|  | Commit message (Collapse) | Author | Age | Files | Lines | 
|---|
| ... |  | 
| | 
| 
| 
| 
| 
| | tested for a while by me.
ok otto@ | 
| | 
| 
| 
| | deraadt@ nicm@ (on an earlier version) | 
| | 
| 
| 
| 
| | brad and millert, with hints from guenther, jmc, and otto I think.
ok previous. | 
| | 
| 
| 
| | extra safeguard (FGJ). Idea from deraadt@; ok deraadt@ dlg@ | 
| | 
| 
| 
| 
| | arc4random() is slow, but it induces getpid() calls; also saves a
bit on stirring efforts | 
| | 
| 
| 
| | actual kernel page size. | 
| | 
| 
| 
| 
| 
| | macros for them. Avoids walking the lists and greatly enhances speed
of freeing chunks in reverse or random order at the cost of a little
space. Suggested by Fabien Romano and Jonathan Armani; ok djm@ | 
| | 
| 
| 
| | from Fabien Romano and Jonathan Armani | 
| | 
| 
| 
| | Armani | 
| | 
| 
| 
| 
| | noticed by Jonathan Armani & Fabien Romano
ugh+ok otto@ | 
| | 
| 
| 
| | Okay deraadt@, otto@. | 
| | 
| 
| 
| 
| | to u_int32_t to do integer math with (in a situation where that is legit)
ok otto millert | 
| | 
| 
| 
| 
| 
| | PAGE_(SIZE|SHIFT|MASK) defines that evaluate to variables on the
sparc architecture;
ok otto@ tested on my reanimated ss20 | 
| | 
| 
| 
| 
| 
| 
| | on sparc, it expands to something that just plain does not work,
because the page size can be variable.  Sorry we didn't spot this
before.  Backing it all out to allow sparc to build; please find a
different way to fix it. | 
| | 
| 
| 
| 
| 
| 
| | (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we
don't do optional security.
requested by deraadt@ grumbling ok otto@ | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | Move all runtime options into a structure that is made read-only
(via mprotect) after initialisation to protect against attacks that
overwrite options to turn off malloc protections (e.g. use-after-free)
Allocate the main bookkeeping data (struct dir_info) using mmap(),
thereby giving it an unpredictable address. Place a PROT_NONE guard
page on either side to further frustrate attacks on it.
Add a new 'L' option that maps struct dir_info PROT_NONE except when
in the allocator code itself. Makes attacks on it basically impossible.
feedback tedu deraadt otto canacar
ok otto | 
| | 
| 
| 
| | as static const | 
| | 
| 
| 
| 
| | the page as possible (i.e. make malloc option P a default).
ok art@ millert@ krw@ | 
| | 
| 
| 
| 
| | a page to 0. P default will be changed in a separate commit.
ok millert@ art@ krw@ | 
| | 
| 
| 
| 
| | a separate symbolic constant for the leeway we allow when moving
allocations towards the end of a page. No functional change. | 
| | |  | 
| | 
| 
| 
| 
| 
| | (might catch errors closer to the trouble spot) and junk fill pages just
before reuse instead of immediate (we can't access the page anyway)
since we set PROT_NONE in the F case. ok djm@ | 
| | |  | 
| | 
| 
| 
| | tried and how many actually succeeded. | 
| | |  | 
| | 
| 
| 
| | threaded case) but much smaller working set; prompted by and ok deraadt@ | 
| | 
| 
| 
| 
| | non-syscalls, there's just too much code not doing the right thing on
error paths; prompted by and ok deraadt@ | 
| | 
| 
| 
| 
| | mapping the region next to the existing one first; there's a pretty
high chance there's a hole there we can use; ok deraadt@ tedu@ | 
| | 
| 
| 
| | too much pressure on the amaps. ok tedu@ deraadt@ | 
| | 
| 
| 
| | effort as possible in most cases; ok djm@ | 
| | 
| 
| 
| | slightly kludgey solution for until otto fixes it properly; ok otto@ | 
| | 
| 
| 
| 
| | the freshly mmaped pages disrupting their pure zeroness;
ok otto@ deraadt@ | 
| | 
| 
| 
| | case spotted by beck, one by me; ok deraadt@ beck@ | 
| | 
| 
| 
| 
| | returns zero filled pages; remember to replace this function as well if you
provide your own malloc implementation; ok djm@ deraadt@ | 
| | |  | 
| | 
| 
| 
| 
| 
| | structure of tracking pages returned by mmap(). Lots of testing by
lots of people, thanks to you all.
ok djm@ (for a slighly earlier version) deraadt@ | 
| | |  | 
| | 
| 
| 
| | costs; ok jmc@ for the man page bits; ok millert@ deraadt@ | 
| | 
| 
| 
| 
| 
| 
| | Use arc4random_uniform() when the desired random number upper bound
is not a power of two
ok deraadt@ millert@ | 
| | 
| 
| 
| 
| | prevents a few "cannot free mem because i need mem to free mem"
scenarios (one found by weingart@). ok weingart@ millert@ miod@ | 
| | |  | 
| | 
| 
| 
| | done by arc4random(); ok millert@ deraadt@ | 
| | 
| 
| 
| | in low-mem conditions; ok dim@ | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | create special allocators for pginfo and pgfree structs instead of imalloc.
this keeps them separated from application memory.
for chunks, to prevent deterministic reuse, keep a small array
and swizzle the to be freed chunk with a random previously freed chunk.
this last bit only for chunks because keeping arbitrarily large regions
of pages around may cause out of memory issues (and pages are, to some
extent, returned in random order).
all changes enabled by default.
thanks to ben for pointing out these issues.
ok tech@ | 
| | 
| 
| 
| 
| 
| | requires memory; try to make sure we have it. If all fails, leak
instead of crash. Test case originally found by cloder@, fix tested
by many. | 
| | 
| 
| 
| 
| 
| 
| | region succeeds, but allocation a required page dir failed. This
can happen if we're really close to ulimit after allocation the
region of the size requested.  See malloc_ulimit1 regress test.
Tested by many; thanks. | 
| | 
| 
| 
| | tested by quite a few developers. ok deraadt@ | 
| | 
| 
| 
| | `looks to be safe' millert, okay tedu. | 
| | 
| 
| 
| 
| | Patch by Leonardo Chiquitto Filho <leonardo@iken.com.br>
Thanks. | 
| | |  |