From d835fe24d126abedd3e517f54e4337917516d7c0 Mon Sep 17 00:00:00 2001 From: djm <> Date: Tue, 30 Dec 2008 07:44:51 +0000 Subject: [PATCH] Remove mprotecting of struct dir_info introduced in previous commit (MALLOC_OPTIONS=L). It was too slow to turn on by default, and we don't do optional security. requested by deraadt@ grumbling ok otto@ --- src/lib/libc/stdlib/malloc.3 | 11 ++-------- src/lib/libc/stdlib/malloc.c | 39 ++---------------------------------- 2 files changed, 4 insertions(+), 46 deletions(-) diff --git a/src/lib/libc/stdlib/malloc.3 b/src/lib/libc/stdlib/malloc.3 index 24588343..c3566e37 100644 --- a/src/lib/libc/stdlib/malloc.3 +++ b/src/lib/libc/stdlib/malloc.3 @@ -30,9 +30,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $OpenBSD: malloc.3,v 1.59 2008/12/29 22:25:50 djm Exp $ +.\" $OpenBSD: malloc.3,v 1.60 2008/12/30 07:44:51 djm Exp $ .\" -.Dd $Mdocdate: December 29 2008 $ +.Dd $Mdocdate: December 30 2008 $ .Dt MALLOC 3 .Os .Sh NAME @@ -249,13 +249,6 @@ Currently junk is bytes of 0xd0 when allocating; this is pronounced .Dq Duh . \&:-) Freed chunks are filled with 0xdf. -.It Cm L -.Dq Lock . -Lock critical data structures using -.Xr mprotect 2 -to protect against modification except by -.Nm -and related routines. .It Cm P .Dq Move allocations within a page. Allocations larger than half a page but smaller than a page diff --git a/src/lib/libc/stdlib/malloc.c b/src/lib/libc/stdlib/malloc.c index e15a64ac..3d2e3dd2 100644 --- a/src/lib/libc/stdlib/malloc.c +++ b/src/lib/libc/stdlib/malloc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: malloc.c,v 1.112 2008/12/29 22:25:50 djm Exp $ */ +/* $OpenBSD: malloc.c,v 1.113 2008/12/30 07:44:51 djm Exp $ */ /* * Copyright (c) 2008 Otto Moerbeek * @@ -88,23 +88,6 @@ #define MMAPA(a,sz) mmap((a), (size_t)(sz), PROT_READ | PROT_WRITE, \ MAP_ANON | MAP_PRIVATE, -1, (off_t) 0) -/* Protect and unprotect g_pool structure as we enter/exit the allocator */ -#define DIR_INFO_RSZ ((sizeof(struct dir_info) + PAGE_MASK) & ~PAGE_MASK) -#define PROTECT_G_POOL() \ - do { \ - if (g_pool != NULL && mopts.malloc_poolprot) { \ - mprotect((void *)((uintptr_t)g_pool & ~PAGE_MASK), \ - DIR_INFO_RSZ, PROT_NONE); \ - } \ - } while (0) -#define UNPROTECT_G_POOL() \ - do { \ - if (g_pool != NULL && mopts.malloc_poolprot) { \ - mprotect((void *)((uintptr_t)g_pool & ~PAGE_MASK), \ - DIR_INFO_RSZ, PROT_READ | PROT_WRITE); \ - } \ - } while (0) - struct region_info { void *p; /* page; low bits used to mark chunks */ uintptr_t size; /* size for pages, or chunk_info pointer */ @@ -142,7 +125,7 @@ struct dir_info { #endif /* MALLOC_STATS */ u_int32_t canary2; }; - +#define DIR_INFO_RSZ ((sizeof(struct dir_info) + PAGE_MASK) & ~PAGE_MASK) /* * This structure describes a page worth of chunks. @@ -165,7 +148,6 @@ struct chunk_info { struct malloc_readonly { struct dir_info *g_pool; /* Main bookkeeping information */ int malloc_abort; /* abort() on error */ - int malloc_poolprot; /* mprotect heap PROT_NONE? */ int malloc_freeprot; /* mprotect free pages PROT_NONE? */ int malloc_hint; /* call madvice on free pages? */ int malloc_junk; /* junk fill? */ @@ -653,12 +635,6 @@ omalloc_init(struct dir_info **dp) case 'J': mopts.malloc_junk = 1; break; - case 'l': - mopts.malloc_poolprot = 0; - break; - case 'L': - mopts.malloc_poolprot = 1; - break; case 'n': case 'N': break; @@ -1214,7 +1190,6 @@ malloc_recurse(void) wrterror("recursive call"); } malloc_active--; - PROTECT_G_POOL(); _MALLOC_UNLOCK(); errno = EDEADLK; } @@ -1223,7 +1198,6 @@ static void malloc_global_corrupt(void) { wrterror("global malloc data corrupt"); - PROTECT_G_POOL(); _MALLOC_UNLOCK(); errno = EINVAL; } @@ -1248,7 +1222,6 @@ malloc(size_t size) int saved_errno = errno; _MALLOC_LOCK(); - UNPROTECT_G_POOL(); malloc_func = " in malloc():"; if (g_pool == NULL) { if (malloc_init() != 0) @@ -1260,7 +1233,6 @@ malloc(size_t size) } r = omalloc(size, mopts.malloc_zero); malloc_active--; - PROTECT_G_POOL(); _MALLOC_UNLOCK(); if (r == NULL && mopts.malloc_xmalloc) { wrterror("out of memory"); @@ -1349,7 +1321,6 @@ free(void *ptr) return; _MALLOC_LOCK(); - UNPROTECT_G_POOL(); malloc_func = " in free():"; if (g_pool == NULL) { _MALLOC_UNLOCK(); @@ -1362,7 +1333,6 @@ free(void *ptr) } ofree(ptr); malloc_active--; - PROTECT_G_POOL(); _MALLOC_UNLOCK(); errno = saved_errno; } @@ -1466,7 +1436,6 @@ realloc(void *ptr, size_t size) int saved_errno = errno; _MALLOC_LOCK(); - UNPROTECT_G_POOL(); malloc_func = " in realloc():"; if (g_pool == NULL) { if (malloc_init() != 0) @@ -1479,7 +1448,6 @@ realloc(void *ptr, size_t size) r = orealloc(ptr, size); malloc_active--; - PROTECT_G_POOL(); _MALLOC_UNLOCK(); if (r == NULL && mopts.malloc_xmalloc) { wrterror("out of memory"); @@ -1500,7 +1468,6 @@ calloc(size_t nmemb, size_t size) int saved_errno = errno; _MALLOC_LOCK(); - UNPROTECT_G_POOL(); malloc_func = " in calloc():"; if (g_pool == NULL) { if (malloc_init() != 0) @@ -1508,7 +1475,6 @@ calloc(size_t nmemb, size_t size) } if ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) && nmemb > 0 && SIZE_MAX / nmemb < size) { - PROTECT_G_POOL(); _MALLOC_UNLOCK(); if (mopts.malloc_xmalloc) wrterror("out of memory"); @@ -1525,7 +1491,6 @@ calloc(size_t nmemb, size_t size) r = omalloc(size, 1); malloc_active--; - PROTECT_G_POOL(); _MALLOC_UNLOCK(); if (r == NULL && mopts.malloc_xmalloc) { wrterror("out of memory");