pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #133556 from risicle/ris-graphene-hardened-malloc-8

graphene-hardened-malloc: 2 -> 8, overhaul tests

Robert Scott 23485f23 6e01aa7c

options
unified split
Changed files
+56 -49
nixos
tests
hardened.nix
pkgs
development
libraries
graphene-hardened-malloc
default.nix
+2 -26
nixos/tests/hardened.nix 
···

       
33

       
33

       
 

       



     

       
34

       
34

       
 

       
  testScript =


     

       
35

       
35

       
 

       
    let


     

       
36

       

       
-

       
      hardened-malloc-tests = pkgs.stdenv.mkDerivation {


     

       
37

       

       
-

       
        name = "hardened-malloc-tests-${pkgs.graphene-hardened-malloc.version}";


     

       
38

       

       
-

       
        src = pkgs.graphene-hardened-malloc.src;


     

       
39

       

       
-

       
        buildPhase = ''


     

       
40

       

       
-

       
          cd test/simple-memory-corruption


     

       
41

       

       
-

       
          make -j4


     

       
42

       

       
-

       
        '';


     

       
43

       

       
-

       



     

       
44

       

       
-

       
        installPhase = ''


     

       
45

       

       
-

       
          find . -type f -executable -exec install -Dt $out/bin '{}' +


     

       
46

       

       
-

       
        '';


     

       
47

       

       
-

       
      };


     

       

       
36

       
+

       
      hardened-malloc-tests = pkgs.graphene-hardened-malloc.ld-preload-tests;


     

       
48

       
37

       
 

       
    in


     

       
49

       
38

       
 

       
    ''


     

       
50

       
39

       
 

       
      machine.wait_for_unit("multi-user.target")


     
···

       
107

       
96

       
 

       
          machine.fail("systemctl kexec")


     

       
108

       
97

       
 

       



     

       
109

       
98

       
 

       



     

       
110

       

       
-

       
      # Test hardened memory allocator


     

       
111

       

       
-

       
      def runMallocTestProg(prog_name, error_text):


     

       
112

       

       
-

       
          text = "fatal allocator error: " + error_text


     

       
113

       

       
-

       
          if not text in machine.fail(


     

       
114

       

       
-

       
              "${hardened-malloc-tests}/bin/"


     

       
115

       

       
-

       
              + prog_name


     

       
116

       

       
-

       
              + " 2>&1"


     

       
117

       

       
-

       
          ):


     

       
118

       

       
-

       
              raise Exception("Hardened malloc does not work for {}".format(error_text))


     

       
119

       

       
-

       



     

       
120

       

       
-

       



     

       
121

       
99

       
 

       
      with subtest("The hardened memory allocator works"):


     

       
122

       

       
-

       
          runMallocTestProg("double_free_large", "invalid free")


     

       
123

       

       
-

       
          runMallocTestProg("unaligned_free_small", "invalid unaligned free")


     

       
124

       

       
-

       
          runMallocTestProg("write_after_free_small", "detected write after free")


     

       

       
100

       
+

       
          machine.succeed("${hardened-malloc-tests}/bin/run-tests")


     

       
125

       
101

       
 

       
    '';


     

       
126

       
102

       
 

       
})
+54 -23
pkgs/development/libraries/graphene-hardened-malloc/default.nix 
···

       
1

       

       
-

       
{ lib, stdenv, fetchurl }:


     

       

       
1

       
+

       
{ lib, stdenv, fetchurl, python3, runCommand, makeWrapper, stress-ng }:


     

       
2

       
2

       
 

       



     

       
3

       

       
-

       
stdenv.mkDerivation rec {


     

       

       
3

       
+

       
lib.fix (self: stdenv.mkDerivation rec {


     

       
4

       
4

       
 

       
  pname = "graphene-hardened-malloc";


     

       
5

       

       
-

       
  version = "2";


     

       

       
5

       
+

       
  version = "8";


     

       
6

       
6

       
 

       



     

       
7

       
7

       
 

       
  src = fetchurl {


     

       
8

       
8

       
 

       
    url = "https://github.com/GrapheneOS/hardened_malloc/archive/${version}.tar.gz";


     

       
9

       

       
-

       
    sha256 = "0zsl4vl65ic6lw5rzcjzvcxg8makg683abnwvy60zfap8hvijvjb";


     

       

       
9

       
+

       
    sha256 = "0lipyd2pb1bmghkyv9zmg25jwcglj7m281f01zlh3ghz3xlfh0ym";


     

       
10

       
10

       
 

       
  };


     

       
11

       
11

       
 

       



     

       

       
12

       
+

       
  doCheck = true;


     

       

       
13

       
+

       
  checkInputs = [ python3 ];


     

       

       
14

       
+

       
  # these tests cover use as a build-time-linked library


     

       

       
15

       
+

       
  checkPhase = ''


     

       

       
16

       
+

       
    make test


     

       

       
17

       
+

       
  '';


     

       

       
18

       
+

       



     

       
12

       
19

       
 

       
  installPhase = ''


     

       

       
20

       
+

       
    install -Dm444 -t $out/include include/*


     

       
13

       
21

       
 

       
    install -Dm444 -t $out/lib libhardened_malloc.so


     

       
14

       
22

       
 

       



     

       
15

       
23

       
 

       
    mkdir -p $out/bin


     
···

       
19

       
27

       
 

