Hardened Malloc - Hardened Memory Allocator

madaidan · March 9, 2020, 5:51pm

Got a reply on the CLIP OS issue:

We looked at hardened_malloc a while ago and are likely to integrate it to CLIP OS (at least to the Core ). As we still have quite important things to accomplish beforehand, we won’t tackle this straightaway but contributions are of course welcome.

Thanks for opening this issue, I’ll leave it open to track related progress.

madaidan · March 24, 2020, 8:43pm

We can disable hardened_malloc per program by using bubblewrap (or any other namespacing program):

bwrap --dev-bind / / --tmpfs /usr/lib/libhardened_malloc.so program_name

This makes the /usr/lib/libhardened_malloc.so directory an empty tmpfs without the hardened_malloc library so it isn’t preloaded:

ERROR: ld.so: object '/usr/lib/libhardened_malloc.so/libhardened_malloc.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.

This can be verified with cat /proc/self/maps. You’ll see /usr/lib/libhardened_malloc.so/libhardened_malloc.so in the output without bubblewrap and it’ll be missing with bubblewrap.

So if we have any issues with programs, we can just use bubblewrap.

Patrick · September 18, 2020, 10:06am

Patrick · September 18, 2020, 10:47am

github.com/GrapheneOS/hardened_malloc

tests failing in cowbuilder chroot

opened 10:46AM - 18 Sep 20 UTC

closed 03:31PM - 18 Sep 20 UTC

adrelanos

bug upstream

``` sudo cowbuilder --login --basepath /var/cache/pbuilder/base.cow_amd64 ``` … ``` root@work:/hardened_malloc# make cc -std=c11 -O3 -flto -fPIC -fvisibility=hidden -fno-plt -fstack-clash-protection -fstack-protector-strong -pipe -Wall -Wextra -Wcast-align=strict -Wcast-qual -Wwrite-strings -Werror -march=native -Wmissing-prototypes -D_GNU_SOURCE -I include -DCONFIG_SEAL_METADATA=false -DZERO_ON_FREE=true -DWRITE_AFTER_FREE_CHECK=true -DSLOT_RANDOMIZE=true -DSLAB_CANARY=true -DSLAB_QUARANTINE_RANDOM_LENGTH=1 -DSLAB_QUARANTINE_QUEUE_LENGTH=1 -DCONFIG_EXTENDED_SIZE_CLASSES=true -DCONFIG_LARGE_SIZE_CLASSES=true -DGUARD_SLABS_INTERVAL=1 -DGUARD_SIZE_DIVISOR=2 -DREGION_QUARANTINE_RANDOM_LENGTH=128 -DREGION_QUARANTINE_QUEUE_LENGTH=1024 -DREGION_QUARANTINE_SKIP_THRESHOLD=33554432 -DFREE_SLABS_QUARANTINE_RANDOM_LENGTH=32 -DCONFIG_CLASS_REGION_SIZE=34359738368 -DN_ARENA=4 -DCONFIG_STATS=false -c -o chacha.o chacha.c cc -std=c11 -O3 -flto -fPIC -fvisibility=hidden -fno-plt -fstack-clash-protection -fstack-protector-strong -pipe -Wall -Wextra -Wcast-align=strict -Wcast-qual -Wwrite-strings -Werror -march=native -Wmissing-prototypes -D_GNU_SOURCE -I include -DCONFIG_SEAL_METADATA=false -DZERO_ON_FREE=true -DWRITE_AFTER_FREE_CHECK=true -DSLOT_RANDOMIZE=true -DSLAB_CANARY=true -DSLAB_QUARANTINE_RANDOM_LENGTH=1 -DSLAB_QUARANTINE_QUEUE_LENGTH=1 -DCONFIG_EXTENDED_SIZE_CLASSES=true -DCONFIG_LARGE_SIZE_CLASSES=true -DGUARD_SLABS_INTERVAL=1 -DGUARD_SIZE_DIVISOR=2 -DREGION_QUARANTINE_RANDOM_LENGTH=128 -DREGION_QUARANTINE_QUEUE_LENGTH=1024 -DREGION_QUARANTINE_SKIP_THRESHOLD=33554432 -DFREE_SLABS_QUARANTINE_RANDOM_LENGTH=32 -DCONFIG_CLASS_REGION_SIZE=34359738368 -DN_ARENA=4 -DCONFIG_STATS=false -c -o h_malloc.o h_malloc.c cc -std=c11 -O3 -flto -fPIC -fvisibility=hidden -fno-plt -fstack-clash-protection -fstack-protector-strong -pipe -Wall -Wextra -Wcast-align=strict -Wcast-qual -Wwrite-strings -Werror -march=native -Wmissing-prototypes -D_GNU_SOURCE -I include -DCONFIG_SEAL_METADATA=false -DZERO_ON_FREE=true -DWRITE_AFTER_FREE_CHECK=true -DSLOT_RANDOMIZE=true -DSLAB_CANARY=true -DSLAB_QUARANTINE_RANDOM_LENGTH=1 -DSLAB_QUARANTINE_QUEUE_LENGTH=1 -DCONFIG_EXTENDED_SIZE_CLASSES=true -DCONFIG_LARGE_SIZE_CLASSES=true -DGUARD_SLABS_INTERVAL=1 -DGUARD_SIZE_DIVISOR=2 -DREGION_QUARANTINE_RANDOM_LENGTH=128 -DREGION_QUARANTINE_QUEUE_LENGTH=1024 -DREGION_QUARANTINE_SKIP_THRESHOLD=33554432 -DFREE_SLABS_QUARANTINE_RANDOM_LENGTH=32 -DCONFIG_CLASS_REGION_SIZE=34359738368 -DN_ARENA=4 -DCONFIG_STATS=false -c -o pages.o pages.c cc -std=c11 -O3 -flto -fPIC -fvisibility=hidden -fno-plt -fstack-clash-protection -fstack-protector-strong -pipe -Wall -Wextra -Wcast-align=strict -Wcast-qual -Wwrite-strings -Werror -march=native -Wmissing-prototypes -D_GNU_SOURCE -I include -DCONFIG_SEAL_METADATA=false -DZERO_ON_FREE=true -DWRITE_AFTER_FREE_CHECK=true -DSLOT_RANDOMIZE=true -DSLAB_CANARY=true -DSLAB_QUARANTINE_RANDOM_LENGTH=1 -DSLAB_QUARANTINE_QUEUE_LENGTH=1 -DCONFIG_EXTENDED_SIZE_CLASSES=true -DCONFIG_LARGE_SIZE_CLASSES=true -DGUARD_SLABS_INTERVAL=1 -DGUARD_SIZE_DIVISOR=2 -DREGION_QUARANTINE_RANDOM_LENGTH=128 -DREGION_QUARANTINE_QUEUE_LENGTH=1024 -DREGION_QUARANTINE_SKIP_THRESHOLD=33554432 -DFREE_SLABS_QUARANTINE_RANDOM_LENGTH=32 -DCONFIG_CLASS_REGION_SIZE=34359738368 -DN_ARENA=4 -DCONFIG_STATS=false -c -o random.o random.c cc -std=c11 -O3 -flto -fPIC -fvisibility=hidden -fno-plt -fstack-clash-protection -fstack-protector-strong -pipe -Wall -Wextra -Wcast-align=strict -Wcast-qual -Wwrite-strings -Werror -march=native -Wmissing-prototypes -D_GNU_SOURCE -I include -DCONFIG_SEAL_METADATA=false -DZERO_ON_FREE=true -DWRITE_AFTER_FREE_CHECK=true -DSLOT_RANDOMIZE=true -DSLAB_CANARY=true -DSLAB_QUARANTINE_RANDOM_LENGTH=1 -DSLAB_QUARANTINE_QUEUE_LENGTH=1 -DCONFIG_EXTENDED_SIZE_CLASSES=true -DCONFIG_LARGE_SIZE_CLASSES=true -DGUARD_SLABS_INTERVAL=1 -DGUARD_SIZE_DIVISOR=2 -DREGION_QUARANTINE_RANDOM_LENGTH=128 -DREGION_QUARANTINE_QUEUE_LENGTH=1024 -DREGION_QUARANTINE_SKIP_THRESHOLD=33554432 -DFREE_SLABS_QUARANTINE_RANDOM_LENGTH=32 -DCONFIG_CLASS_REGION_SIZE=34359738368 -DN_ARENA=4 -DCONFIG_STATS=false -c -o util.o util.c cc -std=c++17 -O3 -flto -fPIC -fvisibility=hidden -fno-plt -fstack-clash-protection -fstack-protector-strong -pipe -Wall -Wextra -Wcast-align=strict -Wcast-qual -Wwrite-strings -Werror -march=native -D_GNU_SOURCE -I include -DCONFIG_SEAL_METADATA=false -DZERO_ON_FREE=true -DWRITE_AFTER_FREE_CHECK=true -DSLOT_RANDOMIZE=true -DSLAB_CANARY=true -DSLAB_QUARANTINE_RANDOM_LENGTH=1 -DSLAB_QUARANTINE_QUEUE_LENGTH=1 -DCONFIG_EXTENDED_SIZE_CLASSES=true -DCONFIG_LARGE_SIZE_CLASSES=true -DGUARD_SLABS_INTERVAL=1 -DGUARD_SIZE_DIVISOR=2 -DREGION_QUARANTINE_RANDOM_LENGTH=128 -DREGION_QUARANTINE_QUEUE_LENGTH=1024 -DREGION_QUARANTINE_SKIP_THRESHOLD=33554432 -DFREE_SLABS_QUARANTINE_RANDOM_LENGTH=32 -DCONFIG_CLASS_REGION_SIZE=34359738368 -DN_ARENA=4 -DCONFIG_STATS=false -c -o new.o new.cc cc -std=c11 -O3 -flto -fPIC -fvisibility=hidden -fno-plt -fstack-clash-protection -fstack-protector-strong -pipe -Wall -Wextra -Wcast-align=strict -Wcast-qual -Wwrite-strings -Werror -march=native -Wmissing-prototypes -Wl,--as-needed,-z,defs,-z,relro,-z,now,-z,nodlopen,-z,text -shared chacha.o h_malloc.o memory.o pages.o random.o util.o new.o -lstdc++ -lgcc_s -o libhardened_malloc.so root@work:/hardened_malloc# make test make -C test/ make[1]: Entering directory '/hardened_malloc/test' make -C simple-memory-corruption make[2]: Entering directory '/hardened_malloc/test/simple-memory-corruption' make[2]: Nothing to be done for 'all'. make[2]: Leaving directory '/hardened_malloc/test/simple-memory-corruption' make[1]: Leaving directory '/hardened_malloc/test' python -m unittest discover --start-directory test/ FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF ====================================================================== FAIL: test_delete_type_size_mismatch (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 21, in test_delete_type_size_mismatch self.assertEqual(returncode, -6) AssertionError: 127 != -6 ====================================================================== FAIL: test_double_free_large (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 34, in test_double_free_large self.assertEqual(returncode, -6) AssertionError: 127 != -6 ====================================================================== FAIL: test_double_free_large_delayed (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 28, in test_double_free_large_delayed self.assertEqual(returncode, -6) AssertionError: 127 != -6 ====================================================================== FAIL: test_double_free_small (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 47, in test_double_free_small self.assertEqual(returncode, -6) AssertionError: 127 != -6 ====================================================================== FAIL: test_double_free_small_delayed (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 41, in test_double_free_small_delayed self.assertEqual(returncode, -6) AssertionError: 127 != -6 ====================================================================== FAIL: test_eight_byte_overflow_large (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 54, in test_eight_byte_overflow_large self.assertEqual(returncode, -11) AssertionError: 127 != -11 ====================================================================== FAIL: test_eight_byte_overflow_small (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 59, in test_eight_byte_overflow_small self.assertEqual(returncode, -6) AssertionError: 127 != -6 ====================================================================== FAIL: test_invalid_free_protected (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 65, in test_invalid_free_protected self.assertEqual(returncode, -6) AssertionError: 127 != -6 ====================================================================== FAIL: test_invalid_free_small_region (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 79, in test_invalid_free_small_region self.assertEqual(returncode, -6) AssertionError: 127 != -6 ====================================================================== FAIL: test_invalid_free_small_region_far (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 72, in test_invalid_free_small_region_far self.assertEqual(returncode, -6) AssertionError: 127 != -6 ====================================================================== FAIL: test_invalid_free_unprotected (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 85, in test_invalid_free_unprotected self.assertEqual(returncode, -6) AssertionError: 127 != -6 ====================================================================== FAIL: test_invalid_malloc_object_size_small (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 196, in test_invalid_malloc_object_size_small self.assertEqual(returncode, -6) AssertionError: 127 != -6 ====================================================================== FAIL: test_invalid_malloc_object_size_small_quarantine (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 203, in test_invalid_malloc_object_size_small_quarantine self.assertEqual(returncode, -6) AssertionError: 127 != -6 ====================================================================== FAIL: test_invalid_malloc_usable_size_small (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 99, in test_invalid_malloc_usable_size_small self.assertEqual(returncode, -6) AssertionError: 