christoph/wamr
1
Fork 0
Code Releases Activity

Add more checks to enhance app heap's security (#428)

Browse Source
This commit is contained in:
Wenyong Huang
2020-10-22 18:52:33 +08:00
committed by GitHub
parent c515fb1b75
commit 91b9458ebd
10 changed files with 431 additions and 205 deletions
Download Patch File Download Diff File Expand all files Collapse all files

278
core/shared/mem-alloc/ems/ems_alloc.c
View File

@ -6,12 +6,14 @@
#include "ems_gc_internal.h"
static int
hmu_is_in_heap(gc_heap_t* heap, hmu_t* hmu)
static inline bool
hmu_is_in_heap(void *hmu,
gc_uint8 *heap_base_addr,
gc_uint8 *heap_end_addr)
{
return heap && hmu
&& (gc_uint8*) hmu >= heap->base_addr
&& (gc_uint8*) hmu < heap->base_addr + heap->current_size;
gc_uint8 *addr = (gc_uint8 *)hmu;
return (addr >= heap_base_addr && addr < heap_end_addr)
? true : false;
}
/**
@ -23,21 +25,35 @@ hmu_is_in_heap(gc_heap_t* heap, hmu_t* hmu)
* won't be touched. The tree will be re-organized so that the order
* conditions are still satisified.
*/
static void
remove_tree_node(hmu_tree_node_t *p)
static bool
remove_tree_node(gc_heap_t *heap, hmu_tree_node_t *p)
{
hmu_tree_node_t *q = NULL, **slot = NULL;
hmu_tree_node_t *q = NULL, **slot = NULL, *parent;
hmu_tree_node_t *root = &heap->kfc_tree_root;
gc_uint8 *base_addr = heap->base_addr;
gc_uint8 *end_addr = base_addr + heap->current_size;
bh_assert(p);
bh_assert(p->parent); /* @p can not be the ROOT node*/
parent = p->parent;
if (!parent || p == root /* p can not be the ROOT node */
|| !hmu_is_in_heap(p, base_addr, end_addr)
|| (parent != root
&& !hmu_is_in_heap(parent, base_addr, end_addr))) {
goto fail;
}
/* get the slot which holds pointer to node p*/
if (p == p->parent->right) {
slot = &p->parent->right;
} else {
bh_assert(p == p->parent->left); /* @p should be a child of its parent*/
}
else if (p == p->parent->left) {
/* p should be a child of its parent*/
slot = &p->parent->left;
}
else {
goto fail;
}
/**
* algorithms used to remove node p
@ -51,65 +67,110 @@ remove_tree_node(hmu_tree_node_t *p)
if (!p->left) {
/* move right child up*/
*slot = p->right;
if (p->right)
if (p->right) {
if (!hmu_is_in_heap(p->right, base_addr, end_addr)) {
goto fail;
}
p->right->parent = p->parent;
}
p->left = p->right = p->parent = NULL;
return;
return true;
}
if (!p->right) {
/* move left child up*/
*slot = p->left;
p->left->parent = p->parent; /* p->left can never be NULL.*/
if (!hmu_is_in_heap(p->left, base_addr, end_addr)) {
goto fail;
}
/* p->left can never be NULL unless it is corrupted. */
p->left->parent = p->parent;
p->left = p->right = p->parent = NULL;
return;
return true;
}
/* both left & right exist, find p's predecessor at first*/
q = p->left;
while (q->right)
if (!hmu_is_in_heap(q, base_addr, end_addr)) {
goto fail;
}
while (q->right) {
q = q->right;
if (!hmu_is_in_heap(q, base_addr, end_addr)) {
goto fail;
