[sanitizer] Initial implementation of a Hardened Allocator
Summary:
This is an initial implementation of a Hardened Allocator based on Sanitizer Common's CombinedAllocator.
It aims at mitigating heap based vulnerabilities by adding several features to the base allocator, while staying relatively fast.
The following were implemented:
- additional consistency checks on the allocation function parameters and on the heap chunks;
- use of checksum protected chunk header, to detect corruption;
- randomness to the allocator base;
- delayed freelist (quarantine), to mitigate use after free and overall determinism.
Additional mitigations are in the works.
Reviewers: eugenis, aizatsky, pcc, krasin, vitalybuka, glider, dvyukov, kcc
Subscribers: kubabrecka, filcab, llvm-commits
Differential Revision: http://reviews.llvm.org/D20084
llvm-svn: 271968
2016-06-07 09:20:26 +08:00
|
|
|
//===-- scudo_new_delete.cpp ------------------------------------*- C++ -*-===//
|
|
|
|
//
|
|
|
|
// The LLVM Compiler Infrastructure
|
|
|
|
//
|
|
|
|
// This file is distributed under the University of Illinois Open Source
|
|
|
|
// License. See LICENSE.TXT for details.
|
|
|
|
//
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
///
|
|
|
|
/// Interceptors for operators new and delete.
|
|
|
|
///
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
|
|
#include "scudo_allocator.h"
|
2018-06-16 00:45:19 +08:00
|
|
|
#include "scudo_errors.h"
|
[sanitizer] Initial implementation of a Hardened Allocator
Summary:
This is an initial implementation of a Hardened Allocator based on Sanitizer Common's CombinedAllocator.
It aims at mitigating heap based vulnerabilities by adding several features to the base allocator, while staying relatively fast.
The following were implemented:
- additional consistency checks on the allocation function parameters and on the heap chunks;
- use of checksum protected chunk header, to detect corruption;
- randomness to the allocator base;
- delayed freelist (quarantine), to mitigate use after free and overall determinism.
Additional mitigations are in the works.
Reviewers: eugenis, aizatsky, pcc, krasin, vitalybuka, glider, dvyukov, kcc
Subscribers: kubabrecka, filcab, llvm-commits
Differential Revision: http://reviews.llvm.org/D20084
llvm-svn: 271968
2016-06-07 09:20:26 +08:00
|
|
|
|
|
|
|
#include "interception/interception.h"
|
|
|
|
|
2017-08-17 00:40:48 +08:00
|
|
|
#include <stddef.h>
|
[sanitizer] Initial implementation of a Hardened Allocator
Summary:
This is an initial implementation of a Hardened Allocator based on Sanitizer Common's CombinedAllocator.
It aims at mitigating heap based vulnerabilities by adding several features to the base allocator, while staying relatively fast.
The following were implemented:
- additional consistency checks on the allocation function parameters and on the heap chunks;
- use of checksum protected chunk header, to detect corruption;
- randomness to the allocator base;
- delayed freelist (quarantine), to mitigate use after free and overall determinism.
Additional mitigations are in the works.
Reviewers: eugenis, aizatsky, pcc, krasin, vitalybuka, glider, dvyukov, kcc
Subscribers: kubabrecka, filcab, llvm-commits
Differential Revision: http://reviews.llvm.org/D20084
llvm-svn: 271968
2016-06-07 09:20:26 +08:00
|
|
|
|
|
|
|
using namespace __scudo;
|
|
|
|
|
|
|
|
#define CXX_OPERATOR_ATTRIBUTE INTERCEPTOR_ATTRIBUTE
|
|
|
|
|
|
|
|
// Fake std::nothrow_t to avoid including <new>.
|
|
|
|
namespace std {
|
|
|
|
struct nothrow_t {};
|
2018-06-12 22:42:40 +08:00
|
|
|
enum class align_val_t: size_t {};
|
[scudo] 32-bit and hardware agnostic support
Summary:
This update introduces i386 support for the Scudo Hardened Allocator, and
offers software alternatives for functions that used to require hardware
specific instruction sets. This should make porting to new architectures
easier.
