author | Kostya Kortchinsky <kostyak@google.com> | 2018-01-23 23:07:42 +0000 |
committer | Kostya Kortchinsky <kostyak@google.com> | 2018-01-23 23:07:42 +0000 |
commit | d0c532095b9333f331f7afdea053f3676c9549fd (patch) | |
tree | e550d061ffc770210e1d14be0509c68eef30faf1 /lib/scudo | |
parent | 2fbd5f8be24f33ba6fcf66034dbf826bc4903f7b (diff) | |
[scudo] Allow for weak hooks, gated by a define
Summary:
Hooks in the allocation & deallocation paths can be a security risk (for an
example, see https://scarybeastsecurity.blogspot.com/2016/11/0day-exploit-advancing-exploitation.html,
which used glibc's __free_hook to complete exploitation).
But some users have expressed a need for them, even if only for tests and
memory benchmarks. So allow for `__sanitizer_malloc_hook` &
`__sanitizer_free_hook` to be called if defined, and gate them behind a global
define `SCUDO_CAN_USE_HOOKS` defaulting to 0.
Reviewers: alekseyshl
Reviewed By: alekseyshl
Subscribers: #sanitizers, llvm-commits
Differential Revision: https://reviews.llvm.org/D42430
git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@323278 91177308-0d34-0410-b5e6-96231b3b80d8
Diffstat (limited to 'lib/scudo')
-rw-r--r-- | lib/scudo/scudo_allocator.cpp | 6 | ||||
-rw-r--r-- | lib/scudo/scudo_platform.h | 6 |
2 files changed, 10 insertions, 2 deletions
diff --git a/lib/scudo/scudo_allocator.cpp b/lib/scudo/scudo_allocator.cpp
index 0e18141f4..31317b7cf 100644
--- a/lib/scudo/scudo_allocator.cpp
+++ b/lib/scudo/scudo_allocator.cpp
@@ -430,7 +430,8 @@ struct ScudoAllocator {
     }
     void *Ptr = reinterpret_cast<void *>(UserPtr);
     Chunk::storeHeader(Ptr, &Header);
-    // if (&__sanitizer_malloc_hook) __sanitizer_malloc_hook(Ptr, Size);
+    if (SCUDO_CAN_USE_HOOKS && &__sanitizer_malloc_hook)
+      __sanitizer_malloc_hook(Ptr, Size);
     return Ptr;
   }
 
@@ -480,7 +481,8 @@ struct ScudoAllocator {
     // the TLS destructors, ending up in initialized thread specific data never
     // being destroyed properly. Any other heap operation will do a full init.
     initThreadMaybe(/*MinimalInit=*/true);
-    // if (&__sanitizer_free_hook) __sanitizer_free_hook(Ptr);
+    if (SCUDO_CAN_USE_HOOKS && &__sanitizer_free_hook)
+      __sanitizer_free_hook(Ptr);
     if (UNLIKELY(!Ptr))
       return;
     if (UNLIKELY(!Chunk::isAligned(Ptr))) {
diff --git a/lib/scudo/scudo_platform.h b/lib/scudo/scudo_platform.h
index 31498efcf..9837d55f1 100644
--- a/lib/scudo/scudo_platform.h
+++ b/lib/scudo/scudo_platform.h
@@ -55,6 +55,12 @@
 # define SCUDO_CAN_USE_PUBLIC_INTERFACE 1
 #endif
 
+// Hooks in the allocation & deallocation paths can become a security concern if
+// implemented improperly, or if overwritten by an attacker. Use with caution.
+#ifndef SCUDO_CAN_USE_HOOKS
+# define SCUDO_CAN_USE_HOOKS 0
+#endif
+
 namespace __scudo {
 
 #if SANITIZER_CAN_USE_ALLOCATOR64
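Review bot: In the deallocate hunk the new `__sanitizer_free_hook(Ptr)` call runs before the `if (UNLIKELY(!Ptr)) return;` and `Chunk::isAligned(Ptr)` checks that follow it, so a hook implementation is handed null and otherwise unvalidated pointers. If that ordering is deliberate it deserves a comment at the call site, e.g. `// Invoked before Ptr is validated: the hook must treat Ptr as untrusted and must not dereference it.`; otherwise moving the two new lines below the alignment check would restrict the hook to pointers that passed the cheap sanity checks. The allocate hunk does not have this issue, since its hook runs after the header is stored. The enclosing deallocate function starts and ends outside the hunk.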
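Review bot: The new comment above `SCUDO_CAN_USE_HOOKS` in scudo_platform.h states the risk but not the intended scope; the commit description limits the hooks to tests and memory benchmarks, and this header is where someone deciding to build with `-DSCUDO_CAN_USE_HOOKS=1` will look. Suggest extending it with `// Intended for tests and memory benchmarks only; keep at 0 in production builds.`. It may also be worth noting that the call sites test the hook's address, so enabling the define presumably requires the weak `__sanitizer_malloc_hook`/`__sanitizer_free_hook` declarations to be visible in scudo_allocator.cpp; that declaration is not in this diff, so I cannot confirm it from here.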