mfbt/Poison.cpp

Tue, 06 Jan 2015 21:39:09 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Tue, 06 Jan 2015 21:39:09 +0100
branch
TOR_BUG_9701
changeset 8
97036ab72558
permissions
-rw-r--r--

Conditionally force memory storage according to privacy.thirdparty.isolate. This solves Tor bug #9701, complying with the disk avoidance requirements documented in
https://www.torproject.org/projects/torbrowser/design/#disk-avoidance.

     1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
     2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
     3 /* This Source Code Form is subject to the terms of the Mozilla Public
     4  * License, v. 2.0. If a copy of the MPL was not distributed with this
     5  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
     7 /*
     8  * A poison value that can be used to fill a memory space with
     9  * an address that leads to a safe crash when dereferenced.
    10  */
    12 #include "mozilla/Poison.h"
    14 #include "mozilla/Assertions.h"
    15 #ifdef _WIN32
    16 # include <windows.h>
    17 #elif !defined(__OS2__)
    18 # include <unistd.h>
    19 # include <sys/mman.h>
    20 # ifndef MAP_ANON
    21 #  ifdef MAP_ANONYMOUS
    22 #   define MAP_ANON MAP_ANONYMOUS
    23 #  else
    24 #   error "Don't know how to get anonymous memory"
    25 #  endif
    26 # endif
    27 #endif
// Exported with C linkage.  All three are assigned by mozPoisonValueInit()
// at the bottom of this file; nothing here reads them.
extern "C" {
// The pointer-sized value freed memory is filled with; it points into the
// reserved/inaccessible region so that a dereference faults.
uintptr_t gMozillaPoisonValue;
// Base address of the region chosen by ReservePoisonArea().
uintptr_t gMozillaPoisonBase;
// Size of that region, as returned by GetDesiredRegionSize().
uintptr_t gMozillaPoisonSize;
}
    35 // Freed memory is filled with a poison value, which we arrange to
    36 // form a pointer either to an always-unmapped region of the address
    37 // space, or to a page that has been reserved and rendered
    38 // inaccessible via OS primitives.  See tests/TestPoisonArea.cpp for
    39 // extensive discussion of the requirements for this page.  The code
    40 // from here to 'class FreeList' needs to be kept in sync with that
    41 // file.
    43 #ifdef _WIN32
// Reserve (without committing) `size` bytes at `region` with no access
// rights, so that any touch of the range faults.  Returns the address the OS
// granted, or a null pointer (RESERVE_FAILED on this platform) on failure.
static void *
ReserveRegion(uintptr_t region, uintptr_t size)
{
  void *wanted = reinterpret_cast<void *>(region);
  return VirtualAlloc(wanted, size, MEM_RESERVE, PAGE_NOACCESS);
}
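// Give back a region obtained from ReserveRegion().
//
// VirtualFree() with MEM_RELEASE requires dwSize to be 0 (the whole
// reservation is released); passing the region size makes the call fail
// and leaks the reservation.  `size` is kept for interface parity with the
// other platforms but deliberately not forwarded.
static void
ReleaseRegion(void *region, uintptr_t size)
{
  (void)size;
  VirtualFree(region, 0, MEM_RELEASE);
}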
// Report whether [region, region+size) lies at or above the highest address
// the OS will ever hand to this process, i.e. can never become usable memory.
static bool
ProbeRegion(uintptr_t region, uintptr_t size)
{
  SYSTEM_INFO sinfo;
  GetSystemInfo(&sinfo);
  const uintptr_t ceiling =
    reinterpret_cast<uintptr_t>(sinfo.lpMaximumApplicationAddress);
  // Both ends of the range have to be past the ceiling.
  const bool startAbove = region >= ceiling;
  const bool endAbove = region + size >= ceiling;
  return startAbove && endAbove;
}
// Size of the region to reserve: the OS allocation granularity, which is the
// unit VirtualAlloc reservations are placed on.
static uintptr_t
GetDesiredRegionSize()
{
  SYSTEM_INFO sinfo;
  GetSystemInfo(&sinfo);
  const uintptr_t granularity = sinfo.dwAllocationGranularity;
  return granularity;
}
    77 #define RESERVE_FAILED 0
    79 #elif defined(__OS2__)
// OS/2 cannot place a mapping at a caller-chosen address, so instead of
// trying, hand back a fixed address that is known to be invalid.
static void *
ReserveRegion(uintptr_t region, uintptr_t size)
{
  (void)region;
  (void)size;
  const uintptr_t kInvalidAddress = 0xFFFD0000;
  return reinterpret_cast<void *>(kInvalidAddress);
}
// Nothing is ever actually reserved by ReserveRegion() on OS/2, so there is
// nothing to release.
static void
ReleaseRegion(void *region, uintptr_t size)
{
  (void)region;
  (void)size;
}
// The system arena offers no way to ask whether an address is mapped short
// of touching it and seeing whether a trap occurs, so never claim that a
// region is known to be inaccessible.
static bool
ProbeRegion(uintptr_t region, uintptr_t size)
{
  (void)region;
  (void)size;
  const bool knownInaccessible = false;
  return knownInaccessible;
}
// OS/2 has a fixed 4 KiB page size.
static uintptr_t
GetDesiredRegionSize()
{
  enum { kPageSize = 0x1000 };
  return kPageSize;
}
   109 #define RESERVE_FAILED 0
   111 #else // Unix
// Map `size` bytes of anonymous, PROT_NONE memory, preferably at `region`
// (a hint; the kernel may place it elsewhere).  Returns the mapped address or
// MAP_FAILED (RESERVE_FAILED on this platform).
static void *
ReserveRegion(uintptr_t region, uintptr_t size)
{
  void *hint = reinterpret_cast<void*>(region);
  const int prot = PROT_NONE;
  const int flags = MAP_PRIVATE | MAP_ANON;
  return mmap(hint, size, prot, flags, -1, 0);
}
// Unmap a region obtained from ReserveRegion().  Best effort: there is
// nothing useful a caller could do with a munmap failure, so it is ignored.
static void
ReleaseRegion(void *region, uintptr_t size)
{
  const int rc = munmap(region, size);
  (void)rc;
}
// Use madvise() as a cheap "is this range mapped?" probe: a non-zero return
// (ENOMEM for an unmapped range) is taken to mean the range cannot be
// usable memory.
static bool
ProbeRegion(uintptr_t region, uintptr_t size)
{
  void *start = reinterpret_cast<void*>(region);
  const int rc = madvise(start, size, MADV_NORMAL);
  return rc != 0;
}
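// Size of the region to reserve for the poison page: one OS page.
//
// sysconf() returns -1 on failure; converting that straight to uintptr_t
// would yield a huge bogus size, so report 0 instead.  mozPoisonValueInit()
// already checks for a zero size.
static uintptr_t
GetDesiredRegionSize()
{
  const long pageSize = sysconf(_SC_PAGESIZE);
  if (pageSize <= 0) {
    return 0;
  }
  return static_cast<uintptr_t>(pageSize);
}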
   141 #define RESERVE_FAILED MAP_FAILED
   143 #endif // system dependencies
// ReservePoisonArea() below branches on sizeof(uintptr_t) being 4 or 8 and
// converts freely between uintptr_t and void*; make both assumptions explicit.
static_assert(sizeof(uintptr_t) == 4 || sizeof(uintptr_t) == 8, "");
static_assert(sizeof(uintptr_t) == sizeof(void *), "");
// Choose the base address of the inaccessible region that poison pointers
// will point into.  `rgnsize` is the value from GetDesiredRegionSize() and is
// only used as an alignment mask, so it is assumed to be a power of two.
//
// 64-bit: returns a fixed address in the hardware-inaccessible region; no
// OS call is made.  32-bit: tries to reserve the preferred address, falls back
// to proving it is permanently unmappable, then to whatever the OS offers.
// Crashes if no usable region can be found at all.
static uintptr_t
ReservePoisonArea(uintptr_t rgnsize)
{
  const uintptr_t alignMask = ~(rgnsize - 1);

  if (sizeof(uintptr_t) == 8) {
    // Use the hardware-inaccessible region.  The constant is assembled from
    // 32-bit pieces because this branch is also compiled (though never run)
    // for 32-bit targets, where a 64-bit literal or a shift by 32 would be
    // rejected.
    const uintptr_t high = (uintptr_t(0x7FFFFFFFu) << 31) << 1;
    const uintptr_t low = uintptr_t(0xF0DEAFFFu);
    return (high | low) & alignMask;
  }

  // 32-bit: ask the OS for the preferred address first.
  const uintptr_t preferred = 0xF0DEAFFF & alignMask;
  void *granted = ReserveRegion(preferred, rgnsize);
  if (granted == reinterpret_cast<void *>(preferred)) {
    // Got exactly what was asked for: an inaccessible page at `preferred`.
    return preferred;
  }

  // Not granted.  The preferred address may instead lie in memory that can
  // never be mapped, which serves just as well.
  if (ProbeRegion(preferred, rgnsize)) {
    if (granted != RESERVE_FAILED) {
      // Don't leak whatever the OS reserved elsewhere on our behalf.
      ReleaseRegion(granted, rgnsize);
    }
    return preferred;
  }

  // The preferred address is ordinary usable memory.  If the OS reserved a
  // page somewhere else for us, that will do.
  if (granted != RESERVE_FAILED) {
    return uintptr_t(granted);
  }

  // Last resort: any address the OS is willing to give us.
  granted = ReserveRegion(0, rgnsize);
  if (granted != RESERVE_FAILED) {
    return uintptr_t(granted);
  }

  // Nothing worked: without a region, freed memory cannot be poisoned, so
  // fail loudly rather than carry on with an unsafe value.
  MOZ_CRASH();
  return 0;
}
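// Initialise the global poison state (gMozillaPoisonSize, gMozillaPoisonBase,
// gMozillaPoisonValue).
//
// The region size is checked before it is handed to ReservePoisonArea():
// a zero size (which the platform helpers should never return) would
// otherwise be used as an alignment mask there and could end in MOZ_CRASH
// for a case this function is meant to skip silently.
void
mozPoisonValueInit()
{
  gMozillaPoisonSize = GetDesiredRegionSize();
  if (gMozillaPoisonSize == 0) { // can't happen
    return;
  }

  gMozillaPoisonBase = ReservePoisonArea(gMozillaPoisonSize);

  // Point into the middle of the region.  The -1 also makes the value odd,
  // presumably so it is misaligned for any multi-byte access — the original
  // does not state the intent.
  gMozillaPoisonValue = gMozillaPoisonBase + gMozillaPoisonSize/2 - 1;
}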
