Merge 96836f463b into 33ed3027ab

Instead of protecting the global read-only data structure after startup
via the read-only flag, which can be reverted, use the in Linux 6.10
introduced irreversible syscall mseal(2).

README.md

@@ -159,8 +159,11 @@ line to the `/etc/ld.so.preload` configuration file:
 The format of this configuration file is a whitespace-separated list, so it's
 good practice to put each library on a separate line.
 
-On Debian systems `libhardened_malloc.so` should be installed into `/usr/lib/`
-to avoid preload failures caused by AppArmor profile restrictions.
+For maximum compatibility `libhardened_malloc.so` can be installed into
+`/usr/lib/` to avoid preload failures caused by AppArmor profiles or systemd
+ExecPaths= restrictions. Check for logs of the following format:
+
+    ERROR: ld.so: object '/usr/local/lib/libhardened_malloc.so' from /etc/ld.so.preload cannot be preloaded (failed to map segment from shared object): ignored.
 
 Using the `LD_PRELOAD` environment variable to load it on a case-by-case basis
 will not work when `AT_SECURE` is set such as with setuid binaries. It's also

androidtest/memtag/memtag_test.cc

@@ -44,7 +44,7 @@ void *set_pointer_tag(void *ptr, u8 tag) {
     return (void *) (((uintptr_t) tag << 56) | (uintptr_t) untag_pointer(ptr));
 }
 
-// This test checks that slab slot allocation uses tag that is distint from tags of its neighbors
+// This test checks that slab slot allocation uses tag that is distinct from tags of its neighbors
 // and from the tag of the previous allocation that used the same slot
 void tag_distinctness() {
     // tag 0 is reserved

h_malloc.c

@@ -1295,7 +1295,12 @@ COLD static void init_slow_path(void) {
 
     atomic_store_explicit(&ro.slab_region_end, slab_region_end, memory_order_release);
 
+#if defined(__ANDROID__) && defined(HAS_ARM_MTE)
+    /* Do not seal to support disabling memory tagging */
     if (unlikely(memory_protect_ro(&ro, sizeof(ro)))) {
+#else
+    if (unlikely(memory_protect_seal(&ro, sizeof(ro)))) {
+#endif
         fatal_error("failed to protect allocator data");
     }
     memory_set_name(&ro, sizeof(ro), "malloc read-only after init");

memory.c

@@ -1,6 +1,8 @@
 #include <errno.h>
+#include <unistd.h>
 
 #include <sys/mman.h>
+#include <sys/syscall.h>
 
 #ifdef LABEL_MEMORY
 #include <sys/prctl.h>
@@ -91,6 +93,22 @@ bool memory_protect_rw_metadata(void *ptr, size_t size) {
     return memory_protect_prot(ptr, size, PROT_READ|PROT_WRITE, get_metadata_key());
 }
 
+COLD bool memory_protect_seal(void *ptr, size_t size) {
+#if defined(__linux__) && defined(__NR_mseal)
+    /* supported since Linux 6.10 */
+    int ret = syscall(__NR_mseal, ptr, size, 0);
+    if (ret == 0)
+        return false;
+    if (unlikely(errno == ENOMEM))
+        return true;
+    if (errno == ENOSYS)
+        return memory_protect_ro(ptr, size);
+    fatal_error("non-ENOMEM and non-ENOSYS mseal failure");
+#else
+    return memory_protect_ro(ptr, size);
+#endif
+}
+
 #ifdef HAVE_COMPATIBLE_MREMAP
 bool memory_remap(void *old, size_t old_size, size_t new_size) {
     void *ptr = mremap(old, old_size, new_size, 0);

memory.h

@@ -22,6 +22,7 @@ bool memory_unmap(void *ptr, size_t size);
 bool memory_protect_ro(void *ptr, size_t size);
 bool memory_protect_rw(void *ptr, size_t size);
 bool memory_protect_rw_metadata(void *ptr, size_t size);
+bool memory_protect_seal(void *ptr, size_t size);
 #ifdef HAVE_COMPATIBLE_MREMAP
 bool memory_remap(void *old, size_t old_size, size_t new_size);
 bool memory_remap_fixed(void *old, size_t old_size, void *new, size_t new_size);

test/test_smc.py

@@ -98,7 +98,7 @@ class TestSimpleMemoryCorruption(unittest.TestCase):
         self.assertEqual(stderr.decode("utf-8"),
                          "fatal allocator error: invalid free\n")
 
-    def test_invalid_malloc_usable_size_small_quarantene(self):
+    def test_invalid_malloc_usable_size_small_quarantine(self):
         _stdout, stderr, returncode = self.run_test(
             "invalid_malloc_usable_size_small_quarantine")
         self.assertEqual(returncode, -6)