}
}
/* remove from the tree*/
remove_tree_node(q);
if (!remove_tree_node(heap, q))
return false;
*slot = q;
q->parent = p->parent;
q->left = p->left;
q->right = p->right;
if (q->left)
if (q->left) {
if (!hmu_is_in_heap(q->left, base_addr, end_addr)) {
goto fail;
}
q->left->parent = q;
if (q->right)
}
if (q->right) {
if (!hmu_is_in_heap(q->right, base_addr, end_addr)) {
goto fail;
}
q->right->parent = q;
}
p->left = p->right = p->parent = NULL;
return true;
fail:
heap->is_heap_corrupted = true;
return false;
}
static void
static bool
unlink_hmu(gc_heap_t *heap, hmu_t *hmu)
{
gc_uint8 *base_addr, *end_addr;
gc_size_t size;
bh_assert(gci_is_heap_valid(heap));
bh_assert(hmu && (gc_uint8*) hmu >= heap->base_addr
&& (gc_uint8*) hmu < heap->base_addr + heap->current_size);
bh_assert(hmu_get_ut(hmu) == HMU_FC);
if (hmu_get_ut(hmu) != HMU_FC) {
heap->is_heap_corrupted = true;
return false;
}
base_addr = heap->base_addr;
end_addr = base_addr + heap->current_size;
size = hmu_get_size(hmu);
if (HMU_IS_FC_NORMAL(size)) {
uint32 node_idx = size >> 3;
hmu_normal_node_t *node_prev = &heap->kfc_normal_list[node_idx];
hmu_normal_node_t *node =
get_hmu_normal_node_next(&heap->kfc_normal_list[node_idx]);
hmu_normal_node_t *node_prev = NULL, *node_next;
hmu_normal_node_t *node = heap->kfc_normal_list[node_idx].next;
while (node) {
if ((hmu_t*) node == hmu) {
set_hmu_normal_node_next(node_prev, get_hmu_normal_node_next(node));
if (!hmu_is_in_heap(node, base_addr, end_addr)) {
heap->is_heap_corrupted = true;
return false;
}
node_next = get_hmu_normal_node_next(node);
if ((hmu_t*)node == hmu) {
if (!node_prev) /* list head */
heap->kfc_normal_list[node_idx].next = node_next;
else
set_hmu_normal_node_next(node_prev, node_next);
break;
}
node_prev = node;
node = get_hmu_normal_node_next(node);
node = node_next;
}
if (!node) {
@ -117,8 +178,10 @@ unlink_hmu(gc_heap_t *heap, hmu_t *hmu)
}
}
else {
remove_tree_node((hmu_tree_node_t *) hmu);
if (!remove_tree_node(heap, (hmu_tree_node_t *)hmu))
return false;
}
return true;
}
static void
@ -140,37 +203,44 @@ hmu_set_free_size(hmu_t *hmu)
* @param size should be positive and multiple of 8
* hmu with size @size will be added into KFC as a new FC.
*/
void
bool
gci_add_fc(gc_heap_t *heap, hmu_t *hmu, gc_size_t size)
{
gc_uint8 *base_addr, *end_addr;
hmu_normal_node_t *np = NULL;
hmu_tree_node_t *root = NULL, *tp = NULL, *node = NULL;
uint32 node_idx;
bh_assert(gci_is_heap_valid(heap));
bh_assert(hmu && (gc_uint8*) hmu >= heap->base_addr
&& (gc_uint8*) hmu < heap->base_addr + heap->current_size);
bh_assert(hmu && (gc_uint8*)hmu >= heap->base_addr
&& (gc_uint8*)hmu < heap->base_addr + heap->current_size);
bh_assert(((gc_uint32)(uintptr_t)hmu_to_obj(hmu) & 7) == 0);
bh_assert(size > 0
&& ((gc_uint8*) hmu) + size <= heap->base_addr + heap->current_size);
&& ((gc_uint8*)hmu) + size <= heap->base_addr + heap->current_size);
