Changeset 52018 in vbox for trunk/src

Timestamp:

Jul 14, 2014 7:44:01 PM (11 years ago)

Author:

vboxsync

Message:

IPRT: Make RTMemSafer use the SUPR3 page allocation if available to allocate locked down memory. Change API to make allocation strategy tweakable to allow for pageable allocations where the support library is not available (build tools like bldRTSignTool) while still making sure the memory is non-pageable for sensitive data

Location:

trunk/src/VBox/Runtime

Files:

• common/math/bignum.cpp (modified) (3 diffs)
• generic/memsafer-generic.cpp (modified) (14 diffs)
• testcase/Makefile.kmk (modified) (2 diffs)
• testcase/tstRTMemSafer.cpp (added)

trunk/src/VBox/Runtime/common/math/bignum.cpp

@@ -118 +118 @@
     Assert(cbNew > cbOld);
 
-    void *pvNew;
+    void *pvNew = NULL;
     if (pBigNum->fSensitive)
-        pvNew = RTMemSaferReallocZ(cbOld, pBigNum->pauElements, cbNew);
+    {
+        int rc = RTMemSaferReallocZEx(cbOld, pBigNum->pauElements, cbNew, &pvNew, RTMEMSAFER_ALLOC_EX_ALLOW_PAGEABLE_BACKING);
+        Assert(VALID_PTR(pvNew) || RT_FAILURE(rc));
+    }
     else
         pvNew = RTMemRealloc(pBigNum->pauElements, cbNew);
@@ -323 +326 @@
         pBigNum->cAllocated = RT_ALIGN_32(pBigNum->cUsed, 4);
         if (pBigNum->fSensitive)
-            pBigNum->pauElements = (RTBIGNUMELEMENT *)RTMemSaferAllocZ(pBigNum->cAllocated * RTBIGNUM_ELEMENT_SIZE);
+        {
+            int rc = RTMemSaferAllocZEx((void **)&pBigNum->pauElements, pBigNum->cAllocated * RTBIGNUM_ELEMENT_SIZE,
+                                        RTMEMSAFER_ALLOC_EX_ALLOW_PAGEABLE_BACKING);
+            Assert(VALID_PTR(pBigNum->pauElements) || RT_FAILURE(rc));
+        }
         else
             pBigNum->pauElements = (RTBIGNUMELEMENT *)RTMemAlloc(pBigNum->cAllocated * RTBIGNUM_ELEMENT_SIZE);
@@ -457 +464 @@
         pBigNum->cAllocated = RT_ALIGN_32(pBigNum->cUsed, 4);
         if (pBigNum->fSensitive)
-            pBigNum->pauElements = (RTBIGNUMELEMENT *)RTMemSaferAllocZ(pBigNum->cAllocated * RTBIGNUM_ELEMENT_SIZE);
+        {
+            rc = RTMemSaferAllocZEx((void **)&pBigNum->pauElements, pBigNum->cAllocated * RTBIGNUM_ELEMENT_SIZE,
+                                    RTMEMSAFER_ALLOC_EX_ALLOW_PAGEABLE_BACKING);
+            Assert(VALID_PTR(pBigNum->pauElements) || RT_FAILURE(rc));
+        }
         else
             pBigNum->pauElements = (RTBIGNUMELEMENT *)RTMemAlloc(pBigNum->cAllocated * RTBIGNUM_ELEMENT_SIZE);

trunk/src/VBox/Runtime/generic/memsafer-generic.cpp

@@ -34 +34 @@
 #include <iprt/assert.h>
 #include <iprt/string.h>
+#if defined(IN_SUP_R3) && defined(VBOX) && !defined(RT_NO_GIP)
+# include <iprt/param.h>
+# include <VBox/sup.h>
+#endif /* IN_SUP_R3 */
 
