2013-05-07 18:48:59 +00:00
|
|
|
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
|
|
|
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
|
|
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
|
|
|
|
/*
|
|
|
|
* A poison value that can be used to fill a memory space with
|
|
|
|
* an address that leads to a safe crash when dereferenced.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "mozilla/Poison.h"
|
|
|
|
|
|
|
|
#include "mozilla/Assertions.h"
|
|
|
|
#ifdef _WIN32
|
|
|
|
# include <windows.h>
|
|
|
|
#elif !defined(__OS2__)
|
|
|
|
# include <unistd.h>
|
|
|
|
# include <sys/mman.h>
|
|
|
|
# ifndef MAP_ANON
|
|
|
|
# ifdef MAP_ANONYMOUS
|
|
|
|
# define MAP_ANON MAP_ANONYMOUS
|
|
|
|
# else
|
|
|
|
# error "Don't know how to get anonymous memory"
|
|
|
|
# endif
|
|
|
|
# endif
|
|
|
|
#endif
|
|
|
|
|
|
|
|
extern "C" {
|
|
|
|
uintptr_t gMozillaPoisonValue;
|
|
|
|
uintptr_t gMozillaPoisonBase;
|
|
|
|
uintptr_t gMozillaPoisonSize;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Freed memory is filled with a poison value, which we arrange to
|
|
|
|
// form a pointer either to an always-unmapped region of the address
|
|
|
|
// space, or to a page that has been reserved and rendered
|
|
|
|
// inaccessible via OS primitives. See tests/TestPoisonArea.cpp for
|
|
|
|
// extensive discussion of the requirements for this page. The code
|
|
|
|
// from here to 'class FreeList' needs to be kept in sync with that
|
|
|
|
// file.
|
|
|
|
|
|
|
|
#ifdef _WIN32
|
2014-07-11 02:10:17 +00:00
|
|
|
static void*
|
2014-06-13 06:34:08 +00:00
|
|
|
ReserveRegion(uintptr_t aRegion, uintptr_t aSize)
|
2013-05-07 18:48:59 +00:00
|
|
|
{
|
2014-07-11 02:10:17 +00:00
|
|
|
return VirtualAlloc((void*)aRegion, aSize, MEM_RESERVE, PAGE_NOACCESS);
|
2013-05-07 18:48:59 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
2014-07-11 02:10:17 +00:00
|
|
|
ReleaseRegion(void* aRegion, uintptr_t aSize)
|
2013-05-07 18:48:59 +00:00
|
|
|
{
|
2014-06-13 06:34:08 +00:00
|
|
|
VirtualFree(aRegion, aSize, MEM_RELEASE);
|
2013-05-07 18:48:59 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static bool
|
2014-06-13 06:34:08 +00:00
|
|
|
ProbeRegion(uintptr_t aRegion, uintptr_t aSize)
|
2013-05-07 18:48:59 +00:00
|
|
|
{
|
|
|
|
SYSTEM_INFO sinfo;
|
|
|
|
GetSystemInfo(&sinfo);
|
2014-06-13 06:34:08 +00:00
|
|
|
if (aRegion >= (uintptr_t)sinfo.lpMaximumApplicationAddress &&
|
|
|
|
aRegion + aSize >= (uintptr_t)sinfo.lpMaximumApplicationAddress) {
|
2013-05-07 18:48:59 +00:00
|
|
|
return true;
|
|
|
|
} else {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static uintptr_t
|
|
|
|
GetDesiredRegionSize()
|
|
|
|
{
|
|
|
|
SYSTEM_INFO sinfo;
|
|
|
|
GetSystemInfo(&sinfo);
|
|
|
|
return sinfo.dwAllocationGranularity;
|
|
|
|
}
|
|
|
|
|
|
|
|
#define RESERVE_FAILED 0
|
|
|
|
|
|
|
|
#elif defined(__OS2__)
|
2014-07-11 02:10:17 +00:00
|
|
|
static void*
|
2014-06-13 06:34:08 +00:00
|
|
|
ReserveRegion(uintptr_t aRegion, uintptr_t aSize)
|
2013-05-07 18:48:59 +00:00
|
|
|
{
|
|
|
|
// OS/2 doesn't support allocation at an arbitrary address,
|
|
|
|
// so return an address that is known to be invalid.
|
|
|
|
return (void*)0xFFFD0000;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
2014-07-11 02:10:17 +00:00
|
|
|
ReleaseRegion(void* aRegion, uintptr_t aSize)
|
2013-05-07 18:48:59 +00:00
|
|
|
{
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
static bool
|
2014-06-13 06:34:08 +00:00
|
|
|
ProbeRegion(uintptr_t aRegion, uintptr_t aSize)
|
2013-05-07 18:48:59 +00:00
|
|
|
{
|
|
|
|
// There's no reliable way to probe an address in the system
|
|
|
|
// arena other than by touching it and seeing if a trap occurs.
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
static uintptr_t
|
|
|
|
GetDesiredRegionSize()
|
|
|
|
{
|
|
|
|
// Page size is fixed at 4k.