bh_assert(!(size & 7));
base_addr = heap->base_addr;
end_addr = base_addr + heap->current_size;
hmu_set_ut(hmu, HMU_FC);
hmu_set_size(hmu, size);
hmu_set_free_size(hmu);
if (HMU_IS_FC_NORMAL(size)) {
np = (hmu_normal_node_t*) hmu;
np = (hmu_normal_node_t*)hmu;
if (!hmu_is_in_heap(np, base_addr, end_addr)) {
heap->is_heap_corrupted = true;
return false;
}
node_idx = size >> 3;
set_hmu_normal_node_next(np, get_hmu_normal_node_next
(&heap->kfc_normal_list[node_idx]));
set_hmu_normal_node_next(&heap->kfc_normal_list[node_idx], np);
return;
set_hmu_normal_node_next(np, heap->kfc_normal_list[node_idx].next);
heap->kfc_normal_list[node_idx].next = np;
return true;
}
/* big block*/
node = (hmu_tree_node_t*) hmu;
node = (hmu_tree_node_t*)hmu;
node->size = size;
node->left = node->right = node->parent = NULL;
@ -195,7 +265,12 @@ gci_add_fc(gc_heap_t *heap, hmu_t *hmu, gc_size_t size)
}
tp = tp->left;
}
if (!hmu_is_in_heap(tp, base_addr, end_addr)) {
heap->is_heap_corrupted = true;
return false;
}
}
return true;
}
/**
@ -212,7 +287,9 @@ gci_add_fc(gc_heap_t *heap, hmu_t *hmu, gc_size_t size)
static hmu_t *
alloc_hmu(gc_heap_t *heap, gc_size_t size)
{
hmu_normal_node_t *node = NULL, *p = NULL;
gc_uint8 *base_addr, *end_addr;
hmu_normal_list_t *normal_head = NULL;
hmu_normal_node_t *p = NULL;
uint32 node_idx = 0, init_node_idx = 0;
hmu_tree_node_t *root = NULL, *tp = NULL, *last_tp = NULL;
hmu_t *next, *rest;
@ -220,6 +297,9 @@ alloc_hmu(gc_heap_t *heap, gc_size_t size)
bh_assert(gci_is_heap_valid(heap));
bh_assert(size > 0 && !(size & 7));
base_addr = heap->base_addr;
end_addr = base_addr + heap->current_size;
if (size < GC_SMALLEST_SIZE)
size = GC_SMALLEST_SIZE;
@ -229,31 +309,40 @@ alloc_hmu(gc_heap_t *heap, gc_size_t size)
init_node_idx = (size >> 3);
for (node_idx = init_node_idx; node_idx < HMU_NORMAL_NODE_CNT;
node_idx++) {
node = heap->kfc_normal_list + node_idx;
if (get_hmu_normal_node_next(node))
normal_head = heap->kfc_normal_list + node_idx;
if (normal_head->next)
break;
node = NULL;
normal_head = NULL;
}
/* not found in normal list*/
if (node) {
/* found in normal list*/
if (normal_head) {
bh_assert(node_idx >= init_node_idx);
p = get_hmu_normal_node_next(node);
set_hmu_normal_node_next(node, get_hmu_normal_node_next(p));
bh_assert(((gc_int32)(uintptr_t)hmu_to_obj(p) & 7) == 0);
p = normal_head->next;
if (!hmu_is_in_heap(p, base_addr, end_addr)) {
heap->is_heap_corrupted = true;
return NULL;
}
normal_head->next = get_hmu_normal_node_next(p);
if (((gc_int32)(uintptr_t)hmu_to_obj(p) & 7) != 0) {
heap->is_heap_corrupted = true;
return NULL;
}
if ((gc_size_t)node_idx != (uint32)init_node_idx
/* with bigger size*/
&& ((gc_size_t)node_idx << 3) >= size + GC_SMALLEST_SIZE) {
rest = (hmu_t*) (((char *) p) + size);
gci_add_fc(heap, rest, (node_idx << 3) - size);
if (!gci_add_fc(heap, rest, (node_idx << 3) - size)) {
