Revert "[page_allocator] Support predictable ASLR calculation for fuz…

…zers." This reverts commit 0ad0d05. Reason for revert: This doesn't actually help V8, so I'm removing it for now. Original change's description: > [page_allocator] Support predictable ASLR calculation for fuzzers. > > - Adds a 'initial_seed' parameter to GetRandomPageBase, which defaults > to 0. If non-zero, generates a predictable sequence, using the value > as the initial seed. > - Adds a unit test for the predictable sequence. > > Bug: chromium:756050 > Change-Id: Iaf718baa2b7d49dc8eda7b0f97aa12b576ddca28 > Reviewed-on: https://chromium-review.googlesource.com/703509 > Commit-Queue: Bill Budge <bbudge@chromium.org> > Reviewed-by: Chris Palmer <palmer@chromium.org> > Reviewed-by: Kentaro Hara <haraken@chromium.org> > Cr-Commit-Position: refs/heads/master@{#509575} TBR=palmer@chromium.org,bbudge@chromium.org,haraken@chromium.org # Not skipping CQ checks because original CL landed > 1 day ago. Bug: chromium:756050 Change-Id: I0f6a3618465470e93b7981580cb547474456dda9 Reviewed-on: https://chromium-review.googlesource.com/728459 Commit-Queue: Bill Budge <bbudge@chromium.org> Reviewed-by: Bill Budge <bbudge@chromium.org> Cr-Commit-Position: refs/heads/master@{#510170}
Denger-Network · Oct 19, 2017 · 0491d45 · 0491d45
1 parent a385a68
commit 0491d45
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 87 deletions.
diff --git a/base/allocator/partition_allocator/address_space_randomization.cc b/base/allocator/partition_allocator/address_space_randomization.cc
@@ -37,8 +37,6 @@ struct ranctx {
   uint32_t d;
 };
 
-static LazyInstance<ranctx>::Leaky s_ranctx = LAZY_INSTANCE_INITIALIZER;
-
 #define rot(x, k) (((x) << (k)) | ((x) >> (32 - (k))))
 
 uint32_t ranvalInternal(ranctx* x) {
@@ -83,20 +81,12 @@ uint32_t ranval(ranctx* x) {
   return ret;
 }
 
-}  // namespace
+static LazyInstance<ranctx>::Leaky s_ranctx = LAZY_INSTANCE_INITIALIZER;
 
-void SetRandomPageBaseSeed(int64_t seed) {
-// This code must not be included in builds shipped to end users.
-#if defined(UNSAFE_DEVELOPER_BUILD)
-  ranctx* x = s_ranctx.Pointer();
-  subtle::SpinLock::Guard guard(x->lock);
-  // Set RNG to initial state.
-  x->initialized = true;
-  x->a = x->b = static_cast<uint32_t>(seed);
-  x->c = x->d = static_cast<uint32_t>(seed >> 32);
-#endif  // !defined(UNSAFE_DEVELOPER_BUILD)
-}
+}  // namespace
 
+// Calculates a random preferred mapping address. In calculating an address, we
+// balance good ASLR against not fragmenting the address space too badly.
 void* GetRandomPageBase() {
   uintptr_t random = static_cast<uintptr_t>(ranval(s_ranctx.Pointer()));
 

diff --git a/base/allocator/partition_allocator/address_space_randomization.h b/base/allocator/partition_allocator/address_space_randomization.h
@@ -11,15 +11,6 @@
 
 namespace base {
 
-// Sets the seed for the random number generator used by GetRandomPageBase in
-// order to generate a predictable sequence of addresses. May be called multiple
-// times. On official Chrome builds this function is disabled and has no effect.
-BASE_EXPORT void SetRandomPageBaseSeed(int64_t seed);
-
-// Calculates a random preferred mapping address. In calculating an address, we
-// balance good ASLR against not fragmenting the address space too badly.
-BASE_EXPORT void* GetRandomPageBase();
-
 namespace internal {
 
 constexpr uintptr_t AslrAddress(uintptr_t mask) {
@@ -138,6 +129,10 @@ constexpr uintptr_t kASLROffset = AslrAddress(0x20000000ULL);
 
 }  // namespace internal
 
+// Calculates a random preferred mapping address. In calculating an address, we
+// balance good ASLR against not fragmenting the address space too badly.
+BASE_EXPORT void* GetRandomPageBase();
+
 }  // namespace base
 
