap (modulo alignment requirements). ok deraadt@ | 
| | 
| 
| 
| | use-after-free bugs; ok krw@ dlg@ pirofti@ | 
| | 
| 
| 
| 
| | no security, for consistency.  use of this option is discouraged. :)
ok deraadt guenther millert | 
| | |  | 
| | |  | 
| | |  | 
| | 
| 
| 
| | cases. | 
| | |  | 
| | |  | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | position zero, skipping a random number of free slots and then
picking the next free one. This slowed things down, especially if
the number of full slots increases.
This changes the scannning to start at a random position in the
bitmap and then taking the first available free slot, wrapping if
the end of the bitmap is reached. Of course we'll still scan more
if the bitmap becomes more full, but the extra iterations skipping
free slots and then some full slots are avoided.
The random number is derived from a global, which is incremented
by a few random bits every time a chunk is needed (with a small optimization
if only one free slot is left).
Thanks to the testers! | 
| | 
| 
| 
| | 1UL to 1U. | 
| | 
| 
| 
| | thanks to all testers. | 
| | 
| 
| 
| 
| 
| | tested for a while by me.
ok otto@ | 
| | 
| 
| 
| | deraadt@ nicm@ (on an earlier version) | 
| | 
| 
| 
| 
| | brad and millert, with hints from guenther, jmc, and otto I think.
ok previous. | 
| | 
| 
| 
| | extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@ | 
| | 
| 
| 
| 
| | arc4random() is slow, but it induces getpid() calls; also saves a
bit on stirring efforts | 
| | 
| 
| 
| | actual kernel page size. | 
| | 
| 
| 
| 
| 
| | macros for them. Avoids walking the lists and greatly enhances speed
of freeing chunks in reverse or random order at the cost of a little
space. Suggested by Fabien Romano and Jonathan Armani; ok djm@ | 
| | 
| 
| 
| | from Fabien Romano and Jonathan Armani | 
| | 
| 
| 
| | Armani | 
| | 
| 
| 
| 
| | noticed by Jonathan Armani & Fabien Romano
ugh+ok otto@ | 
| | 
| 
| 
| | Okay deraadt@, otto@. | 
| | 
| 
| 
| 
| | to u_int32_t to do integer math with (in a situation where that is legit)
ok otto millert | 
| | 
| 
| 
| 
| 
| | PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the
sparc architecture;
ok otto@ tested on my reanimated ss20 | 
| | 
| 
| 
| 
| 
| 
| | on sparc, it expands to something that just plain does not work,
because the page size can be variable.  Sorry we didn't spot this
before.  Backing it all out to allow sparc to build; please find a
different way to fix it. | 
| | 
| 
| 
| 
| 
| 
| | (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we
don't do optional security.
requested by deraadt@ grumbling ok otto@ | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | Move all runtime options into a structure that is made read-only
(via mprotect) after initialisation to protect against attacks that
overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(),
thereby giving it an unpredictable address. Place a PROT_NONE guard
page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when
in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar
ok otto | 
| | 
| 
| 
| | as static const | 
| | 
| 
| 
| 
| | the page as possible (i.e. make malloc option P a default).
ok art@ millert@ krw@ | 
| | 
| 
| 
| 
| | a page to 0. P default will be changed in a separate commit.
ok millert@ art@ krw@ | 
| | 
| 
| 
| 
| | a separate symbolic constant for the leeway we allow when moving
allocations towards the end of a page. No functional change. | 
| | |  | 
| | 
| 
| 
| 
| 
| | (might catch errors closer to the trouble spot) and junk fill pages just
before reuse instead of immediate (we can't access the page anyway)
since we set PROT_NONE in the F case. ok djm@ | 
| | |  | 
| | 
| 
| 
| | tried and how many actually succeeded. | 
| | |  | 
| | 
| 
| 
| | threaded case) but much smaller working set; prompted by and ok deraadt@ | 
| | 
| 
| 
| 
| | non-syscalls, there's just too much code not doing the right thing on
error paths; prompted by and ok deraadt@ | 
| | 
| 
| 
| 
| | mapping the region next to the existing one first; there's a pretty
high chance there's a hole there we can use; ok deraadt@ tedu@ |