127 != -6 ====================================================================== FAIL: test_invalid_malloc_usable_size_small_quarantene (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 92, in test_invalid_malloc_usable_size_small_quarantene self.assertEqual(returncode, -6) AssertionError: 127 != -6 ====================================================================== FAIL: test_malloc_object_size (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 186, in test_malloc_object_size self.assertEqual(returncode, 0) AssertionError: 127 != 0 ====================================================================== FAIL: test_malloc_object_size_offset (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 191, in test_malloc_object_size_offset self.assertEqual(returncode, 0) AssertionError: 127 != 0 ====================================================================== FAIL: test_read_after_free_large (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 105, in test_read_after_free_large self.assertEqual(returncode, -11) AssertionError: 127 != -11 ====================================================================== FAIL: test_read_after_free_small (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 109, in test_read_after_free_small self.assertEqual(returncode, 0) AssertionError: 127 != 0 ====================================================================== FAIL: test_read_zero_size (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 115, in test_read_zero_size self.assertEqual(returncode, -11) AssertionError: 127 != -11 ====================================================================== FAIL: test_string_overflow (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 119, in test_string_overflow self.assertEqual(returncode, 0) AssertionError: 127 != 0 ====================================================================== FAIL: test_unaligned_free_large (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 124, in test_unaligned_free_large self.assertEqual(returncode, -6) AssertionError: 127 != -6 ====================================================================== FAIL: test_unaligned_free_small (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 130, in test_unaligned_free_small self.assertEqual(returncode, -6) AssertionError: 127 != -6 ====================================================================== FAIL: test_unaligned_malloc_usable_size_small (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 137, in test_unaligned_malloc_usable_size_small self.assertEqual(returncode, -6) AssertionError: 127 != -6 ====================================================================== FAIL: test_uninitialized_free (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 143, in test_uninitialized_free self.assertEqual(returncode, -6) AssertionError: 127 != -6 ====================================================================== FAIL: test_uninitialized_malloc_usable_size (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 150, in test_uninitialized_malloc_usable_size self.assertEqual(returncode, -11) AssertionError: 127 != -11 ====================================================================== FAIL: test_uninitialized_realloc (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 154, in test_uninitialized_realloc self.assertEqual(returncode, -6) AssertionError: 127 != -6 ====================================================================== FAIL: test_write_after_free_large (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 165, in test_write_after_free_large self.assertEqual(returncode, -11) AssertionError: 127 != -11 ====================================================================== FAIL: test_write_after_free_large_reuse (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 161, in test_write_after_free_large_reuse self.assertEqual(returncode, -11) AssertionError: 127 != -11 ====================================================================== FAIL: test_write_after_free_small (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 176, in test_write_after_free_small self.assertEqual(returncode, -6) AssertionError: 127 != -6 ====================================================================== FAIL: test_write_after_free_small_reuse (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 170, in test_write_after_free_small_reuse self.assertEqual(returncode, -6) AssertionError: 127 != -6 ====================================================================== FAIL: test_write_zero_size (simple-memory-corruption.test_smc.TestSimpleMemoryCorruption) ---------------------------------------------------------------------- Traceback (most recent call last): File "/hardened_malloc/test/simple-memory-corruption/test_smc.py", line 182, in test_write_zero_size self.assertEqual(returncode, -11) AssertionError: 127 != -11 ---------------------------------------------------------------------- Ran 32 tests in 0.036s FAILED (failures=32) make: [Makefile:139: test] Error 1 (ignored) root@work:/hardened_malloc# ``` Any idea why this is happening? Fixable at chroot side or in hardened malloc source side?

Patrick · September 18, 2020, 2:18pm

github.com/GrapheneOS/hardened_malloc

mallinfo.c:14:22: error: format '%zu' expects argument of type 'size_t', but argument 2 has type 'int' [-Werror=format=]

opened 02:19PM - 18 Sep 20 UTC

closed 07:15PM - 10 Nov 20 UTC

adrelanos

bug upstream

Trying to build on travis CI, Debian docker container. ``` cc -g -O2 -fdebug…-prefix-map=/home/travis/build/Whonix/hardened_malloc=. -fstack-protector-strong -Wformat -Werror=format-security -std=c11 -O3 -flto -fPIC -fvisibility=hidden -fno-plt -fstack-clash-protection -fstack-protector-strong -pipe -Wall -Wextra -Wcast-align=strict -Wcast-qual -Wwrite-strings -Werror -march=native -Wmissing-prototypes -Wdate-time -D_FORTIFY_SOURCE=2 -D_GNU_SOURCE -I include -DCONFIG_SEAL_METADATA=false -DZERO_ON_FREE=true -DWRITE_AFTER_FREE_CHECK=true -DSLOT_RANDOMIZE=true -DSLAB_CANARY=true -DSLAB_QUARANTINE_RANDOM_LENGTH=1 -DSLAB_QUARANTINE_QUEUE_LENGTH=1 -DCONFIG_EXTENDED_SIZE_CLASSES=true -DCONFIG_LARGE_SIZE_CLASSES=true -DGUARD_SLABS_INTERVAL=1 -DGUARD_SIZE_DIVISOR=2 -DREGION_QUARANTINE_RANDOM_LENGTH=128 -DREGION_QUARANTINE_QUEUE_LENGTH=1024 -DREGION_QUARANTINE_SKIP_THRESHOLD=33554432 -DFREE_SLABS_QUARANTINE_RANDOM_LENGTH=32 -DCONFIG_CLASS_REGION_SIZE=34359738368 -DN_ARENA=4 -DCONFIG_STATS=false -DSLAB_CANARY=true -DCONFIG_EXTENDED_SIZE_CLASSES=true -Wl,-z,relro -Wl,-z,now -Wl,--as-needed,-z,defs,-z,relro,-z,now,-z,nodlopen,-z,text mallinfo.c -lpthread -o mallinfo mallinfo.c: In function 'main': mallinfo.c:14:22: error: format '%zu' expects argument of type 'size_t', but argument 2 has type 'int' [-Werror=format=] printf("arena: %zu\n", info.arena); ~~^ ~~~~~~~~~~ %u mallinfo.c:15:24: error: format '%zu' expects argument of type 'size_t', but argument 2 has type 'int' [-Werror=format=] printf("ordblks: %zu\n", info.ordblks); ~~^ ~~~~~~~~~~~~ %u mallinfo.c:16:23: error: format '%zu' expects argument of type 'size_t', but argument 2 has type 'int' [-Werror=format=] printf("smblks: %zu\n", info.smblks); ~~^ ~~~~~~~~~~~ %u mallinfo.c:17:22: error: format '%zu' expects argument of type 'size_t', but