summaryrefslogtreecommitdiff
path: root/libc/stdlib/malloc-standard/malloc.c
AgeCommit message (Collapse)Author
2024-02-20libc: Fix some unused parameter warningsSven Linker
2020-02-16Add Safe-Linking to fastbinsEyal Itkin
Safe-Linking is a security mechanism that protects single-linked lists (such as the fastbins) from being tampered by attackers. The mechanism makes use of randomness from ASLR (mmap_base), and when combined with chunk alignment integrity checks, it protects the pointers from being hijacked by an attacker. While Safe-Unlinking protects double-linked lists (such as the small bins), there wasn't any similar protection for attacks against single-linked lists. This solution protects against 3 common attacks: * Partial pointer override: modifies the lower bytes (Little Endian) * Full pointer override: hijacks the pointer to an attacker's location * Unaligned chunks: pointing the list to an unaligned address The design assumes an attacker doesn't know where the heap is located, and uses the ASLR randomness to "sign" the single-linked pointers. We mark the pointer as P and the location in which it is stored as L, and the calculation will be: * PROTECT(P) := (L >> PAGE_SHIFT) XOR (P) * *L = PROTECT(P) This way, the random bits from the address L (which start at the bits in the PAGE_SHIFT position), will be merged with the LSB of the stored protected pointer. This protection layer prevents an attacker from modifying the pointer into a controlled value. An additional check that the chunks are MALLOC_ALIGNed adds an important layer: * Attackers can't point to illegal (unaligned) memory addresses * Attackers must guess correctly the alignment bits On standard 32 bit Linux machines, an attacker will directly fail 7 out of 8 times, and on 64 bit machines it will fail 15 out of 16 times. The proposed solution adds 3-4 asm instructions per malloc()/free() and therefore has only minor performance implications if it has any. A similar protection was added to Chromium's version of TCMalloc in 2013, and according to their documentation the performance overhead was less than 2%. Signed-off-by: Eyal Itkin <eyalit@checkpoint.com>
2018-01-31malloc: add glibc compat symbolsWaldemar Brodkorb
2016-12-20remove __MALLOC_GLIBC_COMPAT__ optionWaldemar Brodkorb
This option is enabled for a long time and I see no useful case where we should be incompatible to glibc here.
2015-03-18malloc: checked_request2size failure deadlocksZhiqiang Zhang
For some rarely cases(almost App bugs), calling malloc with a very largre size, checked_request2size check will fail,set ENOMEM, and return 0 to caller. But this will let __malloc_lock futex locked and owned by the caller. In multithread circumstance, other thread calling malloc/calloc will NOT succeed and get locked. Signed-off-by: Zhiqiang Zhang <zhangzhiqiang.zhang@huawei.com> Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
2015-01-22libc: Avoid redundant setting of ENOMEMBernhard Reutner-Fischer
Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
2007-04-02POSIX requires that errno be set whenever 0 is returned by malloc()Mike Frysinger
2006-12-17rename local "brk" var so it doesnt namespace collide with the brk() functionMike Frysinger
2006-12-07Major cleanup of internal mutex locking. Be more consistant in how we doEric Andersen
things, and avoid potential deadlocks caused when a thread holding a uClibc internal lock get canceled and terminates without releasing the lock. This change also provides a single place, bits/uClibc_mutex.h, for thread libraries to modify to change all instances of internal locking.
2006-08-25fix from psm: makes use of the malloc debug option in malloc-standard as wellMike Frysinger
2006-03-10Remove all non-constant libc_hidden_data_def(), it is too unreliable, sorry, ↵Peter S. Mazinger
most of global data relocations are back
2006-02-01Go __malloc_lock, go ...Peter S. Mazinger
2006-01-22Enable _GNU_SOURCE build wide, trying to get consistent interfaces, else IMA ↵Peter S. Mazinger
is a useless attempt
2005-07-06add support for __MALLOC_GLIBC_COMPAT__ (malloc(0) == NULL) so the malloc ↵Mike Frysinger
test wont fail
2004-07-15Use MAP_PRIVATE whenever __ARCH_HAS_MMU__ is set.Eric Andersen
Only use MAP_SHARED when mmu-less.
2003-12-30Rework malloc. The new default implementation is based on dlmalloc from DougEric Andersen
Lea. It is about 2x faster than the old malloc-930716, and behave itself much better -- it will properly release memory back to the system, and it uses a combination of brk() for small allocations and mmap() for larger allocations. -Erik