|
|
|
|
return 0x1000;
|
|
|
|
}
|
|
|
|
|
|
|
|
#define RESERVE_FAILED 0
|
|
|
|
|
|
|
|
#else // Unix
|
|
|
|
|
2014-06-17 15:55:00 +00:00
|
|
|
#include "mozilla/TaggedAnonymousMemory.h"
|
|
|
|
|
2014-07-11 02:10:17 +00:00
|
|
|
static void*
|
2014-06-13 06:34:08 +00:00
|
|
|
ReserveRegion(uintptr_t aRegion, uintptr_t aSize)
|
2013-05-07 18:48:59 +00:00
|
|
|
{
|
2014-06-13 06:34:08 +00:00
|
|
|
return MozTaggedAnonymousMmap(reinterpret_cast<void*>(aRegion), aSize,
|
|
|
|
PROT_NONE, MAP_PRIVATE|MAP_ANON, -1, 0,
|
|
|
|
"poison");
|
2013-05-07 18:48:59 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
2014-07-11 02:10:17 +00:00
|
|
|
ReleaseRegion(void* aRegion, uintptr_t aSize)
|
2013-05-07 18:48:59 +00:00
|
|
|
{
|
2014-06-13 06:34:08 +00:00
|
|
|
munmap(aRegion, aSize);
|
2013-05-07 18:48:59 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static bool
|
2014-06-13 06:34:08 +00:00
|
|
|
ProbeRegion(uintptr_t aRegion, uintptr_t aSize)
|
2013-05-07 18:48:59 +00:00
|
|
|
{
|
2014-06-13 06:34:08 +00:00
|
|
|
if (madvise(reinterpret_cast<void*>(aRegion), aSize, MADV_NORMAL)) {
|
2013-05-07 18:48:59 +00:00
|
|
|
return true;
|
|
|
|
} else {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static uintptr_t
|
|
|
|
GetDesiredRegionSize()
|
|
|
|
{
|
|
|
|
return sysconf(_SC_PAGESIZE);
|
|
|
|
}
|
|
|
|
|
|
|
|
#define RESERVE_FAILED MAP_FAILED
|
|
|
|
|
|
|
|
#endif // system dependencies
|
|
|
|
|
2013-07-18 17:59:53 +00:00
|
|
|
static_assert(sizeof(uintptr_t) == 4 || sizeof(uintptr_t) == 8, "");
|
2014-07-11 02:10:17 +00:00
|
|
|
static_assert(sizeof(uintptr_t) == sizeof(void*), "");
|
2013-05-07 18:48:59 +00:00
|
|
|
|
|
|
|
static uintptr_t
|
|
|
|
ReservePoisonArea(uintptr_t rgnsize)
|
|
|
|
{
|
|
|
|
if (sizeof(uintptr_t) == 8) {
|
|
|
|
// Use the hardware-inaccessible region.
|
|
|
|
// We have to avoid 64-bit constants and shifts by 32 bits, since this
|
|
|
|
// code is compiled in 32-bit mode, although it is never executed there.
|
|
|
|
return
|
|
|
|
(((uintptr_t(0x7FFFFFFFu) << 31) << 1 | uintptr_t(0xF0DEAFFFu))
|
|
|
|
& ~(rgnsize-1));
|
2014-06-13 06:34:08 +00:00
|
|
|
}
|
2013-05-07 18:48:59 +00:00
|
|
|
|
2014-06-13 06:34:08 +00:00
|
|
|
// First see if we can allocate the preferred poison address from the OS.
|
|
|
|
uintptr_t candidate = (0xF0DEAFFF & ~(rgnsize-1));
|
2014-07-11 02:10:17 +00:00
|
|
|
void* result = ReserveRegion(candidate, rgnsize);
|
|
|
|
if (result == (void*)candidate) {
|
2014-06-13 06:34:08 +00:00
|
|
|
// success - inaccessible page allocated
|
|
|
|
return candidate;
|
|
|
|
}
|
2013-05-07 18:48:59 +00:00
|
|
|
|
2014-06-13 06:34:08 +00:00
|
|
|
// That didn't work, so see if the preferred address is within a range
|
|
|
|
// of permanently inacessible memory.
|
|
|
|
if (ProbeRegion(candidate, rgnsize)) {
|
|
|
|
// success - selected page cannot be usable memory
|
2013-05-07 18:48:59 +00:00
|
|
|
if (result != RESERVE_FAILED) {
|
2014-06-13 06:34:08 +00:00
|
|
|
ReleaseRegion(result, rgnsize);
|
2013-05-07 18:48:59 +00:00
|
|
|
}
|
2014-06-13 06:34:08 +00:00
|
|
|
return candidate;
|
|
|
|
}
|
2013-05-07 18:48:59 +00:00
|
|
|
|
2014-06-13 06:34:08 +00:00
|
|
|
// The preferred address is already in use. Did the OS give us a
|
|
|
|
// consolation prize?
|
|
|
|
if (result != RESERVE_FAILED) {
|
|
|
|
return uintptr_t(result);
|
|
|
|
}
|
2013-05-07 18:48:59 +00:00
|
|
|
|
2014-06-13 06:34:08 +00:00
|
|
|
// It didn't, so try to allocate again, without any constraint on
|
|
|
|
// the address.
|
|
|
|
result = ReserveRegion(0, rgnsize);
|
|
|
|
if (result != RESERVE_FAILED) {
|
|
|
|
return uintptr_t(result);
|
2013-05-07 18:48:59 +00:00
|
|
|
}
|
2014-06-13 06:34:08 +00:00
|
|
|
|
|
|
|
// no usable poison region identified
|
|
|
|
MOZ_CRASH();
|
|
|
|
return 0;
|
2013-05-07 18:48:59 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
mozPoisonValueInit()
|
|
|
|
{
|
|
|
|
gMozillaPoisonSize = GetDesiredRegionSize();
|
|
|
|
gMozillaPoisonBase = ReservePoisonArea(gMozillaPoisonSize);
|
|
|
|
|
2014-06-13 06:34:08 +00:00
|
|
|
if (gMozillaPoisonSize == 0) { // can't happen
|
2013-05-07 18:48:59 +00:00
|
|
|
return;
|
2014-06-13 06:34:08 +00:00
|
|
|
}
|
|
|
|
gMozillaPoisonValue = gMozillaPoisonBase + gMozillaPoisonSize / 2 - 1;
|
2013-05-07 18:48:59 +00:00
|
|
|
}
|