Among the changes:
- The chunk header has been changed to accomodate the size limitations
encountered on 32-bit architectures. We now fit everything in 64-bit. This
was achieved by storing the amount of unused bytes in an allocation rather
than the size itself, as one can be deduced from the other with the help
of the GetActuallyAllocatedSize function. As it turns out, this header can
be used for both 64 and 32 bit, and as such we dropped the requirement for
the 128-bit compare and exchange instruction support (cmpxchg16b).
- Add 32-bit support for the checksum and the PRNG functions: if the SSE 4.2
instruction set is supported, use the 32-bit CRC32 instruction, and in the
XorShift128, use a 32-bit based state instead of 64-bit.
- Add software support for CRC32: if SSE 4.2 is not supported, fallback on a
software implementation.
- Modify tests that were not 32-bit compliant, and expand them to cover more
allocation and alignment sizes. The random shuffle test has been deactivated
for linux-i386 & linux-i686 as the 32-bit sanitizer allocator doesn't
currently randomize chunks.
Reviewers: alekseyshl, kcc
Subscribers: filcab, llvm-commits, tberghammer, danalbert, srhines, mgorny, modocache
Differential Revision: https://reviews.llvm.org/D26358
llvm-svn: 288255
2016-12-01 01:32:20 +08:00
|
|
|
} // namespace std
|
[sanitizer] Initial implementation of a Hardened Allocator
Summary:
This is an initial implementation of a Hardened Allocator based on Sanitizer Common's CombinedAllocator.
It aims at mitigating heap based vulnerabilities by adding several features to the base allocator, while staying relatively fast.
The following were implemented:
- additional consistency checks on the allocation function parameters and on the heap chunks;
- use of checksum protected chunk header, to detect corruption;
- randomness to the allocator base;
- delayed freelist (quarantine), to mitigate use after free and overall determinism.
Additional mitigations are in the works.
Reviewers: eugenis, aizatsky, pcc, krasin, vitalybuka, glider, dvyukov, kcc
Subscribers: kubabrecka, filcab, llvm-commits
Differential Revision: http://reviews.llvm.org/D20084
llvm-svn: 271968
2016-06-07 09:20:26 +08:00
|
|
|
|
2017-06-29 05:58:57 +08:00
|
|
|
// TODO(alekseys): throw std::bad_alloc instead of dying on OOM.
|
2018-06-12 22:42:40 +08:00
|
|
|
#define OPERATOR_NEW_BODY_ALIGN(Type, Align, NoThrow) \
|
|
|
|
void *Ptr = scudoAllocate(size, static_cast<uptr>(Align), Type); \
|
2018-06-16 00:45:19 +08:00
|
|
|
if (!NoThrow && UNLIKELY(!Ptr)) reportOutOfMemory(size); \
|
2018-06-12 22:42:40 +08:00
|
|
|
return Ptr;
|
|
|
|
#define OPERATOR_NEW_BODY(Type, NoThrow) \
|
|
|
|
OPERATOR_NEW_BODY_ALIGN(Type, 0, NoThrow)
|
|
|
|
|
|
|
|
CXX_OPERATOR_ATTRIBUTE
|
|
|
|
void *operator new(size_t size)
|
|
|
|
{ OPERATOR_NEW_BODY(FromNew, /*NoThrow=*/false); }
|
|
|
|
CXX_OPERATOR_ATTRIBUTE
|
|
|
|
void *operator new[](size_t size)
|
|
|
|
{ OPERATOR_NEW_BODY(FromNewArray, /*NoThrow=*/false); }
|
|
|
|
CXX_OPERATOR_ATTRIBUTE
|
|
|
|
void *operator new(size_t size, std::nothrow_t const&)
|
|
|
|
{ OPERATOR_NEW_BODY(FromNew, /*NoThrow=*/true); }
|
|
|
|
CXX_OPERATOR_ATTRIBUTE
|
|
|
|
void *operator new[](size_t size, std::nothrow_t const&)
|
|
|
|
{ OPERATOR_NEW_BODY(FromNewArray, /*NoThrow=*/true); }
|
|
|
|
CXX_OPERATOR_ATTRIBUTE
|
|
|
|
void *operator new(size_t size, std::align_val_t align)
|
|
|
|
{ OPERATOR_NEW_BODY_ALIGN(FromNew, align, /*NoThrow=*/false); }
|
|
|
|
CXX_OPERATOR_ATTRIBUTE
|
|
|
|
void *operator new[](size_t size, std::align_val_t align)
|
|
|
|
{ OPERATOR_NEW_BODY_ALIGN(FromNewArray, align, /*NoThrow=*/false); }
|
|
|
|
CXX_OPERATOR_ATTRIBUTE
|
|
|
|
void *operator new(size_t size, std::align_val_t align, std::nothrow_t const&)
|
|
|
|
{ OPERATOR_NEW_BODY_ALIGN(FromNew, align, /*NoThrow=*/true); }
|
[sanitizer] Initial implementation of a Hardened Allocator
Summary:
This is an initial implementation of a Hardened Allocator based on Sanitizer Common's CombinedAllocator.
