From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: barebox@lists.infradead.org
Cc: Ahmad Fatoum <a.fatoum@pengutronix.de>
Subject: [PATCH v2 2/5] hardening: support zeroing all malloc buffers by default
Date: Mon, 2 Dec 2024 09:18:12 +0100 [thread overview]
Message-ID: <20241202081815.3475994-3-a.fatoum@pengutronix.de> (raw)
In-Reply-To: <20241202081815.3475994-1-a.fatoum@pengutronix.de>
dummy malloc doesn't free and all allocations are in freshly sbrk()'d
memory, which already zero.
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
common/calloc.c | 7 +++----
common/dlmalloc.c | 7 +++++++
common/tlsf.c | 6 ++++++
include/malloc.h | 10 ++++++++++
lib/Kconfig.hardening | 23 +++++++++++++++++++++++
5 files changed, 49 insertions(+), 4 deletions(-)
diff --git a/common/calloc.c b/common/calloc.c
index 12f18474a4c8..17cbd9beefee 100644
--- a/common/calloc.c
+++ b/common/calloc.c
@@ -2,6 +2,7 @@
#include <common.h>
#include <malloc.h>
+#include <memory.h>
#include <linux/overflow.h>
/*
@@ -12,10 +13,8 @@ void *calloc(size_t n, size_t elem_size)
size_t size = size_mul(elem_size, n);
void *r = malloc(size);
- if (!r)
- return r;
-
- memset(r, 0x0, size);
+ if (r && !want_init_on_alloc())
+ memset(r, 0x0, size);
return r;
}
diff --git a/common/dlmalloc.c b/common/dlmalloc.c
index 821a193af6bc..731c46b584b0 100644
--- a/common/dlmalloc.c
+++ b/common/dlmalloc.c
@@ -7,6 +7,7 @@
#include <dlmalloc.h>
#include <linux/overflow.h>
#include <linux/build_bug.h>
+#include <linux/compiler.h>
#include <stdio.h>
#include <module.h>
@@ -1368,6 +1369,8 @@ void dlfree(void *mem)
p = mem2chunk(mem);
hd = p->size;
+ if (want_init_on_free())
+ memzero_explicit(mem, chunksize(p));
sz = hd & ~PREV_INUSE;
next = chunk_at_offset(p, sz);
@@ -1952,7 +1955,11 @@ void malloc_stats(void)
*/
#ifdef CONFIG_MALLOC_DLMALLOC
+#ifdef CONFIG_INIT_ON_ALLOC_DEFAULT_ON
+void *malloc(size_t bytes) { return dlcalloc(1, bytes); }
+#else
void *malloc(size_t) __alias(dlmalloc);
+#endif
EXPORT_SYMBOL(malloc);
void *calloc(size_t, size_t) __alias(dlcalloc);
EXPORT_SYMBOL(calloc);
diff --git a/common/tlsf.c b/common/tlsf.c
index ba2ed367c0b9..4cd90e150de2 100644
--- a/common/tlsf.c
+++ b/common/tlsf.c
@@ -3,6 +3,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <malloc.h>
#include <tlsf.h>
#include "tlsfbits.h"
#include <linux/kasan.h>
@@ -615,6 +616,9 @@ static void* block_prepare_used(control_t* control, block_header_t* block,
kasan_poison_shadow(&block->size, size + 2 * sizeof(size_t),
KASAN_KMALLOC_REDZONE);
kasan_unpoison_shadow(p, used);
+
+ if (want_init_on_alloc())
+ memzero_explicit(p, size);
}
return p;
}
@@ -1023,6 +1027,8 @@ void tlsf_free(tlsf_t tlsf, void* ptr)
control_t* control = tlsf_cast(control_t*, tlsf);
block_header_t* block = block_from_ptr(ptr);
tlsf_assert(!block_is_free(block) && "block already marked as free");
+ if (want_init_on_free())
+ memzero_explicit(ptr, block_size(block));
kasan_poison_shadow(ptr, block_size(block), 0xff);
block_mark_as_free(block);
block = block_merge_prev(control, block);
diff --git a/include/malloc.h b/include/malloc.h
index a823ce8c8462..7bee03dab236 100644
--- a/include/malloc.h
+++ b/include/malloc.h
@@ -54,4 +54,14 @@ static inline int mem_malloc_is_initialized(void)
}
#endif
+static inline bool want_init_on_alloc(void)
+{
+ return IS_ENABLED(CONFIG_INIT_ON_ALLOC_DEFAULT_ON);
+}
+
+static inline bool want_init_on_free(void)
+{
+ return IS_ENABLED(CONFIG_INIT_ON_FREE_DEFAULT_ON);
+}
+
#endif /* __MALLOC_H */
diff --git a/lib/Kconfig.hardening b/lib/Kconfig.hardening
index 28be42a27465..7a177840a5a1 100644
--- a/lib/Kconfig.hardening
+++ b/lib/Kconfig.hardening
@@ -10,6 +10,29 @@ config BUG_ON_DATA_CORRUPTION
If unsure, say N.
+menu "Memory initialization"
+
+config INIT_ON_ALLOC_DEFAULT_ON
+ bool "Enable heap memory zeroing on allocation by default"
+ depends on !MALLOC_LIBC
+ help
+ When this is enabled, all allocator memory will be zeroed
+ when allocated, eliminating many kinds of "uninitialized
+ heap memory" flaws, especially heap content exposures.
+
+config INIT_ON_FREE_DEFAULT_ON
+ bool "Enable heap memory zeroing on free by default"
+ depends on !MALLOC_DUMMY && !MALLOC_LIBC
+ help
+ When this is enabled, all allocator memory will be zeroed
+ when freed, eliminating many kinds of "uninitialized heap memory"
+ flaws, especially heap content exposures. The primary difference
+ is that data lifetime in memory is reduced, as anything freed is
+ wiped immediately, making live forensics or cold boot memory
+ attacks unable to recover freed memory contents.
+
+endmenu
+
config STACK_GUARD_PAGE
bool "Place guard page to catch stack overflows"
depends on ARM && MMU
--
2.39.5
next prev parent reply other threads:[~2024-12-02 8:18 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-02 8:18 [PATCH v2 0/5] malloc: add options to zero-initialize buffers Ahmad Fatoum
2024-12-02 8:18 ` [PATCH v2 1/5] dlmalloc: add aliases with dl as prefix Ahmad Fatoum
2024-12-02 8:18 ` Ahmad Fatoum [this message]
2024-12-02 8:18 ` [PATCH v2 3/5] hardening: support initializing stack variables by default Ahmad Fatoum
2024-12-02 8:18 ` [PATCH v2 4/5] hardening: support register zeroing on function exit Ahmad Fatoum
2024-12-02 8:18 ` [PATCH v2 5/5] tlsf: panic in asserts if CONFIG_BUG_ON_DATA_CORRUPTION=y Ahmad Fatoum
2024-12-02 11:09 ` [PATCH v2 0/5] malloc: add options to zero-initialize buffers Sascha Hauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241202081815.3475994-3-a.fatoum@pengutronix.de \
--to=a.fatoum@pengutronix.de \
--cc=barebox@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox