Some Linux code is calling malloc in 100 places and I need to know how big any one chunk is.
Normally I'd just record these sizes in a my_malloc function but I'm not allowed to do that in this instance. Is there any way to ask the malloc subsystem to provide chunk size for a malloc'd pointer?
Your best bet is to use the LD_PRELOAD trick to intercept calls to malloc (definition here). You do not even need to recompile your source code.
Depending on what you are trying to discover, Google Perftools might be useful as well.
*((size_t *)ptr - 1) & ~7
/me covers.
Unfortunately, there is no way to do that.
Related
Hello,
I'm writing a Linux module (based on a GitHub project called "Ccontrol") to create cache partitioning (a.k.a page coloring) for mitigating timing- side-channel attacks (for preventing attacks like Prime+Probe).
I've used LD_PRELOAD system env variable to overwrite all the malloc(),calloc() and free() calls and replace them with color aware calls.
Now I'm looking for away to color the stack and the data segments also.
What is the system-call/Library for allocating memory for a new born process?
Is there a way to overwrite this call(without recompiling the kernel) using LD_PRELOAD or any other method?
Thank you all in advance,
Gal
There are two memory allocating syscalls: sbrk, which expands the (continuous) heap segment and mmap, which is used to map separate anonymous memory segments into the address space of the calling process.
You won't be able to use LD_PRELOAD to override these everywhere, though.
You'll only be able to do it if the code you're overriding makes these calls through the DSO-exported libc wrappers, which means you won't be able to override direct syscalls and syscalls make through unexported wrappers (DSO-internal (__attribute__((visibility("hidden")))), which most libc implementations use quite a bit. You also won't be able to override the syscalls made by the dynamic linker.
If you need a robust way of overriding the calls, you'll need to turn to ptrace or modify the kernel.
We knew that for secure issues, we should use copy_to_user()/copy_from_user() if we want to do memory copy between user space and kernel space.
My question is, so the memcpy() should have better performance than copy_to_user()/copy_from_user()? Because memcpy() didn't do anything to try to protect the system, am I right?
If we don't care about secure issues, can we use memcpy() instead of copy_to_user()/copy_from_user() to get better performance? (it's a bad idea, I know, just ask if it's right)
One answer: No, because security issues are never irrelevant in the kernel.
memcpy() in particular is a bad function to use because the third argument is a signed integer. If the user can in any way influence the value of this third parameter, you open yourself up to serious liability issues if someone attempts to copy a negative number of bytes.
Many a serious buffer overflow bugs have been due to the signed-ness of memcpy()
Another answer: No, because copy_to_user() and copy_from_user() don't just do access_ok(). Those first two functions make sure that the copy you are currently trying to achieve right now will succeed, or fail appropriately. This is not what access_ok() does for you. The documentation for access_ok() specifically says that this function doesn't guarantee that memory accesses will actually succeed:
Note that, depending on architecture, this function probably just
checks that the pointer is in the user space range - after calling
this function, memory access functions may still return -EFAULT.
For example, my most recent source code has, for x86, runtime checking that goes beyond access_ok(): https://lwn.net/Articles/612153/
Yet a third answer: memcpy() probably isn't much more efficient. You might save a few instructions here and there in principle, but those setup and checking instructions are going to be negligible once you're copying anything more than the smallest quantities of data.
I am making a /proc entry for my driver. So, in the read callback function the first argument is the location into which we write the data intended for the user. I searched on how to write the data in it and i could see that everybody is using sprintf for this purpose. I am surprised to see that it works in kernel space. However this should be wrong to use a user space function in kernel space. Also i cant figure out how to write in that location without using any user space function like strcpy, sprintf, etc. I am using kernel version 3.9.10. Please suggest me how i should do this without using sprintf or any other user space function.
Most of the 'normal' user-space functions would make no sense in kernel code, so they are not available in the kernel.
However, some functions like sprintf, strcpy, or memcpy are useful in kernel code, so the kernel implements them (more or less completely) and makes them available for drivers.
See include/linux/kernel.h and string.h.
sprintf is a kernel-space function in Linux. It is totally separate from its user-space namesake and may or may not work identically to it.
Just because a function in user-space exist, it does not mean an identically named function in kernel-space cannot.
Hopefully the title is clear. I have a chunk of memory obtained via mmap(). After some time, I have concluded that I no longer need the data within this range. I still wish to keep this range, however. That is, I do not want to call mummap(). I'm trying to be a good citizen and not make the system swap more than it needs.
Is there a way to tell the Linux kernel that if the given page is backed by a physical page and if the kernel decides it needs that physical page, do not bother writing that page to swap?
I imagine under the hood this magical function call would destroy any mapping between the given virtual page and physical page, if present, without writing to swap first.
Your question (as stated) makes no sense.
Let's assume that there was a way for you to tell the kernel to do what you want.
Let's further assume that it did need the extra RAM, so it took away your page, and didn't swap it out.
Now your program tries to read that page (since you didn't want to munmap the data, presumably you might try to access it). What is the kernel to do? The choices I see:
it can give you a new page filled with 0s.
it can give you SIGSEGV
If you wanted choice 2, you could achieve the same result with munmap.
If you wanted choice 1, you could mremap over the existing mapping with MAP_ANON (or munmap followed by new mmap).
In either case, you can't depend on the old data being there when you need it.
The only way your question would make sense is if there was some additional mechanism for the kernel to let you know that it is taking away your page (e.g. send you a special signal). But the situation you described is likely rare enough to warrant additional complexity.
EDIT:
You might be looking for madvise(..., MADV_DONTNEED)
You could munmap the region, then mmap it again with MAP_NORESERVE
If you know at initial mapping time that swapping is not needed, use MAP_NORESERVE
Can you recommend a good debugging malloc library for linux? I know there are a lot of options out there, I just need to know which libraries people are actually using to solve real-life problems.
Thanks!
EDIT: I know about Valgrind, but sometimes the performance is really too low.
Valgrind. :-) It's not a malloc library, but, it's really good at finding memory management and memory usage bugs.
http://valgrind.org/ for finding memory leaks and heap corruption.
http://dmalloc.com/ for general purpose heap debugging.
gcc now comes with sanitizers which are much more faster than valgrind. you can check different compiler options under -fsanitize. More info here
The GNU C library itself has some debugging features and hooks you can use to add your own.
For documentation on a Linux system type info libc and then g Heap<TAB>. Another useful info node is "Hooks for Malloc", you can get there with g Hooks<TAB>
This might not be very useful to you, but you could write your own malloc wrapper. In our special "diagnostic" builds it keeps a table of all outstanding allocations (including the file name and line number where the allocation occurred) and prints out anything that was still outstanding at exit time. It also uses canary words (to check for buffer overflows) and a combination of memory re-writing and block checksumming after free and before reallocation (to check for use-after-free).
If your product is sufficiently large it might be annoying to have to find-replace your entire source, hoping for the best. Also, the development time for your own malloc wrapper is probably not negligible. Doing lots of heavyweight stuff like what I mentioned above probably won't help out your speed problem, either. Writing your own wrapper would allow the most flexibility, though.