 
@@ -46 +50 @@
 #define RTMEMSAFER_PAD_AFTER    32
 
+/*******************************************************************************
+*   Structures and Typedefs                                                    *
+*******************************************************************************/
+
+/**
+ * Supported allocation methods.
+ */
+typedef enum RTMEMSAFERALLOCMETHOD
+{
+    /** Invalid method. */
+    RTMEMSAFERALLOCMETHOD_INVALID = 0,
+    /** RTMem{Alloc|Free} methods, least secure!. */
+    RTMEMSAFERALLOCMETHOD_RTMEM,
+    /** Support library. */
+    RTMEMSAFERALLOCMETHOD_SUPR3,
+    /** 32bit hack. */
+    RTMEMSAFERALLOCMETHOD_32BIT_HACK = 0x7fffffff
+} RTMEMSAFERALLOCMETHOD;
+/** Pointer to a allocation method enum. */
+typedef RTMEMSAFERALLOCMETHOD *PRTMEMSAFERALLOCMETHOD;
+
+/**
+ * Memory header for safer memory allocations.
+ *
+ * @note: There is no magic value used deliberately to make identifying this structure
+ *        as hard as possible.
+ */
+typedef struct RTMEMSAFERHDR
+{
+    /** Flags passed to this allocation - used for freeing and reallocation. */
+    uint32_t              fFlags;
+    /** Allocation method used. */
+    RTMEMSAFERALLOCMETHOD enmAllocMethod;
+    /** Amount of bytes allocated. */
+    size_t                cb;
+} RTMEMSAFERHDR;
+/** Pointer to a safer memory header. */
+typedef RTMEMSAFERHDR *PRTMEMSAFERHDR;
+/** Make sure we are staying in the padding area. */
+AssertCompile(sizeof(RTMEMSAFERHDR) < RTMEMSAFER_PAD_BEFORE);
 
 /*******************************************************************************
 *   Global Variables                                                           *
 *******************************************************************************/
-/** XOR scrabler value.
+/** XOR scrambler value.
  * @todo determine this at runtime */
 #if ARCH_BITS == 32
@@ -62 +106 @@
 
 
+/**
+ * Support (SUPR3) based allocator.
+ *
+ * @returns VBox status code.
+ * @retval VERR_NOT_SUPPORTED if this allocation method is not supported in this
+ *         version of the library.
+ * @param  ppvNew    Where to store the pointer to the new buffer on success.
+ * @param  cb        Amount of bytes to allocate.
+ *
+ * @note: The allocation will have an extra page allocated before and after the
+ *        user area with all access rights removed to prevent heartbleed like
+ *        attacks.
+ */
+static int rtMemSaferSupR3Alloc(void **ppvNew, size_t cb)
+{
+#if defined(IN_SUP_R3) && defined(VBOX) && !defined(RT_NO_GIP)
+    /*
+     * Allocate locked memory from the support library.
+     * 
+     */
+    size_t cbUser = RT_ALIGN_Z(cb, PAGE_SIZE);
+    size_t cPages = cbUser / PAGE_SIZE + 2; /* For the extra guarding pages. */
+    void *pvNew = NULL;
+    int rc = SUPR3PageAllocEx(cPages, 0 /* fFlags */, &pvNew, NULL /* pR0Ptr */, NULL /* paPages */);
+    if (RT_SUCCESS(rc))
+    {
+        /* Change the memory protection of the pages guarding the allocation. */
+        rc = SUPR3PageProtect(pvNew, NIL_RTR0PTR, 0, PAGE_SIZE, RTMEM_PROT_NONE);
+        if (RT_SUCCESS(rc))
+        {
+            rc = SUPR3PageProtect(pvNew, NIL_RTR0PTR, PAGE_SIZE + cbUser, PAGE_SIZE, RTMEM_PROT_NONE);
+            if (RT_SUCCESS(rc))
+            {
+                *ppvNew = (uint8_t *)pvNew + PAGE_SIZE;
+                return VINF_SUCCESS;
+            }
+        }
+
+        rc = SUPR3PageFreeEx(pvNew, cPages);
+        AssertRC(rc);
+    }
+
+    return rc;
+#else
+    return VERR_NOT_SUPPORTED;
+#endif
+}
+
+
+/**
+ * Free method for memory allocated using the Support (SUPR3) based allocator.
+ *
+ * @returns nothing.
+ * @param   pv    Pointer to the memory to free.
+ * @param   cb    Amount of bytes allocated.
+ */
+static void rtMemSafeSupR3Free(void *pv, size_t cb)
+{
+#if defined(IN_SUP_R3) && defined(VBOX) && !defined(RT_NO_GIP)
+    size_t cbUser = RT_ALIGN_Z(cb, PAGE_SIZE);
+    size_t cPages = cbUser / PAGE_SIZE + 2; /* For the extra pages. */
+    void *pvStart = (uint8_t *)pv - PAGE_SIZE;
+
+    int rc = SUPR3PageFreeEx(pvStart, cPages);
+    AssertRC(rc);
+#else
+    AssertMsgFailed(("SUPR3 allocated memory but freeing is not supported, messed up\n"));
+#endif
+}
+
+
 RTDECL(int) RTMemSaferScramble(void *pv, size_t cb)
 {
-
-    AssertMsg(*(size_t *)((char *)pv - RTMEMSAFER_PAD_BEFORE) == cb,
-              ("*pvStart=%#zx cb=%#zx\n", *(size_t *)((char *)pv- RTMEMSAFER_PAD_BEFORE), cb));
+    PRTMEMSAFERHDR pHdr = (PRTMEMSAFERHDR)((char *)pv - RTMEMSAFER_PAD_BEFORE);
+    AssertMsg(pHdr->cb == cb, ("pHdr->cb=%#zx cb=%#zx\n", pHdr->cb, cb));
 