 #endif  // BASE_ALLOCATOR_PARTITION_ALLOCATOR_ADDRESS_SPACE_RANDOMIZATION
diff --git a/base/allocator/partition_allocator/address_space_randomization_unittest.cc b/base/allocator/partition_allocator/address_space_randomization_unittest.cc
@@ -20,9 +20,7 @@
 
 namespace base {
 
-namespace {
-
-uintptr_t GetMask() {
+TEST(AddressSpaceRandomizationTest, GetRandomPageBase) {
   uintptr_t mask = internal::kASLRMask;
 #if defined(ARCH_CPU_64_BITS)
 #if defined(OS_WIN)
@@ -36,28 +34,12 @@ uintptr_t GetMask() {
   if (!IsWow64Process(GetCurrentProcess(), &is_wow64))
     is_wow64 = FALSE;
   if (!is_wow64) {
-    mask = 0;
-  }
-#endif  // defined(OS_WIN)
-#endif  // defined(ARCH_CPU_32_BITS)
-  return mask;
-}
-
-}  // namespace
-
-TEST(AddressSpaceRandomizationTest, Unpredictable) {
-  uintptr_t mask = GetMask();
-  if (!mask) {
-#if defined(OS_WIN) && defined(ARCH_CPU_32_BITS)
-    // ASLR should be turned off on 32-bit Windows.
+    // ASLR is turned off on 32-bit Windows; check that result is null.
     EXPECT_EQ(nullptr, base::GetRandomPageBase());
-#else
-    // Otherwise, nullptr is very unexpected.
-    EXPECT_NE(nullptr, base::GetRandomPageBase());
-#endif
     return;
   }
-
+#endif  // defined(OS_WIN)
+#endif  // defined(ARCH_CPU_32_BITS)
   // Sample the first 100 addresses.
   std::set<uintptr_t> addresses;
   uintptr_t address_logical_sum = 0;
@@ -86,46 +68,4 @@ TEST(AddressSpaceRandomizationTest, Unpredictable) {
   EXPECT_EQ(0ULL, address_logical_product & mask);
 }
 
-#if defined(UNSAFE_DEVELPER_BUILD)
-TEST(AddressSpaceRandomizationTest, Predictable) {
-  const uintptr_t kInitialSeed = 0xfeed5eedULL;
-  base::SetRandomPageBaseSeed(kInitialSeed);
-  uintptr_t mask = GetMask();
-  if (!mask) {
-#if defined(OS_WIN) && defined(ARCH_CPU_32_BITS)
-    // ASLR should be turned off on 32-bit Windows.
-    EXPECT_EQ(nullptr, base::GetRandomPageBase());
-#else
-    // Otherwise, nullptr is very unexpected.
-    EXPECT_NE(nullptr, base::GetRandomPageBase());
-#endif
-    return;
-  }
-// The first 4 elements of the random sequences generated from kInitialSeed.
-#if ARCH_CPU_32_BITS
-  const uint32_t random[4] = {0x8de352e3, 0xe6da7cd8, 0x9e7eb32d, 0xe8c2b6c};
-#elif ARCH_CPU_64_BITS
-  const uint64_t random[4] = {0x8de352e3e6da7cd8, 0x9e7eb32d0e8c2b6c,
-                              0xd3cc6055308d048d, 0xe229f78b344317a5};
-#endif
-
-  // Make sure the addresses look random but are predictable.
-  std::set<uintptr_t> addresses;
-  for (int i = 0; i < 4; i++) {
-    uintptr_t address = reinterpret_cast<uintptr_t>(base::GetRandomPageBase());
-    // Test that address is in range.
-    EXPECT_LE(internal::kASLROffset, address);
-    EXPECT_GE(internal::kASLROffset + mask, address);
-    // Test that address is page aligned.
-    EXPECT_EQ(0ULL, (address & kPageAllocationGranularityOffsetMask));
-    // Test that address is unique (no collisions in 100 tries)
-    CHECK_EQ(0ULL, addresses.count(address));
-    addresses.insert(address);
-    // Test that (address - offset) == (predicted & mask).
-    address -= internal::kASLROffset;
-    EXPECT_EQ(random[i] & internal::kASLRMask, address);
-  }
-}
-#endif  // defined(UNSAFE_DEVELPER_BUILD)
-
 }  // namespace base