X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/ee3c2fea18d0c940c2256c6bf041f546c703c375..b7c6d0ccbc57c958954205b2c9d70528b9688c1a:/src/src/store.c diff --git a/src/src/store.c b/src/src/store.c index 9d155821b..8603a8fb1 100644 --- a/src/src/store.c +++ b/src/src/store.c @@ -3,7 +3,7 @@ *************************************************/ /* Copyright (c) University of Cambridge 1995 - 2018 */ -/* Copyright (c) The Exim maintainers 2019 - 2020 */ +/* Copyright (c) The Exim maintainers 2019 - 2021 */ /* See the file NOTICE for conditions of use and distribution. */ /* Exim gets and frees all its store through these functions. In the original @@ -41,6 +41,9 @@ The following different types of store are recognized: a single message transaction but needed for longer than the use of the main pool permits. Currently this means only receive-time DKIM information. +- There is a dedicated pool for configuration data read from the config file(s). + Once complete, it is made readonly. + . Orthogonal to the three pool types, there are two classes of memory: untainted and tainted. The latter is used for values derived from untrusted input, and the string-expansion mechanism refuses to operate on such values (obviously, @@ -105,10 +108,21 @@ length. */ (((sizeof(storeblock) + alignment - 1) / alignment) * alignment) /* Size of block to get from malloc to carve up into smaller ones. This -must be a multiple of the alignment. We assume that 8192 is going to be -suitably aligned. */ - -#define STORE_BLOCK_SIZE (8192 - ALIGNED_SIZEOF_STOREBLOCK) +must be a multiple of the alignment. We assume that 4096 is going to be +suitably aligned. Double the size per-pool for every malloc, to mitigate +certain denial-of-service attacks. Don't bother to decrease on block frees. +We waste average half the current alloc size per pool. This could be several +hundred kB now, vs. 4kB with a constant-size block size. But the search time +for is_tainted(), linear in the number of blocks for the pool, is O(n log n) +rather than O(n^2). +A test of 2000 RCPTs and just accept ACL had 370kB in 21 blocks before, +504kB in 6 blocks now, for the untainted-main (largest) pool. +Builds for restricted-memory system can disable the expansion by +defining RESTRICTED_MEMORY */ +/*XXX should we allow any for malloc's own overhead? But how much? */ + +/* #define RESTRICTED_MEMORY */ +#define STORE_BLOCK_SIZE(order) ((1U << (order)) - ALIGNED_SIZEOF_STOREBLOCK) /* Variables holding data for the local pools of store. The current pool number is held in store_pool, which is global so that it can be changed from outside. @@ -121,6 +135,7 @@ static storeblock *chainbase[NPOOLS]; static storeblock *current_block[NPOOLS]; static void *next_yield[NPOOLS]; static int yield_length[NPOOLS]; +static unsigned store_block_order[NPOOLS]; /* pool_malloc holds the amount of memory used by the store pools; this goes up and down as store is reset or released. nonpool_malloc is the total got by @@ -142,6 +157,7 @@ static int nbytes[NPOOLS]; /* current bytes allocated */ static int maxbytes[NPOOLS]; /* max number reached */ static int nblocks[NPOOLS]; /* current number of blocks allocated */ static int maxblocks[NPOOLS]; +static unsigned maxorder[NPOOLS]; static int n_nonpool_blocks; /* current number of direct store_malloc() blocks */ static int max_nonpool_blocks; static int max_pool_malloc; /* max value for pool_malloc */ @@ -152,28 +168,31 @@ static int max_nonpool_malloc; /* max value for nonpool_malloc */ static const uschar * pooluse[NPOOLS] = { [POOL_MAIN] = US"main", [POOL_PERM] = US"perm", +[POOL_CONFIG] = US"config", [POOL_SEARCH] = US"search", [POOL_MESSAGE] = US"message", [POOL_TAINT_MAIN] = US"main", [POOL_TAINT_PERM] = US"perm", -[POOL_TAINT_SEARCH] = US"search", +[POOL_TAINT_CONFIG] = US"config", [POOL_TAINT_SEARCH] = US"search", [POOL_TAINT_MESSAGE] = US"message", }; static