Kernel: Add crash logging heuristic for uninitialized kmalloc()/kfree()

Since we scrub both kmalloc() and kfree() with predictable values, we can log a helpful message when hitting a crash that looks like it might be a dereference of such scrubbed data.
2025-07-25 22:27:35 +00:00 · 2020-02-01 10:26:05 +01:00 · 2020-02-01 10:26:05 +01:00 · 8d51352b96
commit 8d51352b96
parent f2846e8e08
3 changed files with 11 additions and 2 deletions
--- a/Kernel/Arch/i386/CPU.cpp
+++ b/Kernel/Arch/i386/CPU.cpp
@ -317,10 +317,16 @@ void page_fault_handler(RegisterDump regs)

        u32 malloc_scrub_pattern = explode_byte(MALLOC_SCRUB_BYTE);
        u32 free_scrub_pattern = explode_byte(FREE_SCRUB_BYTE);
+        u32 kmalloc_scrub_pattern = explode_byte(KMALLOC_SCRUB_BYTE);
+        u32 kfree_scrub_pattern = explode_byte(KFREE_SCRUB_BYTE);
        if ((fault_address & 0xffff0000) == (malloc_scrub_pattern & 0xffff0000)) {
            kprintf("\033[33;1mNote: Address %p looks like it may be uninitialized malloc() memory\033[0m\n", fault_address);
        } else if ((fault_address & 0xffff0000) == (free_scrub_pattern & 0xffff0000)) {
            kprintf("\033[33;1mNote: Address %p looks like it may be recently free()'d memory\033[0m\n", fault_address);
+        } else if ((fault_address & 0xffff0000) == (kmalloc_scrub_pattern & 0xffff0000)) {
+            kprintf("\033[33;1mNote: Address %p looks like it may be uninitialized kmalloc() memory\033[0m\n", fault_address);
+        } else if ((fault_address & 0xffff0000) == (kfree_scrub_pattern & 0xffff0000)) {
+            kprintf("\033[33;1mNote: Address %p looks like it may be recently kfree()'d memory\033[0m\n", fault_address);
        } else if (fault_address < 4096) {
            kprintf("\033[33;1mNote: Address %p looks like a possible nullptr dereference\033[0m\n", fault_address);
        }
--- a/Kernel/Heap/kmalloc.cpp
+++ b/Kernel/Heap/kmalloc.cpp
@ -166,7 +166,7 @@ void* kmalloc_impl(size_t size)
                    sum_alloc += a->nchunk * CHUNK_SIZE;
                    sum_free -= a->nchunk * CHUNK_SIZE;
 #ifdef SANITIZE_KMALLOC
-                    memset(ptr, 0xbb, (a->nchunk * CHUNK_SIZE) - sizeof(allocation_t));
+                    memset(ptr, KMALLOC_SCRUB_BYTE, (a->nchunk * CHUNK_SIZE) - sizeof(allocation_t));
 #endif
                    return ptr;
                }
@ -199,7 +199,7 @@ void kfree(void* ptr)
    sum_free += a->nchunk * CHUNK_SIZE;

 #ifdef SANITIZE_KMALLOC
-    memset(a, 0xaa, a->nchunk * CHUNK_SIZE);
+    memset(a, KFREE_SCRUB_BYTE, a->nchunk * CHUNK_SIZE);
 #endif
 }

--- a/Kernel/Heap/kmalloc.h
+++ b/Kernel/Heap/kmalloc.h
@ -30,6 +30,9 @@

 //#define KMALLOC_DEBUG_LARGE_ALLOCATIONS

+#define KMALLOC_SCRUB_BYTE 0xbb
+#define KFREE_SCRUB_BYTE 0xaa
+
 void kmalloc_init();
 [[gnu::malloc, gnu::returns_nonnull, gnu::alloc_size(1)]] void* kmalloc_impl(size_t);
 [[gnu::malloc, gnu::returns_nonnull, gnu::alloc_size(1)]] void* kmalloc_eternal(size_t);