Commit Graph

23 Commits

Author SHA1 Message Date
Nathaniel Filardo
95871ff8a1 SP: free lists and remote queues are CBAlloc
Continue tightening the screws on pointer bounds.

Notably, pointers in remote queues are bounded to the free objects.  While we
believe that something like MTE is required to make in-band metadata safe, this
is a kind of defense in depth for StrictProvenance architectures: UAF for small
and medium objects expose mostly other (free) small or medium objects and not
allocator metadata (modulo some potential aliasing when Superslabs and
Mediumslabs interconvert).  This might shift the burdon on an attacker from
simply holding a UAF pointer to having had to farm several heap pointers.

The policy of bounding remote queue pointers may make the allocator's behavior
for small objects unexpected: while initial object construction during
allocation (that is, when the free list is empty) continues to cleave out
exportable pointers from elevated pointers to internal slabs, reuse pulls from
free lists of *already-bounded* objects.  These objects are queued by the
deallocation side, of course, but these paths now include "parallel
reconstruction" of a pointer to the free object from the amplified view of the
returned pointer, rather than queueing amplified pointers and leaving
reconstruction to the allocation side.

Medium objects are possibly similarly mysterious with the added twist that
medium slabs do not store pointers but rather always cleave from their
self-reference (but their interface has always operated using pointers).
Nevertheless, pointers to medium objects end up in remote queues, so we continue
to engage in "parallel reconstruction" in the deallocation paths.
2021-04-09 12:39:29 +01:00
Nathaniel Filardo
cf50fc5e55 SP: mediumslab: reduce capptr_export calls
Mediumslabs are strung on a dllist and used to feed the allocator there.  If we
ensure that these (and the root pointer to the list itself) are already
exported, then our alloc paths can bound these to arrive at exposible pointers.

The dealloc paths, where we might want a non-exported pointer, already have one,
as they have gone through amplification to get an arena-bounded pointer.

The sole wrinkle in this plan is that we might need a pointer without platform
constraints to manipulate the memory map for page-based zeroing.  Since we have
ample room in the Mediumslab header (a few kilobytes end up being used for
padding; the curious should see b8b5f305 and 3d3b0487), just cache therein a
copy of the CBChunk-bound pointer used in Mediumslab::init() for ::alloc().
2021-04-09 12:39:29 +01:00
Nathaniel Filardo
f7821e11eb SP: LargeAlloc return CBChunk & chase consequences
Even if we opt not to bound these pointers internally (if they aren't headed out
to the user program or we later derive bounded pointers), they should still be
annotated as something other than CBArena, ensuring that we do not attempt to
use them for general amplification.
2021-04-09 12:39:29 +01:00
Nathaniel Filardo
54fec3821f SP: alloc paths: begin using CBAllocE
Begin turning the screws on bounds: pointers the allocator is about to reveal
must be annotated as CBAllocE.  Use the PAL's capptr_export and the AAL's
capptr_bound<> to get them there.
2021-04-09 12:39:29 +01:00
Nathaniel Filardo
005f5787ef SP: start plumbing CapPtr<>s 2021-04-09 12:39:29 +01:00
Nathaniel Filardo
7f841ff081 NFC: Introduce and switch to pal_zero
This wrapper will allow us to pass `AuthPtr<T,B> p` to zero() without needing to
write `p.unsafe_auth_ptr` to get to a `T*` inside.  Moreover, it will give us a
convenient point to assert that `B` is such that the pointer can be used to
manipulate the memory map (i.e. is not exported).
2021-04-06 16:25:57 +01:00
Nathaniel Filardo
a1f17e6060 Mediumslab: pre-factor init() to take explicit self 2021-04-06 16:25:57 +01:00
Nathaniel Filardo
4f6cf8cb40 NFC: make Slab, Mediumslab interfaces static
Going forward, this gives us explicit pointers with which to carry bounds
annotations.  Otherwise, assuming AuthPtr overloads operator->, a OOP-style call
like

