summaryrefslogtreecommitdiff
path: root/libc/stdlib/malloc-standard
AgeCommit message (Collapse)Author
2020-02-16Add Safe-Linking to fastbinsEyal Itkin
Safe-Linking is a security mechanism that protects single-linked lists (such as the fastbins) from being tampered by attackers. The mechanism makes use of randomness from ASLR (mmap_base), and when combined with chunk alignment integrity checks, it protects the pointers from being hijacked by an attacker. While Safe-Unlinking protects double-linked lists (such as the small bins), there wasn't any similar protection for attacks against single-linked lists. This solution protects against 3 common attacks: * Partial pointer override: modifies the lower bytes (Little Endian) * Full pointer override: hijacks the pointer to an attacker's location * Unaligned chunks: pointing the list to an unaligned address The design assumes an attacker doesn't know where the heap is located, and uses the ASLR randomness to "sign" the single-linked pointers. We mark the pointer as P and the location in which it is stored as L, and the calculation will be: * PROTECT(P) := (L >> PAGE_SHIFT) XOR (P) * *L = PROTECT(P) This way, the random bits from the address L (which start at the bits in the PAGE_SHIFT position), will be merged with the LSB of the stored protected pointer. This protection layer prevents an attacker from modifying the pointer into a controlled value. An additional check that the chunks are MALLOC_ALIGNed adds an important layer: * Attackers can't point to illegal (unaligned) memory addresses * Attackers must guess correctly the alignment bits On standard 32 bit Linux machines, an attacker will directly fail 7 out of 8 times, and on 64 bit machines it will fail 15 out of 16 times. The proposed solution adds 3-4 asm instructions per malloc()/free() and therefore has only minor performance implications if it has any. A similar protection was added to Chromium's version of TCMalloc in 2013, and according to their documentation the performance overhead was less than 2%. Signed-off-by: Eyal Itkin <eyalit@checkpoint.com>
2018-01-31malloc: add glibc compat symbolsWaldemar Brodkorb
2018-01-31malloc: add malloc_usable_size()Waldemar Brodkorb
2017-11-03malloc-standard/malloc.h: use getpagesizeYitai Schwartz
sysconf creates a lot of code dependencies. getpagesize dosen't. staticly linked code that calls malloc is now much smaller. Signed-off-by: Waldemar Brodkorb <wbx@uclibc-ng.org>
2016-12-20remove __MALLOC_GLIBC_COMPAT__ optionWaldemar Brodkorb
This option is enabled for a long time and I see no useful case where we should be incompatible to glibc here.
2016-11-27add aligned_alloc required for latest gcc libstdc++Waldemar Brodkorb
2016-05-18remove linuxthreads.new, rename linuxthreads.oldWaldemar Brodkorb
Linuxthreads.new isn't really useful with the existence of NPTL/TLS for well supported architectures. There is no reason to use LT.new for ARM/MIPS or other architectures supporting NPTL/TLS. It is not available for noMMU architectures like Blackfin or FR-V. To simplify the live of the few uClibc-ng developers, LT.new is removed and LT.old is renamed to LT. LINUXTHREADS_OLD -> UCLIBC_HAS_LINUXTHREADS
2015-12-09Make malloc_stats() GNU libc compatibleWaldemar Brodkorb
This fix commit 76dfc7ce8c "Some requested additional malloc entry points" from 2004's Signed-off-by: Leonid Lisovskiy <lly.dev@gmail.com> Signed-off-by: Waldemar Brodkorb <wbx@uclibc-ng.org>
2015-03-18malloc-standard: Add locking to malloc_trimBernhard Reutner-Fischer
Closes bugzilla #4586 Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
2015-03-18malloc: checked_request2size failure deadlocksZhiqiang Zhang
For some rarely cases(almost App bugs), calling malloc with a very largre size, checked_request2size check will fail,set ENOMEM, and return 0 to caller. But this will let __malloc_lock futex locked and owned by the caller. In multithread circumstance, other thread calling malloc/calloc will NOT succeed and get locked. Signed-off-by: Zhiqiang Zhang <zhangzhiqiang.zhang@huawei.com> Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
2015-01-22libc: Avoid redundant setting of ENOMEMBernhard Reutner-Fischer
Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
2013-04-03stdlib: avoid relocationBernhard Reutner-Fischer
valloc uses memalign Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
2013-02-05mman: rename MAP_UNINITIALIZE to MAP_UNINITIALIZEDBernhard Reutner-Fischer
The name was changed to include a trailing 'D' when it went into the kernel. Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
2013-02-05buildsys: switch libc to kbuild-styleBernhard Reutner-Fischer
Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
2012-06-15malloc.h: hide internal functions (mainly debug related)Peter S. Mazinger
Signed-off-by: Peter S. Mazinger <ps.m@gmx.net> Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
2010-07-27malloc: simplify MAP_UNINITIALIZE ifdef logicMike Frysinger
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
2010-03-25prettify make cleanBernhard Reutner-Fischer
Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
2009-11-23nommu: use MAP_UNINITIALIZE for mallocsMike Frysinger
Now that the kernel supports MAP_UNINITIALIZE, have the malloc places use it to get real uninitialized memory on no-mmu systems. This avoids a lot of normally useless overhead involved in zeroing out all of the memory (sometimes multiple times). Signed-off-by: Mike Frysinger <vapier@gentoo.org>
2009-09-18trim Experimentally off and uncommented hiddenBernhard Reutner-Fischer
sed -i -e '/Experimentally off - /d' $(grep -rl "Experimentally off - " *) sed -i -e '/^\/\*[[:space:]]*libc_hidden_proto(/d' $(grep -rl "libc_hidden_proto" *) should be a nop Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
2009-08-17support building out-of-treeBernhard Reutner-Fischer
Handle O= Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
2008-11-20Last portion of libc_hidden_proto removal.Denis Vlasenko
Appears to build fine (several .configs tried)
2008-11-20next portion of libc_hidden_proto removalDenis Vlasenko
2008-11-18libc_hidden_proto removal, a few more functionsDenis Vlasenko
2008-11-18libc_hidden_proto removal, just a few functionsDenis Vlasenko
2008-11-07- less verbose make cleanBernhard Reutner-Fischer
2008-07-23- trim any trailing whitespaceBernhard Reutner-Fischer
2008-05-19Moving libc_hidden_proto's into #ifdef UCLIBC_INTERNAL blockDenis Vlasenko
in string.h and strings.h. This caught unguarded string ops in libc/inet/ethers.c __ether_line_w() function. I will wait for fallout reports for a week or so, then continue converting more libc_hidden_proto's.
2007-04-02POSIX requires that errno be set whenever 0 is returned by malloc()Mike Frysinger
2006-12-17rename local "brk" var so it doesnt namespace collide with the brk() functionMike Frysinger
2006-12-07Major cleanup of internal mutex locking. Be more consistant in how we doEric Andersen
things, and avoid potential deadlocks caused when a thread holding a uClibc internal lock get canceled and terminates without releasing the lock. This change also provides a single place, bits/uClibc_mutex.h, for thread libraries to modify to change all instances of internal locking.
2006-08-25fix from psm: makes use of the malloc debug option in malloc-standard as wellMike Frysinger
2006-07-05fixup my copyright notice, trim stale remnants of older notices whichEric Andersen
I had clearly run search/replace on that were cluttering things up.
2006-03-17Fix 'realloc' and revert previous changes to tests. malloc tests all pass ↵"Steven J. Hill"
regardless of the setting of MALLOC_GLIBC_COMPAT.
2006-03-10Remove all non-constant libc_hidden_data_def(), it is too unreliable, sorry, ↵Peter S. Mazinger
most of global data relocations are back
2006-02-18tweak the idea between having a MMU and actually using itMike Frysinger
2006-02-13libc-{a,so,multi}-y replaced by libc-y covering common objects both in ↵Peter S. Mazinger
libc.a/libc.so, the diffs go into libc-static-y/libc-shared-y exclusively, add IMA to libc, don't use any MSRC anymore
2006-02-09just drop all of the debug codeMike Frysinger
2006-02-08Bernhard Fischer says: get rid of local ret variableMike Frysinger
2006-02-01Go __malloc_lock, go ...Peter S. Mazinger
2006-01-31rename local var brk to _brkMike Frysinger
2006-01-22Enable _GNU_SOURCE build wide, trying to get consistent interfaces, else IMA ↵Peter S. Mazinger
is a useless attempt
2006-01-16Last relocs jump and global data, (even locales) that I could remove are ↵Peter S. Mazinger
gone from libc. The remaining are left as exercise for others ;-)
2006-01-14make DODEBUG=y happy, update sysdeps/common/* copyrightPeter S. Mazinger
2006-01-14hidden_def/hidden_proto: convert all users (I hope) termios split, add some ↵Peter S. Mazinger
missing headers, other jump relocs removed
2005-12-27fix signed/unsigned warningMike Frysinger
2005-12-13__malloc_consolidate is only libc internal, enable use of __sbrkPeter S. Mazinger
2005-12-08mmap/mremap/socket/rewind gonePeter S. Mazinger
2005-12-08Hide mallinfoPeter S. Mazinger
2005-12-06macro out the thread funcs in libc if threading is disabledMike Frysinger
2005-12-04More hiding, 300 leftPeter S. Mazinger