10 stdenv.mkDerivation (finalAttrs: {
11 pname = "graphene-hardened-malloc";
14 src = fetchFromGitHub {
16 repo = "hardened_malloc";
17 rev = finalAttrs.version;
18 sha256 = "sha256-ujwzr4njNsf/VTyEq7zKHWxoivU3feavSTx+MLIj1ZM=";
22 nativeCheckInputs = [ python3 ];
23 # these tests cover use as a build-time-linked library
27 install -Dm444 -t $out/include include/*
28 install -Dm444 -t $out/lib out/libhardened_malloc.so
31 substitute preload.sh $out/bin/preload-hardened-malloc --replace "\$dir" $out/lib
32 chmod 0555 $out/bin/preload-hardened-malloc
35 separateDebugInfo = true;
38 ld-preload-tests = stdenv.mkDerivation {
39 name = "${finalAttrs.pname}-ld-preload-tests";
40 inherit (finalAttrs) src;
42 nativeBuildInputs = [ makeWrapper ];
44 # reuse the project's tests to cover use with LD_PRELOAD. we have
45 # to convince the test programs to build as though they're naive
46 # standalone executables. this includes disabling tests for
47 # malloc_object_size, which doesn't make sense to use via LD_PRELOAD.
50 make LDLIBS= LDFLAGS=-Wl,--unresolved-symbols=ignore-all CXXFLAGS=-lstdc++
51 substituteInPlace test_smc.py \
52 --replace 'test_malloc_object_size' 'dont_test_malloc_object_size' \
53 --replace 'test_invalid_malloc_object_size' 'dont_test_invalid_malloc_object_size'
62 makeWrapper ${python3.interpreter} $out/bin/run-tests \
63 --add-flags "-I -m unittest discover --start-directory $out/test"
67 ld-preload = runCommand "ld-preload-test-run" { } ''
68 ${finalAttrs.finalPackage}/bin/preload-hardened-malloc ${finalAttrs.passthru.ld-preload-tests}/bin/run-tests
71 # to compensate for the lack of tests of correct normal malloc operation
72 stress = runCommand "stress-test-run" { } ''
73 ${finalAttrs.finalPackage}/bin/preload-hardened-malloc ${stress-ng}/bin/stress-ng \
76 --malloc-ops 1000000 \
84 homepage = "https://github.com/GrapheneOS/hardened_malloc";
85 description = "Hardened allocator designed for modern systems";
87 This is a security-focused general purpose memory allocator providing the malloc API
88 along with various extensions. It provides substantial hardening against heap
89 corruption vulnerabilities yet aims to provide decent overall performance.
91 license = licenses.mit;
92 maintainers = with maintainers; [ ris ];
93 platforms = [ "x86_64-linux" "aarch64-linux" ];