1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "base/process/memory.h"
9 #include "base/file_util.h"
10 #include "base/files/file_path.h"
11 #include "base/logging.h"
12 #include "base/process/internal_linux.h"
13 #include "base/strings/string_number_conversions.h"
17 size_t g_oom_size = 0U;
21 void OnNoMemorySize(size_t size) {
25 LOG(FATAL) << "Out of memory, size = " << size;
26 LOG(FATAL) << "Out of memory.";
35 #if !defined(ADDRESS_SANITIZER) && !defined(MEMORY_SANITIZER) && \
36 !defined(THREAD_SANITIZER) && !defined(LEAK_SANITIZER)
38 #if defined(LIBC_GLIBC) && !defined(USE_TCMALLOC)
41 void* __libc_malloc(size_t size);
42 void* __libc_realloc(void* ptr, size_t size);
43 void* __libc_calloc(size_t nmemb, size_t size);
44 void* __libc_valloc(size_t size);
45 void* __libc_pvalloc(size_t size);
46 void* __libc_memalign(size_t alignment, size_t size);
48 // Overriding the system memory allocation functions:
50 // For security reasons, we want malloc failures to be fatal. Too much code
51 // doesn't check for a NULL return value from malloc and unconditionally uses
52 // the resulting pointer. If the first offset that they try to access is
53 // attacker controlled, then the attacker can direct the code to access any
56 // Thus, we define all the standard malloc functions here and mark them as
57 // visibility 'default'. This means that they replace the malloc functions for
58 // all Chromium code and also for all code in shared libraries. There are tests
59 // for this in process_util_unittest.cc.
61 // If we are using tcmalloc, then the problem is moot since tcmalloc handles
62 // this for us. Thus this code is in a !defined(USE_TCMALLOC) block.
64 // If we are testing the binary with AddressSanitizer, we should not
65 // redefine malloc and let AddressSanitizer do it instead.
67 // We call the real libc functions in this code by using __libc_malloc etc.
68 // Previously we tried using dlsym(RTLD_NEXT, ...) but that failed depending on
69 // the link order. Since ld.so needs calloc during symbol resolution, it
70 // defines its own versions of several of these functions in dl-minimal.c.
71 // Depending on the runtime library order, dlsym ended up giving us those
72 // functions and bad things happened. See crbug.com/31809
74 // This means that any code which calls __libc_* gets the raw libc versions of
77 #define DIE_ON_OOM_1(function_name) \
78 void* function_name(size_t) __attribute__ ((visibility("default"))); \
80 void* function_name(size_t size) { \
81 void* ret = __libc_##function_name(size); \
82 if (ret == NULL && size != 0) \
83 OnNoMemorySize(size); \
87 #define DIE_ON_OOM_2(function_name, arg1_type) \
88 void* function_name(arg1_type, size_t) \
89 __attribute__ ((visibility("default"))); \
91 void* function_name(arg1_type arg1, size_t size) { \
92 void* ret = __libc_##function_name(arg1, size); \
93 if (ret == NULL && size != 0) \
94 OnNoMemorySize(size); \
100 DIE_ON_OOM_1(pvalloc)
102 DIE_ON_OOM_2(calloc, size_t)
103 DIE_ON_OOM_2(realloc, void*)
104 DIE_ON_OOM_2(memalign, size_t)
106 // posix_memalign has a unique signature and doesn't have a __libc_ variant.
107 int posix_memalign(void** ptr, size_t alignment, size_t size)
108 __attribute__ ((visibility("default")));
110 int posix_memalign(void** ptr, size_t alignment, size_t size) {
111 // This will use the safe version of memalign, above.
112 *ptr = memalign(alignment, size);
120 // TODO(mostynb@opera.com): dlsym dance
122 #endif // LIBC_GLIBC && !USE_TCMALLOC
124 #endif // !*_SANITIZER
126 void EnableTerminationOnHeapCorruption() {
127 // On Linux, there nothing to do AFAIK.
130 void EnableTerminationOnOutOfMemory() {
131 #if defined(OS_ANDROID)
132 // Android doesn't support setting a new handler.
133 DLOG(WARNING) << "Not feasible.";
135 // Set the new-out of memory handler.
136 std::set_new_handler(&OnNoMemory);
137 // If we're using glibc's allocator, the above functions will override
138 // malloc and friends and make them die on out of memory.
142 // NOTE: This is not the only version of this function in the source:
143 // the setuid sandbox (in process_util_linux.c, in the sandbox source)
144 // also has its own C version.
145 bool AdjustOOMScore(ProcessId process, int score) {
146 if (score < 0 || score > kMaxOomScore)
149 FilePath oom_path(internal::GetProcPidDir(process));
151 // Attempt to write the newer oom_score_adj file first.
152 FilePath oom_file = oom_path.AppendASCII("oom_score_adj");
153 if (PathExists(oom_file)) {
154 std::string score_str = IntToString(score);
155 DVLOG(1) << "Adjusting oom_score_adj of " << process << " to "
157 int score_len = static_cast<int>(score_str.length());
158 return (score_len == file_util::WriteFile(oom_file,
163 // If the oom_score_adj file doesn't exist, then we write the old
164 // style file and translate the oom_adj score to the range 0-15.
165 oom_file = oom_path.AppendASCII("oom_adj");
166 if (PathExists(oom_file)) {
167 // Max score for the old oom_adj range. Used for conversion of new
168 // values to old values.
169 const int kMaxOldOomScore = 15;
171 int converted_score = score * kMaxOldOomScore / kMaxOomScore;
172 std::string score_str = IntToString(converted_score);
173 DVLOG(1) << "Adjusting oom_adj of " << process << " to " << score_str;
174 int score_len = static_cast<int>(score_str.length());
175 return (score_len == file_util::WriteFile(oom_file,