merge from dev-win

daan 2019-10-28 12:33:01 -07:00
commit 9d4f57abf3
11 changed files with 147 additions and 64 deletions


@ -67,7 +67,7 @@ endif()
if(MI_SECURE MATCHES "ON")
message(STATUS "Set secure build (MI_SECURE=ON)")
list(APPEND mi_defines MI_SECURE=2)
list(APPEND mi_defines MI_SECURE=3)
endif()
if(MI_SEE_ASM MATCHES "ON")
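Review bot: `MI_SECURE=ON` now maps to level 3, so the level-4 checks this commit introduces (double free, corrupted free list, invalid pointer free, per the level list in the types header) stay disabled in what the status line calls the secure build. If that is a deliberate cost trade-off, say so next to the define, e.g. `# level 3: guard pages + encoded free lists; the level-4 checks are not enabled by this option`. Naming the level in the STATUS message would also tell builders which mitigations they actually get.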


@ -116,7 +116,7 @@
<SDLCheck>true</SDLCheck>
<ConformanceMode>true</ConformanceMode>
<AdditionalIncludeDirectories>../../include</AdditionalIncludeDirectories>
<PreprocessorDefinitions>MI_DEBUG=3;%(PreprocessorDefinitions);</PreprocessorDefinitions>
<PreprocessorDefinitions>MI_DEBUG=1;%(PreprocessorDefinitions);</PreprocessorDefinitions>
<CompileAs>CompileAsCpp</CompileAs>
<SupportJustMyCode>false</SupportJustMyCode>
<LanguageStandard>stdcpp17</LanguageStandard>


@ -20,6 +20,18 @@ terms of the MIT license. A copy of the license can be found in the file
#define mi_trace_message(...)
#endif
#if defined(_MSC_VER)
#define mi_decl_noinline __declspec(noinline)
#define mi_attr_noreturn
#elif defined(__GNUC__) || defined(__clang__)
#define mi_decl_noinline __attribute__((noinline))
#define mi_attr_noreturn __attribute__((noreturn))
#else
#define mi_decl_noinline
#define mi_attr_noreturn
#endif
// "options.c"
void _mi_fputs(mi_output_fun* out, const char* prefix, const char* message);
void _mi_fprintf(mi_output_fun* out, const char* fmt, ...);
@ -28,12 +40,12 @@ void _mi_warning_message(const char* fmt, ...);
void _mi_verbose_message(const char* fmt, ...);
void _mi_trace_message(const char* fmt, ...);
void _mi_options_init(void);
void _mi_fatal_error(const char* fmt, ...) mi_attr_noreturn;
// "init.c"
extern mi_stats_t _mi_stats_main;
extern const mi_page_t _mi_page_empty;
bool _mi_is_main_thread(void);
uintptr_t _mi_ptr_cookie(const void* p);
uintptr_t _mi_random_shuffle(uintptr_t x);
uintptr_t _mi_random_init(uintptr_t seed /* can be zero */);
bool _mi_preloading(); // true while the C runtime is not ready
@ -135,13 +147,6 @@ bool _mi_page_is_valid(mi_page_t* page);
#define __has_builtin(x) 0
#endif
#if defined(_MSC_VER)
#define mi_decl_noinline __declspec(noinline)
#elif defined(__GNUC__) || defined(__clang__)
#define mi_decl_noinline __attribute__((noinline))
#else
#define mi_decl_noinline
#endif
/* -----------------------------------------------------------
@ -254,6 +259,10 @@ static inline bool mi_heap_is_initialized(mi_heap_t* heap) {
return (heap != &_mi_heap_empty);
}
static inline uintptr_t _mi_ptr_cookie(const void* p) {
return ((uintptr_t)p ^ _mi_heap_main.cookie);
}
/* -----------------------------------------------------------
Pages
----------------------------------------------------------- */
@ -401,7 +410,11 @@ static inline void mi_page_set_has_aligned(mi_page_t* page, bool has_aligned) {
// Encoding/Decoding the free list next pointers
// -------------------------------------------------------------------
static inline mi_block_t* mi_block_nextx( uintptr_t cookie, mi_block_t* block ) {
static inline bool mi_is_in_same_segment(const void* p, const void* q) {
return (_mi_ptr_segment(p) == _mi_ptr_segment(q));
}
static inline mi_block_t* mi_block_nextx( uintptr_t cookie, const mi_block_t* block ) {
#if MI_SECURE
return (mi_block_t*)(block->next ^ cookie);
#else
@ -410,7 +423,7 @@ static inline mi_block_t* mi_block_nextx( uintptr_t cookie, mi_block_t* block )
#endif
}
static inline void mi_block_set_nextx(uintptr_t cookie, mi_block_t* block, mi_block_t* next) {
static inline void mi_block_set_nextx(uintptr_t cookie, mi_block_t* block, const mi_block_t* next) {
#if MI_SECURE
block->next = (mi_encoded_t)next ^ cookie;
#else
@ -419,16 +432,25 @@ static inline void mi_block_set_nextx(uintptr_t cookie, mi_block_t* block, mi_bl
#endif
}
static inline mi_block_t* mi_block_next(mi_page_t* page, mi_block_t* block) {
static inline mi_block_t* mi_block_next(const mi_page_t* page, const mi_block_t* block) {
#if MI_SECURE
return mi_block_nextx(page->cookie,block);
mi_block_t* next = mi_block_nextx(page->cookie,block);
#if MI_SECURE >= 4
// check if next is at least in our segment range
// TODO: it is better to check if it is actually inside our page but that is more expensive
// to calculate. Perhaps with a relative free list this becomes feasible?
if (next!=NULL && !mi_is_in_same_segment(block, next)) {
_mi_fatal_error("corrupted free list entry at %p: %zx\n", block, (uintptr_t)next);
}
#endif
return next;
#else
UNUSED(page);
return mi_block_nextx(0, block);
#endif
}
static inline void mi_block_set_next(mi_page_t* page, mi_block_t* block, mi_block_t* next) {
static inline void mi_block_set_next(const mi_page_t* page, mi_block_t* block, const mi_block_t* next) {
#if MI_SECURE
mi_block_set_nextx(page->cookie,block,next);
#else
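Review bot: The `MI_SECURE >= 4` check in `mi_block_next` accepts any decoded `next` that lies in the same segment, including a misaligned one. The double-free quick check in the allocation source already treats pointer alignment as a cheap property of a valid decoded pointer, so the same test fits here: `if (next!=NULL && ((((uintptr_t)next & (MI_INTPTR_SIZE-1))!=0) || !mi_is_in_same_segment(block, next))) {`. The message also passes a `uintptr_t` to `%zx`; printing `next` with `%p` keeps specifier and argument matched. `mi_block_set_next` continues past the end of the hunk.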


@ -22,8 +22,11 @@ terms of the MIT license. A copy of the license can be found in the file
// Define MI_STAT as 1 to maintain statistics; set it to 2 to have detailed statistics (but costs some performance).
// #define MI_STAT 1
// Define MI_SECURE as 1 to encode free lists
// #define MI_SECURE 1
// Define MI_SECURE to enable security mitigations
// #define MI_SECURE 1 // guard page around metadata
// #define MI_SECURE 2 // guard page around each mimalloc page
// #define MI_SECURE 3 // encode free lists
// #define MI_SECURE 4 // all security enabled (checks for double free, corrupted free list and invalid pointer free)
#if !defined(MI_SECURE)
#define MI_SECURE 0
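Review bot: The new level list says free-list encoding starts at `MI_SECURE 3`, but the encode/decode helpers touched by the same commit (`mi_block_nextx`, `mi_block_set_nextx`, `mi_block_next`, `mi_block_set_next`) are guarded by plain `#if MI_SECURE`, so levels 1 and 2 encode as well. Either the comment should say so (`// #define MI_SECURE 1 // guard page around metadata; free lists are encoded at every non-zero level`) or those guards should become `#if MI_SECURE >= 3`. As written, a reader choosing a level cannot tell which is intended. The `#if !defined(MI_SECURE)` block continues outside the hunk.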


@ -124,10 +124,54 @@ mi_decl_allocator void* mi_zalloc(size_t size) mi_attr_noexcept {
}
// ------------------------------------------------------
// Check for double free in secure mode
// ------------------------------------------------------
#if MI_SECURE>=4
static bool mi_list_contains(const mi_page_t* page, const mi_block_t* list, const mi_block_t* elem) {
while (list != NULL) {
if (elem==list) return true;
list = mi_block_next(page, list);
}
return false;
}
static mi_decl_noinline bool mi_check_double_freex(const mi_page_t* page, const mi_block_t* block, const mi_block_t* n) {
size_t psize;
uint8_t* pstart = _mi_page_start(_mi_page_segment(page), page, &psize);
if (n == NULL || ((uint8_t*)n >= pstart && (uint8_t*)n < (pstart + psize))) {
// Suspicious: the decoded value is in the same page (or NULL).
// Walk the free lists to see if it is already freed
if (mi_list_contains(page, page->free, block) ||
mi_list_contains(page, page->local_free, block) ||
mi_list_contains(page, (const mi_block_t*)mi_atomic_read_ptr_relaxed(mi_atomic_cast(void*,&page->thread_free)), block))
{
_mi_fatal_error("double free detected of block %p with size %zu\n", block, page->block_size);
return true;
}
}
return false;
}
static inline bool mi_check_double_free(const mi_page_t* page, const mi_block_t* block) {
mi_block_t* n = (mi_block_t*)(block->next ^ page->cookie);
if (((uintptr_t)n & (MI_INTPTR_SIZE-1))==0 && // quick check
(n==NULL || mi_is_in_same_segment(block, n)))
{
// Suspicous: decoded value in block is in the same segment (or NULL) -- maybe a double free?
return mi_check_double_freex(page, block, n);
}
return false;
}
#endif
// ------------------------------------------------------
// Free
// ------------------------------------------------------
// multi-threaded free
static mi_decl_noinline void _mi_free_block_mt(mi_page_t* page, mi_block_t* block)
{
@ -251,14 +295,16 @@ void mi_free(void* p) mi_attr_noexcept
#if (MI_DEBUG>0)
if (mi_unlikely(!mi_is_in_heap_region(p))) {
_mi_warning_message("possibly trying to mi_free a pointer that does not point to a valid heap region: 0x%p\n"
_mi_warning_message("possibly trying to free a pointer that does not point to a valid heap region: 0x%p\n"
"(this may still be a valid very large allocation (over 64MiB))\n", p);
if (mi_likely(_mi_ptr_cookie(segment) == segment->cookie)) {
_mi_warning_message("(yes, the previous pointer 0x%p was valid after all)\n", p);
}
}
#endif
#if (MI_DEBUG>0 || MI_SECURE>=4)
if (mi_unlikely(_mi_ptr_cookie(segment) != segment->cookie)) {
_mi_error_message("trying to mi_free a pointer that does not point to a valid heap space: %p\n", p);
_mi_error_message("trying to free a pointer that does not point to a valid heap space: %p\n", p);
return;
}
#endif
@ -278,6 +324,9 @@ void mi_free(void* p) mi_attr_noexcept
if (mi_likely(tid == segment->thread_id && page->flags.full_aligned == 0)) { // the thread id matches and it is not a full page, nor has aligned blocks
// local, and not full or aligned
mi_block_t* block = (mi_block_t*)p;
#if MI_SECURE>=4
if (mi_check_double_free(page,block)) return;
#endif
mi_block_set_next(page, block, page->local_free);
page->local_free = block;
page->used--;
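Review bot: `mi_check_double_free` is wired in only on the thread-local fast path of `mi_free` (`if (mi_check_double_free(page,block)) return;`), so a second free from another thread, or on a full or aligned page, takes the other branch and is not checked by anything visible in this hunk. If the generic free path outside the hunk does not call it either, the level-4 description "checks for double free" overstates the coverage and the call belongs in the common free routine as well. Separately, `return true;` after `_mi_fatal_error` in `mi_check_double_freex` is unreachable on compilers where the function is noreturn, which makes the caller's `return` look like a recoverable path; a comment such as `// not reached when _mi_fatal_error is noreturn` would make that explicit. `mi_free` starts and ends outside the hunk.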


@ -208,10 +208,6 @@ uintptr_t _mi_random_init(uintptr_t seed /* can be zero */) {
return x;
}
uintptr_t _mi_ptr_cookie(const void* p) {
return ((uintptr_t)p ^ _mi_heap_main.cookie);
}
/* -----------------------------------------------------------
Initialization and freeing of the thread local heaps
----------------------------------------------------------- */


@ -285,6 +285,14 @@ void _mi_assert_fail(const char* assertion, const char* fname, unsigned line, co
}
#endif
mi_attr_noreturn void _mi_fatal_error(const char* fmt, ...) {
va_list args;
va_start(args, fmt);
mi_vfprintf(NULL, "mimalloc: fatal: ", fmt, args);
va_end(args);
exit(99);
}
// --------------------------------------------------------
// Initialize options by checking the environment
// --------------------------------------------------------
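Review bot: `_mi_fatal_error` ends with `exit(99);`, which runs `atexit` handlers and stdio flushing in a process whose heap has just been found corrupted or double-freed, and that code can allocate and free through the same damaged lists. `abort();` stops the process without running further user code and leaves a core dump for triage. A short comment above the function, e.g. `// called only on detected heap corruption; never returns`, would document the contract that the `mi_attr_noreturn` callers rely on.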


@ -282,7 +282,7 @@ static void* mi_win_virtual_alloc(void* addr, size_t size, size_t try_alignment,
p = mi_win_virtual_allocx(addr, size, try_alignment, flags);
}
if (p == NULL) {
_mi_warning_message("unable to alloc mem error: err: %i size: 0x%x \n", GetLastError(), size);
_mi_warning_message("unable to allocate memory: error code: %i, addr: %p, size: 0x%x, large only: %d, allow_large: %d\n", GetLastError(), addr, size, large_only, allow_large);
}
return p;
}
@ -946,4 +946,3 @@ int mi_reserve_huge_os_pages( size_t pages, double max_secs, size_t* pages_reser
return 0;
}
#endif
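Review bot: The new warning's format string does not match its arguments: `%i` receives the `DWORD` returned by `GetLastError()` and `0x%x` receives `size`, which is a `size_t`. On 64-bit targets that is a width mismatch in a varargs call, and it can misprint the size and the `large_only`/`allow_large` values that follow it. Use `0x%zx` for `size` (the commit already uses `%zx` and `%zu` in its other messages) and `%lu` with `(unsigned long)GetLastError()`. `mi_win_virtual_alloc` begins outside the hunk.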


@ -2,6 +2,7 @@
#include <stdio.h>
#include <assert.h>
#include <string.h>
#include <stdint.h>
#include <mimalloc.h>
#include <mimalloc-override.h> // redefines malloc etc.
@ -172,6 +173,7 @@ void mi_bins() {
int main() {
mi_version();
mi_bins();
void* p1 = malloc(78);
void* p2 = malloc(24);
free(p1);
@ -194,3 +196,4 @@ int main() {
mi_stats_print(NULL);
return 0;
}


@ -2,6 +2,7 @@
#include <stdio.h>
#include <assert.h>
#include <string.h>
#include <stdint.h>
#include <mimalloc.h>
#include <new>
@ -66,3 +67,5 @@ public:
};
static Static s = Static();