base/process/memory_linux.cc

   1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "base/process/memory.h"
   6
   7 #include <new>
   8
   9 #include "base/files/file_path.h"
  10 #include "base/files/file_util.h"
  11 #include "base/logging.h"
  12 #include "base/process/internal_linux.h"
  13 #include "base/strings/string_number_conversions.h"
  14
  15 #if defined(USE_TCMALLOC)
  16 // Used by UncheckedMalloc. If tcmalloc is linked to the executable
  17 // this will be replaced by a strong symbol that actually implement
  18 // the semantics and don't call new handler in case the allocation fails.
  19 extern "C" {
  20
  21 __attribute__((weak, visibility("default")))
  22 void* tc_malloc_skip_new_handler_weak(size_t size);
  23
  24 void* tc_malloc_skip_new_handler_weak(size_t size) {
  25   return malloc(size);
  26 }
  27
  28 }
  29 #endif
  30
  31 namespace base {
  32
  33 size_t g_oom_size = 0U;
  34
  35 namespace {
  36
  37 #if !defined(OS_ANDROID)
  38 void OnNoMemorySize(size_t size) {
  39   g_oom_size = size;
  40
  41   if (size != 0)
  42     LOG(FATAL) << "Out of memory, size = " << size;
  43   LOG(FATAL) << "Out of memory.";
  44 }
  45
  46 void OnNoMemory() {
  47   OnNoMemorySize(0);
  48 }
  49 #endif  // !defined(OS_ANDROID)
  50
  51 }  // namespace
  52
  53 #if !defined(ADDRESS_SANITIZER) && !defined(MEMORY_SANITIZER) && \
  54     !defined(THREAD_SANITIZER) && !defined(LEAK_SANITIZER)
  55
  56 #if defined(LIBC_GLIBC) && !defined(USE_TCMALLOC)
  57
  58 extern "C" {
  59 void* __libc_malloc(size_t size);
  60 void* __libc_realloc(void* ptr, size_t size);
  61 void* __libc_calloc(size_t nmemb, size_t size);
  62 void* __libc_valloc(size_t size);
  63 #if PVALLOC_AVAILABLE == 1
  64 void* __libc_pvalloc(size_t size);
  65 #endif
  66 void* __libc_memalign(size_t alignment, size_t size);
  67
  68 // Overriding the system memory allocation functions:
  69 //
  70 // For security reasons, we want malloc failures to be fatal. Too much code
  71 // doesn't check for a NULL return value from malloc and unconditionally uses
  72 // the resulting pointer. If the first offset that they try to access is
  73 // attacker controlled, then the attacker can direct the code to access any
  74 // part of memory.
  75 //
  76 // Thus, we define all the standard malloc functions here and mark them as
  77 // visibility 'default'. This means that they replace the malloc functions for
  78 // all Chromium code and also for all code in shared libraries. There are tests
  79 // for this in process_util_unittest.cc.
  80 //
  81 // If we are using tcmalloc, then the problem is moot since tcmalloc handles
  82 // this for us. Thus this code is in a !defined(USE_TCMALLOC) block.
  83 //
  84 // If we are testing the binary with AddressSanitizer, we should not
  85 // redefine malloc and let AddressSanitizer do it instead.
  86 //
  87 // We call the real libc functions in this code by using __libc_malloc etc.
  88 // Previously we tried using dlsym(RTLD_NEXT, ...) but that failed depending on
  89 // the link order. Since ld.so needs calloc during symbol resolution, it
  90 // defines its own versions of several of these functions in dl-minimal.c.
  91 // Depending on the runtime library order, dlsym ended up giving us those
  92 // functions and bad things happened. See crbug.com/31809
  93 //
  94 // This means that any code which calls __libc_* gets the raw libc versions of
  95 // these functions.
