Mask freelist entries in tcmalloc

third_party/tcmalloc/chromium/src/free_list.cc

 // Copyright (c) 2011, Google Inc.
 // All rights reserved.
 //
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 // notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
@@ skipping 41 matching lines @@
 // -In singly linked lists, the |next| pointer is stored in the first N
 // bytes of the node.
 //
 // For both types of lists: when a pop operation is performed on a non
 // empty list, the new list head becomes that which is pointed to by
 // the former head's |next| pointer.  If the list is doubly linked, the
 // new head |previous| pointer gets changed from pointing to the former
 // head to NULL.
 
 
+#include <limits>
 #include <stddef.h>
 #include "free_list.h"
+#include "system-alloc.h"
 
 #if defined(TCMALLOC_USE_DOUBLYLINKED_FREELIST)
 
 using tcmalloc::kCrash;
 
 // TODO(jar): We should use C++ rather than a macro here.
 #define MEMORY_CHECK(v1, v2) \
   if (v1 != v2) Log(kCrash, __FILE__, __LINE__, "Memory corruption detected.")
 
 namespace {
 void EnsureNonLoop(void* node, void* next) {
   // We only have time to do minimal checking.  We don't traverse the list, but
   // only look for an immediate loop (cycle back to ourself).
   if (node != next) return;
   Log(kCrash, __FILE__, __LINE__, "Circular loop in list detected: ", next);
 }
 
+inline void* MaskPtr(void* p) {
+  // Maximize ASLR entropy and guarantee the result is an invalid address.
+  const uintptr_t q = ~(reinterpret_cast<intptr_t>(TCMalloc_SystemAlloc) >> 13);
+  // Do not mask NULL pointers, otherwise we could leak address state.
+  if (p)
+    return reinterpret_cast<void*>(reinterpret_cast<uintptr_t>(p) ^ q);
+  return p;
+}
+
+inline void* UnmaskPtr(void* p) {
+  return MaskPtr(p);
+}
+
 // Returns value of the |previous| pointer w/out running a sanity
 // check.
 inline void *FL_Previous_No_Check(void *t) {
-  return reinterpret_cast<void**>(t)[1];
+  return UnmaskPtr(reinterpret_cast<void**>(t)[1]);
 }
 
 // Returns value of the |next| pointer w/out running a sanity check.
 inline void *FL_Next_No_Check(void *t) {
-  return reinterpret_cast<void**>(t)[0];
+  return UnmaskPtr(reinterpret_cast<void**>(t)[0]);
 }
 
 void *FL_Previous(void *t) {
   void *previous = FL_Previous_No_Check(t);
   if (previous) {
     MEMORY_CHECK(FL_Next_No_Check(previous), t);
   }
   return previous;
 }
 
 inline void FL_SetPrevious(void *t, void *n) {
   EnsureNonLoop(t, n);
-  reinterpret_cast<void**>(t)[1] = n;
+  reinterpret_cast<void**>(t)[1] = MaskPtr(n);
 }
 
 inline void FL_SetNext(void *t, void *n) {
   EnsureNonLoop(t, n);
-  reinterpret_cast<void**>(t)[0] = n;
+  reinterpret_cast<void**>(t)[0] = MaskPtr(n);
 }
 
 } // namespace
 
 namespace tcmalloc {
 
 void *FL_Next(void *t) {
   void *next = FL_Next_No_Check(t);
   if (next) {
     MEMORY_CHECK(FL_Previous_No_Check(next), t);
@@ skipping 104 matching lines @@
 
 namespace {
 
 inline void FL_SetNext(void *t, void *n) {
   tcmalloc::SLL_SetNext(t,n);
 }
 
 }
 
 #endif // TCMALLOC_USE_DOUBLYLINKED_FREELIST