Module Name:    src
Committed By:   maxv
Date:           Mon Mar 18 20:34:48 UTC 2019

Modified Files:
        src/sys/kern: subr_pool.c

Log Message:
Kernel Heap Hardening: manage freed items with bitmaps rather than linked
lists when we're on-page and the page header is naturally big enough to
contain a bitmap.

This comes with no increase in memory consumption, and similar CPU cost
(maybe it's a little faster actually).

We want to favor bitmaps over linked lists, because linked lists install
kernel pointers inside the items, and this can be too easily exploitable
in use-after-free or double-free conditions, or in item buffer overflows
occurring within a pool page.
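To make concrete why the commit message favours bitmaps, here is an added example (it is not NetBSD code and not part of this commit): a toy page allocator with both free-item strategies side by side. Every name in it (toy_pool, toy_alloc, toy_free, demo_uaf_redirect, demo_double_free), the header layout and the 4096/64 sizes are hypothetical. With the linked-list strategy the next-free link lives in the first word of each freed item, so a use-after-free write into that word (an overflow from the neighbouring item lands the same way) makes the allocator hand out an attacker-chosen address, and freeing the same item twice makes it hand out the same address twice. With the bitmap strategy the item body carries no allocator metadata, so the same writes change nothing about where memory is handed out, and the double free is detected by the bit already being set.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SZ 4096
#define ITEM_SZ 64
#define NITEMS  ((PAGE_SZ - ITEM_SZ) / ITEM_SZ)  /* 63 items; slot 0 holds the header */

/* Hypothetical on-page header; not NetBSD's struct pool_item_header. */
struct page_hdr {
    void    *freelist;   /* list mode: head of a free list threaded through the items */
    uint64_t bitmap;     /* bitmap mode: bit i set means item i is free */
};
struct toy_pool { uint8_t *page; int use_bitmap; };

static uint8_t *item_addr(const struct toy_pool *p, size_t i) { return p->page + ITEM_SZ * (i + 1); }
static struct page_hdr *hdr(const struct toy_pool *p) { return (struct page_hdr *)p->page; }
static int in_page(const struct toy_pool *p, const void *q) { return (uintptr_t)q - (uintptr_t)p->page < PAGE_SZ; }

/* Returns -1 when bitmap mode detects a double free; list mode cannot tell. */
int toy_free(struct toy_pool *p, void *item)
{
    struct page_hdr *h = hdr(p);
    if (!p->use_bitmap) {   /* list mode keeps the next-free link inside the item itself */
        memcpy(item, &h->freelist, sizeof(h->freelist));
        h->freelist = item;
        return 0;
    }
    size_t i = ((uint8_t *)item - item_addr(p, 0)) / ITEM_SZ;
    if (h->bitmap & (1ULL << i))
        return -1;          /* bit already set: the item was not allocated */
    h->bitmap |= 1ULL << i;
    return 0;
}

void *toy_alloc(struct toy_pool *p)
{
    struct page_hdr *h = hdr(p);
    if (!p->use_bitmap) {
        void *item = h->freelist;
        if (item != NULL)   /* the next head is whatever the freed item holds */
            memcpy(&h->freelist, item, sizeof(h->freelist));
        return item;
    }
    if (h->bitmap == 0)
        return NULL;
    int i = __builtin_ctzll(h->bitmap);   /* lowest-numbered free item */
    h->bitmap &= ~(1ULL << i);
    return item_addr(p, i);
}

int toy_pool_init(struct toy_pool *p, int use_bitmap)
{
    if ((p->page = calloc(1, PAGE_SZ)) == NULL)
        return -1;
    p->use_bitmap = use_bitmap;
    if (use_bitmap)
        hdr(p)->bitmap = (1ULL << NITEMS) - 1;   /* every item starts out free */
    else
        for (size_t i = NITEMS; i-- > 0; )        /* push every item onto the list */
            toy_free(p, item_addr(p, i));
    return 0;
}

/* Use-after-free: free an item, write a pointer into it through the dangling
 * reference, then allocate twice. Returns 1 if the second allocation lies outside
 * the pool page, i.e. whoever wrote the freed item chose where memory is handed out. */
int demo_uaf_redirect(int use_bitmap)
{
    static uint8_t target[ITEM_SZ];   /* stands in for an attacker-chosen address */
    struct toy_pool p;
    void *a, *tp = target, *second;
    if (toy_pool_init(&p, use_bitmap) != 0)
        return -1;
    a = toy_alloc(&p);
    toy_free(&p, a);
    memcpy(a, &tp, sizeof(tp));   /* the UAF write; an overflow from the neighbouring item lands the same way */
    (void)toy_alloc(&p);          /* hands a back out in both modes */
    second = toy_alloc(&p);
    int escaped = second != NULL && !in_page(&p, second);
    free(p.page);
    return escaped;
}

/* Double free: free one item twice, allocate twice. Returns 1 if the same address came back twice. */
int demo_double_free(int use_bitmap)
{
    struct toy_pool p;
    void *a;
    if (toy_pool_init(&p, use_bitmap) != 0)
        return -1;
    a = toy_alloc(&p);
    toy_free(&p, a);
    toy_free(&p, a);   /* bitmap mode returns -1 here; list mode links a to itself */
    void *x = toy_alloc(&p), *y = toy_alloc(&p);
    int dup = (x == y);
    free(p.page);
    return dup;
}
```

demo_uaf_redirect(0) and demo_double_free(0) (linked list) both return 1, the bitmap variants return 0. The toy mirrors only the reasoning in the commit message, not the real layout of NetBSD's pool_item_header or its ph_bitmap handling; in the real pool the bitmap lives in the page header and the freed item's bytes are never interpreted by the allocator, which is the whole point.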


To generate a diff of this commit:
cvs rdiff -u -r1.242 -r1.243 src/sys/kern/subr_pool.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/subr_pool.c
diff -u src/sys/kern/subr_pool.c:1.242 src/sys/kern/subr_pool.c:1.243
--- src/sys/kern/subr_pool.c:1.242	Sun Mar 17 19:57:54 2019
+++ src/sys/kern/subr_pool.c	Mon Mar 18 20:34:48 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: subr_pool.c,v 1.242 2019/03/17 19:57:54 maxv Exp $	*/
+/*	$NetBSD: subr_pool.c,v 1.243 2019/03/18 20:34:48 maxv Exp $	*/
 
 /*
  * Copyright (c) 1997, 1999, 2000, 2002, 2007, 2008, 2010, 2014, 2015, 2018
@@ -33,7 +33,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: subr_pool.c,v 1.242 2019/03/17 19:57:54 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: subr_pool.c,v 1.243 2019/03/18 20:34:48 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_ddb.h"
@@ -601,10 +601,26 @@ pool_init_is_phinpage(const struct pool 
 static inline bool
 pool_init_is_usebmap(const struct pool *pp)
 {
+	size_t bmapsize;
+
 	if (pp->pr_roflags & PR_NOTOUCH) {
 		return true;
 	}
 
+	/*
+	 * If we're on-page, and the page header can already contain a bitmap
+	 * big enough to cover all the items of the page, go with a bitmap.
+	 */
+	if (!(pp->pr_roflags & PR_PHINPAGE)) {
+		return false;
+	}
+	bmapsize = roundup(PHSIZE, pp->pr_align) -
+	    offsetof(struct pool_item_header, ph_bitmap[0]);
+	KASSERT(bmapsize % sizeof(pool_item_bitmap_t) == 0);
+	if (pp->pr_itemsperpage <= bmapsize * CHAR_BIT) {
+		return true;
+	}
+
 	return false;
 }
 
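Review bot: pool_init_is_usebmap() now reads pp->pr_itemsperpage in the `pp->pr_itemsperpage <= bmapsize * CHAR_BIT` comparison, but nothing in the function states that pr_itemsperpage must already be computed when it is called; add that precondition to the comment above the on-page check (e.g. `/* Requires pp->pr_itemsperpage to be set. */`) so a later reordering in pool_init() does not silently turn this into a comparison against zero. Also, `KASSERT(bmapsize % sizeof(pool_item_bitmap_t) == 0)` holds only if roundup(PHSIZE, pp->pr_align) is a multiple of sizeof(pool_item_bitmap_t); if pr_align can be smaller than that, the kernel asserts instead of quietly falling back to a list, so either note why pr_align cannot be that small or make that case `return false`.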
@@ -728,6 +744,9 @@ pool_init(struct pool *pp, size_t size, 
 		SPLAY_INIT(&pp->pr_phtree);
 	}
 
+	pp->pr_itemsperpage = itemspace / pp->pr_size;
+	KASSERT(pp->pr_itemsperpage != 0);
+
 	/*
 	 * Decide whether to use a bitmap or a linked list to manage freed
 	 * items.
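Review bot: the relocated `pp->pr_itemsperpage = itemspace / pp->pr_size;` carries no comment explaining why it now has to precede the "Decide whether to use a bitmap" block directly below it, which is the block that consumes pr_itemsperpage after this change; add a one-line comment such as `/* Needed by pool_init_is_usebmap() below. */` so the ordering survives future edits. Keeping the KASSERT on a non-zero value next to it is fine.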
@@ -736,9 +755,6 @@ pool_init(struct pool *pp, size_t size, 
 		pp->pr_roflags |= PR_USEBMAP;
 	}
 
-	pp->pr_itemsperpage = itemspace / pp->pr_size;
-	KASSERT(pp->pr_itemsperpage != 0);
-
 	/*
 	 * If we're off-page and use a bitmap, choose the appropriate pool to
 	 * allocate page headers, whose size varies depending on the bitmap. If