return NULL;
}
hmu_mark_pinuse(rest);
}
else {
size = node_idx << 3;
next = (hmu_t*) ((char*) p + size);
if (hmu_is_in_heap(heap, next))
if (hmu_is_in_heap(next, base_addr, end_addr))
hmu_mark_pinuse(next);
}
@ -275,6 +364,11 @@ alloc_hmu(gc_heap_t *heap, gc_size_t size)
bh_assert(root);
tp = root->right;
while (tp) {
if (!hmu_is_in_heap(tp, base_addr, end_addr)) {
heap->is_heap_corrupted = true;
return NULL;
}
if (tp->size < size) {
tp = tp->right;
continue;
@ -291,17 +385,19 @@ alloc_hmu(gc_heap_t *heap, gc_size_t size)
/* alloc in last_p*/
/* remove node last_p from tree*/
remove_tree_node(last_tp);
if (!remove_tree_node(heap, last_tp))
return NULL;
if (last_tp->size >= size + GC_SMALLEST_SIZE) {
rest = (hmu_t*) ((char*) last_tp + size);
gci_add_fc(heap, rest, last_tp->size - size);
rest = (hmu_t*)((char*)last_tp + size);
if (!gci_add_fc(heap, rest, last_tp->size - size))
return NULL;
hmu_mark_pinuse(rest);
}
else {
size = last_tp->size;
next = (hmu_t*) ((char*) last_tp + size);
if (hmu_is_in_heap(heap, next))
next = (hmu_t*)((char*)last_tp + size);
if (hmu_is_in_heap(next, base_addr, end_addr))
hmu_mark_pinuse(next);
}
@ -309,8 +405,8 @@ alloc_hmu(gc_heap_t *heap, gc_size_t size)
if ((heap->current_size - heap->total_free_size) > heap->highmark_size)
heap->highmark_size = heap->current_size - heap->total_free_size;
hmu_set_size((hmu_t* ) last_tp, size);
return (hmu_t*) last_tp;
hmu_set_size((hmu_t*)last_tp, size);
return (hmu_t*)last_tp;
}
return NULL;
@ -365,6 +461,11 @@ gc_alloc_vo_internal(void *vheap, gc_size_t size,
/* integer overflow */
return NULL;
if (heap->is_heap_corrupted) {
os_printf("[GC_ERROR]Heap is corrupted, allocate memory failed.\n");
return NULL;
}
os_mutex_lock(&heap->lock);
hmu = alloc_hmu_ex(heap, tot_size);
@ -404,6 +505,7 @@ gc_realloc_vo_internal(void *vheap, void *ptr, gc_size_t size,
gc_object_t ret = (gc_object_t) NULL, obj_old = (gc_object_t)ptr;
gc_size_t tot_size, tot_size_unaligned, tot_size_old = 0, tot_size_next;
gc_size_t obj_size, obj_size_old;
gc_uint8 *base_addr, *end_addr;
hmu_type_t ut;
/* hmu header + prefix + obj + suffix */
@ -414,6 +516,11 @@ gc_realloc_vo_internal(void *vheap, void *ptr, gc_size_t size,
/* integer overflow */
return NULL;
if (heap->is_heap_corrupted) {
os_printf("[GC_ERROR]Heap is corrupted, allocate memory failed.\n");
return NULL;
}
if (obj_old) {
hmu_old = obj_to_hmu(obj_old);
tot_size_old = hmu_get_size(hmu_old);
@ -422,17 +529,23 @@ gc_realloc_vo_internal(void *vheap, void *ptr, gc_size_t size,
return obj_old;
}
base_addr = heap->base_addr;
end_addr = base_addr + heap->current_size;
os_mutex_lock(&heap->lock);
if (hmu_old) {
hmu_next = (hmu_t*)((char *)hmu_old + tot_size_old);
if (hmu_is_in_heap(heap, hmu_next)) {
if (hmu_is_in_heap(hmu_next, base_addr, end_addr)) {
ut = hmu_get_ut(hmu_next);
tot_size_next = hmu_get_size(hmu_next);
