--- libmalloc/libmalloc-140.40.1/src/vm.c
+++ libmalloc/libmalloc-283.100.5/src/vm.c
@@ -42,7 +42,7 @@
 mvm_aslr_init(void)
 {
 	// Prepare ASLR
-#if __i386__ || __x86_64__ || __arm64__ || TARGET_OS_EMBEDDED
+#if __i386__ || __x86_64__ || __arm64__ || (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR)
 #if __i386__
 	uintptr_t stackbase = 0x8fe00000;
 	int entropic_bits = 3;
@@ -50,8 +50,13 @@
 	uintptr_t stackbase = USRSTACK64;
 	int entropic_bits = 16;
 #elif __arm64__
+#if __LP64__
 	uintptr_t stackbase = USRSTACK64;
 	int entropic_bits = 7;
+#else // __LP64__
+	uintptr_t stackbase = USRSTACK;
+	int entropic_bits = 3;
+#endif
 #else
 	uintptr_t stackbase = USRSTACK;
 	int entropic_bits = 3;
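Review bot: The new `#else // __LP64__` arm at lines 20-23 is a textual copy of the generic `#else` fallback that immediately follows it (`USRSTACK`, 3 entropy bits), so the 32-bit arm64 case is now expressed twice. Changing the guard to `#elif __arm64__ && __LP64__` and dropping the added four lines lets 32-bit arm64 reach the existing fallback, keeping one place to maintain. If 3 bits is deliberately chosen for the smaller 32-bit address space rather than just inherited, a one-line comment saying so on the fallback would save the next reader from guessing. mvm_aslr_init's body begins and ends outside this hunk.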
@@ -69,16 +74,18 @@
 		malloc_entropy[0] = 0;
 		malloc_entropy[1] = 0;
 	}
-#else
+#else // TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR
 #error ASLR unhandled on this platform
-#endif
+#endif // TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR
 }
 
 void *
-mvm_allocate_pages(size_t size, unsigned char align, unsigned debug_flags, int vm_page_label)
-{
-	boolean_t add_guard_pages = debug_flags & MALLOC_ADD_GUARD_PAGES;
+mvm_allocate_pages(size_t size, unsigned char align, uint32_t debug_flags,
+		int vm_page_label) {
+	boolean_t add_prelude_guard_page = debug_flags & MALLOC_ADD_PRELUDE_GUARD_PAGE;
+	boolean_t add_postlude_guard_page = debug_flags & MALLOC_ADD_POSTLUDE_GUARD_PAGE;
 	boolean_t purgeable = debug_flags & MALLOC_PURGEABLE;
+	boolean_t use_entropic_range = !(debug_flags & DISABLE_ASLR);
 	mach_vm_address_t vm_addr;
 	uintptr_t addr;
 	mach_vm_size_t allocation_size = round_page_quanta(size);
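Review bot: The parameter `debug_flags` is retyped to `uint32_t` at line 42, but `mvm_deallocate_pages` at line 229 still declares it as `unsigned debug_flags`, so the two halves of the page-mapping API now spell the same flag word differently; `mvm_deallocate_pages(void *addr, size_t size, uint32_t debug_flags)` would keep them consistent. The `boolean_t` locals at lines 44-47 hold masked flag bits rather than 0/1; that is fine for the `if` tests below, but if `boolean_t` is ever narrower than the flag's bit position the value would truncate to false, so `!!(debug_flags & …)` is the safer spelling. mvm_allocate_pages continues past the end of this hunk.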
@@ -89,12 +96,13 @@
 	if (!allocation_size) {
 		allocation_size = vm_page_quanta_size;
 	}
-	if (add_guard_pages) {
-		if (align > vm_page_quanta_shift) {
+	if (add_postlude_guard_page || add_prelude_guard_page) {
+		if (add_prelude_guard_page && align > vm_page_quanta_shift) {
 			/* <rdar://problem/16601499> alignment greater than pagesize needs more work */
 			allocation_size += (1 << align) + vm_page_quanta_size;
 		} else {
-			allocation_size += 2 * vm_page_quanta_size;
+			allocation_size += add_prelude_guard_page && add_postlude_guard_page ?
+					2 * vm_page_quanta_size : vm_page_quanta_size;
 		}
 	}
 
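Review bot: The new ternary at lines 63-64 relies on `?:` binding looser than `&&`; parenthesizing the condition, `allocation_size += (add_prelude_guard_page && add_postlude_guard_page) ? 2 * vm_page_quanta_size : vm_page_quanta_size;`, makes the intent readable at a glance. The retained line 60 computes `(1 << align)` in `int` before widening it into `allocation_size`, which overflows for `align` of 31 or more; the removed `mvm_allocate_pages_securely` built its mask as `((mach_vm_offset_t)1 << align) - 1`, and `((mach_vm_size_t)1 << align)` here would match that width. mvm_allocate_pages continues outside this hunk on both sides.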
@@ -105,17 +113,54 @@
 		return NULL;
 	}
 
-	vm_addr = vm_page_quanta_size;
-	kr = mach_vm_map(mach_task_self(), &vm_addr, allocation_size, allocation_mask, alloc_flags, MEMORY_OBJECT_NULL, 0, FALSE,
-					 VM_PROT_DEFAULT, VM_PROT_ALL, VM_INHERIT_DEFAULT);
+retry:
+	vm_addr = use_entropic_range ? entropic_address : vm_page_quanta_size;
+	kr = mach_vm_map(mach_task_self(), &vm_addr, allocation_size,
+			allocation_mask, alloc_flags, MEMORY_OBJECT_NULL, 0, FALSE,
+			VM_PROT_DEFAULT, VM_PROT_ALL, VM_INHERIT_DEFAULT);
+	if (kr == KERN_NO_SPACE && use_entropic_range) {
+		vm_addr = vm_page_quanta_size;
+		kr = mach_vm_map(mach_task_self(), &vm_addr, allocation_size,
+				allocation_mask, alloc_flags, MEMORY_OBJECT_NULL, 0, FALSE,
+				VM_PROT_DEFAULT, VM_PROT_ALL, VM_INHERIT_DEFAULT);
+	}
 	if (kr) {
-		szone_error(debug_flags, 0, "can't allocate region", NULL, "*** mach_vm_map(size=%lu) failed (error code=%d)\n", size, kr);
+		malloc_zone_error(debug_flags, false, "can't allocate region\n:"
+				"*** mach_vm_map(size=%lu, flags: %x) failed (error code=%d)\n",
+				size, debug_flags, kr);
 		return NULL;
 	}
 	addr = (uintptr_t)vm_addr;
 
-	if (add_guard_pages) {
-		if (align > vm_page_quanta_shift) {
+	if (use_entropic_range) {
+		// Don't allow allocation to rise above entropic_limit (for tidiness).
+		if (addr + allocation_size > entropic_limit) { // Exhausted current range?
+			uintptr_t t = entropic_address;
+			uintptr_t u = t - ENTROPIC_KABILLION;
+
+			// provided we don't wrap, deallocate and retry, in theexpanded
+			// entropic range
+			if (u < t) {
+				mach_vm_deallocate(mach_task_self(), vm_addr, allocation_size);
+				OSAtomicCompareAndSwapLong(t, u,
+						(volatile long *)&entropic_address);  // Just one reduction please
+				goto retry;
+			}
+			// fall through to use what we got
+		}
+		
+		if (addr < entropic_address) { // we wrapped to find this allocation, expand the entropic range
+			uintptr_t t = entropic_address;
+			uintptr_t u = t - ENTROPIC_KABILLION;
+			if (u < t) {
+				OSAtomicCompareAndSwapLong(t, u, (volatile long *)&entropic_address);  // Just one reduction please
+			}
+			// fall through to use what we got
+		}
+	}
+
+	if (add_postlude_guard_page || add_prelude_guard_page) {
+		if (add_prelude_guard_page && align > vm_page_quanta_shift) {
 			/* <rdar://problem/16601499> calculate the first address inside the alignment padding
 			 * where we can place the guard page and still be aligned.
 			 *
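Review bot: The `mach_vm_deallocate` at line 106 discards its return value before `goto retry`, whereas the same call at lines 131 and 148 is checked and reported; if this unmap fails the region is silently leaked and the retry loop keeps shrinking `entropic_address`, so at minimum capture the result in `kr` and report it through `malloc_zone_error` the way the guard-page paths do. The retry appears bounded because each pass lowers `entropic_address` by `ENTROPIC_KABILLION` until `u < t` fails, but a comment saying so above `retry:` would make that invariant explicit. The new message at line 88 puts the colon after the newline, `"can't allocate region\n:"`, unlike the `\n`-terminated strings at lines 135 and 150; `"can't allocate region:\n"` matches them. The comment at line 103 should read `// provided we don't wrap, deallocate and retry in the expanded`. mvm_allocate_pages continues beyond this hunk.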
@@ -130,85 +175,27 @@
 			/* Unmap the excess area. */
 			kr = mach_vm_deallocate(mach_task_self(), addr, leading);
 			if (kr) {
-				szone_error(debug_flags, 0, "can't unmap excess guard region", NULL,
-							"*** mach_vm_deallocate(addr=%p, size=%lu) failed (code=%d)", (void *)addr, leading, kr);
+				malloc_zone_error(debug_flags, false, "can't unmap excess guard region\n"
+						"*** mach_vm_deallocate(addr=%p, size=%lu) failed (code=%d)\n",
+						(void *)addr, leading, kr);
 				return NULL;
 			}
 
-			kr = mach_vm_deallocate(mach_task_self(), addr + allocation_size - trailing, trailing);
-			if (kr) {
-				szone_error(debug_flags, 0, "can't unmap excess trailing guard region", NULL,
-							"*** mach_vm_deallocate(addr=%p, size=%lu) failed (code=%d)", (void *)(addr + allocation_size - trailing),
-							trailing, kr);
-				return NULL;
+			if (trailing) {
+				kr = mach_vm_deallocate(mach_task_self(), addr + allocation_size - trailing, trailing);
+				if (kr) {
+					malloc_zone_error(debug_flags, false, "can't unmap excess trailing guard region\n"
+							"*** mach_vm_deallocate(addr=%p, size=%lu) failed (code=%d)\n",
+							(void *)(addr + allocation_size - trailing), trailing, kr);
+					return NULL;
+				}
 			}
 
 			addr = alignaddr;
-		} else {
+		} else if (add_prelude_guard_page) {
 			addr += vm_page_quanta_size;
 		}
 		mvm_protect((void *)addr, size, PROT_NONE, debug_flags);
-	}
-	return (void *)addr;
-}
-
-void *
-mvm_allocate_pages_securely(size_t size, unsigned char align, int vm_page_label, uint32_t debug_flags)
-{
-	mach_vm_address_t vm_addr;
-	uintptr_t addr;
-	mach_vm_size_t allocation_size = round_page_quanta(size);
-	mach_vm_offset_t allocation_mask = ((mach_vm_offset_t)1 << align) - 1;
-	int alloc_flags = VM_FLAGS_ANYWHERE | VM_MAKE_TAG(vm_page_label);
-	kern_return_t kr;
-
-	if (debug_flags & DISABLE_ASLR) {
-		return mvm_allocate_pages(size, align, 0, vm_page_label);
-	}
-
-	if (!allocation_size) {
-		allocation_size = vm_page_quanta_size;
-	}
-	if (allocation_size < size) { // size_t arithmetic wrapped!
-		return NULL;
-	}
-
-retry:
-	vm_addr = entropic_address;
-	kr = mach_vm_map(mach_task_self(), &vm_addr, allocation_size, allocation_mask, alloc_flags, MEMORY_OBJECT_NULL, 0, FALSE,
-					 VM_PROT_DEFAULT, VM_PROT_ALL, VM_INHERIT_DEFAULT);
-	if (kr == KERN_NO_SPACE) {
-		vm_addr = vm_page_quanta_size;
-		kr = mach_vm_map(mach_task_self(), &vm_addr, allocation_size, allocation_mask, alloc_flags, MEMORY_OBJECT_NULL, 0, FALSE,
-						 VM_PROT_DEFAULT, VM_PROT_ALL, VM_INHERIT_DEFAULT);
-	}
-	if (kr) {
-		szone_error(debug_flags, 0, "can't allocate region securely",
-					NULL, "*** mach_vm_map(size=%lu) failed (error code=%d)\n", size, kr);
-		return NULL;
-	}
-	addr = (uintptr_t)vm_addr;
-
-	// Don't allow allocation to rise above entropic_limit (for tidiness).
-	if (addr + allocation_size > entropic_limit) { // Exhausted current range?
-		uintptr_t t = entropic_address;
-		uintptr_t u = t - ENTROPIC_KABILLION;
-
-		if (u < t) { // provided we don't wrap, deallocate and retry, in the expanded entropic range
-			mach_vm_deallocate(mach_task_self(), vm_addr, allocation_size);
-			OSAtomicCompareAndSwapLong(t, u, (volatile long *)&entropic_address);  // Just one reduction please
-			goto retry;
-		}
-		// fall through to use what we got
-	}
-
-	if (addr < entropic_address) { // we wrapped to find this allocation, expand the entropic range
-		uintptr_t t = entropic_address;
-		uintptr_t u = t - ENTROPIC_KABILLION;
-		if (u < t) {
-			OSAtomicCompareAndSwapLong(t, u, (volatile long *)&entropic_address);  // Just one reduction please
-		}
-		// fall through to use what we got
 	}
 	return (void *)addr;
 }
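Review bot: The error returns at lines 138 and 153 hand back NULL while the region mapped at `vm_addr` (minus whatever was already unmapped) is still mapped; the entropic retry path at line 106 releases its mapping before retrying, but these paths do not. Unless `malloc_zone_error` is guaranteed to abort for these `debug_flags` (not visible here), a `mach_vm_deallocate(mach_task_self(), vm_addr, allocation_size)` on the line-138 path, and of the remaining range on the line-153 path, would avoid leaking the allocation on failure. The new `if (trailing)` guard at line 147 is a good addition, but a short comment on why `trailing` can be zero (presumably when the postlude guard was not requested) would help, since `leading`/`trailing` are computed outside this hunk. mvm_allocate_pages begins before this hunk.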
@@ -216,18 +203,22 @@
 void
 mvm_deallocate_pages(void *addr, size_t size, unsigned debug_flags)
 {
-	boolean_t add_guard_pages = debug_flags & MALLOC_ADD_GUARD_PAGES;
+	boolean_t added_prelude_guard_page = debug_flags & MALLOC_ADD_PRELUDE_GUARD_PAGE;
+	boolean_t added_postlude_guard_page = debug_flags & MALLOC_ADD_POSTLUDE_GUARD_PAGE;
 	mach_vm_address_t vm_addr = (mach_vm_address_t)addr;
 	mach_vm_size_t allocation_size = size;
 	kern_return_t kr;
 
-	if (add_guard_pages) {
+	if (added_prelude_guard_page) {
 		vm_addr -= vm_page_quanta_size;
-		allocation_size += 2 * vm_page_quanta_size;
+		allocation_size += vm_page_quanta_size;
+	}
+	if (added_postlude_guard_page) {
+		allocation_size += vm_page_quanta_size;
 	}
 	kr = mach_vm_deallocate(mach_task_self(), vm_addr, allocation_size);
 	if (kr) {
-		szone_error(debug_flags, 0, "Can't deallocate_pages region", addr, NULL);
+		malloc_zone_error(debug_flags, false, "Can't deallocate_pages region at %p\n", addr);
 	}
 }
 
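Review bot: The new report at line 250 drops the kernel return code that every other `malloc_zone_error` in this file includes, so a failed unmap cannot be distinguished from an invalid-address one; `malloc_zone_error(debug_flags, false, "Can't deallocate_pages region at %p (size=%lu, code=%d)\n", addr, (unsigned long)allocation_size, kr);` would give the same diagnostics as the allocate paths. The split into separate prelude and postlude adjustments at lines 239-246 is clear, and it is worth a one-line comment that `size` is expected to be the caller's original request, not the guard-inclusive mapping, since that is what the arithmetic assumes.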
@@ -236,32 +227,33 @@
 {
 	kern_return_t err;
 
-	if (!(debug_flags & MALLOC_DONT_PROTECT_PRELUDE)) {
+	if ((debug_flags & MALLOC_ADD_PRELUDE_GUARD_PAGE) && !(debug_flags & MALLOC_DONT_PROTECT_PRELUDE)) {
 		err = mprotect((void *)((uintptr_t)address - vm_page_quanta_size), vm_page_quanta_size, protection);
 		if (err) {
-			malloc_printf("*** can't mvm_protect(%p) region for prelude guard page at %p\n", protection,
-						  (uintptr_t)address - vm_page_quanta_size);
-		}
-	}
-	if (!(debug_flags & MALLOC_DONT_PROTECT_POSTLUDE)) {
+			malloc_report(ASL_LEVEL_ERR, "*** can't mvm_protect(%u) region for prelude guard page at %p\n", protection,
+					(void *)((uintptr_t)address - vm_page_quanta_size));
+		}
+	}
+	if ((debug_flags & MALLOC_ADD_POSTLUDE_GUARD_PAGE) && !(debug_flags & MALLOC_DONT_PROTECT_POSTLUDE)) {
 		err = mprotect((void *)(round_page_quanta(((uintptr_t)address + size))), vm_page_quanta_size, protection);
 		if (err) {
-			malloc_printf("*** can't mvm_protect(%p) region for postlude guard page at %p\n", protection, (uintptr_t)address + size);
+			malloc_report(ASL_LEVEL_ERR, "*** can't mvm_protect(%u) region for postlude guard page at %p\n", protection,
+					(void *)((uintptr_t)address + size));
 		}
 	}
 }
 
 int
-mvm_madvise_free(rack_t *rack, region_t r, uintptr_t pgLo, uintptr_t pgHi, uintptr_t *last)
+mvm_madvise_free(void *rack, void *r, uintptr_t pgLo, uintptr_t pgHi, uintptr_t *last, boolean_t scribble)
 {
 	if (pgHi > pgLo) {
 		size_t len = pgHi - pgLo;
 
-		if (rack->debug_flags & MALLOC_DO_SCRIBBLE) {
+		if (scribble) {
 			memset((void *)pgLo, SCRUBBLE_BYTE, len); // Scribble on MADV_FREEd memory
 		}
 
-#if TARGET_OS_EMBEDDED
+#if TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR
 		if (last) {
 			if (*last == pgLo) {
 				return 0;
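Review bot: The new `malloc_report` calls at lines 267 and 275 format `protection` with `%u`, but `mprotect` takes an `int` protection argument; if mvm_protect's parameter, declared above this hunk, is also `int`, `%d` is the matching specifier. Widening `mvm_madvise_free` from `rack_t *`/`region_t` to `void *` at line 283 removes type checking at every call site; a doc comment on the prototype stating that `rack` and `r` are opaque and only forwarded to the DTrace probe would record why that trade-off was made. mvm_madvise_free's body continues into the next hunk.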
@@ -269,33 +261,20 @@
 
 			*last = pgLo;
 		}
-#endif
-
-		MAGMALLOC_MADVFREEREGION((void *)rack, (void *)r, (void *)pgLo, (int)len); // DTrace USDT Probe
+#endif // TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR
+
+		MAGMALLOC_MADVFREEREGION(rack, r, (void *)pgLo, (int)len); // DTrace USDT Probe
 		if (-1 == madvise((void *)pgLo, len, CONFIG_MADVISE_STYLE)) {
 			/* -1 return: VM map entry change makes this unfit for reuse. Something evil lurks. */
 #if DEBUG_MADVISE
-			szone_error(NULL, 0, "madvise_free_range madvise(..., MADV_FREE_REUSABLE) failed", (void *)pgLo, "length=%d\n", len);
-#endif
+			malloc_zone_error(NULL, false,
+					"madvise_free_range madvise(..., MADV_FREE_REUSABLE) failed for %p, length=%d\n",
+					(void *)pgLo, len);
+#endif
+			return 1;
+		} else {
+			MALLOC_TRACE(TRACE_madvise, (uintptr_t)r, (uintptr_t)pgLo, len, CONFIG_MADVISE_STYLE);
 		}
 	}
 	return 0;
 }
-
-int
-mvm_madvise_reuse(region_t r, uintptr_t pgLo, uintptr_t phHi, uint32_t debug_flags)
-{
-	if (phHi > pgLo) {
-		size_t len = phHi - pgLo;
-
-		if (madvise((void *)pgLo, len, MADV_FREE_REUSE) == -1) {
-			/* -1 return: VM map entry change makes this unfit for reuse. Something evil lurks. */
-#if DEBUG_MADVISE
-			szone_error(debug_flags, 0, "madvise_reuse_range madvise(..., MADV_FREE_REUSE) failed", sparse_region, "length=%d\n",
-						TINY_REGION_PAYLOAD_BYTES);
-#endif
-			return 1;
-		}
-	}
-	return 0;
-}
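Review bot: The new diagnostic at lines 314-315 prints `len` with `%d`, but `len` is declared `size_t` at line 286, so the specifier should be `%zu` (the same mismatch existed in the removed `mvm_madvise_reuse` message); since this is under `#if DEBUG_MADVISE` it only bites debug builds. The `else` at line 318 is redundant after `return 1;` and the `MALLOC_TRACE` call can simply follow the `if` block. Returning 1 on `madvise` failure is new behaviour for this function (the old code fell through to `return 0`), so callers should be checked for handling a non-zero result; a comment on the prototype documenting "returns 1 when madvise failed and the range is unfit for reuse" would make the contract explicit. mvm_madvise_free begins in the previous hunk.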