[PATCH v2 2/5] hardening: support zeroing all malloc buffers by default
Ahmad Fatoum
a.fatoum at pengutronix.de
Mon Dec 2 00:18:12 PST 2024
dummy malloc doesn't free and all allocations are in freshly sbrk()'d
memory, which already zero.
Signed-off-by: Ahmad Fatoum <a.fatoum at pengutronix.de>
---
common/calloc.c | 7 +++----
common/dlmalloc.c | 7 +++++++
common/tlsf.c | 6 ++++++
include/malloc.h | 10 ++++++++++
lib/Kconfig.hardening | 23 +++++++++++++++++++++++
5 files changed, 49 insertions(+), 4 deletions(-)
diff --git a/common/calloc.c b/common/calloc.c
index 12f18474a4c8..17cbd9beefee 100644
--- a/common/calloc.c
+++ b/common/calloc.c
@@ -2,6 +2,7 @@
#include <common.h>
#include <malloc.h>
+#include <memory.h>
#include <linux/overflow.h>
/*
@@ -12,10 +13,8 @@ void *calloc(size_t n, size_t elem_size)
size_t size = size_mul(elem_size, n);
void *r = malloc(size);
- if (!r)
- return r;
-
- memset(r, 0x0, size);
+ if (r && !want_init_on_alloc())
+ memset(r, 0x0, size);
return r;
}
diff --git a/common/dlmalloc.c b/common/dlmalloc.c
index 821a193af6bc..731c46b584b0 100644
--- a/common/dlmalloc.c
+++ b/common/dlmalloc.c
@@ -7,6 +7,7 @@
#include <dlmalloc.h>
#include <linux/overflow.h>
#include <linux/build_bug.h>
+#include <linux/compiler.h>
#include <stdio.h>
#include <module.h>
@@ -1368,6 +1369,8 @@ void dlfree(void *mem)
p = mem2chunk(mem);
hd = p->size;
+ if (want_init_on_free())
+ memzero_explicit(mem, chunksize(p));
sz = hd & ~PREV_INUSE;
next = chunk_at_offset(p, sz);
@@ -1952,7 +1955,11 @@ void malloc_stats(void)
*/
#ifdef CONFIG_MALLOC_DLMALLOC
+#ifdef CONFIG_INIT_ON_ALLOC_DEFAULT_ON
+void *malloc(size_t bytes) { return dlcalloc(1, bytes); }
+#else
void *malloc(size_t) __alias(dlmalloc);
+#endif
EXPORT_SYMBOL(malloc);
void *calloc(size_t, size_t) __alias(dlcalloc);
EXPORT_SYMBOL(calloc);
diff --git a/common/tlsf.c b/common/tlsf.c
index ba2ed367c0b9..4cd90e150de2 100644
--- a/common/tlsf.c
+++ b/common/tlsf.c
@@ -3,6 +3,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <malloc.h>
#include <tlsf.h>
#include "tlsfbits.h"
#include <linux/kasan.h>
@@ -615,6 +616,9 @@ static void* block_prepare_used(control_t* control, block_header_t* block,
kasan_poison_shadow(&block->size, size + 2 * sizeof(size_t),
KASAN_KMALLOC_REDZONE);
kasan_unpoison_shadow(p, used);
+
+ if (want_init_on_alloc())
+ memzero_explicit(p, size);
}
return p;
}
@@ -1023,6 +1027,8 @@ void tlsf_free(tlsf_t tlsf, void* ptr)
control_t* control = tlsf_cast(control_t*, tlsf);
block_header_t* block = block_from_ptr(ptr);
tlsf_assert(!block_is_free(block) && "block already marked as free");
+ if (want_init_on_free())
+ memzero_explicit(ptr, block_size(block));
kasan_poison_shadow(ptr, block_size(block), 0xff);
block_mark_as_free(block);
block = block_merge_prev(control, block);
diff --git a/include/malloc.h b/include/malloc.h
index a823ce8c8462..7bee03dab236 100644
--- a/include/malloc.h
+++ b/include/malloc.h
@@ -54,4 +54,14 @@ static inline int mem_malloc_is_initialized(void)
}
#endif
+static inline bool want_init_on_alloc(void)
+{
+ return IS_ENABLED(CONFIG_INIT_ON_ALLOC_DEFAULT_ON);
+}
+
+static inline bool want_init_on_free(void)
+{
+ return IS_ENABLED(CONFIG_INIT_ON_FREE_DEFAULT_ON);
+}
+
#endif /* __MALLOC_H */
diff --git a/lib/Kconfig.hardening b/lib/Kconfig.hardening
index 28be42a27465..7a177840a5a1 100644
--- a/lib/Kconfig.hardening
+++ b/lib/Kconfig.hardening
@@ -10,6 +10,29 @@ config BUG_ON_DATA_CORRUPTION
If unsure, say N.
+menu "Memory initialization"
+
+config INIT_ON_ALLOC_DEFAULT_ON
+ bool "Enable heap memory zeroing on allocation by default"
+ depends on !MALLOC_LIBC
+ help
+ When this is enabled, all allocator memory will be zeroed
+ when allocated, eliminating many kinds of "uninitialized
+ heap memory" flaws, especially heap content exposures.
+
+config INIT_ON_FREE_DEFAULT_ON
+ bool "Enable heap memory zeroing on free by default"
+ depends on !MALLOC_DUMMY && !MALLOC_LIBC
+ help
+ When this is enabled, all allocator memory will be zeroed
+ when freed, eliminating many kinds of "uninitialized heap memory"
+ flaws, especially heap content exposures. The primary difference
+ is that data lifetime in memory is reduced, as anything freed is
+ wiped immediately, making live forensics or cold boot memory
+ attacks unable to recover freed memory contents.
+
+endmenu
+
config STACK_GUARD_PAGE
bool "Place guard page to catch stack overflows"
depends on ARM && MMU
--
2.39.5
More information about the barebox
mailing list