1// Copyright (c) 2013 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "base/process/memory.h"
6
7#include <new>
8
9#include "base/files/file_path.h"
10#include "base/files/file_util.h"
11#include "base/logging.h"
12#include "base/process/internal_linux.h"
13#include "base/strings/string_number_conversions.h"
14
15#if defined(USE_TCMALLOC)
16// Used by UncheckedMalloc. If tcmalloc is linked to the executable
17// this will be replaced by a strong symbol that actually implement
18// the semantics and don't call new handler in case the allocation fails.
19extern "C" {
20
21__attribute__((weak, visibility("default")))
22void* tc_malloc_skip_new_handler_weak(size_t size);
23
24void* tc_malloc_skip_new_handler_weak(size_t size) {
25  return malloc(size);
26}
27
28}
29#endif
30
31namespace base {
32
33size_t g_oom_size = 0U;
34
35namespace {
36
37#if !defined(OS_ANDROID)
38void OnNoMemorySize(size_t size) {
39  g_oom_size = size;
40
41  if (size != 0)
42    LOG(FATAL) << "Out of memory, size = " << size;
43  LOG(FATAL) << "Out of memory.";
44}
45
46void OnNoMemory() {
47  OnNoMemorySize(0);
48}
49#endif  // !defined(OS_ANDROID)
50
51}  // namespace
52
53#if !defined(ADDRESS_SANITIZER) && !defined(MEMORY_SANITIZER) && \
54    !defined(THREAD_SANITIZER) && !defined(LEAK_SANITIZER)
55
56#if defined(LIBC_GLIBC) && !defined(USE_TCMALLOC)
57
58extern "C" {
59void* __libc_malloc(size_t size);
60void* __libc_realloc(void* ptr, size_t size);
61void* __libc_calloc(size_t nmemb, size_t size);
62void* __libc_valloc(size_t size);
63#if PVALLOC_AVAILABLE == 1
64void* __libc_pvalloc(size_t size);
65#endif
66void* __libc_memalign(size_t alignment, size_t size);
67
68// Overriding the system memory allocation functions:
69//
70// For security reasons, we want malloc failures to be fatal. Too much code
71// doesn't check for a NULL return value from malloc and unconditionally uses
72// the resulting pointer. If the first offset that they try to access is
73// attacker controlled, then the attacker can direct the code to access any
74// part of memory.
75//
76// Thus, we define all the standard malloc functions here and mark them as
77// visibility 'default'. This means that they replace the malloc functions for
78// all Chromium code and also for all code in shared libraries. There are tests
79// for this in process_util_unittest.cc.
80//
81// If we are using tcmalloc, then the problem is moot since tcmalloc handles
82// this for us. Thus this code is in a !defined(USE_TCMALLOC) block.
83//
84// If we are testing the binary with AddressSanitizer, we should not
85// redefine malloc and let AddressSanitizer do it instead.
86//
87// We call the real libc functions in this code by using __libc_malloc etc.
88// Previously we tried using dlsym(RTLD_NEXT, ...) but that failed depending on
89// the link order. Since ld.so needs calloc during symbol resolution, it
90// defines its own versions of several of these functions in dl-minimal.c.
91// Depending on the runtime library order, dlsym ended up giving us those
92// functions and bad things happened. See crbug.com/31809
93//
94// This means that any code which calls __libc_* gets the raw libc versions of
95// these functions.
