allocator: Deprecate use of base::ProtectedMemory

base::ProtectedMemory is being deprecated because it's not widely used enough to make a security impact and justify its maintenance burden. Replace use of base::ProtectedMemory with raw function pointers and add an attribute to disable CFI-icall checking. Bug: 1018834 Change-Id: Id6d956b02758aecaa0710aee56715429f5ffc267 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1884819 Commit-Queue: Primiano Tucci <primiano@chromium.org> Auto-Submit: Vlad Tsyrklevich <vtsyrklevich@chromium.org> Reviewed-by: Primiano Tucci <primiano@chromium.org> Cr-Commit-Position: refs/heads/master@{#711201}

allocator: Deprecate use of base::ProtectedMemory
base::ProtectedMemory is being deprecated because it's not widely used enough to make a security impact and justify its maintenance burden. Replace use of base::ProtectedMemory with raw function pointers and add an attribute to disable CFI-icall checking. Bug: 1018834 Change-Id: Id6d956b02758aecaa0710aee56715429f5ffc267 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1884819 Commit-Queue: Primiano Tucci <primiano@chromium.org> Auto-Submit: Vlad Tsyrklevich <vtsyrklevich@chromium.org> Reviewed-by: Primiano Tucci <primiano@chromium.org> Cr-Commit-Position: refs/heads/master@{#711201}
b3bed83d · Vlad Tsyrklevich · Commit Bot · 59c2e402 · b3bed83d
Commit b3bed83d authored Oct 31, 2019 by Vlad Tsyrklevich Committed by Commit Bot Oct 31, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 9 deletions

base/allocator/allocator_shim_default_dispatch_to_glibc.cc base/allocator/allocator_shim_default_dispatch_to_glibc.cc +7 -9

No files found.
--- a/base/allocator/allocator_shim_default_dispatch_to_glibc.cc
+++ b/base/allocator/allocator_shim_default_dispatch_to_glibc.cc
@@ -3,7 +3,7 @@
 // found in the LICENSE file.
 #include "base/allocator/allocator_shim.h"
-#include "base/memory/protected_memory_cfi.h"
+#include "base/compiler_specific.h"
 #include <dlfcn.h>
 #include <malloc.h>
@@ -23,10 +23,6 @@ void __libc_free(void* ptr);
 namespace {
 using base::allocator::AllocatorDispatch;
-using MallocUsableSizeFunction = decltype(malloc_usable_size)*;
-PROTECTED_MEMORY_SECTION base::ProtectedMemory<MallocUsableSizeFunction>
-    g_MallocUsableSizeFunction;
 void* GlibcMalloc(const AllocatorDispatch*, size_t size, void* context) {
  return __libc_malloc(size);
@@ -57,6 +53,7 @@ void GlibcFree(const AllocatorDispatch*, void* address, void* context) {
  __libc_free(address);
 }
+NO_SANITIZE("cfi-icall")
 size_t GlibcGetSizeEstimate(const AllocatorDispatch*,
                            void* address,
                            void* context) {
@@ -64,11 +61,12 @@ size_t GlibcGetSizeEstimate(const AllocatorDispatch*,
  // resolve it instead. This should be safe because glibc (and hence dlfcn)
  // does not use malloc_size internally and so there should not be a risk of
  // recursion.
-  static base::ProtectedMemory<MallocUsableSizeFunction>::Initializer init(
+  using MallocUsableSizeFunction = decltype(malloc_usable_size)*;
-      &g_MallocUsableSizeFunction, reinterpret_cast<MallocUsableSizeFunction>(
+  static MallocUsableSizeFunction fn_ptr =
-                                       dlsym(RTLD_NEXT, "malloc_usable_size")));
+      reinterpret_cast<MallocUsableSizeFunction>(
+          dlsym(RTLD_NEXT, "malloc_usable_size"));
-  return base::UnsanitizedCfiCall(g_MallocUsableSizeFunction)(address);
+  return fn_ptr(address);
 }
 }  // namespace