secmalloc.c: Small, Secure Malloc implementation.

README

This is a (probably incomplete) small, secure malloc implementation.

Background
==========

Regular malloc implementations such as dlmalloc, glibc's ptmalloc,
the old brk/sbrk/heap-based UNIX-malloc as well as jemalloc,
THEY ALL honor use-after-free bugs!!! As a result, every software
written for UNIX, Linux, OS X or BSD extensively relies on
use-after-free bugs. Even worse, major Libc implementations do a huge
effort in order to make sure, use-after-free contaminated software wont crash.
This is a giant security thread rendering major internet software insecure.

My malloc implementation is secure by default, as it calls mmap upon
EVERY malloc() and munmap on EVERY free(). It is guaranteed that every
use-after-free bug will cause an segmentation fault.

Still missing functions
=======================

#include <stdlib.h>

int posix_memalign(void **memptr, size_t alignment, size_t size);
void *aligned_alloc(size_t alignment, size_t size);
void *valloc(size_t size);

#include <malloc.h>

void *memalign(size_t alignment, size_t size);
void *pvalloc(size_t size);

/* This function is a GNU extension. */
size_t malloc_usable_size (void *ptr);

/*
 * I found this function while i crawled the web for malloc-related functions.
 * I included it, because it could be relevant (theoretically).
 * Propably, this function is not available on Linux and thus not relevant,
 * but AIX and HP-UX? Solaris? Mac OS? Other UNIXes?
 * 
 * '''
 * The reallocf() function is identical to the realloc() function, except
 * that it will free the passed pointer when the requested memory cannot be
 * allocated. This is a FreeBSD specific API designed to ease the problems
 * with traditional coding styles for realloc causing memory leaks in
 * libraries.
 * '''
 */
void *reallocf(void *ptr, size_t size);

Makefile

secmalloc.o: secmalloc.c
	gcc -c -fPIC secmalloc.c -o secmalloc.o

secmalloc.so: secmalloc.o
	gcc -shared -Wl,-soname,secmalloc.so -o secmalloc.so secmalloc.o

secmalloc.c

/*
 * Copyright (c) 2016 Simon Schmidt
 * 
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 * 
 * The above copyright notice and this permission notice shall be included in all
 * copies or substantial portions of the Software.
 * 
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 */

#include <stdint.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>
#include <string.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

#define MPT MAP_PRIVATE|MAP_ANONYMOUS

#define PRT PROT_WRITE|PROT_READ

typedef union Premap_s {
	uintptr_t align;
	size_t allocsize;
} Premap;

static size_t rndup(size_t size){
	int pgs = getpagesize()-1;
	size+=sizeof(Premap);
	size+=pgs;
	size&=~pgs;
	return size;
}

void *malloc(size_t size){
	if(!size)return NULL;
	size=rndup(size);
	Premap* map = mmap(NULL,size,PRT,MPT,-1,0);
	if(map==MAP_FAILED)return NULL;
	map->allocsize=size;
	return &map[1];
}
void free(void *ptr){
	if(!ptr)return;
	Premap* map = (ptr-sizeof(Premap));
	size_t size = map->allocsize;
	munmap(map,size);
}
void *calloc(size_t nmemb, size_t size){
	size*=nmemb;
	return malloc(size);
}
void *realloc(void *ptr, size_t size){
	size_t oldsz,rsize;
	Premap *map,*nmap;
	void* nptr;

	if(!size){
		free(ptr);
		return NULL;
	}
	if(!ptr)return malloc(size);
	rsize=rndup(size);
	map = (ptr-sizeof(Premap));
	oldsz=map->allocsize;
	if(oldsz<rsize){ /* Growing the area */
		nmap = mmap(NULL,rsize,PRT,MPT,-1,0);
		if(nmap==MAP_FAILED) return NULL;
		memcpy(nmap,map,oldsz);
		nmap->allocsize = rsize;
		free(ptr);
		return &nmap[1];
	}else if(oldsz>rsize){ /* Shrinking the area */
		nmap = mmap(NULL,rsize,PRT,MPT,-1,0);
		if(nmap==MAP_FAILED) return ptr;
		memcpy(nmap,map,rsize);
		nmap->allocsize = rsize;
		free(ptr);
		return &nmap[1];
	}
	return ptr;
}

test-use-after-free.c

/*
 * Copyright (c) 2016 Simon Schmidt
 * 
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 * 
 * The above copyright notice and this permission notice shall be included in all
 * copies or substantial portions of the Software.
 * 
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 */
#include <stdlib.h>
#include <stdio.h>

void main(){
	char* x = malloc(10000);
	*x=1;
	printf("Everythin is still fine!\n");
	free(x);
	*x=1;
	printf("Your system has been taken over by a use-after-free bug!\n");
}