Home | History | Annotate | Download | only in process
      1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "base/process/memory.h"
      6 
      7 #include <new>
      8 
      9 #include "base/files/file_path.h"
     10 #include "base/files/file_util.h"
     11 #include "base/logging.h"
     12 #include "base/process/internal_linux.h"
     13 #include "base/strings/string_number_conversions.h"
     14 
     15 #if defined(USE_TCMALLOC)
     16 // Used by UncheckedMalloc. If tcmalloc is linked to the executable
     17 // this will be replaced by a strong symbol that actually implement
     18 // the semantics and don't call new handler in case the allocation fails.
     19 extern "C" {
     20 
     21 __attribute__((weak, visibility("default")))
     22 void* tc_malloc_skip_new_handler_weak(size_t size);
     23 
     24 void* tc_malloc_skip_new_handler_weak(size_t size) {
     25   return malloc(size);
     26 }
     27 
     28 }
     29 #endif
     30 
     31 namespace base {
     32 
     33 size_t g_oom_size = 0U;
     34 
     35 namespace {
     36 
     37 #if !defined(OS_ANDROID)
     38 void OnNoMemorySize(size_t size) {
     39   g_oom_size = size;
     40 
     41   if (size != 0)
     42     LOG(FATAL) << "Out of memory, size = " << size;
     43   LOG(FATAL) << "Out of memory.";
     44 }
     45 
     46 void OnNoMemory() {
     47   OnNoMemorySize(0);
     48 }
     49 #endif  // !defined(OS_ANDROID)
     50 
     51 }  // namespace
     52 
     53 #if !defined(ADDRESS_SANITIZER) && !defined(MEMORY_SANITIZER) && \
     54     !defined(THREAD_SANITIZER) && !defined(LEAK_SANITIZER)
     55 
     56 #if defined(LIBC_GLIBC) && !defined(USE_TCMALLOC)
     57 
     58 extern "C" {
     59 void* __libc_malloc(size_t size);
     60 void* __libc_realloc(void* ptr, size_t size);
     61 void* __libc_calloc(size_t nmemb, size_t size);
     62 void* __libc_valloc(size_t size);
     63 #if PVALLOC_AVAILABLE == 1
     64 void* __libc_pvalloc(size_t size);
     65 #endif
     66 void* __libc_memalign(size_t alignment, size_t size);
     67 
     68 // Overriding the system memory allocation functions:
     69 //
     70 // For security reasons, we want malloc failures to be fatal. Too much code
     71 // doesn't check for a NULL return value from malloc and unconditionally uses
     72 // the resulting pointer. If the first offset that they try to access is
     73 // attacker controlled, then the attacker can direct the code to access any
     74 // part of memory.
     75 //
     76 // Thus, we define all the standard malloc functions here and mark them as
     77 // visibility 'default'. This means that they replace the malloc functions for
     78 // all Chromium code and also for all code in shared libraries. There are tests
     79 // for this in process_util_unittest.cc.
     80 //
     81 // If we are using tcmalloc, then the problem is moot since tcmalloc handles
     82 // this for us. Thus this code is in a !defined(USE_TCMALLOC) block.
     83 //
     84 // If we are testing the binary with AddressSanitizer, we should not
     85 // redefine malloc and let AddressSanitizer do it instead.
     86 //
     87 // We call the real libc functions in this code by using __libc_malloc etc.
     88 // Previously we tried using dlsym(RTLD_NEXT, ...) but that failed depending on
     89 // the link order. Since ld.so needs calloc during symbol resolution, it
     90 // defines its own versions of several of these functions in dl-minimal.c.
     91 // Depending on the runtime library order, dlsym ended up giving us those
     92 // functions and bad things happened. See crbug.com/31809
     93 //
     94 // This means that any code which calls __libc_* gets the raw libc versions of
     95 // these functions.