It aims at mitigating heap based vulnerabilities by adding several features to the base allocator, while staying relatively fast.
The following were implemented:
- additional consistency checks on the allocation function parameters and on the heap chunks;
- use of checksum protected chunk header, to detect corruption;
- randomness to the allocator base;
- delayed freelist (quarantine), to mitigate use after free and overall determinism.
Additional mitigations are in the works.
Reviewers: eugenis, aizatsky, pcc, krasin, vitalybuka, glider, dvyukov, kcc
Subscribers: kubabrecka, filcab, llvm-commits
Differential Revision: http://reviews.llvm.org/D20084
llvm-svn: 271968
2016-06-07 09:20:26 +08:00
|
|
|
CXX_OPERATOR_ATTRIBUTE
|
2018-06-12 22:42:40 +08:00
|
|
|
void *operator new[](size_t size, std::align_val_t align, std::nothrow_t const&)
|
|
|
|
{ OPERATOR_NEW_BODY_ALIGN(FromNewArray, align, /*NoThrow=*/true); }
|
[sanitizer] Initial implementation of a Hardened Allocator
Summary:
This is an initial implementation of a Hardened Allocator based on Sanitizer Common's CombinedAllocator.
It aims at mitigating heap based vulnerabilities by adding several features to the base allocator, while staying relatively fast.
The following were implemented:
- additional consistency checks on the allocation function parameters and on the heap chunks;
- use of checksum protected chunk header, to detect corruption;
- randomness to the allocator base;
- delayed freelist (quarantine), to mitigate use after free and overall determinism.
Additional mitigations are in the works.
Reviewers: eugenis, aizatsky, pcc, krasin, vitalybuka, glider, dvyukov, kcc
Subscribers: kubabrecka, filcab, llvm-commits
Differential Revision: http://reviews.llvm.org/D20084
llvm-svn: 271968
2016-06-07 09:20:26 +08:00
|
|
|
|
2018-06-12 22:42:40 +08:00
|
|
|
#define OPERATOR_DELETE_BODY(Type) \
|
|
|
|
scudoDeallocate(ptr, 0, 0, Type);
|
|
|
|
#define OPERATOR_DELETE_BODY_SIZE(Type) \
|
|
|
|
scudoDeallocate(ptr, size, 0, Type);
|
|
|
|
#define OPERATOR_DELETE_BODY_ALIGN(Type) \
|
|
|
|
scudoDeallocate(ptr, 0, static_cast<uptr>(align), Type);
|
|
|
|
#define OPERATOR_DELETE_BODY_SIZE_ALIGN(Type) \
|
|
|
|
scudoDeallocate(ptr, size, static_cast<uptr>(align), Type);
|
|
|
|
|
|
|
|
CXX_OPERATOR_ATTRIBUTE
|
|
|
|
void operator delete(void *ptr) NOEXCEPT
|
|
|
|
{ OPERATOR_DELETE_BODY(FromNew); }
|
|
|
|
CXX_OPERATOR_ATTRIBUTE
|
|
|
|
void operator delete[](void *ptr) NOEXCEPT
|
|
|
|
{ OPERATOR_DELETE_BODY(FromNewArray); }
|
|
|
|
CXX_OPERATOR_ATTRIBUTE
|
|
|
|
void operator delete(void *ptr, std::nothrow_t const&)
|
|
|
|
{ OPERATOR_DELETE_BODY(FromNew); }
|
|
|
|
CXX_OPERATOR_ATTRIBUTE
|
|
|
|
void operator delete[](void *ptr, std::nothrow_t const&)
|
|
|
|
{ OPERATOR_DELETE_BODY(FromNewArray); }
|
|
|
|
CXX_OPERATOR_ATTRIBUTE
|
|
|
|
void operator delete(void *ptr, size_t size) NOEXCEPT
|
|
|
|
{ OPERATOR_DELETE_BODY_SIZE(FromNew); }
