path: root/libc/stdlib/malloc-standard/malloc.h
Age         Commit message                                  Author

2020-02-16  Add Safe-Linking to fastbins  (Eyal Itkin)

    Safe-Linking is a security mechanism that protects single-linked lists (such as the fastbins) from being tampered by attackers. The mechanism makes use of randomness from ASLR (mmap_base), and when combined with chunk alignment integrity checks, it protects the pointers from being hijacked by an attacker.

    While Safe-Unlinking protects double-linked lists (such as the small bins), there wasn't any similar protection for attacks against single-linked lists. This solution protects against 3 common attacks:
      * Partial pointer override: modifies the lower bytes (Little Endian)
      * Full pointer override: hijacks the pointer to an attacker's location
      * Unaligned chunks: pointing the list to an unaligned address

    The design assumes an attacker doesn't know where the heap is located, and uses the ASLR randomness to "sign" the single-linked pointers. We mark the pointer as P and the location in which it is stored as L, and the calculation will be:
      * PROTECT(P) := (L >> PAGE_SHIFT) XOR (P)
      * *L = PROTECT(P)

    This way, the random bits from the address L (which start at the bits in the PAGE_SHIFT position), will be merged with the LSB of the stored protected pointer. This protection layer prevents an attacker from modifying the pointer into a controlled value.

    An additional check that the chunks are MALLOC_ALIGNed adds an important layer:
      * Attackers can't point to illegal (unaligned) memory addresses
      * Attackers must guess correctly the alignment bits

    On standard 32 bit Linux machines, an attacker will directly fail 7 out of 8 times, and on 64 bit machines it will fail 15 out of 16 times.

    The proposed solution adds 3-4 asm instructions per malloc()/free() and therefore has only minor performance implications if it has any. A similar protection was added to Chromium's version of TCMalloc in 2013, and according to their documentation the performance overhead was less than 2%.

    Signed-off-by: Eyal Itkin <eyalit@checkpoint.com>
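The PROTECT(P) formula and the MALLOC_ALIGN check described in the commit message above, modelled on a tiny simulated free list. This is an added illustration, not uClibc-ng's code: it assumes PAGE_SHIFT = 12 (4 KiB pages), uses constructed fixed-size chunks in a static array, and the helper names (protect_ptr, reveal_ptr, bin_push, bin_walk and the rest) are hypothetical. It shows the round trip on an intact list, that a single-bit corruption of a stored link is reported by the alignment check instead of being followed, and that a link written without the mask does not resolve to the value that was written.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT       12                     /* assumption: 4 KiB pages, as on x86 Linux */
#define MALLOC_ALIGNMENT (2 * sizeof(size_t))   /* 16 on 64-bit, 8 on 32-bit */
#define CHUNK_WORDS      4                      /* constructed: fixed-size chunks of 4 words */
#define NCHUNKS          8

/* PROTECT(P) := (L >> PAGE_SHIFT) XOR P, with L the address the pointer is stored at.
   XOR is its own inverse, so the same formula reveals the pointer again. */
static uintptr_t protect_ptr(uintptr_t l, uintptr_t p) { return (l >> PAGE_SHIFT) ^ p; }
static uintptr_t reveal_ptr(uintptr_t l, uintptr_t stored) { return (l >> PAGE_SHIFT) ^ stored; }

/* The alignment check that accompanies Safe-Linking: a revealed pointer that is not
   MALLOC_ALIGNed cannot be a genuine chunk. */
static int is_aligned_chunk(uintptr_t p) { return (p & (MALLOC_ALIGNMENT - 1)) == 0; }

/* Simulated heap (constructed): each chunk's first word is its protected "fd" link. */
static _Alignas(4096) uintptr_t heap[NCHUNKS * CHUNK_WORDS];
static uintptr_t bin_head;                      /* the head pointer itself is stored in plain form */

static uintptr_t chunk_addr(int i) { return (uintptr_t)&heap[i * CHUNK_WORDS]; }

static void bin_reset(void) { bin_head = 0; memset(heap, 0, sizeof heap); }

/* free()-side: link the chunk in, storing *L = PROTECT(P). */
static void bin_push(uintptr_t chunk) {
    uintptr_t *fd = (uintptr_t *)chunk;          /* L = &chunk->fd */
    *fd = protect_ptr((uintptr_t)fd, bin_head);  /* P = previous head */
    bin_head = chunk;
}

/* malloc()-side traversal: reveal each link and verify alignment.
   Returns the list length, or -1 where a real allocator would abort on a bad link. */
static int bin_walk(void) {
    int n = 0;
    for (uintptr_t cur = bin_head; cur != 0; ) {
        if (!is_aligned_chunk(cur) || n >= NCHUNKS) return -1;
        n++;
        uintptr_t *fd = (uintptr_t *)cur;
        cur = reveal_ptr((uintptr_t)fd, *fd);
    }
    return n;
}

/* Build a free list of `count` chunks and walk it: the protected links round-trip. */
static int build_and_walk(int count) {
    bin_reset();
    for (int i = 0; i < count; i++) bin_push(chunk_addr(i));
    return bin_walk();
}

/* Model of a single-bit memory corruption of the head chunk's stored link: the revealed
   pointer is no longer MALLOC_ALIGNed, so the walk reports it instead of following it. */
static int corrupt_low_bit_and_walk(int count) {
    build_and_walk(count);
    *(uintptr_t *)bin_head ^= 1;
    return bin_walk();
}

/* Model of a write that stores a plain pointer into fd without applying PROTECT: because
   (L >> PAGE_SHIFT) is nonzero for any mapped L, reveal_ptr() does not yield that pointer. */
static uintptr_t unprotected_write_reveals_to(int count, uintptr_t plain) {
    build_and_walk(count);
    uintptr_t *fd = (uintptr_t *)bin_head;
    *fd = plain;
    return reveal_ptr((uintptr_t)fd, *fd);
}

int main(void) {
    printf("3-chunk list walks as %d chunks\n", build_and_walk(3));
    printf("after a low-bit corruption the walk returns %d\n", corrupt_low_bit_and_walk(3));
    uintptr_t target = chunk_addr(7);
    printf("unprotected write of %#lx reveals as %#lx\n",
           (unsigned long)target, (unsigned long)unprotected_write_reveals_to(3, target));
    return 0;
}
```

The mask only covers the bits of the stored word at and above bit 0 with the page-number bits of L, which is why the commit pairs it with the alignment check: the low alignment bits of a revealed pointer are what a corrupted link will most often get wrong, and checking them costs one AND per traversal.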
2017-11-03  malloc-standard/malloc.h: use getpagesize  (Yitai Schwartz)

    sysconf creates a lot of code dependencies. getpagesize doesn't. Statically linked code that calls malloc is now much smaller.

    Signed-off-by: Waldemar Brodkorb <wbx@uclibc-ng.org>
2016-05-18  remove linuxthreads.new, rename linuxthreads.old  (Waldemar Brodkorb)

    Linuxthreads.new isn't really useful with the existence of NPTL/TLS for well supported architectures. There is no reason to use LT.new for ARM/MIPS or other architectures supporting NPTL/TLS. It is not available for noMMU architectures like Blackfin or FR-V. To simplify the life of the few uClibc-ng developers, LT.new is removed and LT.old is renamed to LT.

    LINUXTHREADS_OLD -> UCLIBC_HAS_LINUXTHREADS
2015-02-14  Revert "resolve merge"  (Waldemar Brodkorb)

    This reverts commit 6b6ede3d15f04fe825cfa9f697507457e3640344.

2015-02-14  resolve merge  (Waldemar Brodkorb)
2015-01-22  libc: Avoid redundant setting of ENOMEM  (Bernhard Reutner-Fischer)

    Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
2013-02-05  mman: rename MAP_UNINITIALIZE to MAP_UNINITIALIZED  (Bernhard Reutner-Fischer)

    The name was changed to include a trailing 'D' when it went into the kernel.

    Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
2012-06-15  malloc.h: hide internal functions (mainly debug related)  (Peter S. Mazinger)

    Signed-off-by: Peter S. Mazinger <ps.m@gmx.net>
    Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
2010-07-27  malloc: simplify MAP_UNINITIALIZE ifdef logic  (Mike Frysinger)

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
2009-11-23  nommu: use MAP_UNINITIALIZE for mallocs  (Mike Frysinger)

    Now that the kernel supports MAP_UNINITIALIZE, have the malloc places use it to get real uninitialized memory on no-mmu systems. This avoids a lot of normally useless overhead involved in zeroing out all of the memory (sometimes multiple times).

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
2009-09-18  trim Experimentally off and uncommented hidden  (Bernhard Reutner-Fischer)

    sed -i -e '/Experimentally off - /d' $(grep -rl "Experimentally off - " *)
    sed -i -e '/^\/\*[[:space:]]*libc_hidden_proto(/d' $(grep -rl "libc_hidden_proto" *)

    should be a nop

    Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
2008-11-20  Last portion of libc_hidden_proto removal.  (Denis Vlasenko)

    Appears to build fine (several .configs tried)

2008-11-20  next portion of libc_hidden_proto removal  (Denis Vlasenko)

2008-11-18  libc_hidden_proto removal, just a few functions  (Denis Vlasenko)

2008-07-23  - trim any trailing whitespace  (Bernhard Reutner-Fischer)
2006-12-07  Major cleanup of internal mutex locking.  (Eric Andersen)

    Be more consistent in how we do things, and avoid potential deadlocks caused when a thread holding a uClibc internal lock gets canceled and terminates without releasing the lock. This change also provides a single place, bits/uClibc_mutex.h, for thread libraries to modify to change all instances of internal locking.
2006-08-25  fix from psm: makes use of the malloc debug option in malloc-standard as well  (Mike Frysinger)

2006-03-10  Remove all non-constant libc_hidden_data_def(), it is too unreliable, sorry, most of global data relocations are back  (Peter S. Mazinger)
2006-02-18  tweak the idea between having a MMU and actually using it  (Mike Frysinger)

2006-02-01  Go __malloc_lock, go ...  (Peter S. Mazinger)

2006-01-14  hidden_def/hidden_proto: convert all users (I hope) termios split, add some missing headers, other jump relocs removed  (Peter S. Mazinger)
2005-12-13  __malloc_consolidate is only libc internal, enable use of __sbrk  (Peter S. Mazinger)

2005-12-08  mmap/mremap/socket/rewind gone  (Peter S. Mazinger)

2005-12-06  macro out the thread funcs in libc if threading is disabled  (Mike Frysinger)

2005-11-29  Hiding again  (Peter S. Mazinger)
2004-08-25  Mike Frysinger writes:  (Eric Andersen)

    this was sent earlier in a different form:
    http://www.uclibc.org/lists/uclibc/2004-January/008136.html

    find attached a smaller version ... perhaps adding a fprintf to stderr before calling abort would be nice like in the glibc patch, but whatever

    glibc has since adopted a similar fix for their malloc (third hunk, line 1970)
    http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/malloc/malloc.c.diff?r1=1.121&r2=1.122&cvsroot=glibc&f=h

    -mike
2004-07-15  _SC_PAGESIZE is standard.  (Eric Andersen)

    Some ancient legacy unix variants used _SC_PAGE_SIZE instead, but we are not such a system and should not propagate such things.

2004-07-15  Use MAP_PRIVATE whenever __ARCH_HAS_MMU__ is set.  (Eric Andersen)

    Only use MAP_SHARED when mmu-less.
2003-12-30  Rework malloc.  (Eric Andersen)

    The new default implementation is based on dlmalloc from Doug Lea. It is about 2x faster than the old malloc-930716, and behaves itself much better -- it will properly release memory back to the system, and it uses a combination of brk() for small allocations and mmap() for larger allocations.

    -Erik