       



     

       
20

       
28

       
 

       
  separateDebugInfo = true;


     

       
21

       
29

       
 

       



     

       
22

       

       
-

       
  doInstallCheck = true;


     

       
23

       

       
-

       
  installCheckPhase = ''


     

       
24

       

       
-

       
    pushd test


     

       
25

       

       
-

       
    make


     

       
26

       

       
-

       
    $out/bin/preload-hardened-malloc ./offset


     

       

       
30

       
+

       
  passthru = {


     

       

       
31

       
+

       
    ld-preload-tests = stdenv.mkDerivation {


     

       

       
32

       
+

       
      name = "${self.name}-ld-preload-tests";


     

       

       
33

       
+

       
      src = self.src;


     

       
27

       
34

       
 

       



     

       
28

       

       
-

       
    pushd simple-memory-corruption


     

       
29

       

       
-

       
    make


     

       

       
35

       
+

       
      nativeBuildInputs = [ makeWrapper ];


     

       
30

       
36

       
 

       



     

       
31

       

       
-

       
    # these tests don't actually appear to generate overflows currently


     

       
32

       

       
-

       
    rm read_after_free_small string_overflow eight_byte_overflow_large


     

       

       
37

       
+

       
      # reuse the projects tests to cover use with LD_PRELOAD. we have


     

       

       
38

       
+

       
      # to convince the test programs to build as though they're naive


     

       

       
39

       
+

       
      # standalone executables. this includes disabling tests for


     

       

       
40

       
+

       
      # malloc_object_size, which doesn't make sense to use via LD_PRELOAD.


     

       

       
41

       
+

       
      buildPhase = ''


     

       

       
42

       
+

       
        pushd test/simple-memory-corruption


     

       

       
43

       
+

       
        make LDLIBS= LDFLAGS=-Wl,--unresolved-symbols=ignore-all CXXFLAGS=-lstdc++


     

       

       
44

       
+

       
        substituteInPlace test_smc.py \


     

       

       
45

       
+

       
          --replace 'test_malloc_object_size' 'dont_test_malloc_object_size' \


     

       

       
46

       
+

       
          --replace 'test_invalid_malloc_object_size' 'dont_test_invalid_malloc_object_size'


     

       

       
47

       
+

       
        popd # test/simple-memory-corruption


     

       

       
48

       
+

       
      '';


     

       
33

       
49

       
 

       



     

       
34

       

       
-

       
    for t in `find . -regex ".*/[a-z_]+"` ; do


     

       
35

       

       
-

       
      echo "Running $t..."


     

       
36

       

       
-

       
      # the program being aborted (as it should be) would result in an exit code > 128


     

       
37

       

       
-

       
      (($out/bin/preload-hardened-malloc $t) && false) \


     

       
38

       

       
-

       
        || (test $? -gt 128 || (echo "$t was not aborted" && false))


     

       
39

       

       
-

       
    done


     

       
40

       

       
-

       
    popd


     

       

       
50

       
+

       
      installPhase = ''


     

       

       
51

       
+

       
        mkdir -p $out/test


     

       

       
52

       
+

       
        cp -r test/simple-memory-corruption $out/test/simple-memory-corruption


     

       
41

       
53

       
 

       



     

       
42

       

       
-

       
    popd


     

       
43

       

       
-

       
  '';


     

       

       
54

       
+

       
        mkdir -p $out/bin


     

       

       
55

       
+

       
        makeWrapper ${python3.interpreter} $out/bin/run-tests \


     

       

       
56

       
+

       
          --add-flags "-I -m unittest discover --start-directory $out/test/simple-memory-corruption"


     

       

       
57

       
+

       
      '';


     

       

       
58

       
+

       
    };


     

       

       
59

       
+

       
    tests = {


     

       

       
60

       
+

       
      ld-preload = runCommand "ld-preload-test-run" {} ''


     

       

       
61

       
+

       
        ${self}/bin/preload-hardened-malloc ${self.ld-preload-tests}/bin/run-tests


     

       

       
62

       
+

       
        touch $out


     

       

       
63

       
+

       
      '';


     

       

       
64

       
+

       
      # to compensate for the lack of tests of correct normal malloc operation


     

       

       
65

       
+

       
      stress = runCommand "stress-test-run" {} ''


     

       

       
66

       
+

       
        ${self}/bin/preload-hardened-malloc ${stress-ng}/bin/stress-ng \


     

       

       
67

       
+

       
          --no-rand-seed \


     

       

       
68

       
+

       
          --malloc 8 \


     

       

       
69

       
+

       
          --malloc-ops 1000000 \


     

       

       
70

       
+

       
          --verify


     

       

       
71

       
+

       
        touch $out


     

       

       
72

       
+

       
      '';


     

       

       
73

       
+

       
    };


     

       

       
74

       
+

       
  };


     

       
44

       
75

       
 

       



     

       
45

       
76

       
 

       
  meta = with lib; {


     

       
46

       
77

       
 

       
    homepage = "https://github.com/GrapheneOS/hardened_malloc";


     
···

       
54

       
85

       
 

       
    maintainers = with maintainers; [ ris ];


     

       
55

       
86

       
 

       
    platforms = [ "x86_64-linux" "aarch64-linux" ];


     

       
56

       
87

       
 

       
  };


     

       
57

       

       
-

       
}


     

       

       
88

       
+

       
})