|
|
|
|
CXX_OPERATOR_ATTRIBUTE
|
|
|
|
void operator delete[](void *ptr, size_t size) NOEXCEPT
|
|
|
|
{ OPERATOR_DELETE_BODY_SIZE(FromNewArray); }
|
[sanitizer] Initial implementation of a Hardened Allocator
Summary:
This is an initial implementation of a Hardened Allocator based on Sanitizer Common's CombinedAllocator.
It aims at mitigating heap based vulnerabilities by adding several features to the base allocator, while staying relatively fast.
The following were implemented:
- additional consistency checks on the allocation function parameters and on the heap chunks;
- use of checksum protected chunk header, to detect corruption;
- randomness to the allocator base;
- delayed freelist (quarantine), to mitigate use after free and overall determinism.
Additional mitigations are in the works.
Reviewers: eugenis, aizatsky, pcc, krasin, vitalybuka, glider, dvyukov, kcc
Subscribers: kubabrecka, filcab, llvm-commits
Differential Revision: http://reviews.llvm.org/D20084
llvm-svn: 271968
2016-06-07 09:20:26 +08:00
|
|
|
CXX_OPERATOR_ATTRIBUTE
|
2018-06-12 22:42:40 +08:00
|
|
|
void operator delete(void *ptr, std::align_val_t align) NOEXCEPT
|
|
|
|
{ OPERATOR_DELETE_BODY_ALIGN(FromNew); }
|
[sanitizer] Initial implementation of a Hardened Allocator
Summary:
This is an initial implementation of a Hardened Allocator based on Sanitizer Common's CombinedAllocator.
It aims at mitigating heap based vulnerabilities by adding several features to the base allocator, while staying relatively fast.
The following were implemented:
- additional consistency checks on the allocation function parameters and on the heap chunks;
- use of checksum protected chunk header, to detect corruption;
- randomness to the allocator base;
- delayed freelist (quarantine), to mitigate use after free and overall determinism.
Additional mitigations are in the works.
Reviewers: eugenis, aizatsky, pcc, krasin, vitalybuka, glider, dvyukov, kcc
Subscribers: kubabrecka, filcab, llvm-commits
Differential Revision: http://reviews.llvm.org/D20084
llvm-svn: 271968
2016-06-07 09:20:26 +08:00
|
|
|
CXX_OPERATOR_ATTRIBUTE
|
2018-06-12 22:42:40 +08:00
|
|
|
void operator delete[](void *ptr, std::align_val_t align) NOEXCEPT
|
|
|
|
{ OPERATOR_DELETE_BODY_ALIGN(FromNewArray); }
|
[sanitizer] Initial implementation of a Hardened Allocator
Summary:
This is an initial implementation of a Hardened Allocator based on Sanitizer Common's CombinedAllocator.
It aims at mitigating heap based vulnerabilities by adding several features to the base allocator, while staying relatively fast.
The following were implemented:
- additional consistency checks on the allocation function parameters and on the heap chunks;
- use of checksum protected chunk header, to detect corruption;
- randomness to the allocator base;
- delayed freelist (quarantine), to mitigate use after free and overall determinism.
Additional mitigations are in the works.
