tomoaki/hakmem
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Debug patches: C7 logging, Front Gate detection, TLS-SLL fixes

Browse Source 
- Add C7 first alloc/free logging for path verification
- Add Front Gate libc bypass detection with counter
- Fix TLS-SLL splice alignment issues causing SIGSEGV
- Add ptr_trace dump capabilities for debugging
- Include LINEAR_LINK debug logging after carve
- Preserve ptr=0xa0 guard for small pointer detection

Debug improvements help isolate memory corruption issues in Tiny allocator.
Front Gate detection helps identify libc bypass patterns.
TLS-SLL fixes resolve misaligned memory access causing crashes.

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
This commit is contained in:
Moe Charm (CI)
2025-11-11 21:48:10 +09:00
parent 5b31629650
commit 79c74e72da
4 changed files with 34 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
core/tiny_alloc_fast_inline.h
View File

@ -7,8 +7,10 @@
#define TINY_ALLOC_FAST_INLINE_H
#include <stddef.h>
#include <stdint.h>
#include "hakmem_build_flags.h"
#include "tiny_remote.h" // for TINY_REMOTE_SENTINEL (defense-in-depth)
#include "tiny_nextptr.h"
// External TLS variables (defined in hakmem_tiny.c)
extern __thread void* g_tls_sll_head[TINY_NUM_CLASSES];
@ -49,9 +51,8 @@ extern __thread uint32_t g_tls_sll_count[TINY_NUM_CLASSES];
if (g_tls_sll_count[(class_idx)] > 0) g_tls_sll_count[(class_idx)]--; \
(ptr_out) = NULL; \
} else { \
/* Phase 7: header-aware next (C0-C6: base+1, C7: base) */ \
size_t _off = (HAKMEM_TINY_HEADER_CLASSIDX ? (((class_idx) == 7) ? 0 : 1) : 0); \
void* _next = *(void**)((uint8_t*)_head + _off); \
/* Safe load of header-aware next (avoid UB on unaligned) */ \
void* _next = tiny_next_load(_head, (class_idx)); \
g_tls_sll_head[(class_idx)] = _next; \
if (g_tls_sll_count[(class_idx)] > 0) { \
g_tls_sll_count[(class_idx)]--; \
@ -83,9 +84,8 @@ extern __thread uint32_t g_tls_sll_count[TINY_NUM_CLASSES];
// mov %rsi, g_tls_sll_head(%rdi)
//
#define TINY_ALLOC_FAST_PUSH_INLINE(class_idx, ptr) do { \
/* Phase 7: header-aware next (C0-C6: base+1, C7: base) */ \
size_t _off = (HAKMEM_TINY_HEADER_CLASSIDX ? (((class_idx) == 7) ? 0 : 1) : 0); \
*(void**)((uint8_t*)(ptr) + _off) = g_tls_sll_head[(class_idx)]; \
/* Safe store of header-aware next (avoid UB on unaligned) */ \
tiny_next_store((ptr), (class_idx), g_tls_sll_head[(class_idx)]); \
g_tls_sll_head[(class_idx)] = (ptr); \
g_tls_sll_count[(class_idx)]++; \
} while(0)