introduce secure level 5 which adds guard pages around each mimalloc page; use default secure level 4 as too many guard pages can reach OS limits (on VLA's for example)

Author: daanx

CMakeLists.txt

@@ -4,7 +4,8 @@ project(libmimalloc C CXX)
 set(CMAKE_C_STANDARD 11)
 set(CMAKE_CXX_STANDARD 17)
 
-option(MI_SECURE            "Use full security mitigations (like guard pages, allocation randomization, double-free mitigation, and free-list corruption detection)" OFF)
+option(MI_SECURE            "Use security mitigations (like meta data guard pages, allocation randomization, double-free mitigation, and free-list corruption detection)" OFF)
+option(MI_SECURE_FULL       "Use full security mitigations including guard pages at the end of each mimalloc page (may be expensive)" OFF)
 option(MI_PADDING           "Enable padding to detect heap block overflow (always on in DEBUG or SECURE mode, or with Valgrind/ASAN)" OFF)
 option(MI_OVERRIDE          "Override the standard malloc interface (i.e. define entry points for 'malloc', 'free', etc)" ON)
 option(MI_XMALLOC           "Enable abort() call on memory allocation failure by default" OFF)
@@ -106,7 +107,7 @@ endif()
 # -----------------------------------------------------------------------------
 
 message(STATUS "")
-if (NOT CMAKE_BUILD_TYPE)
+if(NOT CMAKE_BUILD_TYPE)
   if ("${CMAKE_BINARY_DIR}" MATCHES ".*((D|d)ebug|asan|tsan|ubsan|valgrind)$")
     message(STATUS "No build type selected, default to 'Debug'")
     set(CMAKE_BUILD_TYPE "Debug")
@@ -116,12 +117,12 @@ if (NOT CMAKE_BUILD_TYPE)
   endif()
 endif()
 
-if (CMAKE_GENERATOR MATCHES "^Visual Studio.*$")
+if(CMAKE_GENERATOR MATCHES "^Visual Studio.*$")
   message(STATUS "Note: when building with Visual Studio the build type is specified when building.")
   message(STATUS "For example: 'cmake --build . --config=Release")
 endif()
 
-if("${CMAKE_BINARY_DIR}" MATCHES ".*(S|s)ecure$")
+if(NOT MI_SECURE AND NOT MI_SECURE_FULL AND "${CMAKE_BINARY_DIR}" MATCHES ".*(S|s)ecure$")
   message(STATUS "Default to secure build")
   set(MI_SECURE "ON")
 endif()
@@ -221,8 +222,12 @@ if(WIN32)
   endif()
 endif()
 
-if(MI_SECURE)
-  message(STATUS "Set full secure build (MI_SECURE=ON)")
+if(MI_SECURE_FULL)
+  set(MI_SECURE ON)
+  message(STATUS "Set full secure build (MI_SECURE_FULL=ON)")
+  list(APPEND mi_defines MI_SECURE=5)
+elseif(MI_SECURE)
+  message(STATUS "Set secure build (MI_SECURE=ON)")
   list(APPEND mi_defines MI_SECURE=4)
 endif()
 

include/mimalloc/types.h

@@ -53,10 +53,11 @@ terms of the MIT license. A copy of the license can be found in the file
 // #define MI_STAT 1
 
 // Define MI_SECURE to enable security mitigations
-// #define MI_SECURE 1  // guard page around metadata
-// #define MI_SECURE 2  // guard page around each mimalloc page
+// #define MI_SECURE 1  // guard pages around meta data, randomize arena allocation addresses (like ASLR), abort on detected meta data corruption
+// #define MI_SECURE 2  // randomize relative allocation addresses (within mimalloc pages)
 // #define MI_SECURE 3  // encode free lists (detect corrupted free list (buffer overflow), and invalid pointer free)
-// #define MI_SECURE 4  // checks for double free. (may be more expensive)
+// #define MI_SECURE 4  // checks for double free (may be more expensive) (`-DMI_SECURE=ON`)
+// #define MI_SECURE 5  // guard page at the end of each mimalloc page (expensive!) (`-DMI_SECURE_FULL=ON`)
 
 #if !defined(MI_SECURE)
 #define MI_SECURE 0

src/page.c

@@ -619,8 +619,8 @@ static mi_decl_noinline void mi_page_free_list_extend( mi_page_t* const page, co
 ----------------------------------------------------------- */
 
 #define MI_MAX_EXTEND_SIZE    (4*1024)      // heuristic, one OS page seems to work well.
-#if (MI_SECURE>0)
-#define MI_MIN_EXTEND         (8*MI_SECURE) // extend at least by this many
+#if (MI_SECURE>=2)
+#define MI_MIN_EXTEND         (8*MI_SECURE) // extend at least by this many blocks
 #else
 #define MI_MIN_EXTEND         (1)
 #endif
@@ -663,7 +663,7 @@ static bool mi_page_extend_free(mi_heap_t* heap, mi_page_t* page, mi_tld_t* tld)
   mi_assert_internal(extend < (1UL<<16));
 