     96 
     97 #define DIE_ON_OOM_1(function_name) \
     98   void* function_name(size_t) __attribute__ ((visibility("default"))); \
     99   \
    100   void* function_name(size_t size) { \
    101     void* ret = __libc_##function_name(size); \
    102     if (ret == NULL && size != 0) \
    103       OnNoMemorySize(size); \
    104     return ret; \
    105   }
    106 
    107 #define DIE_ON_OOM_2(function_name, arg1_type) \
    108   void* function_name(arg1_type, size_t) \
    109       __attribute__ ((visibility("default"))); \
    110   \
    111   void* function_name(arg1_type arg1, size_t size) { \
    112     void* ret = __libc_##function_name(arg1, size); \
    113     if (ret == NULL && size != 0) \
    114       OnNoMemorySize(size); \
    115     return ret; \
    116   }
    117 
    118 DIE_ON_OOM_1(malloc)
    119 DIE_ON_OOM_1(valloc)
    120 #if PVALLOC_AVAILABLE == 1
    121 DIE_ON_OOM_1(pvalloc)
    122 #endif
    123 
    124 DIE_ON_OOM_2(calloc, size_t)
    125 DIE_ON_OOM_2(realloc, void*)
    126 DIE_ON_OOM_2(memalign, size_t)
    127 
    128 // posix_memalign has a unique signature and doesn't have a __libc_ variant.
    129 int posix_memalign(void** ptr, size_t alignment, size_t size)
    130     __attribute__ ((visibility("default")));
    131 
    132 int posix_memalign(void** ptr, size_t alignment, size_t size) {
    133   // This will use the safe version of memalign, above.
    134   *ptr = memalign(alignment, size);
    135   return 0;
    136 }
    137 
    138 }  // extern C
    139 
    140 #else
    141 
    142 // TODO(mostynb (at) opera.com): dlsym dance
    143 
    144 #endif  // LIBC_GLIBC && !USE_TCMALLOC
    145 
    146 #endif  // !*_SANITIZER
    147 
    148 void EnableTerminationOnHeapCorruption() {
    149   // On Linux, there nothing to do AFAIK.
    150 }
    151 
    152 void EnableTerminationOnOutOfMemory() {
    153 #if defined(OS_ANDROID)
    154   // Android doesn't support setting a new handler.
    155   DLOG(WARNING) << "Not feasible.";
    156 #else
    157   // Set the new-out of memory handler.
    158   std::set_new_handler(&OnNoMemory);
    159   // If we're using glibc's allocator, the above functions will override
    160   // malloc and friends and make them die on out of memory.
    161 #endif
    162 }
    163 
    164 // NOTE: This is not the only version of this function in the source:
    165 // the setuid sandbox (in process_util_linux.c, in the sandbox source)
    166 // also has its own C version.
    167 bool AdjustOOMScore(ProcessId process, int score) {
    168   if (score < 0 || score > kMaxOomScore)
    169     return false;
    170 
    171   FilePath oom_path(internal::GetProcPidDir(process));
    172 
    173   // Attempt to write the newer oom_score_adj file first.
    174   FilePath oom_file = oom_path.AppendASCII("oom_score_adj");
    175   if (PathExists(oom_file)) {
    176     std::string score_str = IntToString(score);
    177     DVLOG(1) << "Adjusting oom_score_adj of " << process << " to "
    178              << score_str;
    179     int score_len = static_cast<int>(score_str.length());
    180     return (score_len == WriteFile(oom_file, score_str.c_str(), score_len));
    181   }
    182 
    183   // If the oom_score_adj file doesn't exist, then we write the old
    184   // style file and translate the oom_adj score to the range 0-15.
    185   oom_file = oom_path.AppendASCII("oom_adj");
    186   if (PathExists(oom_file)) {
    187     // Max score for the old oom_adj range.  Used for conversion of new
    188     // values to old values.
    189     const int kMaxOldOomScore = 15;
    190 
    191     int converted_score = score * kMaxOldOomScore / kMaxOomScore;
    192     std::string score_str = IntToString(converted_score);
    193     DVLOG(1) << "Adjusting oom_adj of " << process << " to " << score_str;
    194     int score_len = static_cast<int>(score_str.length());
    195     return (score_len == WriteFile(oom_file, score_str.c_str(), score_len));
    196   }
    197 
    198   return false;
    199 }
    200 
    201 bool UncheckedMalloc(size_t size, void** result) {
    202 #if defined(MEMORY_TOOL_REPLACES_ALLOCATOR) || \
    203     (!defined(LIBC_GLIBC) && !defined(USE_TCMALLOC))
    204   *result = malloc(size);
    205 #elif defined(LIBC_GLIBC) && !defined(USE_TCMALLOC)
    206   *result = __libc_malloc(size);
    207 #elif defined(USE_TCMALLOC)
    208   *result = tc_malloc_skip_new_handler_weak(size);
    209 #endif
    210   return *result != NULL;
    211 }
    212 
    213 }  // namespace base
    214