From 611f21aa60c60f91295ec5451b469b73684b666a Mon Sep 17 00:00:00 2001
From: djm <>
Date: Tue, 30 Dec 2008 07:44:51 +0000
Subject: Remove mprotecting of struct dir_info introduced in previous commit
 (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do
 optional security.

requested by deraadt@ grumbling ok otto@
---
 src/lib/libc/stdlib/malloc.3 | 11 ++---------
 src/lib/libc/stdlib/malloc.c | 39 ++-------------------------------------
 2 files changed, 4 insertions(+), 46 deletions(-)

diff --git a/src/lib/libc/stdlib/malloc.3 b/src/lib/libc/stdlib/malloc.3
index 2458834302..c3566e37e8 100644
--- a/src/lib/libc/stdlib/malloc.3
+++ b/src/lib/libc/stdlib/malloc.3
@@ -30,9 +30,9 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\"	$OpenBSD: malloc.3,v 1.59 2008/12/29 22:25:50 djm Exp $
+.\"	$OpenBSD: malloc.3,v 1.60 2008/12/30 07:44:51 djm Exp $
 .\"
-.Dd $Mdocdate: December 29 2008 $
+.Dd $Mdocdate: December 30 2008 $
 .Dt MALLOC 3
 .Os
 .Sh NAME
@@ -249,13 +249,6 @@ Currently junk is bytes of 0xd0 when allocating; this is pronounced
 .Dq Duh .
 \&:-)
 Freed chunks are filled with 0xdf.
-.It Cm L
-.Dq Lock .
-Lock critical data structures using
-.Xr mprotect 2
-to protect against modification except by
-.Nm
-and related routines.
 .It Cm P
 .Dq Move allocations within a page.
 Allocations larger than half a page but smaller than a page
diff --git a/src/lib/libc/stdlib/malloc.c b/src/lib/libc/stdlib/malloc.c
index e15a64ac72..3d2e3dd29a 100644
--- a/src/lib/libc/stdlib/malloc.c
+++ b/src/lib/libc/stdlib/malloc.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: malloc.c,v 1.112 2008/12/29 22:25:50 djm Exp $	*/
+/*	$OpenBSD: malloc.c,v 1.113 2008/12/30 07:44:51 djm Exp $	*/
 /*
  * Copyright (c) 2008 Otto Moerbeek <otto@drijf.net>
  *
@@ -88,23 +88,6 @@
 #define MMAPA(a,sz)	mmap((a), (size_t)(sz), PROT_READ | PROT_WRITE, \
     MAP_ANON | MAP_PRIVATE, -1, (off_t) 0)
 
-/* Protect and unprotect g_pool structure as we enter/exit the allocator */
-#define DIR_INFO_RSZ	((sizeof(struct dir_info) + PAGE_MASK) & ~PAGE_MASK)
-#define PROTECT_G_POOL() \
-	do { \
-		if (g_pool != NULL && mopts.malloc_poolprot) { \
-			mprotect((void *)((uintptr_t)g_pool & ~PAGE_MASK), \
-			    DIR_INFO_RSZ, PROT_NONE); \
-		} \
-	} while (0)
-#define UNPROTECT_G_POOL() \
-	do { \
-		if (g_pool != NULL && mopts.malloc_poolprot) { \
-			mprotect((void *)((uintptr_t)g_pool & ~PAGE_MASK), \
-			    DIR_INFO_RSZ, PROT_READ | PROT_WRITE); \
-		} \
-	} while (0)
-
 struct region_info {
 	void *p;		/* page; low bits used to mark chunks */
 	uintptr_t size;		/* size for pages, or chunk_info pointer */
@@ -142,7 +125,7 @@ struct dir_info {
 #endif /* MALLOC_STATS */
 	u_int32_t canary2;
 };
-
+#define DIR_INFO_RSZ	((sizeof(struct dir_info) + PAGE_MASK) & ~PAGE_MASK)
 
 /*
  * This structure describes a page worth of chunks.
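Review bot: `DIR_INFO_RSZ` is re-added directly after the closing brace of `struct dir_info` with no comment and no blank line before it, and the only comment it used to sit under described the protect/unprotect macros this commit deletes. A one-line comment such as `/* sizeof(struct dir_info) rounded up to a whole number of pages */`, preceded by a blank line, would say what the macro is for. Its remaining users are outside this hunk, so confirm that it is still referenced (presumably where the structure is mapped) and is not left as a dead define. With the PROT_NONE wrapping gone, `struct dir_info` stays writable for the life of the process, so a short comment near `canary2` stating that the canaries are how corruption of this structure is now detected would help; that role is inferred from the field name, since the struct body and the canary checks are not visible here.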
@@ -165,7 +148,6 @@ struct chunk_info {
 struct malloc_readonly {
 	struct dir_info *g_pool;	/* Main bookkeeping information */
 	int	malloc_abort;		/* abort() on error */
-	int	malloc_poolprot;	/* mprotect heap PROT_NONE? */
 	int	malloc_freeprot;	/* mprotect free pages PROT_NONE? */
 	int	malloc_hint;		/* call madvice on free pages?  */
 	int	malloc_junk;		/* junk fill? */
@@ -653,12 +635,6 @@ omalloc_init(struct dir_info **dp)
 			case 'J':
 				mopts.malloc_junk = 1;
 				break;
-			case 'l':
-				mopts.malloc_poolprot = 0;
-				break;
-			case 'L':
-				mopts.malloc_poolprot = 1;
-				break;
 			case 'n':
 			case 'N':
 				break;
@@ -1214,7 +1190,6 @@ malloc_recurse(void)
 		wrterror("recursive call");
 	}
 	malloc_active--;
-	PROTECT_G_POOL();
 	_MALLOC_UNLOCK();
 	errno = EDEADLK;
 }
@@ -1223,7 +1198,6 @@ static void
 malloc_global_corrupt(void)
 {
 	wrterror("global malloc data corrupt");
-	PROTECT_G_POOL();
 	_MALLOC_UNLOCK();
 	errno = EINVAL;
 }
@@ -1248,7 +1222,6 @@ malloc(size_t size)
 	int saved_errno = errno;
 
 	_MALLOC_LOCK();
-	UNPROTECT_G_POOL();
 	malloc_func = " in malloc():";
 	if (g_pool == NULL) {
 		if (malloc_init() != 0)
@@ -1260,7 +1233,6 @@ malloc(size_t size)
 	}
 	r = omalloc(size, mopts.malloc_zero);
 	malloc_active--;
-	PROTECT_G_POOL();
 	_MALLOC_UNLOCK();
 	if (r == NULL && mopts.malloc_xmalloc) {
 		wrterror("out of memory");
@@ -1349,7 +1321,6 @@ free(void *ptr)
 		return;
 
 	_MALLOC_LOCK();
-	UNPROTECT_G_POOL();
 	malloc_func = " in free():";  
 	if (g_pool == NULL) {
 		_MALLOC_UNLOCK();
@@ -1362,7 +1333,6 @@ free(void *ptr)
 	}
 	ofree(ptr);
 	malloc_active--;
-	PROTECT_G_POOL();
 	_MALLOC_UNLOCK();
 	errno = saved_errno;
 }
@@ -1466,7 +1436,6 @@ realloc(void *ptr, size_t size)
 	int saved_errno = errno;
   
 	_MALLOC_LOCK();
-	UNPROTECT_G_POOL();
 	malloc_func = " in realloc():";  
 	if (g_pool == NULL) {
 		if (malloc_init() != 0)
@@ -1479,7 +1448,6 @@ realloc(void *ptr, size_t size)
 	r = orealloc(ptr, size);
   
 	malloc_active--;
-	PROTECT_G_POOL();
 	_MALLOC_UNLOCK();
 	if (r == NULL && mopts.malloc_xmalloc) {
 		wrterror("out of memory");
@@ -1500,7 +1468,6 @@ calloc(size_t nmemb, size_t size)
 	int saved_errno = errno;
 
 	_MALLOC_LOCK();
-	UNPROTECT_G_POOL();
 	malloc_func = " in calloc():";  
 	if (g_pool == NULL) {
 		if (malloc_init() != 0)
@@ -1508,7 +1475,6 @@ calloc(size_t nmemb, size_t size)
 	}
 	if ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
 	    nmemb > 0 && SIZE_MAX / nmemb < size) {
-		PROTECT_G_POOL();
 		_MALLOC_UNLOCK();
 		if (mopts.malloc_xmalloc)
 			wrterror("out of memory");
@@ -1525,7 +1491,6 @@ calloc(size_t nmemb, size_t size)
 	r = omalloc(size, 1);
   
 	malloc_active--;
-	PROTECT_G_POOL();
 	_MALLOC_UNLOCK();
 	if (r == NULL && mopts.malloc_xmalloc) {
 		wrterror("out of memory");
-- 
cgit v1.2.3-55-g6feb