path: root/libc/malloc_hooks/malloc_hooks.cpp
author: Evgenii Stepanov <eugenis@google.com> 2020-06-05 16:50:10 -0700
committer: Elliott Hughes <enh@google.com> 2020-06-12 12:22:32 -0700
commit: 071416b700c9b53d3a7c8b70b573a3f415f63f42
tree: 759f7fdbfe19bcbc07de9c2f30329bcdaabed066 /libc/malloc_hooks/malloc_hooks.cpp
parent: 2dced5bfbb389cdde31276c1ea7646c201668066
Use PROT_NONE on the unused parts of CFI shadow.
This replaces a single 2Gb readable memory region with a bunch of tiny regions, and leaves the bulk of 2Gb mapped but inaccessible. This makes it harder to defeat ASLR by probing for the CFI shadow region.

Sample CFI shadow mapping with this change:

7165151000-716541f000 ---p 00000000 00:00 0 [anon:cfi shadow]
716541f000-7165420000 r--p 00000000 00:00 0 [anon:cfi shadow]
7165420000-71654db000 ---p 00000000 00:00 0 [anon:cfi shadow]
71654db000-71654dc000 r--p 00000000 00:00 0 [anon:cfi shadow]
71654dc000-71654dd000 r--p 00000000 00:00 0 [anon:cfi shadow]
71654dd000-71654f0000 ---p 00000000 00:00 0 [anon:cfi shadow]
71654f0000-71654f1000 r--p 00000000 00:00 0 [anon:cfi shadow]
71654f1000-71e5151000 ---p 00000000 00:00 0 [anon:cfi shadow]

This change degrades CFI diagnostics for wild jumps and casts (i.e. when the target of a CFI check is outside of any known library bounds). This is acceptable, because CFI does not have much to tell about those cases anyway. Such bugs will show up as SEGV_ACCERR crashes inside __cfi_slowpath in libdl.so from now on.

Bug: 158113540
Test: bionic-unit-tests/cfi_test.*
Test: adb shell cat /proc/$PID/maps | grep cfi
Change-Id: I57cbd0d3f87eb1610ad99b48d98ffd497ba214b4
Merged-In: I57cbd0d3f87eb1610ad99b48d98ffd497ba214b4
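The mapping layout the commit message describes, as an added stand-alone example that is not bionic's code: the whole shadow is reserved PROT_NONE and only the pages that actually hold shadow data are made readable, so the bulk of the range stays mapped but faults on access. The block then performs the commit's "Test:" check in-process by walking /proc/self/maps and tallying the ---p and r--p regions inside the shadow. Assumptions: the shadow is shrunk to a constructed 64 MiB instead of the real 2 GiB, the readable pages are chosen arbitrarily, the [anon:cfi shadow] label is applied with prctl(PR_SET_VMA) only where the headers and kernel support it, and the code is Linux-only because it reads /proc/self/maps.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <unistd.h>

/* Toy shadow size: 64 MiB rather than the real 2 GiB so the demo runs on
   any Linux box (constructed value; bionic reserves the full range). */
#define SHADOW_SIZE (64UL << 20)

struct shadow {
    uint8_t *base;
    size_t size;
};

struct shadow_stats {
    unsigned none_regions;     /* ---p VMAs inside the shadow */
    unsigned readable_regions; /* r--p VMAs inside the shadow */
    size_t none_bytes;
    size_t readable_bytes;
};

/* Reserve the whole shadow PROT_NONE, then expose only the pages that
   carry data. Every other page stays mapped but faults on access. */
static int shadow_create(struct shadow *s, const size_t *used_pages, size_t n_used) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, SHADOW_SIZE, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
#ifdef PR_SET_VMA
    /* Label the mapping the way bionic does ([anon:cfi shadow]); the result
       is ignored because older kernels reject PR_SET_VMA_ANON_NAME. */
    prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, p, SHADOW_SIZE, "cfi shadow");
#endif
    for (size_t i = 0; i < n_used; i++) {
        uint8_t *page = (uint8_t *)p + used_pages[i] * pg;
        /* Write the shadow value, then drop the page to read-only. */
        if (mprotect(page, pg, PROT_READ | PROT_WRITE) != 0) return -1;
        page[0] = 1;
        if (mprotect(page, pg, PROT_READ) != 0) return -1;
    }
    s->base = (uint8_t *)p;
    s->size = SHADOW_SIZE;
    return 0;
}

static void shadow_destroy(struct shadow *s) {
    munmap(s->base, s->size);
    s->base = NULL;
}

/* The commit's "cat /proc/$PID/maps | grep cfi" check, done in-process:
   tally the VMAs that fall inside the shadow by protection. */
static int shadow_scan_maps(const struct shadow *s, struct shadow_stats *st) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    memset(st, 0, sizeof *st);
    uintptr_t lo = (uintptr_t)s->base, hi = lo + s->size;
    char line[512];
    while (fgets(line, sizeof line, f)) {
        unsigned long start, end;
        char perms[5];
        if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) != 3) continue;
        if (end <= lo || start >= hi) continue;
        /* Clip in case the kernel merged an edge VMA with a neighbour. */
        if (start < lo) start = lo;
        if (end > hi) end = hi;
        if (strncmp(perms, "---", 3) == 0) {
            st->none_regions++;
            st->none_bytes += end - start;
        } else if (strncmp(perms, "r--", 3) == 0) {
            st->readable_regions++;
            st->readable_bytes += end - start;
        }
    }
    fclose(f);
    return 0;
}

/* Three isolated readable pages (constructed choice), mirroring the sample
   maps output above: r--p islands separated by ---p gaps. */
static int shadow_demo_build(struct shadow *s) {
    size_t npages = SHADOW_SIZE / (size_t)sysconf(_SC_PAGESIZE);
    size_t used[3] = { 1, npages / 4, npages / 2 };
    return shadow_create(s, used, 3);
}

int main(void) {
    struct shadow s;
    struct shadow_stats st;
    if (shadow_demo_build(&s) != 0 || shadow_scan_maps(&s, &st) != 0) {
        perror("shadow");
        return 1;
    }
    printf("r--p: %u regions, %zu bytes\n", st.readable_regions, st.readable_bytes);
    printf("---p: %u regions, %zu bytes\n", st.none_regions, st.none_bytes);
    shadow_destroy(&s);
    return 0;
}
```

With three non-adjacent readable pages the scan reports 3 r--p regions of one page each and 4 ---p regions covering the rest of the reservation, which is the same shape as the sample mapping in the commit message: a reader that lands anywhere outside the populated pages takes a SEGV_ACCERR fault instead of seeing a 2 GiB readable landmark.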
Diffstat (limited to 'libc/malloc_hooks/malloc_hooks.cpp')
0 files changed, 0 insertions, 0 deletions