From 37d336d7414f0c29fdcdddebd45882c53eaf51d1 Mon Sep 17 00:00:00 2001
From: Andreas Kling
Date: Sat, 1 Feb 2020 10:36:25 +0100
Subject: [PATCH] Kernel: Add memory scrubbing in slab_alloc() and slab_dealloc()

These now scrub allocated and freed memory like kmalloc()/kfree() was already doing.
---
 Kernel/Arch/i386/CPU.cpp | 6 ++++++
 Kernel/Heap/SlabAllocator.cpp | 7 +++++++
 Kernel/Heap/SlabAllocator.h | 3 +++
 3 files changed, 16 insertions(+)

diff --git a/Kernel/Arch/i386/CPU.cpp b/Kernel/Arch/i386/CPU.cpp
index 52082ecc3dd..a1055503947 100644
--- a/Kernel/Arch/i386/CPU.cpp
+++ b/Kernel/Arch/i386/CPU.cpp
@@ -319,6 +319,8 @@ void page_fault_handler(RegisterDump regs)
 u32 free_scrub_pattern = explode_byte(FREE_SCRUB_BYTE);
 u32 kmalloc_scrub_pattern = explode_byte(KMALLOC_SCRUB_BYTE);
 u32 kfree_scrub_pattern = explode_byte(KFREE_SCRUB_BYTE);
+ u32 slab_alloc_scrub_pattern = explode_byte(SLAB_ALLOC_SCRUB_BYTE);
+ u32 slab_dealloc_scrub_pattern = explode_byte(SLAB_DEALLOC_SCRUB_BYTE);
 if ((fault_address & 0xffff0000) == (malloc_scrub_pattern & 0xffff0000)) {
 kprintf("\033[33;1mNote: Address %p looks like it may be uninitialized malloc() memory\033[0m\n", fault_address);
 } else if ((fault_address & 0xffff0000) == (free_scrub_pattern & 0xffff0000)) {
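Review bot: The two new `slab_*_scrub_pattern` locals, and the hints that use them in the next hunk of this file, are compiled unconditionally, while the scrubbing itself in SlabAllocator.cpp only happens under `SANITIZE_KMALLOC`; in a build without that macro a fault at an address that happens to share the top 16 bits with `0xabab....` or `0xbcbc....` is mislabelled as slab memory. The hint chain is also an ordered else-if on `fault_address & 0xffff0000`, so the new bytes only diagnose correctly if their exploded patterns differ in the upper 16 bits from the existing malloc/free/kmalloc/kfree bytes, whose values this patch does not show. A comment above the new locals would make the dependency explicit: `// These hints are heuristic: slab scrubbing is only compiled under SANITIZE_KMALLOC, and each pattern must be unique in its upper 16 bits.` page_fault_handler() begins and ends outside both hunks.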
@@ -327,6 +329,10 @@ void page_fault_handler(RegisterDump regs)
 kprintf("\033[33;1mNote: Address %p looks like it may be uninitialized kmalloc() memory\033[0m\n", fault_address);
 } else if ((fault_address & 0xffff0000) == (kfree_scrub_pattern & 0xffff0000)) {
 kprintf("\033[33;1mNote: Address %p looks like it may be recently kfree()'d memory\033[0m\n", fault_address);
+ } else if ((fault_address & 0xffff0000) == (slab_alloc_scrub_pattern & 0xffff0000)) {
+ kprintf("\033[33;1mNote: Address %p looks like it may be uninitialized slab_alloc() memory\033[0m\n", fault_address);
+ } else if ((fault_address & 0xffff0000) == (slab_dealloc_scrub_pattern & 0xffff0000)) {
+ kprintf("\033[33;1mNote: Address %p looks like it may be recently slab_dealloc()'d memory\033[0m\n", fault_address);
 } else if (fault_address < 4096) {
 kprintf("\033[33;1mNote: Address %p looks like a possible nullptr dereference\033[0m\n", fault_address);
 }
diff --git a/Kernel/Heap/SlabAllocator.cpp b/Kernel/Heap/SlabAllocator.cpp
index 3481acfd5b0..fcf6ec1ba9e 100644
--- a/Kernel/Heap/SlabAllocator.cpp
+++ b/Kernel/Heap/SlabAllocator.cpp
@@ -61,6 +61,9 @@ public:
 m_freelist = m_freelist->next;
 ++m_num_allocated;
 --m_num_free;
+#ifdef SANITIZE_KMALLOC
+ memset(ptr, SLAB_ALLOC_SCRUB_BYTE, slab_size());
+#endif
 return ptr;
 }
 
@@ -73,6 +76,10 @@ public:
 return;
 }
 ((FreeSlab*)ptr)->next = m_freelist;
+#ifdef SANITIZE_KMALLOC
+ if (slab_size() > sizeof(FreeSlab*))
+ memset(((FreeSlab*)ptr)->padding, SLAB_DEALLOC_SCRUB_BYTE, sizeof(FreeSlab::padding));
+#endif
 m_freelist = (FreeSlab*)ptr;
 ++m_num_allocated;
 --m_num_free;
diff --git a/Kernel/Heap/SlabAllocator.h b/Kernel/Heap/SlabAllocator.h
index d799be33738..8415bb8f071 100644
--- a/Kernel/Heap/SlabAllocator.h
+++ b/Kernel/Heap/SlabAllocator.h
@@ -29,6 +29,9 @@
 #include
 #include
 
+#define SLAB_ALLOC_SCRUB_BYTE 0xab
+#define SLAB_DEALLOC_SCRUB_BYTE 0xbc
+
 class JsonObjectSerializer;
 
 void* slab_alloc(size_t slab_size);
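Review bot: The new `memset(ptr, SLAB_ALLOC_SCRUB_BYTE, slab_size())` in the allocation path deliberately overwrites the whole slab, including the `FreeSlab::next` link that was just consumed by `m_freelist = m_freelist->next;`, and that intent is not stated anywhere; a one-line comment would save the next reader from wondering whether the link is still needed: `// The slab has been unlinked above, so scrubbing the whole block (including the old next link) is safe.` The hunk also does not show where `memset` comes from in this translation unit, so it is worth confirming the header that declares it is included under `SANITIZE_KMALLOC` builds. The allocation function begins outside this hunk.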
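Review bot: The deallocation scrub in the second SlabAllocator.cpp hunk leaves the first `sizeof(FreeSlab*)` bytes of the freed block holding a live freelist pointer, so a use-after-free that reads the object's first field sees a valid kernel address rather than `0xbc` and will never trigger the new slab_dealloc() hint in page_fault_handler(); that blind spot should be documented next to the memset, e.g. `// Only the padding is scrubbed; the first word stays a valid freelist link, so stale reads of an object's first field are not caught.` The guard `slab_size() > sizeof(FreeSlab*)` presumably exists because `FreeSlab::padding` is empty for pointer-sized slabs, but `FreeSlab` is not visible here, so the relationship between `sizeof(FreeSlab::padding)` and `slab_size()` should be confirmed. Separately, and outside what this commit changes, the context lines `++m_num_allocated; --m_num_free;` directly below the new block appear to move the counters in the same direction as the allocation path does, which looks inverted for a free. The deallocation function begins outside this hunk.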
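Review bot: The two new `#define`s in SlabAllocator.h carry an implicit constraint that nothing at the definition site records: page_fault_handler() in CPU.cpp tells the patterns apart by `fault_address & 0xffff0000`, so each scrub byte must be unique among all scrub bytes in the kernel for the hint to be right, and anyone adding a new one needs to know that. A comment above the defines would capture it: `// Must be distinct from every other *_SCRUB_BYTE; page_fault_handler() distinguishes patterns by their upper 16 bits.` The existing *_SCRUB_BYTE values are not shown in this patch, so the uniqueness of 0xab and 0xbc cannot be confirmed from the diff alone.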