argument 2 has type 'int' [-Werror=format=] printf("hblks: %zu\n", info.hblks); ~~^ ~~~~~~~~~~ %u mallinfo.c:18:23: error: format '%zu' expects argument of type 'size_t', but argument 2 has type 'int' [-Werror=format=] printf("hblkhd: %zu\n", info.hblkhd); ~~^ ~~~~~~~~~~~ %u mallinfo.c:19:24: error: format '%zu' expects argument of type 'size_t', but argument 2 has type 'int' [-Werror=format=] printf("usmblks: %zu\n", info.usmblks); ~~^ ~~~~~~~~~~~~ %u mallinfo.c:20:24: error: format '%zu' expects argument of type 'size_t', but argument 2 has type 'int' [-Werror=format=] printf("fsmblks: %zu\n", info.fsmblks); ~~^ ~~~~~~~~~~~~ %u mallinfo.c:21:25: error: format '%zu' expects argument of type 'size_t', but argument 2 has type 'int' [-Werror=format=] printf("uordblks: %zu\n", info.uordblks); ~~^ ~~~~~~~~~~~~~ %u mallinfo.c:22:25: error: format '%zu' expects argument of type 'size_t', but argument 2 has type 'int' [-Werror=format=] printf("fordblks: %zu\n", info.fordblks); ~~^ ~~~~~~~~~~~~~ %u mallinfo.c:23:25: error: format '%zu' expects argument of type 'size_t', but argument 2 has type 'int' [-Werror=format=] printf("keepcost: %zu\n", info.keepcost); ~~^ ~~~~~~~~~~~~~ %u mallinfo.c:8:5: error: ignoring return value of 'malloc', declared with attribute warn_unused_result [-Werror=unused-result] malloc(1024 * 1024 * 1024); ^~~~~~~~~~~~~~~~~~~~~~~~~~ mallinfo.c:9:5: error: ignoring return value of 'malloc', declared with attribute warn_unused_result [-Werror=unused-result] malloc(16); ^~~~~~~~~~ mallinfo.c:10:5: error: ignoring return value of 'malloc', declared with attribute warn_unused_result [-Werror=unused-result] malloc(32); ^~~~~~~~~~ mallinfo.c:11:5: error: ignoring return value of 'malloc', declared with attribute warn_unused_result [-Werror=unused-result] malloc(64); ^~~~~~~~~~ cc1: all warnings being treated as errors ``` full log: https://travis-ci.com/github/Whonix/hardened_malloc/builds/185210851

Patrick · September 19, 2020, 12:32pm

Patrick · September 19, 2020, 1:25pm

github.com

Kicksecure/hardened_malloc/blob/master/.travis.yml

sudo: required
language: generic

services:
  - docker

script:
  #- wget -O- http://travis.debian.net/script.sh | sh -
  - wget -O- https://raw.githubusercontent.com/adrelanos/travis.debian.net/gh-pages/script.sh | sh -

if:
  tag IS blank

env:
  global:
  - TRAVIS_DEBIAN_DISTRIBUTION=bullseye
  - TRAVIS_DEBIAN_GIT_BUILDPACKAGE=./debian/ci_test
  - TRAVIS_DEBIAN_NO_BUILD=true

Patrick · September 19, 2020, 1:51pm

This is now in Whonix testers repository.

madaidan · October 4, 2020, 7:40pm

Tested this by globally preloading it and there are a few issues (likely not with hardened_malloc itself though):

It’s quite slow
The mouse is a bit janky
Xorg bugs out but then fixes itself
The Tor Browser refuses to start

I still think we should enable this globally by default though. Just with a few exceptions + reporting any bugs uncovered upstream. Or, alternatively, we can try disabling a few options and see if it fixes anything.

GitHub - GrapheneOS/hardened_malloc: Hardened allocator designed for modern systems. It has integration into Android's Bionic libc and can be used externally with musl and glibc as a dynamic library for use on other Linux-based platforms. It will gain more portability / integration over time.

Even with all of those options disabled, it’s still pretty secure.

madaidan · October 4, 2020, 7:56pm

I tried the leaner configuration example and literally all issues are fixed.

make \
CONFIG_WRITE_AFTER_FREE_CHECK=false \
CONFIG_SLOT_RANDOMIZE=false \
CONFIG_SLAB_QUARANTINE_RANDOM_LENGTH=0 \