96
97#define DIE_ON_OOM_1(function_name) \
98  void* function_name(size_t) __attribute__ ((visibility("default"))); \
99  \
100  void* function_name(size_t size) { \
101    void* ret = __libc_##function_name(size); \
102    if (ret == NULL && size != 0) \
103      OnNoMemorySize(size); \
104    return ret; \
105  }
106
107#define DIE_ON_OOM_2(function_name, arg1_type) \
108  void* function_name(arg1_type, size_t) \
109      __attribute__ ((visibility("default"))); \
110  \
111  void* function_name(arg1_type arg1, size_t size) { \
112    void* ret = __libc_##function_name(arg1, size); \
113    if (ret == NULL && size != 0) \
114      OnNoMemorySize(size); \
115    return ret; \
116  }
117
118DIE_ON_OOM_1(malloc)
119DIE_ON_OOM_1(valloc)
120#if PVALLOC_AVAILABLE == 1
121DIE_ON_OOM_1(pvalloc)
122#endif
123
124DIE_ON_OOM_2(calloc, size_t)
125DIE_ON_OOM_2(realloc, void*)
126DIE_ON_OOM_2(memalign, size_t)
127
128// posix_memalign has a unique signature and doesn't have a __libc_ variant.
129int posix_memalign(void** ptr, size_t alignment, size_t size)
130    __attribute__ ((visibility("default")));
131
132int posix_memalign(void** ptr, size_t alignment, size_t size) {
133  // This will use the safe version of memalign, above.
134  *ptr = memalign(alignment, size);
135  return 0;
136}
137
138}  // extern C
139
140#else
141
142// TODO(mostynb@opera.com): dlsym dance
143
144#endif  // LIBC_GLIBC && !USE_TCMALLOC
145
146#endif  // !*_SANITIZER
147
148void EnableTerminationOnHeapCorruption() {
149  // On Linux, there nothing to do AFAIK.
150}
151
152void EnableTerminationOnOutOfMemory() {
153#if defined(OS_ANDROID)
154  // Android doesn't support setting a new handler.
155  DLOG(WARNING) << "Not feasible.";
156#else
157  // Set the new-out of memory handler.
158  std::set_new_handler(&OnNoMemory);
159  // If we're using glibc's allocator, the above functions will override
160  // malloc and friends and make them die on out of memory.
161#endif
162}
163
164// NOTE: This is not the only version of this function in the source:
165// the setuid sandbox (in process_util_linux.c, in the sandbox source)
166// also has its own C version.
167bool AdjustOOMScore(ProcessId process, int score) {
168  if (score < 0 || score > kMaxOomScore)
169    return false;
170
171  FilePath oom_path(internal::GetProcPidDir(process));
172
173  // Attempt to write the newer oom_score_adj file first.
174  FilePath oom_file = oom_path.AppendASCII("oom_score_adj");
175  if (PathExists(oom_file)) {
176    std::string score_str = IntToString(score);
177    DVLOG(1) << "Adjusting oom_score_adj of " << process << " to "
178             << score_str;
179    int score_len = static_cast<int>(score_str.length());
180    return (score_len == WriteFile(oom_file, score_str.c_str(), score_len));
181  }
182
183  // If the oom_score_adj file doesn't exist, then we write the old
184  // style file and translate the oom_adj score to the range 0-15.
185  oom_file = oom_path.AppendASCII("oom_adj");
186  if (PathExists(oom_file)) {
187    // Max score for the old oom_adj range.  Used for conversion of new
188    // values to old values.
189    const int kMaxOldOomScore = 15;
190
191    int converted_score = score * kMaxOldOomScore / kMaxOomScore;
192    std::string score_str = IntToString(converted_score);
193    DVLOG(1) << "Adjusting oom_adj of " << process << " to " << score_str;
194    int score_len = static_cast<int>(score_str.length());
195    return (score_len == WriteFile(oom_file, score_str.c_str(), score_len));
196  }
197
198  return false;
199}
200
201bool UncheckedMalloc(size_t size, void** result) {
202#if defined(MEMORY_TOOL_REPLACES_ALLOCATOR) || \
203    (!defined(LIBC_GLIBC) && !defined(USE_TCMALLOC))
204  *result = malloc(size);
205#elif defined(LIBC_GLIBC) && !defined(USE_TCMALLOC)
206  *result = __libc_malloc(size);
207#elif defined(USE_TCMALLOC)
208  *result = tc_malloc_skip_new_handler_weak(size);
209#endif
210  return *result != NULL;
211}
212
213}  // namespace base
214