--- libmalloc/libmalloc-409.81.2/src/vm.c
+++ libmalloc/libmalloc-283/src/vm.c
@@ -24,14 +24,12 @@
 #include "internal.h"
 
 static volatile uintptr_t entropic_address = 0;
-static volatile uintptr_t entropic_base = 0;
 static volatile uintptr_t entropic_limit = 0;
 
 MALLOC_NOEXPORT
 uint64_t malloc_entropy[2] = {0, 0};
 
 #define ENTROPIC_KABILLION 0x10000000 /* 256Mb */
-#define ENTROPIC_USER_RANGE_SIZE 0x200000000ULL /* 8Gb */
 
 // <rdar://problem/22277891> align 64bit ARM shift to 32MB PTE entries
 #if MALLOC_TARGET_IOS && MALLOC_TARGET_64BIT
@@ -44,7 +42,7 @@
 mvm_aslr_init(void)
 {
 	// Prepare ASLR
-#if __i386__ || __x86_64__ || __arm64__ || TARGET_OS_DRIVERKIT || (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR)
+#if __i386__ || __x86_64__ || __arm64__ || (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR)
 #if __i386__
 	uintptr_t stackbase = 0x8fe00000;
 	int entropic_bits = 3;
@@ -67,32 +65,7 @@
 
 	if (mvm_aslr_enabled()) {
 		if (0 == entropic_address) {
-			uintptr_t t = stackbase - MAXSSIZ - ((uintptr_t)(malloc_entropy[1] &
-				((1 << entropic_bits) - 1)) << ENTROPIC_SHIFT);
-#if MALLOC_TARGET_IOS && MALLOC_TARGET_64BIT
-			uintptr_t addr = 0;
-
-			/* If kernel VM user ranges are enabled mach_vm_allocate/map will provide memory
-			 * in the upper VM address range. This range is randomized per process. For now
-			 * we do not have this metadata plumbed through so we make a single allocation
-			 * with the appropriate tag to determine where our heap is. If we are given an
-			 * allocation above where we expect then we can safely assume VM ranges are enabled.
-			 *
-			 * If so we do not need to apply further entropy but do need to ensure
-			 * we mask off the address to a PTE boundary.
-			 */ 
-			if (KERN_SUCCESS == mach_vm_allocate(mach_task_self(), (mach_vm_address_t *)&addr,
-					vm_page_quanta_size, VM_FLAGS_ANYWHERE | VM_MAKE_TAG(VM_MEMORY_MALLOC))) {
-				// Fall through and use existing base if addr < stackbase
-				if (addr > stackbase) {
-					t = (addr + ENTROPIC_USER_RANGE_SIZE) & ~((1 << ENTROPIC_SHIFT) - 1);
-					OSAtomicCompareAndSwapLong(0, addr, (volatile long *)&entropic_base);
-				}
-
-				mach_vm_deallocate(mach_task_self(), addr, vm_page_quanta_size);
-			}
-#endif // MALLOC_TARGET_IOS && MALLOC_TARGET_64BIT
-
+			uintptr_t t = stackbase - MAXSSIZ - ((uintptr_t)(malloc_entropy[1] & ((1 << entropic_bits) - 1)) << ENTROPIC_SHIFT);
 			OSAtomicCompareAndSwapLong(0, t, (volatile long *)&entropic_limit);
 			OSAtomicCompareAndSwapLong(0, t - ENTROPIC_KABILLION, (volatile long *)&entropic_address);
 		}
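Review bot: The two compare-and-swaps at L59–L60 seed `entropic_limit` and `entropic_address` with no comment on what the pair means or why the new-side L58 computes `t` the way it does, and a reader has to reconstruct the window from ENTROPIC_KABILLION at L14. I would add above L58: `// First caller wins (CAS from 0): [entropic_address, entropic_limit) is a 256MB window (ENTROPIC_KABILLION) whose top is stackbase - MAXSSIZ lowered by entropic_bits bits of malloc_entropy[1] in ENTROPIC_SHIFT-sized steps.` Note that `t - ENTROPIC_KABILLION` is stored without a wrap check; with the platform constants visible this presumably cannot underflow, but it is worth stating in the comment. The body of mvm_aslr_init opens outside this hunk.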
@@ -107,12 +80,10 @@
 }
 
 void *
-mvm_allocate_pages(size_t size, unsigned char align, uint32_t debug_flags,
-		int vm_page_label) {
-	boolean_t add_prelude_guard_page = debug_flags & MALLOC_ADD_PRELUDE_GUARD_PAGE;
-	boolean_t add_postlude_guard_page = debug_flags & MALLOC_ADD_POSTLUDE_GUARD_PAGE;
+mvm_allocate_pages(size_t size, unsigned char align, unsigned debug_flags, int vm_page_label)
+{
+	boolean_t add_guard_pages = debug_flags & MALLOC_ADD_GUARD_PAGES;
 	boolean_t purgeable = debug_flags & MALLOC_PURGEABLE;
-	boolean_t use_entropic_range = !(debug_flags & DISABLE_ASLR);
 	mach_vm_address_t vm_addr;
 	uintptr_t addr;
 	mach_vm_size_t allocation_size = round_page_quanta(size);
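Review bot: The new signature at L70 orders the trailing parameters as `(…, unsigned debug_flags, int vm_page_label)`, while the sibling allocator added at L204 orders them as `(…, int vm_page_label, uint32_t debug_flags)`; both are plain integers, so a call with the two transposed compiles silently and only misbehaves at runtime (a wrong VM tag or a dropped guard/purgeable flag). Either give both functions the same order, or at minimum put a one-line comment on each prototype naming the order, e.g. `/* NOTE: parameter order differs from mvm_allocate_pages_securely(size, align, label, flags). */`. The one visible cross-call, `mvm_allocate_pages(size, align, 0, vm_page_label)` at L214, is in the right order. The function body continues past the end of this hunk.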
@@ -123,13 +94,12 @@
 	if (!allocation_size) {
 		allocation_size = vm_page_quanta_size;
 	}
-	if (add_postlude_guard_page || add_prelude_guard_page) {
-		if (add_prelude_guard_page && align > vm_page_quanta_shift) {
+	if (add_guard_pages) {
+		if (align > vm_page_quanta_shift) {
 			/* <rdar://problem/16601499> alignment greater than pagesize needs more work */
-			allocation_size += (1 << align) + large_vm_page_quanta_size;
+			allocation_size += (1 << align) + vm_page_quanta_size;
 		} else {
-			allocation_size += add_prelude_guard_page && add_postlude_guard_page ?
-					2 * large_vm_page_quanta_size : large_vm_page_quanta_size;
+			allocation_size += 2 * vm_page_quanta_size;
 		}
 	}
 
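Review bot: `(1 << align)` on the new-side L88 is evaluated in `int` before being added to the 64-bit `allocation_size`, so for `align >= 31` the shift is signed overflow (undefined behaviour) rather than the intended 64-bit size; the same form appears at L166–L168 in the later hunk. The new code at L209 already uses the widened form `((mach_vm_offset_t)1 << align) - 1` for the mask, so the size computation should match: `allocation_size += ((mach_vm_size_t)1 << align) + vm_page_quanta_size;` and likewise `((uintptr_t)1 << align)` in the alignaddr/leading/trailing lines. Whether any caller passes such a large `align` is not visible here; the guard `align > vm_page_quanta_shift` only bounds it from below. The enclosing function starts and ends outside this hunk.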
@@ -140,56 +110,17 @@
 		return NULL;
 	}
 
-retry:
-	vm_addr = use_entropic_range ? entropic_address : vm_page_quanta_size;
-	kr = mach_vm_map(mach_task_self(), &vm_addr, allocation_size,
-			allocation_mask, alloc_flags, MEMORY_OBJECT_NULL, 0, FALSE,
-			VM_PROT_DEFAULT, VM_PROT_ALL, VM_INHERIT_DEFAULT);
-	if (kr == KERN_NO_SPACE && use_entropic_range) {
-		vm_addr = vm_page_quanta_size;
-		kr = mach_vm_map(mach_task_self(), &vm_addr, allocation_size,
-				allocation_mask, alloc_flags, MEMORY_OBJECT_NULL, 0, FALSE,
-				VM_PROT_DEFAULT, VM_PROT_ALL, VM_INHERIT_DEFAULT);
-	}
+	vm_addr = vm_page_quanta_size;
+	kr = mach_vm_map(mach_task_self(), &vm_addr, allocation_size, allocation_mask, alloc_flags, MEMORY_OBJECT_NULL, 0, FALSE,
+					 VM_PROT_DEFAULT, VM_PROT_ALL, VM_INHERIT_DEFAULT);
 	if (kr) {
-		if (kr != KERN_NO_SPACE) {
-			malloc_zone_error(debug_flags, false, "can't allocate region\n:"
-					"*** mach_vm_map(size=%lu, flags: %x) failed (error code=%d)\n",
-					size, debug_flags, kr);
-		}
+		malloc_zone_error(debug_flags, false, "can't allocate region\n*** mach_vm_map(size=%lu) failed (error code=%d)\n", size, kr);
 		return NULL;
 	}
 	addr = (uintptr_t)vm_addr;
 
-	if (use_entropic_range) {
-		// Don't allow allocation to rise above entropic_limit (for tidiness).
-		if (addr + allocation_size > entropic_limit) { // Exhausted current range?
-			uintptr_t t = entropic_address;
-			uintptr_t u = t - ENTROPIC_KABILLION;
-
-			// provided we don't wrap, deallocate and retry, in theexpanded
-			// entropic range
-			if (u < t && u >= entropic_base) {
-				mach_vm_deallocate(mach_task_self(), vm_addr, allocation_size);
-				OSAtomicCompareAndSwapLong(t, u,
-						(volatile long *)&entropic_address);  // Just one reduction please
-				goto retry;
-			}
-			// fall through to use what we got
-		}
-		
-		if (addr < entropic_address) { // we wrapped to find this allocation, expand the entropic range
-			uintptr_t t = entropic_address;
-			uintptr_t u = t - ENTROPIC_KABILLION;
-			if (u < t && u >= entropic_base) {
-				OSAtomicCompareAndSwapLong(t, u, (volatile long *)&entropic_address);  // Just one reduction please
-			}
-			// fall through to use what we got
-		}
-	}
-
-	if (add_postlude_guard_page || add_prelude_guard_page) {
-		if (add_prelude_guard_page && align > vm_page_quanta_shift) {
+	if (add_guard_pages) {
+		if (align > vm_page_quanta_shift) {
 			/* <rdar://problem/16601499> calculate the first address inside the alignment padding
 			 * where we can place the guard page and still be aligned.
 			 *
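Review bot: The format at the new-side L120 prints `size_t size` with `%lu`; the matching conversion is `%zu`, and the same specifier is used at L235 in the later hunk. On LP64 Darwin `size_t` is `unsigned long`, so this is harmless there, but `-Wformat` will flag it on other targets and the fix is a one-character change: `"can't allocate region\n*** mach_vm_map(size=%zu) failed (error code=%d)\n", size, kr`. The enclosing mvm_allocate_pages starts and ends outside this hunk.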
@@ -197,9 +128,9 @@
 			 * |leading|gp|                  alloc                  |gp| t |
 			 * |-----------------------------------------------------------|
 			 */
-			uintptr_t alignaddr = ((addr + large_vm_page_quanta_size) + (1 << align) - 1) & ~((1 << align) - 1);
-			size_t leading = alignaddr - addr - large_vm_page_quanta_size;
-			size_t trailing = (1 << align) - large_vm_page_quanta_size - leading;
+			uintptr_t alignaddr = ((addr + vm_page_quanta_size) + (1 << align) - 1) & ~((1 << align) - 1);
+			size_t leading = alignaddr - addr - vm_page_quanta_size;
+			size_t trailing = (1 << align) - vm_page_quanta_size - leading;
 
 			/* Unmap the excess area. */
 			kr = mach_vm_deallocate(mach_task_self(), addr, leading);
@@ -210,21 +141,80 @@
 				return NULL;
 			}
 
-			if (trailing) {
-				kr = mach_vm_deallocate(mach_task_self(), addr + allocation_size - trailing, trailing);
-				if (kr) {
-					malloc_zone_error(debug_flags, false, "can't unmap excess trailing guard region\n"
-							"*** mach_vm_deallocate(addr=%p, size=%lu) failed (code=%d)\n",
-							(void *)(addr + allocation_size - trailing), trailing, kr);
-					return NULL;
-				}
+			kr = mach_vm_deallocate(mach_task_self(), addr + allocation_size - trailing, trailing);
+			if (kr) {
+				malloc_zone_error(debug_flags, false, "can't unmap excess trailing guard region\n"
+						"*** mach_vm_deallocate(addr=%p, size=%lu) failed (code=%d)\n",
+						(void *)(addr + allocation_size - trailing), trailing, kr);
+				return NULL;
 			}
 
 			addr = alignaddr;
-		} else if (add_prelude_guard_page) {
-			addr += large_vm_page_quanta_size;
+		} else {
+			addr += vm_page_quanta_size;
 		}
 		mvm_protect((void *)addr, size, PROT_NONE, debug_flags);
+	}
+	return (void *)addr;
+}
+
+void *
+mvm_allocate_pages_securely(size_t size, unsigned char align, int vm_page_label, uint32_t debug_flags)
+{
+	mach_vm_address_t vm_addr;
+	uintptr_t addr;
+	mach_vm_size_t allocation_size = round_page_quanta(size);
+	mach_vm_offset_t allocation_mask = ((mach_vm_offset_t)1 << align) - 1;
+	int alloc_flags = VM_FLAGS_ANYWHERE | VM_MAKE_TAG(vm_page_label);
+	kern_return_t kr;
+
+	if (debug_flags & DISABLE_ASLR) {
+		return mvm_allocate_pages(size, align, 0, vm_page_label);
+	}
+
+	if (!allocation_size) {
+		allocation_size = vm_page_quanta_size;
+	}
+	if (allocation_size < size) { // size_t arithmetic wrapped!
+		return NULL;
+	}
+
+retry:
+	vm_addr = entropic_address;
+	kr = mach_vm_map(mach_task_self(), &vm_addr, allocation_size, allocation_mask, alloc_flags, MEMORY_OBJECT_NULL, 0, FALSE,
+					 VM_PROT_DEFAULT, VM_PROT_ALL, VM_INHERIT_DEFAULT);
+	if (kr == KERN_NO_SPACE) {
+		vm_addr = vm_page_quanta_size;
+		kr = mach_vm_map(mach_task_self(), &vm_addr, allocation_size, allocation_mask, alloc_flags, MEMORY_OBJECT_NULL, 0, FALSE,
+						 VM_PROT_DEFAULT, VM_PROT_ALL, VM_INHERIT_DEFAULT);
+	}
+	if (kr) {
+		malloc_zone_error(debug_flags, false, "can't allocate region securely\n",
+				"*** mach_vm_map(size=%lu) failed (error code=%d)\n", size, kr);
+		return NULL;
+	}
+	addr = (uintptr_t)vm_addr;
+
+	// Don't allow allocation to rise above entropic_limit (for tidiness).
+	if (addr + allocation_size > entropic_limit) { // Exhausted current range?
+		uintptr_t t = entropic_address;
+		uintptr_t u = t - ENTROPIC_KABILLION;
+
+		if (u < t) { // provided we don't wrap, deallocate and retry, in the expanded entropic range
+			mach_vm_deallocate(mach_task_self(), vm_addr, allocation_size);
+			OSAtomicCompareAndSwapLong(t, u, (volatile long *)&entropic_address);  // Just one reduction please
+			goto retry;
+		}
+		// fall through to use what we got
+	}
+
+	if (addr < entropic_address) { // we wrapped to find this allocation, expand the entropic range
+		uintptr_t t = entropic_address;
+		uintptr_t u = t - ENTROPIC_KABILLION;
+		if (u < t) {
+			OSAtomicCompareAndSwapLong(t, u, (volatile long *)&entropic_address);  // Just one reduction please
+		}
+		// fall through to use what we got
 	}
 	return (void *)addr;
 }
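Review bot: At L234–L235 the two string literals are separated by a comma, so the format string passed to malloc_zone_error is only `"can't allocate region securely\n"`; the second literal, `size` and `kr` are extra variadic arguments that the format never consumes, and the mach error code is never reported. Removing the comma makes the literals concatenate as intended: `malloc_zone_error(debug_flags, false, "can't allocate region securely\n" "*** mach_vm_map(size=%lu) failed (error code=%d)\n", size, kr);`. Separately, the trailing-unmap failure path at L184–L190 returns NULL without deallocating the remainder of the region that was just mapped, which leaks it in the same way the leading-unmap path at L171–L174 does; consider unmapping `[addr + leading, addr + allocation_size)` before returning. The mvm_allocate_pages body that these lines belong to opens outside this hunk.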
@@ -232,18 +222,14 @@
 void
 mvm_deallocate_pages(void *addr, size_t size, unsigned debug_flags)
 {
-	boolean_t added_prelude_guard_page = debug_flags & MALLOC_ADD_PRELUDE_GUARD_PAGE;
-	boolean_t added_postlude_guard_page = debug_flags & MALLOC_ADD_POSTLUDE_GUARD_PAGE;
+	boolean_t add_guard_pages = debug_flags & MALLOC_ADD_GUARD_PAGES;
 	mach_vm_address_t vm_addr = (mach_vm_address_t)addr;
 	mach_vm_size_t allocation_size = size;
 	kern_return_t kr;
 
-	if (added_prelude_guard_page) {
-		vm_addr -= large_vm_page_quanta_size;
-		allocation_size += large_vm_page_quanta_size;
-	}
-	if (added_postlude_guard_page) {
-		allocation_size += large_vm_page_quanta_size;
+	if (add_guard_pages) {
+		vm_addr -= vm_page_quanta_size;
+		allocation_size += 2 * vm_page_quanta_size;
 	}
 	kr = mach_vm_deallocate(mach_task_self(), vm_addr, allocation_size);
 	if (kr) {
@@ -256,15 +242,15 @@
 {
 	kern_return_t err;
 
-	if ((debug_flags & MALLOC_ADD_PRELUDE_GUARD_PAGE) && !(debug_flags & MALLOC_DONT_PROTECT_PRELUDE)) {
-		err = mprotect((void *)((uintptr_t)address - large_vm_page_quanta_size), large_vm_page_quanta_size, protection);
+	if (!(debug_flags & MALLOC_DONT_PROTECT_PRELUDE)) {
+		err = mprotect((void *)((uintptr_t)address - vm_page_quanta_size), vm_page_quanta_size, protection);
 		if (err) {
 			malloc_report(ASL_LEVEL_ERR, "*** can't mvm_protect(%u) region for prelude guard page at %p\n", protection,
-					(void *)((uintptr_t)address - large_vm_page_quanta_size));
-		}
-	}
-	if ((debug_flags & MALLOC_ADD_POSTLUDE_GUARD_PAGE) && !(debug_flags & MALLOC_DONT_PROTECT_POSTLUDE)) {
-		err = mprotect((void *)(round_page_quanta(((uintptr_t)address + size))), large_vm_page_quanta_size, protection);
+					(void *)((uintptr_t)address - vm_page_quanta_size));
+		}
+	}
+	if (!(debug_flags & MALLOC_DONT_PROTECT_POSTLUDE)) {
+		err = mprotect((void *)(round_page_quanta(((uintptr_t)address + size))), vm_page_quanta_size, protection);
 		if (err) {
 			malloc_report(ASL_LEVEL_ERR, "*** can't mvm_protect(%u) region for postlude guard page at %p\n", protection,
 					(void *)((uintptr_t)address + size));
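Review bot: The new side drops the MALLOC_ADD_*_GUARD_PAGE tests, so mvm_protect now calls mprotect on the page below `address` (L293) and the page after `round_page_quanta(address + size)` (L305) for every caller that does not set MALLOC_DONT_PROTECT_PRELUDE/POSTLUDE, and nothing in the function records that it now relies on the caller having reserved those pages. The only call visible in this diff (L198) is inside `if (add_guard_pages)`, so that precondition holds there, but it should be stated on the function: `/* Precondition: the region was allocated with MALLOC_ADD_GUARD_PAGES, i.e. the page before address and the page after round_page_quanta(address + size) belong to this allocation; both are mprotect'ed unconditionally unless the corresponding MALLOC_DONT_PROTECT_* flag is set. */`. The function's signature line lies outside this hunk.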
@@ -278,11 +264,11 @@
 	if (pgHi > pgLo) {
 		size_t len = pgHi - pgLo;
 
-		if (scribble && malloc_zero_policy != MALLOC_ZERO_ON_FREE) {
+		if (scribble) {
 			memset((void *)pgLo, SCRUBBLE_BYTE, len); // Scribble on MADV_FREEd memory
 		}
 
-#if MALLOC_TARGET_IOS
+#if TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR
 		if (last) {
 			if (*last == pgLo) {
 				return 0;
@@ -290,7 +276,7 @@
 
 			*last = pgLo;
 		}
-#endif // MALLOC_TARGET_IOS
+#endif // TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR
 
 		MAGMALLOC_MADVFREEREGION(rack, r, (void *)pgLo, (int)len); // DTrace USDT Probe
 		if (-1 == madvise((void *)pgLo, len, CONFIG_MADVISE_STYLE)) {
@@ -307,57 +293,3 @@
 	}
 	return 0;
 }
-
-#if CONFIG_DEFERRED_RECLAIM
-static struct mach_vm_reclaim_ringbuffer_v1_s reclaim_buffer;
-static _malloc_lock_s reclaim_buffer_lock = _MALLOC_LOCK_INIT;
-
-kern_return_t
-mvm_deferred_reclaim_init(void)
-{
-	return mach_vm_reclaim_ringbuffer_init(&reclaim_buffer);
-}
-
-
-bool
-mvm_reclaim_mark_used(uint64_t id, mach_vm_address_t ptr, uint32_t size, unsigned int debug_flags)
-{
-	bool used;
-	if (debug_flags & MALLOC_ADD_GUARD_PAGE_FLAGS) {
-		if (os_add_overflow(size, 2 * large_vm_page_quanta_size, &size)) {
-			return false;
-		}
-		ptr -= large_vm_page_quanta_size;
-	}
-	_malloc_lock_lock(&reclaim_buffer_lock);
-	used = mach_vm_reclaim_mark_used(&reclaim_buffer, id, ptr, size);
-	_malloc_lock_unlock(&reclaim_buffer_lock);
-	return used;
-}
-
-uint64_t
-mvm_reclaim_mark_free(vm_address_t ptr, uint32_t size, unsigned int debug_flags)
-{
-	uint64_t id;
-	bool should_update_kernel_accounting = false;
-	if (debug_flags & MALLOC_ADD_GUARD_PAGE_FLAGS) {
-		if (os_add_overflow(size, 2 * large_vm_page_quanta_size, &size)) {
-			return VM_RECLAIM_INDEX_NULL;
-		}
-		ptr -= large_vm_page_quanta_size;
-	}
-	_malloc_lock_lock(&reclaim_buffer_lock);
-	id = mach_vm_reclaim_mark_free(&reclaim_buffer, ptr, size, &should_update_kernel_accounting);
-	_malloc_lock_unlock(&reclaim_buffer_lock);
-	if (should_update_kernel_accounting) {
-		mach_vm_reclaim_update_kernel_accounting(&reclaim_buffer);
-	}
-	return id;
-}
-
-bool
-mvm_reclaim_is_available(uint64_t id)
-{
-	return mach_vm_reclaim_is_available(&reclaim_buffer, id);
-}
-#endif // CONFIG_DEFERRED_RECLAIM