1 /*
2  * Copyright (C) 2018 The Android Open Source Project
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  *  * Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  *  * Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in
12  *    the documentation and/or other materials provided with the
13  *    distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
16  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
17  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
18  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
19  * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
20  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
21  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
22  * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
23  * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
24  * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
25  * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26  * SUCH DAMAGE.
27  */
28 
29 #pragma once
30 
31 #include <malloc.h>
32 #include <stdbool.h>
33 #include <stdint.h>
34 
35 // Structures for android_mallopt.
36 
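// Descriptor exchanged with android_mallopt() for the leak-info opcodes:
// M_GET_MALLOC_LEAK_INFO takes a pointer to it, and M_FREE_MALLOC_LEAK_INFO
// takes the same struct to free the memory the GET call allocated and returned.
// Both opcodes document arg_size as sizeof(android_mallopt_leak_info_t).
//
// (The listing's line-number gutter was fused into every source line; it is
// removed here so the declaration parses.)
typedef struct {
  // Pointer to the buffer allocated by a call to M_GET_MALLOC_LEAK_INFO.
  // The memory is freed with M_FREE_MALLOC_LEAK_INFO; pair the two calls so
  // the buffer is neither leaked nor used after it has been handed back.
  uint8_t* buffer;
  // The size of the "info" buffer.
  // NOTE(review): presumably the size in bytes of the memory `buffer` points
  // to -- confirm against the implementation.
  size_t overall_size;
  // The size of a single entry.
  // NOTE(review): this header does not state how entries are laid out inside
  // `buffer`. A consumer that walks the buffer should presumably check that
  // info_size is non-zero and that each entry lies within overall_size before
  // reading it -- confirm the invariant with the implementation.
  size_t info_size;
  // The sum of all allocations that have been tracked. Does not include
  // any heap overhead.
  size_t total_memory;
  // The maximum number of backtrace entries.
  size_t backtrace_size;
} android_mallopt_leak_info_t;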
50 
51 // Opcodes for android_mallopt.
52 
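// Opcode values accepted as the first argument of android_mallopt().
//
// Each enumerator is also defined as a macro that expands to itself, so a
// caller can test for the presence of an opcode with #ifdef.
// Value 8 is not assigned in this header.
//
// (The listing's line-number gutter was fused into every source line; it is
// removed here so the declaration parses.)
enum {
  // Marks the calling process as a profileable zygote child, possibly
  // initializing profiling infrastructure.
  M_INIT_ZYGOTE_CHILD_PROFILING = 1,
#define M_INIT_ZYGOTE_CHILD_PROFILING M_INIT_ZYGOTE_CHILD_PROFILING
  // NOTE(review): this opcode carries no description and no arg/arg_size
  // contract in this header -- document it from the implementation.
  M_RESET_HOOKS = 2,
#define M_RESET_HOOKS M_RESET_HOOKS
  // Set an upper bound on the total size in bytes of all allocations made
  // using the memory allocation APIs.
  //   arg = size_t*
  //   arg_size = sizeof(size_t)
  M_SET_ALLOCATION_LIMIT_BYTES = 3,
#define M_SET_ALLOCATION_LIMIT_BYTES M_SET_ALLOCATION_LIMIT_BYTES
  // Called after the zygote forks to indicate this is a child.
  M_SET_ZYGOTE_CHILD = 4,
#define M_SET_ZYGOTE_CHILD M_SET_ZYGOTE_CHILD

  // Options to dump backtraces of allocations. These options only
  // work when malloc debug has been enabled.

  // Writes the backtrace information of all current allocations to a file.
  // NOTE: arg_size has to be sizeof(FILE*) because FILE is an opaque type.
  //   arg = FILE*
  //   arg_size = sizeof(FILE*)
  // NOTE(review): the dump presumably contains code addresses of this
  // process; if so, the destination file should be readable only by the
  // parties meant to see them -- confirm the output format.
  M_WRITE_MALLOC_LEAK_INFO_TO_FILE = 5,
#define M_WRITE_MALLOC_LEAK_INFO_TO_FILE M_WRITE_MALLOC_LEAK_INFO_TO_FILE
  // Get information about the backtraces of all current allocations.
  // NOTE(review): the original sentence stopped after "all"; it is completed
  // here by analogy with M_WRITE_MALLOC_LEAK_INFO_TO_FILE -- confirm.
  // The call allocates android_mallopt_leak_info_t::buffer; release it with
  // M_FREE_MALLOC_LEAK_INFO.
  //   arg = android_mallopt_leak_info_t*
  //   arg_size = sizeof(android_mallopt_leak_info_t)
  M_GET_MALLOC_LEAK_INFO = 6,
#define M_GET_MALLOC_LEAK_INFO M_GET_MALLOC_LEAK_INFO
  // Free the memory allocated and returned by M_GET_MALLOC_LEAK_INFO.
  //   arg = android_mallopt_leak_info_t*
  //   arg_size = sizeof(android_mallopt_leak_info_t)
  M_FREE_MALLOC_LEAK_INFO = 7,
#define M_FREE_MALLOC_LEAK_INFO M_FREE_MALLOC_LEAK_INFO
  // Query whether the current process is considered to be profileable by the
  // Android platform. Result is assigned to the arg pointer's destination.
  //   arg = bool*
  //   arg_size = sizeof(bool)
  M_GET_PROCESS_PROFILEABLE = 9,
#define M_GET_PROCESS_PROFILEABLE M_GET_PROCESS_PROFILEABLE
  // Maybe enable GWP-ASan. Set *arg to force GWP-ASan to be turned on,
  // otherwise this mallopt() will internally decide whether to sample the
  // process. The program must be single threaded at the point when the
  // android_mallopt function is called.
  //   arg = android_mallopt_gwp_asan_options_t*
  //   arg_size = sizeof(android_mallopt_gwp_asan_options_t)
  M_INITIALIZE_GWP_ASAN = 10,
#define M_INITIALIZE_GWP_ASAN M_INITIALIZE_GWP_ASAN
  // Query whether memtag stack is enabled for this process.
  // NOTE(review): arg and arg_size are not documented for this opcode;
  // presumably a bool* result like M_GET_PROCESS_PROFILEABLE -- confirm.
  M_MEMTAG_STACK_IS_ON = 11,
#define M_MEMTAG_STACK_IS_ON M_MEMTAG_STACK_IS_ON
};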
107 
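// Options passed with android_mallopt(M_INITIALIZE_GWP_ASAN).
//
// The struct carries a tag name in addition to the typedef: since C++20 an
// unnamed class that takes its name from a typedef may not have default
// member initializers, and both data members below have one (clang reports
// the unnamed form under -Wnon-c-typedef-for-linkage). The type is still
// spelled android_mallopt_gwp_asan_options_t everywhere.
//
// (The listing's line-number gutter was fused into every source line; it is
// removed here so the declaration parses.)
typedef struct android_mallopt_gwp_asan_options_t {
  // The null-terminated name that the zygote is spawning. Because native
  // SpecializeCommon (where the GWP-ASan mallopt() is called from) happens
  // before argv[0] is set, we need the zygote to tell us the new app name.
  // NOTE(review): only the pointer is stored here; how long the string must
  // stay valid is not stated in this header -- confirm with the implementation.
  const char* program_name = nullptr;

  // An android_mallopt(M_INITIALIZE_GWP_ASAN) is always issued on process
  // startup and app startup, regardless of whether GWP-ASan is desired or not.
  // This allows the process/app's desire to be overwritten by the
  // "libc.debug.gwp_asan.*.app_default" or "libc.debug.gwp_asan.*.<name>"
  // system properties, as well as the "GWP_ASAN_*" environment variables.
  //
  // Worth noting, the "libc.debug.gwp_asan.*.app_default" sysprops *do not*
  // apply to system apps. They use the "libc.debug.gwp_asan.*.system_default"
  // sysprops.
  enum Action {
    // Enable GWP-ASan. This is used by apps that have `gwpAsanMode=always` in
    // the manifest.
    TURN_ON_FOR_APP,
    // Enable GWP-ASan, but only a small percentage of the time. This is used by
    // system processes and system apps, and we use a lottery to determine which
    // processes have GWP-ASan enabled. This allows us to mitigate system-wide
    // memory overhead concerns, as each GWP-ASan enabled process uses ~70KiB of
    // extra memory.
    TURN_ON_WITH_SAMPLING,
    // Don't enable GWP-ASan, unless overwritten by a system property or
    // environment variable. This is used by apps that have `gwpAsanMode=never`
    // in the manifest. Prior to Android 14, this also was used by non-system
    // apps that didn't specify a `gwpAsanMode` in their manifest.
    DONT_TURN_ON_UNLESS_OVERRIDDEN,
    // Enable GWP-ASan, but only a small percentage of the time, and enable it
    // in the non-crashing ("recoverable") mode. In Android 14, this is used by
    // apps that don't specify `gwpAsanMode` (or use `gwpAsanMode=default`) in
    // their manifest. GWP-ASan will detect heap memory safety bugs in this
    // mode, and bug reports will be created by debuggerd, however the process
    // will recover and continue to function as if the memory safety bug wasn't
    // detected.
    // Because execution continues past the detected bug, a report in this mode
    // is a detection signal only; it does not stop the faulting access.
    TURN_ON_FOR_APP_SAMPLED_NON_CRASHING,
  };

  // Requested behaviour. The default leaves GWP-ASan off unless a system
  // property or environment variable overrides it (see Action above).
  Action desire = DONT_TURN_ON_UNLESS_OVERRIDDEN;
} android_mallopt_gwp_asan_options_t;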
150 
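// Manipulates bionic-specific handling of memory allocation APIs such as
// malloc. Only for use by the Android platform and APEXes.
//
//   opcode   - one of the M_* opcodes declared in this header.
//   arg      - opcode-specific argument; its type is listed beside each
//              opcode (for example size_t*, FILE*, bool*).
//   arg_size - the size value documented beside the opcode (for example
//              sizeof(size_t), sizeof(FILE*)).
//              NOTE(review): presumably a call whose arg_size does not match
//              the documented value is rejected -- confirm in the
//              implementation.
//
// On success, returns true. On failure, returns false and sets errno.
// Callers should check the result before reading anything the opcode was
// meant to write through arg.
//
// (The listing's line-number gutter was fused into every source line; it is
// removed here so the declaration parses.)
extern "C" bool android_mallopt(int opcode, void* arg, size_t arg_size);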