    AuthPtr<Slab, Bounds> slab;
    slab->foo()

will create a `Slab* this` within the body of `Slab::foo`, leaving it unable to
see or propagate the Bounds annotation.  If it invokes callees that expect
`AuthPtr` arguments, it will therefore have to fabricate new `Bounds` unsafely.
2021-03-16 09:29:19 +00:00
Nathaniel Filardo
b8b5f30513 mediumslab: limit header to min of page or slab
This had not been observed as an issue prior to
923705e514 because CMakeLists.txt had, until
then, been using EQUAL, not STREQUAL, to test for oe (and to then enable
USE_SMALL_CHUNKS).  This test would fail, and so the default SLAB_SIZE was
used.  Absent this min operation, the use of a whole page on a 64KiB page
causes a crash when using the largest medium size class, as, ultimately, size
classes are not based on page sizes, and so committing a whole page to the
header leaves too little room for that class.

See also 3d3b048776.
2020-12-16 15:57:19 +00:00
Nathaniel Filardo
1e8d0bd743 MemoryProviderStateMixin is not a PAL 2020-09-09 12:55:48 +01:00
Nathaniel Filardo
3d3b048776 mediumslab: stop assuming page-alignedness of objects
With large pages (e.g. the 64K that Debian defaults to for ppc64), this
is a bit much to ask.  It's only not true for the bottom few medium size
classes, tho', as all sizes above 256K are multiples of 64K with the
current two mantissa bits size schedule.
2020-05-23 15:42:10 +00:00
SchrodingerZhu
a43773c5b7 add android support (#171)
* adjust for android

* update docs

* add const qualifier to `alloc_size`

* check const qualifier in cmake
2020-04-18 07:58:13 +01:00
Amaury Chamayou
acbcbce597 replace assert with SNMALLOC_ASSERT 2020-03-04 16:57:44 +00:00
Matthew Parkinson
2e4b289991 Removed DecommitAll strategy
The DecommitAll strategy performs badly.  We are not
functionally testing it, and it does not seem investing in it due to its
performance.
2020-01-29 11:58:57 +00:00
Nathaniel Filardo
83c467eb92 ds/address: add pointer diff function
And use it rather than open-coding subtraction of two address_cast-s.
2019-11-26 15:50:22 +00:00
Nathaniel Filardo
ef7985510c address.h: add pointer alignment functions
More explicit than address_cast and bitwise and
2019-11-26 15:37:52 +00:00
Nathaniel Filardo
20e804728b Move bits::is_aligned_block to address.h
And chase consequences
2019-11-26 15:33:09 +00:00
Matthew Parkinson
7a8eaec2cc Made a sizecass_t to wrap the sizeclass
This is useful as codegen is nicer if we use size_t, but the semantics
is uint8_t, and is stored as that in many places in the metadata.
Ultimately should introduce a wrapper to check this invariant.
2019-07-01 14:30:05 +01:00
David Chisnall
5c197e4ae4 [NFC] More checks, comments on end of namespace braces. 2019-04-30 09:46:01 +01:00
David Chisnall
28fac4d700 Fix the remaining clang-tidy warnings.
This introduces a new `address_t` type and two new casts: `pointer_cast`
and `address_cast` for casting between an `address_t` and a pointer.
These should make it easier to audit the codebase for casts between
pointers and integers.  In particular, the remaining `reinterpret_cast`s
and `pointer_cast`s should be the only places where we could perform
invalid pointer arithmetic.

Also adds a `pointer_offset` helper that adds an offset (in bytes) to a
pointer, preserving its original type.  This is a sufficiently common
pattern that it seemed worthwhile to centralise it.
2019-04-29 13:37:05 +01:00
David Chisnall
4bafca9be7 [NFC] Automatic fixes from clang-tidy. 2019-04-29 11:33:07 +01:00
Matthew Parkinson
8698f87018 Added some constexpr to some ifs. 2019-02-15 16:12:38 +00:00
Matthew Parkinson
4f9d991449 Initial commit of snmalloc
History squashed from internal development.

Internal history has commit hash:
  e27a0e485c44a5003a802de2661ce3b21e120316
2019-01-15 14:17:55 +00:00