Reviewers: eugenis, aizatsky, pcc, krasin, vitalybuka, glider, dvyukov, kcc
Subscribers: kubabrecka, filcab, llvm-commits
Differential Revision: http://reviews.llvm.org/D20084
llvm-svn: 271968
2016-06-07 09:20:26 +08:00
|
|
|
CXX_OPERATOR_ATTRIBUTE
|
2018-06-12 22:42:40 +08:00
|
|
|
void operator delete(void *ptr, std::align_val_t align, std::nothrow_t const&)
|
|
|
|
{ OPERATOR_DELETE_BODY_ALIGN(FromNew); }
|
[sanitizer] Initial implementation of a Hardened Allocator
Summary:
This is an initial implementation of a Hardened Allocator based on Sanitizer Common's CombinedAllocator.
It aims at mitigating heap based vulnerabilities by adding several features to the base allocator, while staying relatively fast.
The following were implemented:
- additional consistency checks on the allocation function parameters and on the heap chunks;
- use of checksum protected chunk header, to detect corruption;
- randomness to the allocator base;
- delayed freelist (quarantine), to mitigate use after free and overall determinism.
Additional mitigations are in the works.
Reviewers: eugenis, aizatsky, pcc, krasin, vitalybuka, glider, dvyukov, kcc
Subscribers: kubabrecka, filcab, llvm-commits
Differential Revision: http://reviews.llvm.org/D20084
llvm-svn: 271968
2016-06-07 09:20:26 +08:00
|
|
|
CXX_OPERATOR_ATTRIBUTE
|
2018-06-12 22:42:40 +08:00
|
|
|
void operator delete[](void *ptr, std::align_val_t align, std::nothrow_t const&)
|
|
|
|
{ OPERATOR_DELETE_BODY_ALIGN(FromNewArray); }
|
[sanitizer] Initial implementation of a Hardened Allocator
Summary:
This is an initial implementation of a Hardened Allocator based on Sanitizer Common's CombinedAllocator.
It aims at mitigating heap based vulnerabilities by adding several features to the base allocator, while staying relatively fast.
The following were implemented:
- additional consistency checks on the allocation function parameters and on the heap chunks;
- use of checksum protected chunk header, to detect corruption;
- randomness to the allocator base;
- delayed freelist (quarantine), to mitigate use after free and overall determinism.
Additional mitigations are in the works.
Reviewers: eugenis, aizatsky, pcc, krasin, vitalybuka, glider, dvyukov, kcc
Subscribers: kubabrecka, filcab, llvm-commits
Differential Revision: http://reviews.llvm.org/D20084
llvm-svn: 271968
2016-06-07 09:20:26 +08:00
|
|
|
CXX_OPERATOR_ATTRIBUTE
|
2018-06-12 22:42:40 +08:00
|
|
|
void operator delete(void *ptr, size_t size, std::align_val_t align) NOEXCEPT
|
|
|
|
{ OPERATOR_DELETE_BODY_SIZE_ALIGN(FromNew); }
|
[sanitizer] Initial implementation of a Hardened Allocator
Summary:
This is an initial implementation of a Hardened Allocator based on Sanitizer Common's CombinedAllocator.
It aims at mitigating heap based vulnerabilities by adding several features to the base allocator, while staying relatively fast.
The following were implemented:
- additional consistency checks on the allocation function parameters and on the heap chunks;
- use of checksum protected chunk header, to detect corruption;
- randomness to the allocator base;
- delayed freelist (quarantine), to mitigate use after free and overall determinism.
Additional mitigations are in the works.
Reviewers: eugenis, aizatsky, pcc, krasin, vitalybuka, glider, dvyukov, kcc
Subscribers: kubabrecka, filcab, llvm-commits
Differential Revision: http://reviews.llvm.org/D20084
llvm-svn: 271968
2016-06-07 09:20:26 +08:00
|
|
|
CXX_OPERATOR_ATTRIBUTE
|
2018-06-12 22:42:40 +08:00
|
|
|
void operator delete[](void *ptr, size_t size, std::align_val_t align) NOEXCEPT
|
|
|
|
{ OPERATOR_DELETE_BODY_SIZE_ALIGN(FromNewArray); }
|