     /* Note! This isn't supposed to be safe, just less obvious. */
@@ -85 +199 @@
 RTDECL(int) RTMemSaferUnscramble(void *pv, size_t cb)
 {
-    AssertMsg(*(size_t *)((char *)pv - RTMEMSAFER_PAD_BEFORE) == cb,
-              ("*pvStart=%#zx cb=%#zx\n", *(size_t *)((char *)pv - RTMEMSAFER_PAD_BEFORE), cb));
+    PRTMEMSAFERHDR pHdr = (PRTMEMSAFERHDR)((char *)pv - RTMEMSAFER_PAD_BEFORE);
+    AssertMsg(pHdr->cb == cb, ("pHdr->cb=%#zx cb=%#zx\n", pHdr->cb, cb));
 
     /* Note! This isn't supposed to be safe, just less obvious. */
@@ -103 +217 @@
 
 
-RTDECL(int) RTMemSaferAllocZExTag(void **ppvNew, size_t cb, const char *pszTag) RT_NO_THROW
+RTDECL(int) RTMemSaferAllocZExTag(void **ppvNew, size_t cb, uint32_t fFlags, const char *pszTag) RT_NO_THROW
 {
     AssertReturn(cb, VERR_INVALID_PARAMETER);
@@ -111 +225 @@
     /*
      * Don't request zeroed memory.  We want random heap garbage in the
-     * padding zones, notthing that makes our allocations easier to find.
+     * padding zones, nothing that makes our allocations easier to find.
      */
+    RTMEMSAFERALLOCMETHOD enmAllocMethod = RTMEMSAFERALLOCMETHOD_SUPR3;
     size_t cbUser = RT_ALIGN_Z(cb, RTMEMSAFER_ALIGN);
-    void *pvNew = RTMemAlloc(cbUser + RTMEMSAFER_PAD_BEFORE + RTMEMSAFER_PAD_AFTER);
+    void *pvNew = NULL;
+    int rc = rtMemSaferSupR3Alloc(&pvNew, cbUser + RTMEMSAFER_PAD_BEFORE + RTMEMSAFER_PAD_AFTER);
+    if (   RT_FAILURE(rc)
+        && fFlags & RTMEMSAFER_ALLOC_EX_ALLOW_PAGEABLE_BACKING)
+    {
+        /* Pageable memory allowed. */
+        enmAllocMethod = RTMEMSAFERALLOCMETHOD_RTMEM;
+        pvNew = RTMemAlloc(cbUser + RTMEMSAFER_PAD_BEFORE + RTMEMSAFER_PAD_AFTER);
+    }
+
     if (pvNew)
     {
-#ifdef RT_STRICT /* For checking input in string builds. */
-        memset(pvNew, 0xad, RTMEMSAFER_PAD_BEFORE);
+        PRTMEMSAFERHDR pHdr = (PRTMEMSAFERHDR)pvNew;
+        pHdr->fFlags         = fFlags;
+        pHdr->cb             = cb;
+        pHdr->enmAllocMethod = enmAllocMethod;
+#ifdef RT_STRICT /* For checking input in strict builds. */
+        memset((char *)pvNew + sizeof(RTMEMSAFERHDR), 0xad, RTMEMSAFER_PAD_BEFORE - sizeof(RTMEMSAFERHDR));
         memset((char *)pvNew + RTMEMSAFER_PAD_BEFORE + cb, 0xda, RTMEMSAFER_PAD_AFTER + (cbUser - cb));
-        *(size_t *)pvNew = cb;
 #endif
 
