From c2f9a0271169166b38060ef5e36ef203765e45dd Mon Sep 17 00:00:00 2001 From: djm <> Date: Mon, 29 Dec 2008 22:25:50 +0000 Subject: extra paranoia for malloc(3): Move all runtime options into a structure that is made read-only (via mprotect) after initialisation to protect against attacks that overwrite options to turn off malloc protections (e.g. use-after-free) Allocate the main bookkeeping data (struct dir_info) using mmap(), thereby giving it an unpredictable address. Place a PROT_NONE guard page on either side to further frustrate attacks on it. Add a new 'L' option that maps struct dir_info PROT_NONE except when in the allocator code itself. Makes attacks on it basically impossible. feedback tedu deraadt otto canacar ok otto --- src/lib/libc/stdlib/malloc.3 | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'src/lib/libc/stdlib/malloc.3') diff --git a/src/lib/libc/stdlib/malloc.3 b/src/lib/libc/stdlib/malloc.3 index edcd748ed9..2458834302 100644 --- a/src/lib/libc/stdlib/malloc.3 +++ b/src/lib/libc/stdlib/malloc.3 @@ -30,9 +30,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $OpenBSD: malloc.3,v 1.58 2008/11/26 12:06:54 pedro Exp $ +.\" $OpenBSD: malloc.3,v 1.59 2008/12/29 22:25:50 djm Exp $ .\" -.Dd $Mdocdate: November 26 2008 $ +.Dd $Mdocdate: December 29 2008 $ .Dt MALLOC 3 .Os .Sh NAME @@ -249,6 +249,13 @@ Currently junk is bytes of 0xd0 when allocating; this is pronounced .Dq Duh . \&:-) Freed chunks are filled with 0xdf. +.It Cm L +.Dq Lock . +Lock critical data structures using +.Xr mprotect 2 +to protect against modification except by +.Nm +and related routines. .It Cm P .Dq Move allocations within a page. Allocations larger than half a page but smaller than a page -- cgit v1.2.3-55-g6feb
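Review bot: In the second hunk, the new `.It Cm L` entry ("Lock critical data structures using mprotect(2) to protect against modification except by malloc and related routines") is vaguer than the commit message and blurs what is always on versus what L adds. The message says three distinct things: the runtime option structure is made read-only after initialisation unconditionally, struct dir_info is always allocated with mmap() and flanked by PROT_NONE guard pages, and only the L option additionally maps struct dir_info PROT_NONE except while inside the allocator code. As written, a reader could take the read-only option structure to be part of L. Suggest naming the protected object in the entry (the allocator's main bookkeeping data) and saying it is mapped PROT_NONE whenever control is outside the allocator, e.g. "Lock the allocator's bookkeeping data using .Xr mprotect 2 so that it is inaccessible except while inside .Nm and related routines." Since that scheme implies mprotect(2) calls on each entry to and exit from the allocator, a brief mention of the extra system-call cost would help readers decide whether to enable the option, consistent with how the surrounding entries describe their trade-offs. The first hunk only bumps the RCS id and `.Dd` date and needs no change.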