if (ut == HMU_FC
&& tot_size <= tot_size_old + tot_size_next) {
/* current node and next node meets requirement */
unlink_hmu(heap, hmu_next);
if (!unlink_hmu(heap, hmu_next)) {
os_mutex_unlock(&heap->lock);
return NULL;
}
hmu_set_size(hmu_old, tot_size);
memset((char*)hmu_old + tot_size_old, 0, tot_size - tot_size_old);
#if BH_ENABLE_GC_VERIFY != 0
@ -441,7 +554,10 @@ gc_realloc_vo_internal(void *vheap, void *ptr, gc_size_t size,
if (tot_size < tot_size_old + tot_size_next) {
hmu_next = (hmu_t*)((char*)hmu_old + tot_size);
tot_size_next = tot_size_old + tot_size_next - tot_size;
gci_add_fc(heap, hmu_next, tot_size_next);
if (!gci_add_fc(heap, hmu_next, tot_size_next)) {
os_mutex_unlock(&heap->lock);
return NULL;
}
}
os_mutex_unlock(&heap->lock);
return obj_old;
@ -507,6 +623,7 @@ gc_free_vo_internal(void *vheap, gc_object_t obj,
#endif
{
gc_heap_t* heap = (gc_heap_t*) vheap;
gc_uint8 *base_addr, *end_addr;
hmu_t *hmu = NULL;
hmu_t *prev = NULL;
hmu_t *next = NULL;
@ -518,14 +635,21 @@ gc_free_vo_internal(void *vheap, gc_object_t obj,
return GC_SUCCESS;
}
if (heap->is_heap_corrupted) {
os_printf("[GC_ERROR]Heap is corrupted, free memory failed.\n");
return GC_ERROR;
}
hmu = obj_to_hmu(obj);
base_addr = heap->base_addr;
end_addr = base_addr + heap->current_size;
os_mutex_lock(&heap->lock);
if ((gc_uint8 *)hmu >= heap->base_addr
&& (gc_uint8 *)hmu < heap->base_addr + heap->current_size) {
if (hmu_is_in_heap(hmu, base_addr, end_addr)) {
#if BH_ENABLE_GC_VERIFY != 0
hmu_verify(hmu);
hmu_verify(heap, hmu);
#endif
ut = hmu_get_ut(hmu);
if (ut == HMU_VO) {
@ -544,25 +668,35 @@ gc_free_vo_internal(void *vheap, gc_object_t obj,
if (!hmu_get_pinuse(hmu)) {
prev = (hmu_t*) ((char*) hmu - *((int*) hmu - 1));
if (hmu_is_in_heap(heap, prev) && hmu_get_ut(prev) == HMU_FC) {
if (hmu_is_in_heap(prev, base_addr, end_addr)
&& hmu_get_ut(prev) == HMU_FC) {
size += hmu_get_size(prev);
hmu = prev;
unlink_hmu(heap, prev);
if (!unlink_hmu(heap, prev)) {
ret = GC_ERROR;
goto out;
}
}
}
next = (hmu_t*) ((char*) hmu + size);
if (hmu_is_in_heap(heap, next)) {
if (hmu_is_in_heap(next, base_addr, end_addr)) {
if (hmu_get_ut(next) == HMU_FC) {
size += hmu_get_size(next);
unlink_hmu(heap, next);
next = (hmu_t*) ((char*) hmu + size);
if (!unlink_hmu(heap, next)) {
ret = GC_ERROR;
goto out;
}
next = (hmu_t*)((char*) hmu + size);
}
}
gci_add_fc(heap, hmu, size);
if (!gci_add_fc(heap, hmu, size)) {
ret = GC_ERROR;
goto out;
}
if (hmu_is_in_heap(heap, next)) {
if (hmu_is_in_heap(next, base_addr, end_addr)) {
hmu_unmark_pinuse(next);
}
@ -620,7 +754,11 @@ gci_dump(gc_heap_t *heap)
else if (ut == HMU_FC)
inuse = 'F';
bh_assert(size > 0);
if (size == 0) {
os_printf("[GC_ERROR]Heap is corrupted, heap dump failed.\n");
heap->is_heap_corrupted = true;
return;
}
os_printf("#%d %08x %x %x %d %c %d\n",
i, (int32)((char*) cur - (char*) heap->base_addr),