@@ -131 +258 @@
         return VINF_SUCCESS;
     }
-    return VERR_NO_MEMORY;
+    return rc;
 }
 RT_EXPORT_SYMBOL(RTMemSaferAllocZExTag);
@@ -141 +268 @@
     {
         Assert(cb);
+
+        size_t cbUser = RT_ALIGN_Z(cb, RTMEMSAFER_ALIGN);
         void *pvStart = (char *)pv - RTMEMSAFER_PAD_BEFORE;
-        AssertMsg(*(size_t *)pvStart == cb, ("*pvStart=%#zx cb=%#zx\n", *(size_t *)pvStart, cb));
+        PRTMEMSAFERHDR pHdr = (PRTMEMSAFERHDR)pvStart;
+        AssertMsg(pHdr->cb == cb, ("pHdr->cb=%#zx cb=%#zx\n", pHdr->cb, cb));
+
         RTMemWipeThoroughly(pv, RT_ALIGN_Z(cb, RTMEMSAFER_ALIGN), 3);
-        RTMemFree(pvStart);
+
+        switch (pHdr->enmAllocMethod)
+        {
+            case RTMEMSAFERALLOCMETHOD_SUPR3:
+                rtMemSafeSupR3Free(pvStart, cbUser + RTMEMSAFER_PAD_BEFORE + RTMEMSAFER_PAD_AFTER);
+                break;
+            case RTMEMSAFERALLOCMETHOD_RTMEM:
+                RTMemFree(pvStart);
+                break;
+            default:
+                AssertMsgFailed(("Invalid allocation method, corrupted header\n"));
+        }
     }
     else
@@ -152 +294 @@
 
 
-RTDECL(int) RTMemSaferReallocZExTag(size_t cbOld, void *pvOld, size_t cbNew, void **ppvNew, const char *pszTag) RT_NO_THROW
+RTDECL(int) RTMemSaferReallocZExTag(size_t cbOld, void *pvOld, size_t cbNew, void **ppvNew, uint32_t fFlags, const char *pszTag) RT_NO_THROW
 {
     /*
@@ -163 +305 @@
     if (cbNew && cbOld)
     {
+        PRTMEMSAFERHDR pHdr = (PRTMEMSAFERHDR)((char *)pvOld - RTMEMSAFER_PAD_BEFORE);
         AssertPtr(pvOld);
         AssertMsg(*(size_t *)((char *)pvOld - RTMEMSAFER_PAD_BEFORE) == cbOld,
@@ -168 +311 @@
 
         void *pvNew;
-        rc = RTMemSaferAllocZExTag(&pvNew, cbNew, pszTag);
+        rc = RTMemSaferAllocZExTag(&pvNew, cbNew, pHdr->fFlags, pszTag);
         if (RT_SUCCESS(rc))
         {
@@ -180 +323 @@
     {
         Assert(pvOld == NULL);
-        rc = RTMemSaferAllocZExTag(ppvNew, cbNew, pszTag);
+        rc = RTMemSaferAllocZExTag(ppvNew, cbNew, fFlags, pszTag);
     }
     /* Free operation*/
@@ -196 +339 @@
 {
     void *pvNew = NULL;
-    int rc = RTMemSaferAllocZExTag(&pvNew, cb, pszTag);
+    int rc = RTMemSaferAllocZExTag(&pvNew, cb, RTMEMSAFER_ALLOC_EX_FLAGS_DEFAULT, pszTag);
     if (RT_SUCCESS(rc))
         return pvNew;
@@ -207 +350 @@
 {
     void *pvNew = NULL;
-    int rc = RTMemSaferReallocZExTag(cbOld, pvOld, cbNew, &pvNew, pszTag);
+    int rc = RTMemSaferReallocZExTag(cbOld, pvOld, cbNew, &pvNew, RTMEMSAFER_ALLOC_EX_FLAGS_DEFAULT, pszTag);
     if (RT_SUCCESS(rc))
         return pvNew;

trunk/src/VBox/Runtime/testcase/Makefile.kmk

@@ -90 +90 @@
         tstRTMemPool \
         tstRTMemWipe \
+        tstRTMemSafer \
         tstMove \
         tstRTMp-1 \
@@ -456 +457 @@
 tstRTMemWipe_SOURCES = tstRTMemWipe.cpp
 
+tstRTMemSafer_TEMPLATE = VBOXR3TSTEXE
+tstRTMemSafer_SOURCES = tstRTMemSafer.cpp
+
 tstMove_TEMPLATE = VBOXR3TSTEXE
 tstMove_SOURCES = tstMove.cpp