| author | Kostya Kortchinsky <kostyak@google.com> | 2018-01-23 23:07:42 +0000 |
|---|---|---|
| committer | Kostya Kortchinsky <kostyak@google.com> | 2018-01-23 23:07:42 +0000 |
| commit | 1ebebde8b7b9f9636bc0d8556a2a1903ef3b7e88 (patch) | |
| tree | c2543e49f1bafb04539590405d6ab253fbfb9a9b /compiler-rt/lib/scudo | |
| parent | cbce2f02e9df04a1f7f292c4a2b8b50321f14fae (diff) | |
[scudo] Allow for weak hooks, gated by a define
Summary:
Hooks in the allocation & deallocation paths can be a security risk (see, for
example, https://scarybeastsecurity.blogspot.com/2016/11/0day-exploit-advancing-exploitation.html,
which used glibc's __free_hook to complete exploitation).
But some users have expressed a need for them, even if only for tests and
memory benchmarks. So allow for `__sanitizer_malloc_hook` &
`__sanitizer_free_hook` to be called if defined, and gate them behind a global
define `SCUDO_CAN_USE_HOOKS` defaulting to 0.
Reviewers: alekseyshl
Reviewed By: alekseyshl
Subscribers: #sanitizers, llvm-commits
Differential Revision: https://reviews.llvm.org/D42430
llvm-svn: 323278
Diffstat (limited to 'compiler-rt/lib/scudo')
| -rw-r--r-- | compiler-rt/lib/scudo/scudo_allocator.cpp | 6 | ||||
| -rw-r--r-- | compiler-rt/lib/scudo/scudo_platform.h | 6 |
2 files changed, 10 insertions, 2 deletions
diff --git a/compiler-rt/lib/scudo/scudo_allocator.cpp b/compiler-rt/lib/scudo/scudo_allocator.cpp
index 0e18141f48c..31317b7cf9f 100644
--- a/compiler-rt/lib/scudo/scudo_allocator.cpp
+++ b/compiler-rt/lib/scudo/scudo_allocator.cpp
@@ -430,7 +430,8 @@ struct ScudoAllocator {
     }
     void *Ptr = reinterpret_cast<void *>(UserPtr);
     Chunk::storeHeader(Ptr, &Header);
-    // if (&__sanitizer_malloc_hook) __sanitizer_malloc_hook(Ptr, Size);
+    if (SCUDO_CAN_USE_HOOKS && &__sanitizer_malloc_hook)
+      __sanitizer_malloc_hook(Ptr, Size);
     return Ptr;
   }
 
@@ -480,7 +481,8 @@ struct ScudoAllocator {
     // the TLS destructors, ending up in initialized thread specific data never
     // being destroyed properly. Any other heap operation will do a full init.
     initThreadMaybe(/*MinimalInit=*/true);
-    // if (&__sanitizer_free_hook) __sanitizer_free_hook(Ptr);
+    if (SCUDO_CAN_USE_HOOKS && &__sanitizer_free_hook)
+      __sanitizer_free_hook(Ptr);
     if (UNLIKELY(!Ptr))
       return;
     if (UNLIKELY(!Chunk::isAligned(Ptr))) {
diff --git a/compiler-rt/lib/scudo/scudo_platform.h b/compiler-rt/lib/scudo/scudo_platform.h
index 31498efcf39..9837d55f1a0 100644
--- a/compiler-rt/lib/scudo/scudo_platform.h
+++ b/compiler-rt/lib/scudo/scudo_platform.h
@@ -55,6 +55,12 @@
 # define SCUDO_CAN_USE_PUBLIC_INTERFACE 1
 #endif
 
+// Hooks in the allocation & deallocation paths can become a security concern if
+// implemented improperly, or if overwritten by an attacker. Use with caution.
+#ifndef SCUDO_CAN_USE_HOOKS
+# define SCUDO_CAN_USE_HOOKS 0
+#endif
+
 namespace __scudo {
 
 #if SANITIZER_CAN_USE_ALLOCATOR64
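Review bot: In the second hunk the free hook is invoked before the `!Ptr` check and before `Chunk::isAligned(Ptr)`, so with hooks enabled `__sanitizer_free_hook` receives a null pointer on every `free(NULL)` and receives an arbitrary, not-yet-validated pointer before Scudo has checked the chunk header. Given the commit's own motivation (hooks as an exploitation primitive), a hook that touches chunk metadata would see attacker-supplied pointers before any of Scudo's validation has run; if the intent is to mirror the sanitizer_common convention of calling the free hook first, that ordering deserves a comment, otherwise moving the two added lines below `if (UNLIKELY(!Ptr)) return;` (or below the alignment/header checks) limits the hook to pointers Scudo has at least sanity-checked. Either way I would add above the call: `// NOTE: the hook runs before the pointer is validated; hooks must not trust Ptr.` The enclosing deallocate routine starts before and continues after this hunk, so I cannot see where the header checksum is verified relative to this call.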
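Review bot: The new comment in scudo_platform.h says the hooks can be "overwritten by an attacker", but what this change wires up are weak function symbols, not a writable data pointer like glibc's `__free_hook`; the overwrite risk is the GOT/PLT slot the weak reference resolves through (relevant when the binary is not built with full RELRO / `-z now`) and the hook implementation itself, which I would state precisely so readers do not dismiss the warning as inapplicable. The comment should also say this is a build-time switch for the runtime (the `#ifndef` default is fixed when the allocator is compiled), i.e. users enable it with `-DSCUDO_CAN_USE_HOOKS=1` when building compiler-rt, and that it is intended for tests and benchmarks rather than production as the commit message says. I would rewrite the two-line comment to cover those three points: hooks run on every malloc/free, the exposure is via symbol resolution and the hook body, and the knob is a compile-time define meant for testing only. The weak-symbol mechanism itself is declared outside this hunk, so that part is inferred from the `&__sanitizer_*_hook` tests in the allocator hunks.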

