Add more checks to enhance app heap's security (#428)

This commit is contained in:
Wenyong Huang
2020-10-22 18:52:33 +08:00
committed by GitHub
parent c515fb1b75
commit 91b9458ebd
10 changed files with 431 additions and 205 deletions


@ -171,8 +171,10 @@ memories_deinstantiate(AOTModuleInstance *module_inst)
continue;
}
#endif
if (memory_inst->heap_handle.ptr)
if (memory_inst->heap_handle.ptr) {
mem_allocator_destroy(memory_inst->heap_handle.ptr);
wasm_runtime_free(memory_inst->heap_handle.ptr);
}
if (memory_inst->heap_data.ptr) {
#ifndef OS_ENABLE_HW_BOUND_CHECK
@ -359,13 +361,22 @@ memory_instantiate(AOTModuleInstance *module_inst, AOTModule *module,
memory_inst->heap_data.ptr = p + heap_offset;
memory_inst->heap_data_end.ptr = p + heap_offset + heap_size;
if (heap_size > 0) {
if (!(heap_handle = mem_allocator_create(memory_inst->heap_data.ptr,
heap_size))) {
set_error_buf(error_buf, error_buf_size,
"init app heap failed");
uint32 heap_struct_size = mem_allocator_get_heap_struct_size();
if (!(heap_handle = runtime_malloc((uint64)heap_struct_size,
error_buf, error_buf_size))) {
goto fail1;
}
memory_inst->heap_handle.ptr = heap_handle;
if (!mem_allocator_create_with_struct_and_pool
(heap_handle, heap_struct_size,
memory_inst->heap_data.ptr, heap_size)) {
set_error_buf(error_buf, error_buf_size,
"init app heap failed");
goto fail2;
}
}
if (total_size > 0) {
@ -390,7 +401,7 @@ memory_instantiate(AOTModuleInstance *module_inst, AOTModule *module,
(WASMMemoryInstanceCommon *)memory_inst)) {
set_error_buf(error_buf, error_buf_size,
"allocate memory failed");
goto fail2;
goto fail3;
}
}
#endif
@ -398,12 +409,13 @@ memory_instantiate(AOTModuleInstance *module_inst, AOTModule *module,
return memory_inst;
#if WASM_ENABLE_SHARED_MEMORY != 0
fail2:
if (heap_size > 0) {
fail3:
if (heap_size > 0)
mem_allocator_destroy(memory_inst->heap_handle.ptr);
memory_inst->heap_handle.ptr = NULL;
}
#endif
fail2:
if (heap_size > 0)
wasm_runtime_free(memory_inst->heap_handle.ptr);
fail1:
#ifndef OS_ENABLE_HW_BOUND_CHECK
wasm_runtime_free(memory_inst->memory_data.ptr);
@ -1474,7 +1486,6 @@ aot_enlarge_memory(AOTModuleInstance *module_inst, uint32 inc_page_count)
uint8 *memory_data_old = (uint8 *)memory_inst->memory_data.ptr;
uint8 *heap_data_old = (uint8 *)memory_inst->heap_data.ptr;
uint8 *memory_data, *heap_data;
void *heap_handle_old = memory_inst->heap_handle.ptr;
if (inc_page_count <= 0)
/* No need to enlarge memory */
@ -1498,18 +1509,9 @@ aot_enlarge_memory(AOTModuleInstance *module_inst, uint32 inc_page_count)
}
#endif
if (heap_size > 0) {
/* Destroy heap's lock firstly, if its memory is re-allocated,
we cannot access its lock again. */
mem_allocator_destroy_lock(memory_inst->heap_handle.ptr);
}
if (!(memory_data = wasm_runtime_realloc(memory_data_old,
(uint32)total_size))) {
if (!(memory_data = wasm_runtime_malloc((uint32)total_size))) {
if (heap_size > 0) {
/* Restore heap's lock if memory re-alloc failed */
mem_allocator_reinit_lock(memory_inst->heap_handle.ptr);
}
return false;
}
bh_memcpy_s(memory_data, (uint32)total_size,
@ -1526,10 +1528,10 @@ aot_enlarge_memory(AOTModuleInstance *module_inst, uint32 inc_page_count)
memory_inst->memory_data_end.ptr = memory_data + total_size;
if (heap_size > 0) {
memory_inst->heap_handle.ptr = (uint8 *)heap_handle_old
+ (memory_data - memory_data_old);
if (mem_allocator_migrate(memory_inst->heap_handle.ptr,
heap_handle_old) != 0) {
(char*)heap_data_old
+ (memory_data - memory_data_old),
heap_size)) {
return false;
}
}
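Review bot: In memories_deinstantiate the new `wasm_runtime_free(memory_inst->heap_handle.ptr);` leaves `heap_handle.ptr` dangling, whereas the interpreter's counterpart in this commit nulls the pointer right after the free; for parity and to make a later double-destroy harmless, add `memory_inst->heap_handle.ptr = NULL;` after the free (the old `fail3` path also dropped its `= NULL`, so the instantiate error path has the same asymmetry). In aot_enlarge_memory the `mem_allocator_migrate(...)` failure returns false after `memory_inst->memory_data_end.ptr` has already been pointed at the new buffer, so the caller sees a failure while the instance is half-switched; whether the old buffer is still released on that path is outside the hunk, so I cannot tell, but the ownership of `memory_data_old` now that `wasm_runtime_realloc` became `wasm_runtime_malloc` should be stated in a comment at the malloc. The same migrate-failure handling appears in wasm_enlarge_memory in the interpreter runtime section below. The enclosing functions start and end outside these hunks.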


@ -2138,8 +2138,6 @@ wasm_application_execute_main(WASMModuleInstanceCommon *module_inst,
return ret;
}
#if WASM_ENABLE_MULTI_MODULE != 0
static WASMModuleInstance *
get_sub_module_inst(const WASMModuleInstance *parent_module_inst,


@ -107,6 +107,7 @@ memories_deinstantiate(WASMModuleInstance *module_inst,
#endif
if (memories[i]->heap_handle) {
mem_allocator_destroy(memories[i]->heap_handle);
wasm_runtime_free(memories[i]->heap_handle);
memories[i]->heap_handle = NULL;
}
wasm_runtime_free(memories[i]->memory_data);
@ -262,17 +263,25 @@ memory_instantiate(WASMModuleInstance *module_inst,
memory->memory_data_end = memory->memory_data + (uint32)memory_data_size;
/* Initialize heap */
if (heap_size > 0
&& !(memory->heap_handle =
mem_allocator_create(memory->heap_data, heap_size))) {
set_error_buf(error_buf, error_buf_size, "init app heap failed");
goto fail2;
if (heap_size > 0) {
uint32 heap_struct_size = mem_allocator_get_heap_struct_size();
if (!(memory->heap_handle = runtime_malloc((uint64)heap_struct_size,
error_buf, error_buf_size))) {
goto fail2;
}
if (!mem_allocator_create_with_struct_and_pool
(memory->heap_handle, heap_struct_size,
memory->heap_data, heap_size)) {
set_error_buf(error_buf, error_buf_size, "init app heap failed");
goto fail3;
}
}
#if WASM_ENABLE_SHARED_MEMORY != 0
if (0 != os_mutex_init(&memory->mem_lock)) {
set_error_buf(error_buf, error_buf_size, "init mutex failed");
goto fail3;
goto fail4;
}
if (is_shared_memory) {
memory->is_shared = true;
@ -281,18 +290,21 @@ memory_instantiate(WASMModuleInstance *module_inst,
(WASMMemoryInstanceCommon *)memory)) {
set_error_buf(error_buf, error_buf_size,
"allocate memory failed");
goto fail4;
goto fail5;
}
}
#endif
return memory;
#if WASM_ENABLE_SHARED_MEMORY != 0
fail4:
fail5:
os_mutex_destroy(&memory->mem_lock);
fail3:
fail4:
if (heap_size > 0)
mem_allocator_destroy(memory->heap_handle);
#endif
fail3:
if (heap_size > 0)
wasm_runtime_free(memory->heap_handle);
fail2:
wasm_runtime_free(memory->memory_data);
fail1:
@ -1796,7 +1808,6 @@ wasm_enlarge_memory(WASMModuleInstance *module, uint32 inc_page_count)
uint32 total_size_old = memory->memory_data_end - memory_data;
uint32 total_page_count = inc_page_count + memory->cur_page_count;
uint64 total_size = memory->num_bytes_per_page * (uint64)total_page_count;
void *heap_handle_old = memory->heap_handle;
uint8 *heap_data_old = memory->heap_data;
if (inc_page_count <= 0)
@ -1821,17 +1832,8 @@ wasm_enlarge_memory(WASMModuleInstance *module, uint32 inc_page_count)
}
#endif
if (heap_size > 0) {
/* Destroy heap's lock firstly, if its memory is re-allocated,
we cannot access its lock again. */
mem_allocator_destroy_lock(memory->heap_handle);
}
if (!(new_memory_data = wasm_runtime_realloc(memory_data, (uint32)total_size))) {
if (!(new_memory_data = wasm_runtime_malloc((uint32)total_size))) {
if (heap_size > 0) {
/* Restore heap's lock if memory re-alloc failed */
mem_allocator_reinit_lock(memory->heap_handle);
}
return false;
}
bh_memcpy_s(new_memory_data, (uint32)total_size,
@ -1843,10 +1845,10 @@ wasm_enlarge_memory(WASMModuleInstance *module, uint32 inc_page_count)
0, (uint32)total_size - total_size_old);
if (heap_size > 0) {
memory->heap_handle = (uint8 *)heap_handle_old +
(new_memory_data - memory_data);
if (mem_allocator_migrate(memory->heap_handle,
heap_handle_old) != 0) {
(char *)heap_data_old
+ (new_memory_data - memory_data),
heap_size) != 0) {
return false;
}
}
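Review bot: The two-step `runtime_malloc(heap_struct_size)` followed by `mem_allocator_create_with_struct_and_pool(...)` in memory_instantiate carries the security rationale of this commit, but nothing in the code says why the allocator struct is no longer carved out of linear memory; a comment above the block such as `/* Keep the allocator's bookkeeping outside linear memory so module code cannot overwrite it; only the pool lives at memory->heap_data. */` would preserve that intent (presumably the purpose, given the commit title, so confirm the wording). In wasm_enlarge_memory the `mem_allocator_migrate` call now re-bases the pool rather than moving the struct, which deserves a one-line comment like `/* heap struct did not move; re-base the pool at its new address */`. The new base is recomputed as `(char *)heap_data_old + (new_memory_data - memory_data)`; if `memory->heap_data` is already updated above the hunk, passing it directly would be clearer, but that assignment is not visible here. The enclosing functions start and end outside these hunks.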