RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-26 00:17:46 +00:00
Code Issues Activity Actions

UserspaceEmulator+LibC: Use sys$emuctl() to disable auditing in malloc

Browse source 
It was fragile to use the address of the body of the memory management
functions to disable memory auditing within them. Functions called from
these did not get exempted from the audits, so in some cases
UserspaceEmulator reported bogus heap buffer overflows.

Memory auditing did not work at all on Clang because when querying the
addresses, their offset was taken relative to the base of `.text` which
is not the first segment in the `R/RX/RW(RELRO)/RW(non-RELRO)` layout
produced by LLD.

Similarly to when setting metadata about the allocations, we now use the
`emuctl` system call to selectively suppress auditing when we reach
these functions. This ensures that functions called from `malloc` are
affected too, and no issues occur because of the inconsistency between
Clang and GCC memory layouts.
This commit is contained in:
Daniel Bertalan 2021-08-14 16:15:32 +02:00 committed by Andreas Kling
parent 0a36cea9dc
commit 87ef2718bc
5 changed files with 34 additions and 69 deletions
Download patch file Download diff file Expand all files Collapse all files

28
Userland/DevTools/UserspaceEmulator/Emulator.cpp
View file

@ -671,34 +671,6 @@ void Emulator::setup_signal_trampoline()
mmu().add_region(move(trampoline_region));
}
bool Emulator::find_malloc_symbols(MmapRegion const& libc_text)
{
auto file_or_error = MappedFile::map("/usr/lib/libc.so");
if (file_or_error.is_error())
return false;
ELF::Image image(file_or_error.value()->bytes());
auto malloc_symbol = image.find_demangled_function("malloc");
auto free_symbol = image.find_demangled_function("free");
auto realloc_symbol = image.find_demangled_function("realloc");
auto calloc_symbol = image.find_demangled_function("calloc");
auto malloc_size_symbol = image.find_demangled_function("malloc_size");
if (!malloc_symbol.has_value() || !free_symbol.has_value() || !realloc_symbol.has_value() || !malloc_size_symbol.has_value())
return false;
m_malloc_symbol_start = malloc_symbol.value().value() + libc_text.base();
m_malloc_symbol_end = m_malloc_symbol_start + malloc_symbol.value().size();
m_free_symbol_start = free_symbol.value().value() + libc_text.base();
m_free_symbol_end = m_free_symbol_start + free_symbol.value().size();
m_realloc_symbol_start = realloc_symbol.value().value() + libc_text.base();
m_realloc_symbol_end = m_realloc_symbol_start + realloc_symbol.value().size();
m_calloc_symbol_start = calloc_symbol.value().value() + libc_text.base();
m_calloc_symbol_end = m_calloc_symbol_start + calloc_symbol.value().size();
m_malloc_size_symbol_start = malloc_size_symbol.value().value() + libc_text.base();
m_malloc_size_symbol_end = m_malloc_size_symbol_start + malloc_size_symbol.value().size();
return true;
}
void Emulator::dump_regions() const
{
const_cast<SoftMMU&>(m_mmu).for_each_region([&](Region const& region) {