1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
|
// Copyright (c) 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "base/process/memory.h"
#include <stddef.h>
#include <new>
#include "base/allocator/allocator_shim.h"
#include "base/allocator/features.h"
#include "base/files/file_path.h"
#include "base/files/file_util.h"
#include "base/logging.h"
#include "base/process/internal_linux.h"
#include "base/strings/string_number_conversions.h"
#include "build/build_config.h"
#if defined(USE_TCMALLOC)
#include "third_party/tcmalloc/chromium/src/gperftools/tcmalloc.h"
#endif
namespace base {
size_t g_oom_size = 0U;
namespace {
void OnNoMemorySize(size_t size) {
g_oom_size = size;
if (size != 0)
LOG(FATAL) << "Out of memory, size = " << size;
LOG(FATAL) << "Out of memory.";
}
void OnNoMemory() {
OnNoMemorySize(0);
}
} // namespace
// TODO(primiano): Once the unified shim is on by default (crbug.com/550886)
// get rid of the code in this entire #if section. The whole termination-on-OOM
// logic is implemented in the shim.
#if !defined(ADDRESS_SANITIZER) && !defined(MEMORY_SANITIZER) && \
!defined(THREAD_SANITIZER) && !defined(LEAK_SANITIZER) && \
!BUILDFLAG(USE_EXPERIMENTAL_ALLOCATOR_SHIM)
#if defined(LIBC_GLIBC) && !defined(USE_TCMALLOC)
extern "C" {
void* __libc_malloc(size_t size);
void* __libc_realloc(void* ptr, size_t size);
void* __libc_calloc(size_t nmemb, size_t size);
void* __libc_valloc(size_t size);
#if PVALLOC_AVAILABLE == 1
void* __libc_pvalloc(size_t size);
#endif
void* __libc_memalign(size_t alignment, size_t size);
#if !defined(TOOLKIT_QT) // QTBUG-61521,QTBUG-60565
// Overriding the system memory allocation functions:
//
// For security reasons, we want malloc failures to be fatal. Too much code
// doesn't check for a NULL return value from malloc and unconditionally uses
// the resulting pointer. If the first offset that they try to access is
// attacker controlled, then the attacker can direct the code to access any
// part of memory.
//
// Thus, we define all the standard malloc functions here and mark them as
// visibility 'default'. This means that they replace the malloc functions for
// all Chromium code and also for all code in shared libraries. There are tests
// for this in process_util_unittest.cc.
//
// If we are using tcmalloc, then the problem is moot since tcmalloc handles
// this for us. Thus this code is in a !defined(USE_TCMALLOC) block.
//
// If we are testing the binary with AddressSanitizer, we should not
// redefine malloc and let AddressSanitizer do it instead.
//
// We call the real libc functions in this code by using __libc_malloc etc.
// Previously we tried using dlsym(RTLD_NEXT, ...) but that failed depending on
// the link order. Since ld.so needs calloc during symbol resolution, it
// defines its own versions of several of these functions in dl-minimal.c.
// Depending on the runtime library order, dlsym ended up giving us those
// functions and bad things happened. See crbug.com/31809
//
// This means that any code which calls __libc_* gets the raw libc versions of
// these functions.
#define DIE_ON_OOM_1(function_name) \
void* function_name(size_t) __attribute__ ((visibility("default"))); \
\
void* function_name(size_t size) { \
void* ret = __libc_##function_name(size); \
if (ret == NULL && size != 0) \
OnNoMemorySize(size); \
return ret; \
}
#define DIE_ON_OOM_2(function_name, arg1_type) \
void* function_name(arg1_type, size_t) \
__attribute__ ((visibility("default"))); \
\
void* function_name(arg1_type arg1, size_t size) { \
void* ret = __libc_##function_name(arg1, size); \
if (ret == NULL && size != 0) \
OnNoMemorySize(size); \
return ret; \
}
DIE_ON_OOM_1(malloc)
DIE_ON_OOM_1(valloc)
#if PVALLOC_AVAILABLE == 1
DIE_ON_OOM_1(pvalloc)
#endif
DIE_ON_OOM_2(calloc, size_t)
DIE_ON_OOM_2(realloc, void*)
DIE_ON_OOM_2(memalign, size_t)
// posix_memalign has a unique signature and doesn't have a __libc_ variant.
int posix_memalign(void** ptr, size_t alignment, size_t size)
__attribute__ ((visibility("default")));
int posix_memalign(void** ptr, size_t alignment, size_t size) {
// This will use the safe version of memalign, above.
*ptr = memalign(alignment, size);
return 0;
}
#endif // TOOLKIT_QT
} // extern C
#else
// TODO(mostynb@opera.com): dlsym dance
#endif // LIBC_GLIBC && !USE_TCMALLOC
#endif // !*_SANITIZER
void EnableTerminationOnHeapCorruption() {
// On Linux, there nothing to do AFAIK.
}
void EnableTerminationOnOutOfMemory() {
// Set the new-out of memory handler.
std::set_new_handler(&OnNoMemory);
// If we're using glibc's allocator, the above functions will override
// malloc and friends and make them die on out of memory.
#if BUILDFLAG(USE_EXPERIMENTAL_ALLOCATOR_SHIM)
allocator::SetCallNewHandlerOnMallocFailure(true);
#elif defined(USE_TCMALLOC)
// For tcmalloc, we need to tell it to behave like new.
tc_set_new_mode(1);
#endif
}
// NOTE: This is not the only version of this function in the source:
// the setuid sandbox (in process_util_linux.c, in the sandbox source)
// also has its own C version.
bool AdjustOOMScore(ProcessId process, int score) {
if (score < 0 || score > kMaxOomScore)
return false;
FilePath oom_path(internal::GetProcPidDir(process));
// Attempt to write the newer oom_score_adj file first.
FilePath oom_file = oom_path.AppendASCII("oom_score_adj");
if (PathExists(oom_file)) {
std::string score_str = IntToString(score);
DVLOG(1) << "Adjusting oom_score_adj of " << process << " to "
<< score_str;
int score_len = static_cast<int>(score_str.length());
return (score_len == WriteFile(oom_file, score_str.c_str(), score_len));
}
// If the oom_score_adj file doesn't exist, then we write the old
// style file and translate the oom_adj score to the range 0-15.
oom_file = oom_path.AppendASCII("oom_adj");
if (PathExists(oom_file)) {
// Max score for the old oom_adj range. Used for conversion of new
// values to old values.
const int kMaxOldOomScore = 15;
int converted_score = score * kMaxOldOomScore / kMaxOomScore;
std::string score_str = IntToString(converted_score);
DVLOG(1) << "Adjusting oom_adj of " << process << " to " << score_str;
int score_len = static_cast<int>(score_str.length());
return (score_len == WriteFile(oom_file, score_str.c_str(), score_len));
}
return false;
}
bool UncheckedMalloc(size_t size, void** result) {
#if BUILDFLAG(USE_EXPERIMENTAL_ALLOCATOR_SHIM)
*result = allocator::UncheckedAlloc(size);
#elif defined(MEMORY_TOOL_REPLACES_ALLOCATOR) || \
(!defined(LIBC_GLIBC) && !defined(USE_TCMALLOC))
*result = malloc(size);
#elif defined(LIBC_GLIBC) && !defined(USE_TCMALLOC)
*result = __libc_malloc(size);
#elif defined(USE_TCMALLOC)
*result = tc_malloc_skip_new_handler(size);
#endif
return *result != NULL;
}
} // namespace base
|
