tech-kern archive


KMEM_REDZONE on DIAGNOSTIC



Hi,
I intend to enable KMEM_REDZONE on DIAGNOSTIC. It adds a 2-byte-sized pattern at
the end of each allocated buffer when allocating, and checks this pattern when
freeing to ensure the caller hasn't written outside the requested area. It can
catch off-by-ones, and has almost no performance impact now.

I think it's a nice feature, and our (me and lars@) recent improvements make it
more efficient and lighter. As a comparison, one month ago I enabled KMEM_SIZE
and shortly afterwards it caught a memory corruption bug:

        http://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=48963

Ok/Comments?
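To make the mechanism concrete, here is an added user-space model of the two checks the post describes (KMEM_SIZE's recorded size compared against the size passed to free, and KMEM_REDZONE's 2-byte pattern checked at the end of the usable area). It is not NetBSD's subr_kmem.c code: the header size, the pattern bytes, the function names (rz_alloc, rz_free, demo_*) and returning a status instead of panicking are all assumptions made for the example.

```c
/* Added example: a user-space model of the KMEM_SIZE + KMEM_REDZONE checks
 * described in the post. Not NetBSD's subr_kmem.c. The layout follows the
 * diagram in the patch (size header, caller buffer, 2-byte redzone), but the
 * header size, the pattern bytes and the function names are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RZ_HDR_SIZE 16   /* fixed-size, aligned header in front of the buffer (assumed) */
#define RZ_LEN      2    /* 2-byte redzone, as in the post */

/* Constructed pattern; the real kernel pattern is not shown on the page. */
static const uint8_t rz_pattern[RZ_LEN] = { 0xA5, 0x5A };

enum rz_status { RZ_OK = 0, RZ_SIZE_MISMATCH = 1, RZ_OVERRUN = 2 };

/* Allocate `size` usable bytes. The requested size is recorded in the header
 * (KMEM_SIZE) and the redzone pattern is written just past the usable area
 * (KMEM_REDZONE). The caller gets a pointer to the usable area only. */
void *rz_alloc(size_t size)
{
    uint8_t *base = malloc(RZ_HDR_SIZE + size + RZ_LEN);
    if (base == NULL)
        return NULL;
    memcpy(base, &size, sizeof size);
    memcpy(base + RZ_HDR_SIZE + size, rz_pattern, RZ_LEN);
    return base + RZ_HDR_SIZE;
}

/* Free a buffer from rz_alloc. As with kmem_free, the caller passes the size
 * it asked for; it is compared with the recorded size first, then the redzone
 * is checked. The kernel would panic on either failure; here a status is
 * returned so the outcome can be inspected. */
enum rz_status rz_free(void *p, size_t size)
{
    uint8_t *base = (uint8_t *)p - RZ_HDR_SIZE;
    size_t recorded;
    enum rz_status st = RZ_OK;

    memcpy(&recorded, base, sizeof recorded);
    if (recorded != size)
        st = RZ_SIZE_MISMATCH;          /* KMEM_SIZE catches a wrong free size */
    else if (memcmp(base + RZ_HDR_SIZE + size, rz_pattern, RZ_LEN) != 0)
        st = RZ_OVERRUN;                /* KMEM_REDZONE catches an overrun */
    free(base);
    return st;
}

/* Correct use: exactly n bytes are written. */
enum rz_status demo_in_bounds(size_t n)
{
    char *buf = rz_alloc(n);
    if (buf == NULL)
        return RZ_OVERRUN;
    memset(buf, 'x', n);
    return rz_free(buf, n);
}

/* Off-by-one: a terminator written one byte past the requested size lands in
 * the redzone, which is the class of bug the post says the check catches. */
enum rz_status demo_off_by_one(size_t n)
{
    char *buf = rz_alloc(n);
    if (buf == NULL)
        return RZ_OK;
    memset(buf, 'x', n);
    buf[n] = '\0';
    return rz_free(buf, n);
}

/* Wrong size on free: the KMEM_SIZE header check fires before the redzone
 * is even looked at. */
enum rz_status demo_wrong_size(size_t n)
{
    char *buf = rz_alloc(n);
    if (buf == NULL)
        return RZ_OK;
    return rz_free(buf, n + 4);
}

int main(void)
{
    printf("in bounds:  %d\n", demo_in_bounds(10));
    printf("off by one: %d\n", demo_off_by_one(10));
    printf("wrong size: %d\n", demo_wrong_size(10));
    return 0;
}
```

The size check runs before the redzone check on purpose: once the recorded and passed sizes disagree there is no trustworthy offset at which to look for the pattern, so reporting the size mismatch first avoids a misleading second diagnosis.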

Index: subr_kmem.c
===================================================================
RCS file: /cvsroot/src/sys/kern/subr_kmem.c,v
retrieving revision 1.59
diff -u -r1.59 subr_kmem.c
--- subr_kmem.c 3 Jul 2014 08:43:49 -0000       1.59
+++ subr_kmem.c 3 Jul 2014 12:56:41 -0000
@@ -65,13 +65,23 @@
  *     Prefix each allocations with a fixed-sized, aligned header and record
  *     the exact user-requested allocation size in it. When freeing, compare
  *     it with kmem_free's "size" argument.
- */
-
-/*
+ *
  * KMEM_REDZONE: detect overrun bugs.
  *     Add a 2-byte pattern (allocate one more memory chunk if needed) at the
  *     end of each allocated buffer. Check this pattern on kmem_free.
  *
+ * These options are enabled on DIAGNOSTIC.
+ *
+ *  |CHUNK|CHUNK|CHUNK|CHUNK|CHUNK|CHUNK|CHUNK|CHUNK|CHUNK|CHUNK|CHUNK|
+ *  +-----+-----+-----+-----+-----+-----+-----+-----+-----+---+-+--+--+
+ *  |/////|     |     |     |     |     |     |     |     |   |*|**|UU|
+ *  |/HSZ/|     |     |     |     |     |     |     |     |   |*|**|UU|
+ *  |/////|     |     |     |     |     |     |     |     |   |*|**|UU|
+ *  +-----+-----+-----+-----+-----+-----+-----+-----+-----+---+-+--+--+
+ *  |Size |    Buffer usable by the caller (requested size)   |RedZ|Unused\
+ */
+
+/*
  * KMEM_POISON: detect modify-after-free bugs.
  *     Fill freed (in the sense of kmem_free) memory with a garbage pattern.
  *     Check the pattern on allocation.
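Review bot: the last row of the new diagram ends in a stray backslash (`|RedZ|Unused\`) where every other row closes with `|`; a backslash immediately before a newline is spliced with the following line even inside a comment, so this row is silently joined to the ` */` line and the cell reads as truncated. Close the row with `|` like the rows above it. A smaller point: "These options are enabled on DIAGNOSTIC" now sits directly under the KMEM_REDZONE entry and matches the second hunk, but the KMEM_POISON block that follows says nothing about its own (DEBUG) condition, so a one-line note there would keep the two halves of the comment consistent.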
@@ -168,11 +178,11 @@
 
 #if defined(DIAGNOSTIC) && defined(_HARDKERNEL)
 #define        KMEM_SIZE
+#define        KMEM_REDZONE
 #endif /* defined(DIAGNOSTIC) */
 
 #if defined(DEBUG) && defined(_HARDKERNEL)
 #define        KMEM_POISON
-#define        KMEM_REDZONE
 #define        KMEM_GUARD
 #endif /* defined(DEBUG) */
 
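Review bot: moving `#define KMEM_REDZONE` out of the DEBUG block means a kernel configured with DEBUG but without DIAGNOSTIC loses the redzone check entirely; if that is intended it should be stated, otherwise keep the define in both blocks (an identical redefinition of an empty macro is harmless). Also, the `#endif /* defined(DIAGNOSTIC) */` and `#endif /* defined(DEBUG) */` trailers omit the `_HARDKERNEL` half of their conditions; since these lines are being touched anyway, the trailers could be corrected in passing.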