const uschar * poolclass[NPOOLS] = { [POOL_MAIN] = US"untainted", [POOL_PERM] = US"untainted", +[POOL_CONFIG] = US"untainted", [POOL_SEARCH] = US"untainted", [POOL_MESSAGE] = US"untainted", [POOL_TAINT_MAIN] = US"tainted", [POOL_TAINT_PERM] = US"tainted", +[POOL_TAINT_CONFIG] = US"tainted", [POOL_TAINT_SEARCH] = US"tainted", [POOL_TAINT_MESSAGE] = US"tainted", }; #endif -static void * internal_store_malloc(int, const char *, int); +static void * internal_store_malloc(size_t, const char *, int); static void internal_store_free(void *, const char *, int linenumber); /******************************************************************************/ @@ -183,7 +202,11 @@ static initialisers. */ void store_init(void) { -for (int i = 0; i < NPOOLS; i++) yield_length[i] = -1; +for (int i = 0; i < NPOOLS; i++) + { + yield_length[i] = -1; + store_block_order[i] = 12; /* log2(allocation_size) ie. 4kB */ + } } /******************************************************************************/ @@ -228,6 +251,19 @@ log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Taint mismatch, %s: %s %d\n", +/******************************************************************************/ +void +store_writeprotect(int pool) +{ +#if !defined(COMPILE_UTILITY) && !defined(MISSING_POSIX_MEMALIGN) +for (storeblock * b = chainbase[pool]; b; b = b->next) + if (mprotect(b, ALIGNED_SIZEOF_STOREBLOCK + b->length, PROT_READ) != 0) + DEBUG(D_any) debug_printf("config block mprotect: (%d) %s\n", errno, strerror(errno)); +#endif +} + +/******************************************************************************/ + /************************************************* * Get a block from the current pool * *************************************************/ @@ -247,10 +283,21 @@ Returns: pointer to store (panic on malloc failure) */ void * -store_get_3(int size, BOOL tainted, const char *func, int linenumber) +store_get_3(int size, BOOL tainted, const char * func, int linenumber) { int pool = tainted ? store_pool + POOL_TAINT_BASE : store_pool; +/* Ensure we've been asked to allocate memory. +A negative size is a sign of a security problem. +A zero size might be also suspect, but our internal usage deliberately +does this to return a current watermark value for a later release of +allocated store. */ + +if (size < 0 || size >= INT_MAX/2) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, + "bad memory allocation requested (%d bytes) at %s %d", + size, func, linenumber); + /* Round up the size to a multiple of the alignment. Although this looks a messy statement, because "alignment" is a constant expression, the compiler can do a reasonable job of optimizing, especially if the value of "alignment" is a @@ -265,7 +312,9 @@ these functions are mostly called for small amounts of store. */ if (size > yield_length[pool]) { - int length = size <= STORE_BLOCK_SIZE ? STORE_BLOCK_SIZE : size; + int length = MAX( + STORE_BLOCK_SIZE(store_block_order[pool]) - ALIGNED_SIZEOF_STOREBLOCK, + size); int mlength = length + ALIGNED_SIZEOF_STOREBLOCK; storeblock * newblock; @@ -294,9 +343,27 @@ if (size > yield_length[pool]) if (++nblocks[pool] > maxblocks[pool]) maxblocks[pool] = nblocks[pool]; - newblock = internal_store_malloc(mlength, func, linenumber); +#ifndef MISSING_POSIX_MEMALIGN + if (pool == POOL_CONFIG) + { + long pgsize = sysconf(_SC_PAGESIZE); + int err = posix_memalign((void **)&newblock, + pgsize, (mlength + pgsize - 1) & ~(pgsize - 1)); + if (err) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, + "failed to alloc (using posix_memalign) %d bytes of memory: '%s'" + "called from line %d in %s", + size, strerror(err), linenumber, func); + } + else +#endif + newblock = internal_store_malloc(mlength, func, linenumber); newblock->next = NULL; newblock->length = length; +#ifndef RESTRICTED_MEMORY + if (store_block_order[pool]++ > maxorder[pool]) + maxorder[pool] = store_block_order[pool]; +#endif if (!chainbase[pool]) chainbase[pool] = newblock; @@ -351,9 +418,9 @@ Returns: pointer to store (panic on malloc failure) */ void * -store_get_perm_3(int size, BOOL tainted, const char *func, int linenumber) +store_get_perm_3(int size, BOOL tainted, const char * func, int linenumber) { -void *yield; +void * yield; int old_pool = store_pool; store_pool = POOL_PERM; yield = store_get_3(size, tainted, func, linenumber); @@ -394,6 +461,11 @@ int pool = tainted ? store_pool + POOL_TAINT_BASE : store_pool; int inc = newsize - oldsize; int rounded_oldsize = oldsize; +if (oldsize < 0 || newsize < oldsize || newsize >= INT_MAX/2) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, + "bad memory extension requested (%d -> %d bytes) at %s %d", + oldsize, newsize, func, linenumber); + /* Check that the block being extended was already of the required taint status; refuse to extend if not. */ @@ -426,6 +498,14 @@ return TRUE; +static BOOL +is_pwr2_size(int len) +{ +unsigned x = len; +return (x & (x - 1)) == 0; +} + + /************************************************* * Back up to a previous point on the stack * *************************************************/ @@ -436,7 +516,8 @@ not call with a pointer returned by store_get(). Both the untainted and tainted pools corresposding to store_pool are reset. Arguments: - r place to back up to + ptr place to back up to + pool pool holding the pointer func function from which called linenumber line number in source file @@ -497,11 +578,11 @@ current_block[pool] = b; /* Free any subsequent block. Do NOT free the first successor, if our current block has less than 256 bytes left. This should prevent us from flapping memory. However, keep this block only when it has -the default size. */ +a power-of-two size so probably is not a custom inflated one. */ if ( yield_length[pool] < STOREPOOL_MIN_SIZE && b->next - && b->next->length == STORE_BLOCK_SIZE) + && is_pwr2_size(b->next->length + ALIGNED_SIZEOF_STOREBLOCK)) { b = b->next; #ifndef COMPILE_UTILITY @@ -514,11 +595,13 @@ if ( yield_length[pool] < STOREPOOL_MIN_SIZE } bb = b->next; -b->next = NULL; +if (pool != POOL_CONFIG) + b->next = NULL; while ((b = bb)) { int siz = b->length + ALIGNED_SIZEOF_STOREBLOCK; + #ifndef COMPILE_UTILITY if (debug_store) assert_no_variables(b, b->length + ALIGNED_SIZEOF_STOREBLOCK, @@ -528,7 +611,12 @@ while ((b = bb)) nbytes[pool] -= siz; pool_malloc -= siz; nblocks[pool]--; - internal_store_free(b, func, linenumber); + if (pool != POOL_CONFIG) + internal_store_free(b, func, linenumber); + +#ifndef RESTRICTED_MEMORY + if (store_block_order[pool] > 13) store_block_order[pool]--; +#endif } /* Cut out the debugging stuff for utilities, but stop picky compilers from @@ -536,7 +624,7 @@ giving warnings. */ #ifndef COMPILE_UTILITY DEBUG(D_memory) - debug_printf("---%d Rst %6p %5d %-14s %4d %d\n", pool, ptr, + debug_printf("---%d Rst %6p %5d %-14s %4d\tpool %d\n", pool, ptr, count + oldmalloc - pool_malloc, func, linenumber, pool_malloc); #endif /* COMPILE_UTILITY */ @@ -620,7 +708,7 @@ for (int pool = 0; pool < nelem(current_block); pool++) #ifndef COMPILE_UTILITY DEBUG(D_memory) - debug_printf("---%d Rel %6p %5d %-14s %4d %d\n", pool, ptr, count, + debug_printf("---%d Rel %6p %5d %-14s %4d\tpool %d\n", pool, ptr, count, func, linenumber, pool_malloc); #endif return; @@ -638,6 +726,12 @@ store_mark_3(const char *func, int linenumber) { void ** p; +#ifndef COMPILE_UTILITY +DEBUG(D_memory) + debug_printf("---%d Mrk %-14s %4d\tpool %d\n", + store_pool, func, linenumber, pool_malloc); +#endif /* COMPILE_UTILITY */ + if (store_pool >= POOL_TAINT_BASE) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "store_mark called for pool %d: %s %d\n", store_pool, func, linenumber); @@ -698,7 +792,7 @@ for (storeblock * b = chainbase[pool]; b; b = b->next) memset(bb, 0xF0, bb->length+ALIGNED_SIZEOF_STOREBLOCK); #endif /* COMPILE_UTILITY */ - free(bb); + internal_store_free(bb, func, linenumber); return; } } @@ -742,6 +836,11 @@ if (is_tainted(block) != tainted) die_tainted(US"store_newblock", CUS func, linenumber); #endif +if (len < 0 || len > newsize) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, + "bad memory extension requested (%d -> %d bytes) at %s %d", + len, newsize, func, linenumber); + newtext = store_get(newsize, tainted); memcpy(newtext, block, len); if (release_ok) store_release_3(block, pool, func, linenumber); @@ -768,16 +867,30 @@ Returns: pointer to gotten store (panic on failure) */ static void * -internal_store_malloc(int size, const char *func, int line) +internal_store_malloc(size_t size, const char *func, int line) { void * yield; +/* Check specifically for a possibly result of conversion from +a negative int, to the (unsigned, wider) size_t */ + +if (size >= INT_MAX/2) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, + "bad memory allocation requested (" SIZE_T_FMT " bytes) at %s %d", + size, func, line); + +size += sizeof(size_t); /* space to store the size, used under debug */ if (size < 16) size = 16; -if (!(yield = malloc((size_t)size))) - log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to malloc %d bytes of memory: " +if (!(yield = malloc(size))) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to malloc " SIZE_T_FMT " bytes of memory: " "called from line %d in %s", size, line, func); +#ifndef COMPILE_UTILITY +DEBUG(D_any) *(size_t *)yield = size; +#endif +yield = US yield + sizeof(size_t); + if ((nonpool_malloc += size) > max_nonpool_malloc) max_nonpool_malloc = nonpool_malloc; @@ -789,8 +902,8 @@ giving warnings. */ is not filled with zeros so as to catch problems. */ if (f.running_in_test_harness) - memset(yield, 0xF0, (size_t)size); -DEBUG(D_memory) debug_printf("--Malloc %6p %5d bytes\t%-14s %4d\tpool %5d nonpool %5d\n", + memset(yield, 0xF0, size - sizeof(size_t)); +DEBUG(D_memory) debug_printf("--Malloc %6p %5lu bytes\t%-20s %4d\tpool %5d nonpool %5d\n", yield, size, func, line, pool_malloc, nonpool_malloc); #endif /* COMPILE_UTILITY */ @@ -798,7 +911,7 @@ return yield; } void * -store_malloc_3(int size, const char *func, int linenumber) +store_malloc_3(size_t size, const char *func, int linenumber) { if (n_nonpool_blocks++ > max_nonpool_blocks) max_nonpool_blocks = n_nonpool_blocks; @@ -823,11 +936,13 @@ Returns: nothing static void internal_store_free(void * block, const char * func, int linenumber) { +uschar * p = US block - sizeof(size_t); #ifndef COMPILE_UTILITY -DEBUG(D_memory) - debug_printf("----Free %6p %-20s %4d\n", block, func, linenumber); -#endif /* COMPILE_UTILITY */ -free(block); +DEBUG(D_any) nonpool_malloc -= *(size_t *)p; +DEBUG(D_memory) debug_printf("----Free %6p %5ld bytes\t%-20s %4d\n", + block, *(size_t *)p, func, linenumber); +#endif +free(p); } void @@ -849,8 +964,9 @@ DEBUG(D_memory) (max_nonpool_malloc+1023)/1024, max_nonpool_blocks); debug_printf("----Exit npools max: %3d kB\n", max_pool_malloc/1024); for (int i = 0; i < NPOOLS; i++) - debug_printf("----Exit pool %d max: %3d kB in %d blocks\t%s %s\n", - i, maxbytes[i]/1024, maxblocks[i], poolclass[i], pooluse[i]); + debug_printf("----Exit pool %d max: %3d kB in %d blocks at order %u\t%s %s\n", + i, (maxbytes[i]+1023)/1024, maxblocks[i], maxorder[i], + poolclass[i], pooluse[i]); } #endif }