Linux: grow a unique random mapping in ASLR

third_party/tcmalloc/chromium/src/system-alloc.cc

 // Copyright (c) 2005, Google Inc.
 // All rights reserved.
 // 
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 // 
 //     * Redistributions of source code must retain the above copyright
 // notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
@@ skipping 175 matching lines @@
   // 0x7ffbf8000000.
   // We use 0x3ffffffff000 as the mask so that we only "pollute" half of the
   // address space. In the unlikely case where fragmentation would become an
   // issue, the kernel will still have another half to use.
   // A a bit-wise "and" won't bias our random distribution.
   random_address &= 0x3ffffffff000ULL;
   return reinterpret_cast<void*>(random_address);
 #endif  // ASLR_IS_SUPPORTED
 }
 
+// Allocate |length| bytes of memory using mmap(). The memory will be
+// readable and writeable, but not executable.
+// Like mmap(), we will return MAP_FAILED on failure.
+// |is_aslr_enabled| controls address space layout randomization. When true, we
+// will put the first mapping at a random address and will then try to grow it.
+// If it's not possible to grow an existing mapping, a new one will be created.
+void* AllocWithMmap(size_t length, bool is_aslr_enabled) {
+  static void* address_hint = NULL;

[Chris Evans, 2013/02/01 09:22:30]

What's the threading story here? Is it possible for two threads to be in here at
once? If not, maybe a comment declaring the lock that protects this?

[jln (very slow on Chromium), 2013/02/01 09:53:10]

Done.

+  if (!address_hint && is_aslr_enabled) {
+    address_hint = GetRandomAddrHint();
+  }

[Chris Evans, 2013/02/01 09:22:30]

Style: don't need braces for single-line if with single-line body.

[jln (very slow on Chromium), 2013/02/01 09:53:10]

The style guide is open on this. I usually always put them, I've been bitten by
it before.

But since I didn't do it below, you're right that I should be consistent.

+  void* result = mmap(address_hint, length, PROT_READ|PROT_WRITE,

[Chris Evans, 2013/02/01 09:22:30]

Maybe some form of comment that the intent here is to map right at the end of
the previous mapping, leading to the extension of the existing VMA instead of a
new VMA?

[jln (very slow on Chromium), 2013/02/01 09:53:10]

Isn't the comment below good enough ? Should I move the comment here?

+                      MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
+  if (result != static_cast<void*>(MAP_FAILED) && is_aslr_enabled) {

[Chris Evans, 2013/02/01 09:22:30]

I think you can simplify this block to simply

if (result != address_hint)
  address_hint = NULL;

It'll work in the MAP_FAILED case and reset the hint for _any_ VMA collision.

[jln (very slow on Chromium), 2013/02/01 09:53:10]

But is that what we want ? If the goal is to grow existing areas as much as
possible, this is not optimal.

I was already tempted to do it, so you convinced me. It's closer to the balance
we'll eventually get when we start skewing this more towards security later.

+    // If mmap() succeeded at a random address, our next mmap() will try to grow
+    // the current mapping.
+    // This has been done for performance reasons, see crbug.com/173371.
+    // It should be possible to strike a better balance between performance
+    // and security but will be done at a later date.
+    address_hint = static_cast<char*>(result) + length;
+    if (address_hint < result)
+      address_hint = NULL;
+    ASSERT((reinterpret_cast<uintptr_t>(address_hint) & 0xfff) == 0);
+  }
+  return result;
+}
+
 }  // Anonymous namespace to avoid name conflicts on "CheckAddressBits".
 
 COMPILE_ASSERT(kAddressBits <= 8 * sizeof(void*),
                address_bits_larger_than_pointer_size);
 
 // Structure for discovering alignment
 union MemoryAligner {
   void*  p;
   double d;
   size_t s;
@@ skipping 192 matching lines @@
   // Ask for extra memory if alignment > pagesize
   size_t extra = 0;
   if (alignment > pagesize) {
     extra = alignment - pagesize;
   }
 
   // Note: size + extra does not overflow since:
   //            size + alignment < (1<<NBITS).
   // and        extra <= alignment
   // therefore  size + extra < (1<<NBITS)
-  void* address_hint = NULL;
-  if (FLAGS_malloc_random_allocator) {
-    address_hint = GetRandomAddrHint();
-  }
-  void* result = mmap(address_hint, size + extra,
-                      PROT_READ|PROT_WRITE,
-                      MAP_PRIVATE|MAP_ANONYMOUS,
-                      -1, 0);
+  void* result = AllocWithMmap(size + extra, FLAGS_malloc_random_allocator);
   if (result == reinterpret_cast<void*>(MAP_FAILED)) {
     return NULL;
   }
 
   // Adjust the return memory so it is aligned
   uintptr_t ptr = reinterpret_cast<uintptr_t>(result);
   size_t adjust = 0;
   if ((ptr & (alignment - 1)) != 0) {
     adjust = alignment - (ptr & (alignment - 1));
   }
@@ skipping 226 matching lines @@
     }
   }
 #endif
 }
 
 void TCMalloc_SystemCommit(void* start, size_t length) {
   // Nothing to do here.  TCMalloc_SystemRelease does not alter pages
   // such that they need to be re-committed before they can be used by the
   // application.
 }