   // and append the extend the free list
-  if (extend < MI_MIN_SLICES || MI_SECURE==0) { //!mi_option_is_enabled(mi_option_secure)) {
+  if (extend < MI_MIN_SLICES || MI_SECURE<2) { //!mi_option_is_enabled(mi_option_secure)) {
     mi_page_free_list_extend(page, bsize, extend, &tld->stats );
   }
   else {
@@ -860,7 +860,7 @@ static inline mi_page_t* mi_find_free_page(mi_heap_t* heap, size_t size) {
   // check the first page: we even do this with candidate search or otherwise we re-search every time
   mi_page_t* page = pq->first;
   if (page != NULL) {
-   #if (MI_SECURE>=3) // in secure mode, we extend half the time to increase randomness
+   #if (MI_SECURE>=2) // in secure mode, we extend half the time to increase randomness
     if (page->capacity < page->reserved && ((_mi_heap_random_next(heap) & 1) == 1)) {
       mi_page_extend_free(heap, page, heap->tld);
       mi_assert_internal(mi_page_immediate_available(page));

src/prim/unix/prim.c

@@ -427,7 +427,7 @@ int _mi_prim_alloc(void* hint_addr, size_t size, size_t try_alignment, bool comm
 //---------------------------------------------
 
 static void unix_mprotect_hint(int err) {
-  #if defined(__linux__) && (MI_SECURE>=2) // guard page around every mimalloc page
+  #if defined(__linux__) && (MI_SECURE>=5) // guard page around every mimalloc page
   if (err == ENOMEM) {
     _mi_warning_message("The next warning may be caused by a low memory map limit.\n"
                         "  On Linux this is controlled by the vm.max_map_count -- maybe increase it?\n"

src/segment.c

@@ -113,7 +113,7 @@ static void mi_segment_insert_in_free_queue(mi_segment_t* segment, mi_segments_t
  Invariant checking
 ----------------------------------------------------------- */
 
-#if (MI_DEBUG >= 2) || (MI_SECURE >= 2)
+#if (MI_DEBUG >= 2) || (MI_SECURE >= 5)
 static size_t mi_segment_page_size(const mi_segment_t* segment) {
   if (segment->capacity > 1) {
     mi_assert_internal(segment->page_kind <= MI_PAGE_MEDIUM);
@@ -199,7 +199,7 @@ static void mi_segment_protect(mi_segment_t* segment, bool protect) {
     mi_assert_internal((segment->segment_info_size - os_psize) >= (sizeof(mi_segment_t) + ((segment->capacity - 1) * sizeof(mi_page_t))));
     mi_assert_internal(((uintptr_t)segment + segment->segment_info_size) % os_psize == 0);
     mi_segment_protect_range((uint8_t*)segment + segment->segment_info_size - os_psize, os_psize, protect);
-    #if (MI_SECURE >= 2)
+    #if (MI_SECURE >= 5)
     if (segment->capacity == 1)
     #endif
     {
@@ -218,7 +218,7 @@ static void mi_segment_protect(mi_segment_t* segment, bool protect) {
         mi_segment_protect_range(start, os_psize, protect);
       }
     }
-    #if (MI_SECURE >= 2)
+    #if (MI_SECURE >= 5)
     else {
       // or protect every page
       const size_t page_size = mi_segment_page_size(segment);
@@ -237,7 +237,7 @@ static void mi_segment_protect(mi_segment_t* segment, bool protect) {
 ----------------------------------------------------------- */
 
 static void mi_page_purge(mi_segment_t* segment, mi_page_t* page, mi_segments_tld_t* tld) {
-  // todo: should we purge the guard page as well when MI_SECURE>=2 ?
+  // todo: should we purge the guard page as well when MI_SECURE>=5 ?
   mi_assert_internal(page->is_committed);
   mi_assert_internal(!page->segment_in_use);
   if (!segment->allow_purge) return;
@@ -258,7 +258,7 @@ static bool mi_page_ensure_committed(mi_segment_t* segment, mi_page_t* page, mi_
   size_t psize;
   uint8_t* start = mi_segment_raw_page_start(segment, page, &psize);
   bool is_zero = false;
-  const size_t gsize = (MI_SECURE >= 2 ? _mi_os_page_size() : 0);
+  const size_t gsize = (MI_SECURE >= 5 ? _mi_os_page_size() : 0);
   bool ok = _mi_os_commit(start, psize + gsize, &is_zero);
   if (!ok) return false; // failed to commit!
   page->is_committed = true;
@@ -408,9 +408,9 @@ static uint8_t* mi_segment_raw_page_start(const mi_segment_t* segment, const mi_
     psize -= segment->segment_info_size;
   }
 
-#if (MI_SECURE > 1)  // every page has an os guard page
+#if (MI_SECURE>=5)  // every page has an os guard page
   psize -= _mi_os_page_size();
-#elif (MI_SECURE==1) // the last page has an os guard page at the end
+#elif (MI_SECURE>=1) // the last page has an os guard page at the end
   if (page->segment_idx == segment->capacity - 1) {
     psize -= _mi_os_page_size();
   }