Re: Dumper problems and a possible solutions

[Rich Felker <dalias@libc.org>]

On Wed, Jun 25, 2014 at 09:49:42PM +0300, Eli Zaretskii wrote:
> > Date: Wed, 25 Jun 2014 14:32:41 -0400
> > From: Rich Felker <dalias@libc.org>
> > Cc: Dmitry Antipov <dmantipov@yandex.ru>, emacs-devel@gnu.org
> > 
> > > Is it possible to provide our own implementation of sbrk that
> > > allocates memory from some large static array?
> > 
> > That's exactly the hack I described which I'm using right now. But
> > since I didn't implement a free-like operation and since
> > load_charset_map_from_file allocates >700k every time it's called, I
> > had to make the static array 400MB.
> 
> That's not a problem, because those 700K are free'd before the next
> one is allocated.  And in any case, they are all free'd before we call
> unexec.  Just implement sbrk for negative increment.  The Windows port

But load_charset_map_from_file doesn't call an sbrk-like interface; it
calls (indirectly) xmalloc and xfree. So there's at least some
nontrivial glue that goes in between.

> already does that, see w32heap.c on the trunk.  It works with only
> 11MB of static array for 32-bit builds and 18MB for 64-bit.

Nice to know.

> > I think it would work with a "real" mini-malloc implementation using
> > the static array, and a much smaller static array (maybe 8-15 MB)
> > but my attempts to write a quick one have been sloppy and buggy so
> > far.
> 
> If supporting deallocation in such an sbrk isn't feasible, how about
> using gmalloc, as an malloc replacement before dumping?

I suspect it's a lot of work to wire up gmalloc to (1) avoid
interposing on the malloc/free/etc. names, (2) use the static mini-brk
buffer, (3) only allocate from the mini-brk buffer before dumping
(otherwise pass to real malloc), but still check realloc/free calls
after dumping and handle the case where the old memory was in the
mini-brk.

What seems easier, and what I tried, is writing a completely naive
malloc with a single freelist that's linear-searched on malloc and
which does not support coalescing free chunks. But I think my
implementation has some bugs still, because it's not working. I'm not
sure if they're bugs in the allocator, or bugs in how it's used (maybe
missing some places that would have to be redirected through it and
which are still calling malloc or free directly).

> > I would be reasonably happy with this solution (at least it would fix
> > the problems I'm experiencing), but I don't think it's as elegant as
> > fixing the portability problem completely by getting rid of the need
> > to dump executable binary files and instead dumping a C array.
> 
> But it's conceptually much simpler and reliable.  That's "elegant" in
> my book, when such hairy stuff is concerned.

No, it's less reliable. See my other posts in the thread about what
happens if you have other libraries linked and they do nontrivial
things prior to dumping (e.g. from static ctors). Dumping JUST the
lisp object state in a C array ensures that none of the pre-dump state
from other libraries (or even libc) can pollute the state observed
after dumping. Both the current method, and the proposed simple fixes
above, suffer from this issue and are therefore very fragile. As an
example (I think I mentioned this earlier), if you static link, musl
libc is remembering the clock_gettime vdso pointer from the pre-dump
state and attempting to use it later (which is not valid because the
kernel maps it at a random address).

> > And it doesn't fix the fact that you can't build a PIE emacs.
> 
> Why is that important?

Since emacs is processing lots of potentially untrusted data, PIE
hardening may be beneficial for hardening against vulnerabilities
where an attacker would otherwise be able to perform arbitrary code
execution as the user running emacs. I'm not aware of such
vulnerabilities, but being that I found things that look suspiciously
like use-after-free while reading the allocator-related code, I
wouldn't be surprised if they exist.

Rich