| Index: base/security_unittest.cc
|
| diff --git a/base/security_unittest.cc b/base/security_unittest.cc
|
| index 5db18fdfe457ad132092e7cdcb188c12d6ead3b0..3eab7588e76a3d6f52a59a60b4fc23e158af54e2 100644
|
| --- a/base/security_unittest.cc
|
| +++ b/base/security_unittest.cc
|
| @@ -2,13 +2,17 @@
|
| // Use of this source code is governed by a BSD-style license that can be
|
| // found in the LICENSE file.
|
|
|
| +#include <fcntl.h>
|
| #include <stdio.h>
|
| #include <stdlib.h>
|
| #include <string.h>
|
| +#include <sys/stat.h>
|
| +#include <sys/types.h>
|
|
|
| #include <algorithm>
|
| #include <limits>
|
|
|
| +#include "base/file_util.h"
|
| #include "base/logging.h"
|
| #include "base/memory/scoped_ptr.h"
|
| #include "testing/gtest/include/gtest/gtest.h"
|
| @@ -100,4 +104,59 @@ TEST(SecurityTest, ALLOC_TEST(MemoryAllocationRestrictionsNewArray)) {
|
| }
|
| }
|
|
|
| +#if (defined(OS_LINUX) || defined(OS_CHROMEOS)) && defined(__x86_64__)
|
| +// Useful for debugging.
|
| +void PrintProcSelfMaps() {
|
| + int fd = open("/proc/self/maps", O_RDONLY);
|
| + file_util::ScopedFD fd_closer(&fd);
|
| + ASSERT_GE(fd, 0);
|
| + char buffer[1<<13];
|
| + int ret;
|
| + ret = read(fd, buffer, sizeof(buffer) - 1);
|
| + ASSERT_GT(ret, 0);
|
| + buffer[ret - 1] = 0;
|
| + fprintf(stdout, "%s\n", buffer);
|
| +}
|
| +
|
| +// Check if TCMalloc uses an underlying random memory allocator.
|
| +TEST(SecurityTest, ALLOC_TEST(RandomMemoryAllocations)) {
|
| + if (IsTcMallocBypassed())
|
| + return;
|
| + // Two successsive calls to mmap() have roughly one chance out of 2^6 to
|
| + // have the same two high order nibbles, which is what we are looking at in
|
| + // this test. (In the implementation, we mask these two nibbles with 0x3f,
|
| + // hence the 6 bits).
|
| + // With 32 allocations, we see ~16 that end-up in different buckets (i.e.
|
| + // zones mapped via mmap(), so the chances of this test flaking is roughly
|
| + // 2^-(6*15).
|
| + const int kAllocNumber = 32;
|
| + // Make kAllocNumber successive allocations of growing size and compare the
|
| + // successive pointers to detect adjacent mappings. We grow the size because
|
| + // TCMalloc can sometimes over-allocate.
|
| + scoped_ptr<char, base::FreeDeleter> ptr[kAllocNumber];
|
| + for (int i = 0; i < kAllocNumber; ++i) {
|
| + // Grow the Malloc size slightly sub-exponentially.
|
| + const size_t kMallocSize = 1 << (12 + (i>>1));
|
| + ptr[i].reset(static_cast<char*>(malloc(kMallocSize)));
|
| + ASSERT_TRUE(ptr[i] != NULL);
|
| + if (i > 0) {
|
| + // Without mmap randomization, the two high order nibbles
|
| + // of a 47 bits userland address address will be identical.
|
| + // We're only watching the 6 bits that we actually do touch
|
| + // in our implementation.
|
| + const uintptr_t kHighOrderMask = 0x3f0000000000ULL;
|
| + bool pointer_have_same_high_order =
|
| + (reinterpret_cast<size_t>(ptr[i].get()) & kHighOrderMask) ==
|
| + (reinterpret_cast<size_t>(ptr[i - 1].get()) & kHighOrderMask);
|
| + if (!pointer_have_same_high_order) {
|
| + // PrintProcSelfMaps();
|
| + return; // Test passes.
|
| + }
|
| + }
|
| + }
|
| + ASSERT_TRUE(false); // NOTREACHED();
|
| +}
|
| +
|
| +#endif // (defined(OS_LINUX) || defined(OS_CHROMEOS)) && defined(__x86_64__)
|
| +
|
| } // namespace
|
|
|
Chromium Code Reviews
Issue 12093035:
TCMalloc: support userland ASLR on Linux (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src