dummy malloc doesn't free and all allocations are in freshly sbrk()'d memory, which already zero. Signed-off-by: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx> --- common/calloc.c | 7 +++---- common/dlmalloc.c | 7 +++++++ common/tlsf.c | 6 ++++++ include/malloc.h | 10 ++++++++++ lib/Kconfig.hardening | 23 +++++++++++++++++++++++ 5 files changed, 49 insertions(+), 4 deletions(-) diff --git a/common/calloc.c b/common/calloc.c index 12f18474a4c8..17cbd9beefee 100644 --- a/common/calloc.c +++ b/common/calloc.c @@ -2,6 +2,7 @@ #include <common.h> #include <malloc.h> +#include <memory.h> #include <linux/overflow.h> /* @@ -12,10 +13,8 @@ void *calloc(size_t n, size_t elem_size) size_t size = size_mul(elem_size, n); void *r = malloc(size); - if (!r) - return r; - - memset(r, 0x0, size); + if (r && !want_init_on_alloc()) + memset(r, 0x0, size); return r; } diff --git a/common/dlmalloc.c b/common/dlmalloc.c index 821a193af6bc..731c46b584b0 100644 --- a/common/dlmalloc.c +++ b/common/dlmalloc.c @@ -7,6 +7,7 @@ #include <dlmalloc.h> #include <linux/overflow.h> #include <linux/build_bug.h> +#include <linux/compiler.h> #include <stdio.h> #include <module.h> @@ -1368,6 +1369,8 @@ void dlfree(void *mem) p = mem2chunk(mem); hd = p->size; + if (want_init_on_free()) + memzero_explicit(mem, chunksize(p)); sz = hd & ~PREV_INUSE; next = chunk_at_offset(p, sz); @@ -1952,7 +1955,11 @@ void malloc_stats(void) */ #ifdef CONFIG_MALLOC_DLMALLOC +#ifdef CONFIG_INIT_ON_ALLOC_DEFAULT_ON +void *malloc(size_t bytes) { return dlcalloc(1, bytes); } +#else void *malloc(size_t) __alias(dlmalloc); +#endif EXPORT_SYMBOL(malloc); void *calloc(size_t, size_t) __alias(dlcalloc); EXPORT_SYMBOL(calloc); diff --git a/common/tlsf.c b/common/tlsf.c index ba2ed367c0b9..4cd90e150de2 100644 --- a/common/tlsf.c +++ b/common/tlsf.c @@ -3,6 +3,7 @@ #include <stdio.h> #include <stdlib.h> #include <string.h> +#include <malloc.h> #include <tlsf.h> #include "tlsfbits.h" #include <linux/kasan.h> @@ -615,6 +616,9 @@ static void* block_prepare_used(control_t* control, block_header_t* block, kasan_poison_shadow(&block->size, size + 2 * sizeof(size_t), KASAN_KMALLOC_REDZONE); kasan_unpoison_shadow(p, used); + + if (want_init_on_alloc()) + memzero_explicit(p, size); } return p; } @@ -1023,6 +1027,8 @@ void tlsf_free(tlsf_t tlsf, void* ptr) control_t* control = tlsf_cast(control_t*, tlsf); block_header_t* block = block_from_ptr(ptr); tlsf_assert(!block_is_free(block) && "block already marked as free"); + if (want_init_on_free()) + memzero_explicit(ptr, block_size(block)); kasan_poison_shadow(ptr, block_size(block), 0xff); block_mark_as_free(block); block = block_merge_prev(control, block); diff --git a/include/malloc.h b/include/malloc.h index a823ce8c8462..7bee03dab236 100644 --- a/include/malloc.h +++ b/include/malloc.h @@ -54,4 +54,14 @@ static inline int mem_malloc_is_initialized(void) } #endif +static inline bool want_init_on_alloc(void) +{ + return IS_ENABLED(CONFIG_INIT_ON_ALLOC_DEFAULT_ON); +} + +static inline bool want_init_on_free(void) +{ + return IS_ENABLED(CONFIG_INIT_ON_FREE_DEFAULT_ON); +} + #endif /* __MALLOC_H */ diff --git a/lib/Kconfig.hardening b/lib/Kconfig.hardening index 28be42a27465..7a177840a5a1 100644 --- a/lib/Kconfig.hardening +++ b/lib/Kconfig.hardening @@ -10,6 +10,29 @@ config BUG_ON_DATA_CORRUPTION If unsure, say N. +menu "Memory initialization" + +config INIT_ON_ALLOC_DEFAULT_ON + bool "Enable heap memory zeroing on allocation by default" + depends on !MALLOC_LIBC + help + When this is enabled, all allocator memory will be zeroed + when allocated, eliminating many kinds of "uninitialized + heap memory" flaws, especially heap content exposures. + +config INIT_ON_FREE_DEFAULT_ON + bool "Enable heap memory zeroing on free by default" + depends on !MALLOC_DUMMY && !MALLOC_LIBC + help + When this is enabled, all allocator memory will be zeroed + when freed, eliminating many kinds of "uninitialized heap memory" + flaws, especially heap content exposures. The primary difference + is that data lifetime in memory is reduced, as anything freed is + wiped immediately, making live forensics or cold boot memory + attacks unable to recover freed memory contents. + +endmenu + config STACK_GUARD_PAGE bool "Place guard page to catch stack overflows" depends on ARM && MMU -- 2.39.5