[RFC,v2] mem: poison memory when freed
Checks
Commit Message
DPDK malloc library allows broken programs to work because
the semantics of zmalloc and malloc are the same.
This patch enables a more secure model which will catch
(and crash) programs that reuse memory already freed if
RTE_MALLOC_DEBUG is enabled.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
v2
- keep original behavior unless RTE_MALLOC_DEBUG is enabled.
lib/librte_eal/common/malloc_elem.c | 17 ++++++++++++++---
lib/librte_eal/common/rte_malloc.c | 8 +++++++-
2 files changed, 21 insertions(+), 4 deletions(-)
Comments
On 19.07.2018 19:20, Stephen Hemminger wrote:
> DPDK malloc library allows broken programs to work because
> the semantics of zmalloc and malloc are the same.
>
> This patch enables a more secure model which will catch
> (and crash) programs that reuse memory already freed if
> RTE_MALLOC_DEBUG is enabled.
>
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
I like the idea, so
Acked-by: Andrew Rybchenko <arybchenko@solarflare.com>
On 19.07.2018 19:20, Stephen Hemminger wrote:
> DPDK malloc library allows broken programs to work because
> the semantics of zmalloc and malloc are the same.
>
> This patch enables a more secure model which will catch
> (and crash) programs that reuse memory already freed if
> RTE_MALLOC_DEBUG is enabled.
>
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> ---
>
> v2
> - keep original behavior unless RTE_MALLOC_DEBUG is enabled.
>
> lib/librte_eal/common/malloc_elem.c | 17 ++++++++++++++---
> lib/librte_eal/common/rte_malloc.c | 8 +++++++-
> 2 files changed, 21 insertions(+), 4 deletions(-)
>
> diff --git a/lib/librte_eal/common/malloc_elem.c b/lib/librte_eal/common/malloc_elem.c
> index efcb82677198..6fc63c53a75d 100644
> --- a/lib/librte_eal/common/malloc_elem.c
> +++ b/lib/librte_eal/common/malloc_elem.c
> @@ -23,6 +23,16 @@
> #include "malloc_elem.h"
> #include "malloc_heap.h"
>
> +/* If debugging is enabled, freed memory is set to poison value
> + * to catch buggy programs. Otherwise, freed memory is zerod
> + * to avoid having to zero in zmalloc
> + */
> +#ifdef RTE_MALLOC_DEBUG
> +#define MALLOC_POISON 0x6b
> +#else
> +#define MALLOC_POISON 0
> +#endif
> +
> size_t
> malloc_elem_find_max_iova_contig(struct malloc_elem *elem, size_t align)
> {
> @@ -476,7 +486,7 @@ malloc_elem_join_adjacent_free(struct malloc_elem *elem)
> join_elem(elem, elem->next);
>
> /* erase header, trailer and pad */
> - memset(erase, 0, erase_len);
> + memset(erase, MALLOC_POISON, erase_len);
> }
>
> /*
> @@ -500,7 +510,7 @@ malloc_elem_join_adjacent_free(struct malloc_elem *elem)
> join_elem(new_elem, elem);
>
> /* erase header, trailer and pad */
> - memset(erase, 0, erase_len);
> + memset(erase, MALLOC_POISON, erase_len);
>
> elem = new_elem;
> }
> @@ -531,7 +541,8 @@ malloc_elem_free(struct malloc_elem *elem)
> /* decrease heap's count of allocated elements */
> elem->heap->alloc_count--;
>
> - memset(ptr, 0, data_len);
> + /* poison memory */
> + memset(ptr, MALLOC_POISON, data_len);
>
> return elem;
> }
> diff --git a/lib/librte_eal/common/rte_malloc.c b/lib/librte_eal/common/rte_malloc.c
> index b51a6d111bde..ed253149bb6b 100644
> --- a/lib/librte_eal/common/rte_malloc.c
> +++ b/lib/librte_eal/common/rte_malloc.c
> @@ -70,7 +70,13 @@ rte_malloc(const char *type, size_t size, unsigned align)
> void *
> rte_zmalloc_socket(const char *type, size_t size, unsigned align, int socket)
> {
> - return rte_malloc_socket(type, size, align, socket);
> + void *ptr = rte_malloc_socket(type, size, align, socket);
> +
> +#ifndef RTE_MALLOC_DEBUG
It should be #ifdef above.
> + if (ptr != NULL)
> + memset(ptr, 0, size);
> +#endif
> + return ptr;
> }
>
> /*
On 19-Jul-18 5:20 PM, Stephen Hemminger wrote:
> DPDK malloc library allows broken programs to work because
> the semantics of zmalloc and malloc are the same.
>
> This patch enables a more secure model which will catch
> (and crash) programs that reuse memory already freed if
> RTE_MALLOC_DEBUG is enabled.
>
> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> ---
Making it not default behavior makes it suitable for inclusion without
deprecation notices IMO.
Reviewed-by: Anatoly Burakov <anatoly.burakov@intel.com>
@@ -23,6 +23,16 @@
#include "malloc_elem.h"
#include "malloc_heap.h"
+/* If debugging is enabled, freed memory is set to poison value
+ * to catch buggy programs. Otherwise, freed memory is zerod
+ * to avoid having to zero in zmalloc
+ */
+#ifdef RTE_MALLOC_DEBUG
+#define MALLOC_POISON 0x6b
+#else
+#define MALLOC_POISON 0
+#endif
+
size_t
malloc_elem_find_max_iova_contig(struct malloc_elem *elem, size_t align)
{
@@ -476,7 +486,7 @@ malloc_elem_join_adjacent_free(struct malloc_elem *elem)
join_elem(elem, elem->next);
/* erase header, trailer and pad */
- memset(erase, 0, erase_len);
+ memset(erase, MALLOC_POISON, erase_len);
}
/*
@@ -500,7 +510,7 @@ malloc_elem_join_adjacent_free(struct malloc_elem *elem)
join_elem(new_elem, elem);
/* erase header, trailer and pad */
- memset(erase, 0, erase_len);
+ memset(erase, MALLOC_POISON, erase_len);
elem = new_elem;
}
@@ -531,7 +541,8 @@ malloc_elem_free(struct malloc_elem *elem)
/* decrease heap's count of allocated elements */
elem->heap->alloc_count--;
- memset(ptr, 0, data_len);
+ /* poison memory */
+ memset(ptr, MALLOC_POISON, data_len);
return elem;
}
@@ -70,7 +70,13 @@ rte_malloc(const char *type, size_t size, unsigned align)
void *
rte_zmalloc_socket(const char *type, size_t size, unsigned align, int socket)
{
- return rte_malloc_socket(type, size, align, socket);
+ void *ptr = rte_malloc_socket(type, size, align, socket);
+
+#ifndef RTE_MALLOC_DEBUG
+ if (ptr != NULL)
+ memset(ptr, 0, size);
+#endif
+ return ptr;
}
/*