1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "base/process/memory.h" 6 7 #include <new> 8 9 #include "base/files/file_path.h" 10 #include "base/files/file_util.h" 11 #include "base/logging.h" 12 #include "base/process/internal_linux.h" 13 #include "base/strings/string_number_conversions.h" 14 15 #if defined(USE_TCMALLOC) 16 // Used by UncheckedMalloc. If tcmalloc is linked to the executable 17 // this will be replaced by a strong symbol that actually implement 18 // the semantics and don't call new handler in case the allocation fails. 19 extern "C" { 20 21 __attribute__((weak, visibility("default"))) 22 void* tc_malloc_skip_new_handler_weak(size_t size); 23 24 void* tc_malloc_skip_new_handler_weak(size_t size) { 25 return malloc(size); 26 } 27 28 } 29 #endif 30 31 namespace base { 32 33 size_t g_oom_size = 0U; 34 35 namespace { 36 37 #if !defined(OS_ANDROID) 38 void OnNoMemorySize(size_t size) { 39 g_oom_size = size; 40 41 if (size != 0) 42 LOG(FATAL) << "Out of memory, size = " << size; 43 LOG(FATAL) << "Out of memory."; 44 } 45 46 void OnNoMemory() { 47 OnNoMemorySize(0); 48 } 49 #endif // !defined(OS_ANDROID) 50 51 } // namespace 52 53 #if !defined(ADDRESS_SANITIZER) && !defined(MEMORY_SANITIZER) && \ 54 !defined(THREAD_SANITIZER) && !defined(LEAK_SANITIZER) 55 56 #if defined(LIBC_GLIBC) && !defined(USE_TCMALLOC) 57 58 extern "C" { 59 void* __libc_malloc(size_t size); 60 void* __libc_realloc(void* ptr, size_t size); 61 void* __libc_calloc(size_t nmemb, size_t size); 62 void* __libc_valloc(size_t size); 63 #if PVALLOC_AVAILABLE == 1 64 void* __libc_pvalloc(size_t size); 65 #endif 66 void* __libc_memalign(size_t alignment, size_t size); 67 68 // Overriding the system memory allocation functions: 69 // 70 // For security reasons, we want malloc failures to be fatal. Too much code 71 // doesn't check for a NULL return value from malloc and unconditionally uses 72 // the resulting pointer. If the first offset that they try to access is 73 // attacker controlled, then the attacker can direct the code to access any 74 // part of memory. 75 // 76 // Thus, we define all the standard malloc functions here and mark them as 77 // visibility 'default'. This means that they replace the malloc functions for 78 // all Chromium code and also for all code in shared libraries. There are tests 79 // for this in process_util_unittest.cc. 80 // 81 // If we are using tcmalloc, then the problem is moot since tcmalloc handles 82 // this for us. Thus this code is in a !defined(USE_TCMALLOC) block. 83 // 84 // If we are testing the binary with AddressSanitizer, we should not 85 // redefine malloc and let AddressSanitizer do it instead. 86 // 87 // We call the real libc functions in this code by using __libc_malloc etc. 88 // Previously we tried using dlsym(RTLD_NEXT, ...) but that failed depending on 89 // the link order. Since ld.so needs calloc during symbol resolution, it 90 // defines its own versions of several of these functions in dl-minimal.c. 91 // Depending on the runtime library order, dlsym ended up giving us those 92 // functions and bad things happened. See crbug.com/31809 93 // 94 // This means that any code which calls __libc_* gets the raw libc versions of 95 // these functions. 96 97 #define DIE_ON_OOM_1(function_name) \ 98 void* function_name(size_t) __attribute__ ((visibility("default"))); \ 99 \ 100 void* function_name(size_t size) { \ 101 void* ret = __libc_##function_name(size); \ 102 if (ret == NULL && size != 0) \ 103 OnNoMemorySize(size); \ 104 return ret; \ 105 } 106 107 #define DIE_ON_OOM_2(function_name, arg1_type) \ 108 void* function_name(arg1_type, size_t) \ 109 __attribute__ ((visibility("default"))); \ 110 \ 111 void* function_name(arg1_type arg1, size_t size) { \ 112 void* ret = __libc_##function_name(arg1, size); \ 113 if (ret == NULL && size != 0) \ 114 OnNoMemorySize(size); \ 115 return ret; \ 116 } 117 118 DIE_ON_OOM_1(malloc) 119 DIE_ON_OOM_1(valloc) 120 #if PVALLOC_AVAILABLE == 1 121 DIE_ON_OOM_1(pvalloc) 122 #endif 123 124 DIE_ON_OOM_2(calloc, size_t) 125 DIE_ON_OOM_2(realloc, void*) 126 DIE_ON_OOM_2(memalign, size_t) 127 128 // posix_memalign has a unique signature and doesn't have a __libc_ variant. 129 int posix_memalign(void** ptr, size_t alignment, size_t size) 130 __attribute__ ((visibility("default"))); 131 132 int posix_memalign(void** ptr, size_t alignment, size_t size) { 133 // This will use the safe version of memalign, above. 134 *ptr = memalign(alignment, size); 135 return 0; 136 } 137 138 } // extern C 139 140 #else 141 142 // TODO(mostynb (at) opera.com): dlsym dance 143 144 #endif // LIBC_GLIBC && !USE_TCMALLOC 145 146 #endif // !*_SANITIZER 147 148 void EnableTerminationOnHeapCorruption() { 149 // On Linux, there nothing to do AFAIK. 150 } 151 152 void EnableTerminationOnOutOfMemory() { 153 #if defined(OS_ANDROID) 154 // Android doesn't support setting a new handler. 155 DLOG(WARNING) << "Not feasible."; 156 #else 157 // Set the new-out of memory handler. 158 std::set_new_handler(&OnNoMemory); 159 // If we're using glibc's allocator, the above functions will override 160 // malloc and friends and make them die on out of memory. 161 #endif 162 } 163 164 // NOTE: This is not the only version of this function in the source: 165 // the setuid sandbox (in process_util_linux.c, in the sandbox source) 166 // also has its own C version. 167 bool AdjustOOMScore(ProcessId process, int score) { 168 if (score < 0 || score > kMaxOomScore) 169 return false; 170 171 FilePath oom_path(internal::GetProcPidDir(process)); 172 173 // Attempt to write the newer oom_score_adj file first. 174 FilePath oom_file = oom_path.AppendASCII("oom_score_adj"); 175 if (PathExists(oom_file)) { 176 std::string score_str = IntToString(score); 177 DVLOG(1) << "Adjusting oom_score_adj of " << process << " to " 178 << score_str; 179 int score_len = static_cast<int>(score_str.length()); 180 return (score_len == WriteFile(oom_file, score_str.c_str(), score_len)); 181 } 182 183 // If the oom_score_adj file doesn't exist, then we write the old 184 // style file and translate the oom_adj score to the range 0-15. 185 oom_file = oom_path.AppendASCII("oom_adj"); 186 if (PathExists(oom_file)) { 187 // Max score for the old oom_adj range. Used for conversion of new 188 // values to old values. 189 const int kMaxOldOomScore = 15; 190 191 int converted_score = score * kMaxOldOomScore / kMaxOomScore; 192 std::string score_str = IntToString(converted_score); 193 DVLOG(1) << "Adjusting oom_adj of " << process << " to " << score_str; 194 int score_len = static_cast<int>(score_str.length()); 195 return (score_len == WriteFile(oom_file, score_str.c_str(), score_len)); 196 } 197 198 return false; 199 } 200 201 bool UncheckedMalloc(size_t size, void** result) { 202 #if defined(MEMORY_TOOL_REPLACES_ALLOCATOR) || \ 203 (!defined(LIBC_GLIBC) && !defined(USE_TCMALLOC)) 204 *result = malloc(size); 205 #elif defined(LIBC_GLIBC) && !defined(USE_TCMALLOC) 206 *result = __libc_malloc(size); 207 #elif defined(USE_TCMALLOC) 208 *result = tc_malloc_skip_new_handler_weak(size); 209 #endif 210 return *result != NULL; 211 } 212 213 } // namespace base 214
