OLD | NEW |
---|---|
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <fcntl.h> | |
5 #include <stdio.h> | 6 #include <stdio.h> |
6 #include <stdlib.h> | 7 #include <stdlib.h> |
7 #include <string.h> | 8 #include <string.h> |
9 #include <sys/stat.h> | |
10 #include <sys/types.h> | |
8 | 11 |
9 #include <algorithm> | 12 #include <algorithm> |
10 #include <limits> | 13 #include <limits> |
11 | 14 |
15 #include "base/file_util.h" | |
12 #include "base/logging.h" | 16 #include "base/logging.h" |
13 #include "base/memory/scoped_ptr.h" | 17 #include "base/memory/scoped_ptr.h" |
14 #include "testing/gtest/include/gtest/gtest.h" | 18 #include "testing/gtest/include/gtest/gtest.h" |
15 | 19 |
20 using file_util::ScopedFD; | |
16 using std::nothrow; | 21 using std::nothrow; |
17 | 22 |
18 namespace { | 23 namespace { |
19 | 24 |
20 // Check that we can not allocate a memory range that cannot be indexed | 25 // Check that we can not allocate a memory range that cannot be indexed |
21 // via an int. This is used to mitigate vulnerabilities in libraries that use | 26 // via an int. This is used to mitigate vulnerabilities in libraries that use |
22 // int instead of size_t. | 27 // int instead of size_t. |
23 // See crbug.com/169327. | 28 // See crbug.com/169327. |
24 | 29 |
25 // - NO_TCMALLOC because we only patched tcmalloc | 30 // - NO_TCMALLOC because we only patched tcmalloc |
(...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
93 } | 98 } |
94 } | 99 } |
95 | 100 |
96 TEST(SecurityTest, ALLOC_TEST(MemoryAllocationRestrictionsNewArray)) { | 101 TEST(SecurityTest, ALLOC_TEST(MemoryAllocationRestrictionsNewArray)) { |
97 if (!IsTcMallocBypassed()) { | 102 if (!IsTcMallocBypassed()) { |
98 scoped_ptr<char[]> ptr(new (nothrow) char[kTooBigAllocSize]); | 103 scoped_ptr<char[]> ptr(new (nothrow) char[kTooBigAllocSize]); |
99 ASSERT_TRUE(ptr == NULL); | 104 ASSERT_TRUE(ptr == NULL); |
100 } | 105 } |
101 } | 106 } |
102 | 107 |
108 #if (defined(OS_LINUX) || defined(OS_CHROMEOS)) && defined(__x86_64__) | |
109 // Useful for debugging. | |
110 void PrintProcSelfMaps() { | |
111 int fd = open("/proc/self/maps", O_RDONLY); | |
112 ScopedFD fd_closer(&fd); | |
113 ASSERT_GE(fd, 0); | |
114 char buffer[1<<13]; | |
115 int ret; | |
116 ret = read(fd, buffer, sizeof(buffer) - 1); | |
Marius
2013/01/29 07:41:27
where's the close()?
jln (very slow on Chromium)
2013/01/29 07:48:15
I added a ScopedFD instead.
| |
117 ASSERT_GT(ret, 0); | |
118 buffer[ret - 1] = 0; | |
119 fprintf(stdout, "%s\n", buffer); | |
120 } | |
121 | |
122 // Check if TCMalloc uses an underlying random memory allocator. | |
123 TEST(SecurityTest, ALLOC_TEST(RandomMemoryAllocations)) { | |
124 if (IsTcMallocBypassed()) | |
125 return; | |
126 // Two successive calls to mmap() have roughly one chance out of 2^6 to be | |
127 // detected as having the same order. With 32 allocations, we see ~16 that | |
128 // trigger a call to mmap, so the chances of this test flaking is roughly | |
129 // 2^-(6*15), i.e. virtually impossible. | |
130 const int kAllocNumber = 32; | |
131 bool is_contiguous = true; | |
132 // Make kAllocNumber successive allocations of growing size and compare the | |
133 // successive pointers to detect adjacent mappings. We grow the size because | |
134 // TCMalloc can sometimes over-allocate. | |
135 scoped_ptr<char, base::FreeDeleter> ptr[kAllocNumber]; | |
136 for (int i = 0; i < kAllocNumber; ++i) { | |
137 // Grow the Malloc size slightly sub-exponentially. | |
138 const size_t kMallocSize = 1 << (12 + (i>>1)); | |
139 ptr[i].reset(static_cast<char*>(malloc(kMallocSize))); | |
140 ASSERT_TRUE(ptr[i] != NULL); | |
141 if (i > 0) { | |
142 // Without mmap randomization, the two high order nibbles | |
143 // of a 47 bits userland address address will be identical. | |
144 const uintptr_t kHighOrderMask = 0xff0000000000ULL; | |
145 bool pointer_have_same_high_order = | |
146 (reinterpret_cast<size_t>(ptr[i].get()) & kHighOrderMask) == | |
147 (reinterpret_cast<size_t>(ptr[i - 1].get()) & kHighOrderMask); | |
148 if (!pointer_have_same_high_order) { | |
149 // PrintProcSelfMaps(); | |
150 is_contiguous = false; | |
151 break; | |
152 } | |
153 } | |
154 } | |
155 ASSERT_FALSE(is_contiguous); | |
156 } | |
157 | |
158 #endif // (defined(OS_LINUX) || defined(OS_CHROMEOS)) && defined(__x86_64__) | |
159 | |
103 } // namespace | 160 } // namespace |
OLD | NEW |