CONFIG_SLAB_QUARANTINE_QUEUE_LENGTH=0 \
CONFIG_GUARD_SLABS_INTERVAL=8

I don’t even see much of a performance loss anymore. Can you test this also?

Patrick · October 5, 2020, 2:48pm

Hardened Malloc is a Debian package for “public service” for lack of better term. Changing compile time options would be weird because then it would be a fork. It would reduce security for those who are using it right now.

Though, could always stop providing that public service and call it a Kicksecure specific fork.

Or compile it twice during build if that is possible (probably is). The default, not-used by default hardened-malloc package and perhaps hardened-malloc-kicksecure - the latter could be installed to a different path and enabled by default.

madaidan · October 5, 2020, 7:40pm

That would be the best choice. Users could use the default hardened_malloc for some applications if they want for the extra security features.

Patrick · October 6, 2020, 12:00pm

delete pyc files in test folder by adrelanos · Pull Request #121 · GrapheneOS/hardened_malloc · GitHub

HulaHoop · October 6, 2020, 5:53pm

@madaidan yet another option: is there a way to blacklist the apps that run into problems when running under the standard hardened_malloc and maybe redirect them to the system default one? Can multiple mem allocators coexist on the same system?

Or maybe reserve the permissive fork for problematic programs and otherwise defer them to the more secure version (by default) as is from Micay?

madaidan · October 6, 2020, 7:38pm

Yes.

Those problematic programs seem to be most things so it would make more sense to keep the permissive one as the default.

madaidan · October 6, 2020, 11:26pm

Managed to trim the config down to

CONFIG_SLAB_QUARANTINE_RANDOM_LENGTH=0
CONFIG_SLAB_QUARANTINE_QUEUE_LENGTH=0
CONFIG_GUARD_SLABS_INTERVAL=8

with the help of Daniel.

madaidan · October 7, 2020, 12:52am

I’ve tried to implement this. What do you think?

GitHub - madaidan/hardened_malloc at kicksecure

Patrick · October 7, 2020, 11:47am

I don’t want to fork any of the files shipped by upstream if not absolutely required. make isn’t something I am comfortable with long term. However, if such Makefile changes were upstreamed this were very much OK. But in this case I doubt upstream would accept a patch to introduce libhardened_malloc_kicksecure.so: $(OBJECTS) and code duplication.

What upstream might accept is configuring the resulting “end product” (for lack for better term) file name libhardened_malloc.so. I.e. could libhardened_malloc.so: $(OBJECTS) be made configurable? If not set, default to libhardened_malloc.so. If set, use that filename set from a make variable.

rm *.o

Better run make clean. More appropriate and future proof.

Here is an approach which would not need any upstream patches, which doesn’t require modifications of files shipped by upstream that should be sold.

override_dh_auto_build:
	dh_auto_build -- libhardened_malloc.so CONFIG_NATIVE=false CC=$(CC)
	mv libhardened_malloc.so libhardened_malloc.so_original
	make clean
	dh_auto_build -- libhardened_malloc.so CONFIG_SLAB_QUARANTINE_RANDOM_LENGTH=0 CONFIG_SLAB_QUARANTINE_QUEUE_LENGTH=0 CONFIG_GUARD_SLABS_INTERVAL=8 CC=$(CC)
	mv libhardened_malloc.so libhardened_malloc.so_kicksecure

and…

libhardened_malloc.so_original usr/lib/libhardened_malloc.so/libhardened_malloc.so
libhardened_malloc.so_kicksecure usr/lib/libhardened_malloc.so/libhardened_malloc_kicksecure.so

Would that work?

madaidan · October 7, 2020, 1:07pm

Yes, that’d be perfect.

Patrick · October 7, 2020, 1:10pm

Could you do a new test / PR please?