[Xen-devel] [PATCH 3/3] xmalloc: add a Kconfig option to poison free pool memory
This patch adds POOL_POISON to the Kconfig DEBUG options. If set, free
blocks (greater than MIN_BLOCK_SIZE) will be poisoned with 0xAA bytes
which will then be verified when memory is subsequently allocated. This
can help in spotting heap corruption, particularly use-after-free.
Signed-off-by: Paul Durrant <paul.durrant@xxxxxxxxxx>
---
Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Cc: George Dunlap <George.Dunlap@xxxxxxxxxxxxx>
Cc: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
Cc: Jan Beulich <jbeulich@xxxxxxxx>
Cc: Julien Grall <julien.grall@xxxxxxx>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>
Cc: Tim Deegan <tim@xxxxxxx>
Cc: Wei Liu <wl@xxxxxxx>
---
xen/Kconfig.debug | 7 +++++++
xen/common/xmalloc_tlsf.c | 13 +++++++++++++
2 files changed, 20 insertions(+)
diff --git a/xen/Kconfig.debug b/xen/Kconfig.debug
index daacf85141..4f18a1144e 100644
--- a/xen/Kconfig.debug
+++ b/xen/Kconfig.debug
@@ -105,6 +105,13 @@ config DEBUG_TRACE
either directly to the console or are printed to console in case of
a system crash.
+config POOL_POISON
+ bool "Poison free xenpool blocks"
+ default DEBUG
+ ---help---
+ Poison free blocks with 0xAA bytes and verify them when a block is
+ allocated in order to spot use-after-free issues.
+
endif # DEBUG || EXPERT
endmenu
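Review bot: POOL_POISON sits inside the `DEBUG || EXPERT` block with `default DEBUG`, so it can be enabled in an EXPERT build without DEBUG, yet the only verification is the `ASSERT(b->ptr.buffer[i] == 0xAA)` loop added to EXTRACT_BLOCK in xmalloc_tlsf.c. If ASSERT() compiles to nothing in non-debug builds (the usual arrangement, not visible on this page), that configuration pays for the memset in INSERT_BLOCK and detects nothing. Either restrict the option with `depends on DEBUG`, or make the check independent of ASSERT, e.g. `if ( b->ptr.buffer[i] != 0xAA ) BUG();`. The help text could also state that the first MIN_BLOCK_SIZE bytes of each free block are not covered.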
diff --git a/xen/common/xmalloc_tlsf.c b/xen/common/xmalloc_tlsf.c
index 71597c3590..a12dbc8e11 100644
--- a/xen/common/xmalloc_tlsf.c
+++ b/xen/common/xmalloc_tlsf.c
@@ -223,6 +223,10 @@ static inline void EXTRACT_BLOCK_HDR(struct bhdr *b,
struct xmem_pool *p, int fl
static inline void EXTRACT_BLOCK(struct bhdr *b, struct xmem_pool *p, int fl,
int sl)
{
+#ifdef CONFIG_POOL_POISON
+ unsigned int i;
+#endif /* CONFIG_POOL_POISON */
+
if ( b->ptr.free_ptr.next )
b->ptr.free_ptr.next->ptr.free_ptr.prev =
b->ptr.free_ptr.prev;
@@ -240,6 +244,10 @@ static inline void EXTRACT_BLOCK(struct bhdr *b, struct
xmem_pool *p, int fl,
}
}
b->ptr.free_ptr = (struct free_ptr) {NULL, NULL};
+#ifdef CONFIG_POOL_POISON
+ for ( i = MIN_BLOCK_SIZE; i < (b->size & BLOCK_SIZE_MASK); i++ )
+ ASSERT(b->ptr.buffer[i] == 0xAA);
+#endif /* CONFIG_POOL_POISON */
}
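Review bot: The poison check is added only to EXTRACT_BLOCK, while the first hunk header shows a separate EXTRACT_BLOCK_HDR helper that this patch leaves untouched. If the allocation path takes blocks off the free list through EXTRACT_BLOCK_HDR (its callers are outside this diff, so this needs confirming), the "verified when memory is subsequently allocated" behaviour from the commit message will not happen there, and a use-after-free write would only be noticed when the block is later unlinked through EXTRACT_BLOCK. Moving the loop into a small static helper called from both extraction functions would close that gap. A bare ASSERT also gives no hint of which block or offset was damaged; logging `b` and `i` before stopping would make a hit much easier to triage.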
/**
@@ -247,6 +255,11 @@ static inline void EXTRACT_BLOCK(struct bhdr *b, struct
xmem_pool *p, int fl,
*/
static inline void INSERT_BLOCK(struct bhdr *b, struct xmem_pool *p, int fl,
int sl)
{
+#ifdef CONFIG_POOL_POISON
+ if ( (b->size & BLOCK_SIZE_MASK) > MIN_BLOCK_SIZE )
+ memset(b->ptr.buffer + MIN_BLOCK_SIZE, 0xAA,
+ (b->size & BLOCK_SIZE_MASK) - MIN_BLOCK_SIZE);
+#endif /* CONFIG_POOL_POISON */
b->ptr.free_ptr = (struct free_ptr) {NULL, p->matrix[fl][sl]};
if ( p->matrix[fl][sl] )
p->matrix[fl][sl]->ptr.free_ptr.prev = b;
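Review bot: The poison value `0xAA` is a bare literal here and again in the EXTRACT_BLOCK check, so the fill and the verification can drift apart silently; one `#define POISON_BYTE 0xAA` used by both would keep them in step. The start offset also deserves a comment such as `/* Bytes below MIN_BLOCK_SIZE are presumably reused for free_ptr, so poisoning starts after them. */`, since it means stale writes into the leading bytes of a freed block land on the list pointers rather than on poison and are not caught by this check. INSERT_BLOCK's body continues outside the hunk.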
--
2.20.1.2.gb21ebb671