UserspaceEmulator+LibC: Use sys$emuctl() to disable auditing in malloc
It was fragile to use the address of the body of the memory management functions to disable memory auditing within them. Functions called from these did not get exempted from the audits, so in some cases UserspaceEmulator reported bogus heap buffer overflows. Memory auditing did not work at all on Clang because when querying the addresses, their offset was taken relative to the base of `.text`, which is not the first segment in the `R/RX/RW(RELRO)/RW(non-RELRO)` layout produced by LLD. As is already done when setting metadata about the allocations, we now use the `emuctl` system call to selectively suppress auditing when we reach these functions. This ensures that functions called from `malloc` are affected too, and no issues occur because of the inconsistency between Clang and GCC memory layouts.
This commit is contained in:
parent
0a36cea9dc
commit
87ef2718bc
5 changed files with 34 additions and 69 deletions
|
@ -671,34 +671,6 @@ void Emulator::setup_signal_trampoline()
|
|||
mmu().add_region(move(trampoline_region));
|
||||
}
|
||||
|
||||
bool Emulator::find_malloc_symbols(MmapRegion const& libc_text)
|
||||
{
|
||||
auto file_or_error = MappedFile::map("/usr/lib/libc.so");
|
||||
if (file_or_error.is_error())
|
||||
return false;
|
||||
|
||||
ELF::Image image(file_or_error.value()->bytes());
|
||||
auto malloc_symbol = image.find_demangled_function("malloc");
|
||||
auto free_symbol = image.find_demangled_function("free");
|
||||
auto realloc_symbol = image.find_demangled_function("realloc");
|
||||
auto calloc_symbol = image.find_demangled_function("calloc");
|
||||
auto malloc_size_symbol = image.find_demangled_function("malloc_size");
|
||||
if (!malloc_symbol.has_value() || !free_symbol.has_value() || !realloc_symbol.has_value() || !malloc_size_symbol.has_value())
|
||||
return false;
|
||||
|
||||
m_malloc_symbol_start = malloc_symbol.value().value() + libc_text.base();
|
||||
m_malloc_symbol_end = m_malloc_symbol_start + malloc_symbol.value().size();
|
||||
m_free_symbol_start = free_symbol.value().value() + libc_text.base();
|
||||
m_free_symbol_end = m_free_symbol_start + free_symbol.value().size();
|
||||
m_realloc_symbol_start = realloc_symbol.value().value() + libc_text.base();
|
||||
m_realloc_symbol_end = m_realloc_symbol_start + realloc_symbol.value().size();
|
||||
m_calloc_symbol_start = calloc_symbol.value().value() + libc_text.base();
|
||||
m_calloc_symbol_end = m_calloc_symbol_start + calloc_symbol.value().size();
|
||||
m_malloc_size_symbol_start = malloc_size_symbol.value().value() + libc_text.base();
|
||||
m_malloc_size_symbol_end = m_malloc_size_symbol_start + malloc_size_symbol.value().size();
|
||||
return true;
|
||||
}
|
||||
|
||||
void Emulator::dump_regions() const
|
||||
{
|
||||
const_cast<SoftMMU&>(m_mmu).for_each_region([&](Region const& region) {
|
||||
|
|