  96
  97 #define DIE_ON_OOM_1(function_name) \
  98   void* function_name(size_t) __attribute__ ((visibility("default"))); \
  99   \
 100   void* function_name(size_t size) { \
 101     void* ret = __libc_##function_name(size); \
 102     if (ret == NULL && size != 0) \
 103       OnNoMemorySize(size); \
 104     return ret; \
 105   }
 106
 107 #define DIE_ON_OOM_2(function_name, arg1_type) \
 108   void* function_name(arg1_type, size_t) \
 109       __attribute__ ((visibility("default"))); \
 110   \
 111   void* function_name(arg1_type arg1, size_t size) { \
 112     void* ret = __libc_##function_name(arg1, size); \
 113     if (ret == NULL && size != 0) \
 114       OnNoMemorySize(size); \
 115     return ret; \
 116   }
 117
 118 DIE_ON_OOM_1(malloc)
 119 DIE_ON_OOM_1(valloc)
 120 #if PVALLOC_AVAILABLE == 1
 121 DIE_ON_OOM_1(pvalloc)
 122 #endif
 123
 124 DIE_ON_OOM_2(calloc, size_t)
 125 DIE_ON_OOM_2(realloc, void*)
 126 DIE_ON_OOM_2(memalign, size_t)
 127
 128 // posix_memalign has a unique signature and doesn't have a __libc_ variant.
 129 int posix_memalign(void** ptr, size_t alignment, size_t size)
 130     __attribute__ ((visibility("default")));
 131
 132 int posix_memalign(void** ptr, size_t alignment, size_t size) {
 133   // This will use the safe version of memalign, above.
 134   *ptr = memalign(alignment, size);
 135   return 0;
 136 }
 137
 138 }  // extern C
 139
 140 #else
 141
 142 // TODO(mostynb@opera.com): dlsym dance
 143
 144 #endif  // LIBC_GLIBC && !USE_TCMALLOC
 145
 146 #endif  // !*_SANITIZER
 147
 148 void EnableTerminationOnHeapCorruption() {
 149   // On Linux, there nothing to do AFAIK.
 150 }
 151
 152 void EnableTerminationOnOutOfMemory() {
 153 #if defined(OS_ANDROID)
 154   // Android doesn't support setting a new handler.
 155   DLOG(WARNING) << "Not feasible.";
 156 #else
 157   // Set the new-out of memory handler.
 158   std::set_new_handler(&OnNoMemory);
 159   // If we're using glibc's allocator, the above functions will override
 160   // malloc and friends and make them die on out of memory.
 161 #endif
 162 }
 163
 164 // NOTE: This is not the only version of this function in the source:
 165 // the setuid sandbox (in process_util_linux.c, in the sandbox source)
 166 // also has its own C version.
 167 bool AdjustOOMScore(ProcessId process, int score) {
 168   if (score < 0 || score > kMaxOomScore)
 169     return false;
 170
 171   FilePath oom_path(internal::GetProcPidDir(process));
 172
 173   // Attempt to write the newer oom_score_adj file first.
 174   FilePath oom_file = oom_path.AppendASCII("oom_score_adj");
 175   if (PathExists(oom_file)) {
 176     std::string score_str = IntToString(score);
 177     DVLOG(1) << "Adjusting oom_score_adj of " << process << " to "
 178              << score_str;
 179     int score_len = static_cast<int>(score_str.length());
 180     return (score_len == WriteFile(oom_file, score_str.c_str(), score_len));
 181   }
 182
 183   // If the oom_score_adj file doesn't exist, then we write the old
 184   // style file and translate the oom_adj score to the range 0-15.
 185   oom_file = oom_path.AppendASCII("oom_adj");
 186   if (PathExists(oom_file)) {
 187     // Max score for the old oom_adj range.  Used for conversion of new
 188     // values to old values.
 189     const int kMaxOldOomScore = 15;
 190
 191     int converted_score = score * kMaxOldOomScore / kMaxOomScore;
 192     std::string score_str = IntToString(converted_score);
 193     DVLOG(1) << "Adjusting oom_adj of " << process << " to " << score_str;
 194     int score_len = static_cast<int>(score_str.length());
 195     return (score_len == WriteFile(oom_file, score_str.c_str(), score_len));
 196   }
 197
 198   return false;
 199 }
 200
 201 bool UncheckedMalloc(size_t size, void** result) {
 202 #if defined(MEMORY_TOOL_REPLACES_ALLOCATOR) || \
 203     (!defined(LIBC_GLIBC) && !defined(USE_TCMALLOC))
 204   *result = malloc(size);
 205 #elif defined(LIBC_GLIBC) && !defined(USE_TCMALLOC)
 206   *result = __libc_malloc(size);
 207 #elif defined(USE_TCMALLOC)
 208   *result = tc_malloc_skip_new_handler_weak(size);
 209 #endif
 210   return *result != NULL;
 211 }
 212
 213 }  // namespace base