Merge 96836f463b into a000fd4b5e

Instead of protecting the global read-only data structure after startup
via the read-only flag, which can be reverted, use the in Linux 6.10
introduced irreversible syscall mseal(2).

README.md

@@ -83,7 +83,7 @@ there will be custom integration offering better performance in the future
 along with other hardening for the C standard library implementation.
 
 For Android, only the current generation, actively developed maintenance branch of the Android
-Open Source Project will be supported, which currently means `android16-release`.
+Open Source Project will be supported, which currently means `android16-qpr1-release`.
 
 ## Testing
 

h_malloc.c

@@ -1295,7 +1295,12 @@ COLD static void init_slow_path(void) {
 
     atomic_store_explicit(&ro.slab_region_end, slab_region_end, memory_order_release);
 
+#if defined(__ANDROID__) && defined(HAS_ARM_MTE)
+    /* Do not seal to support disabling memory tagging */
     if (unlikely(memory_protect_ro(&ro, sizeof(ro)))) {
+#else
+    if (unlikely(memory_protect_seal(&ro, sizeof(ro)))) {
+#endif
         fatal_error("failed to protect allocator data");
     }
     memory_set_name(&ro, sizeof(ro), "malloc read-only after init");

memory.c

@@ -1,6 +1,8 @@
 #include <errno.h>
+#include <unistd.h>
 
 #include <sys/mman.h>
+#include <sys/syscall.h>
 
 #ifdef LABEL_MEMORY
 #include <sys/prctl.h>
@@ -91,6 +93,22 @@ bool memory_protect_rw_metadata(void *ptr, size_t size) {
     return memory_protect_prot(ptr, size, PROT_READ|PROT_WRITE, get_metadata_key());
 }
 
+COLD bool memory_protect_seal(void *ptr, size_t size) {
+#if defined(__linux__) && defined(__NR_mseal)
+    /* supported since Linux 6.10 */
+    int ret = syscall(__NR_mseal, ptr, size, 0);
+    if (ret == 0)
+        return false;
+    if (unlikely(errno == ENOMEM))
+        return true;
+    if (errno == ENOSYS)
+        return memory_protect_ro(ptr, size);
+    fatal_error("non-ENOMEM and non-ENOSYS mseal failure");
+#else
+    return memory_protect_ro(ptr, size);
+#endif
+}
+
 #ifdef HAVE_COMPATIBLE_MREMAP
 bool memory_remap(void *old, size_t old_size, size_t new_size) {
     void *ptr = mremap(old, old_size, new_size, 0);

memory.h

@@ -22,6 +22,7 @@ bool memory_unmap(void *ptr, size_t size);
 bool memory_protect_ro(void *ptr, size_t size);
 bool memory_protect_rw(void *ptr, size_t size);
 bool memory_protect_rw_metadata(void *ptr, size_t size);
+bool memory_protect_seal(void *ptr, size_t size);
 #ifdef HAVE_COMPATIBLE_MREMAP
 bool memory_remap(void *old, size_t old_size, size_t new_size);
 bool memory_remap_fixed(void *old, size_t old_size, void *new, size_t new_size);