Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 007ac1ad authored by Peter Collingbourne's avatar Peter Collingbourne
Browse files

Switch from getrlimit(RLIMIT_AS) to android_mallopt(M_SET_ALLOCATION_LIMIT_BYTES). 

The RLIMIT_AS limit was introduced as a security mitigation, but it
isn't exactly what the media processes want to control. It is also
problematic under sanitizers which allocate large amounts of address
space as shadow memory, and is especially problematic under shadow
call stack, which requires 16MB of address space per thread. Instead,
use the newly introduced android_mallopt(M_SET_ALLOCATION_LIMIT_BYTES)
to control the allocator's memory limit directly.

Also remove ASAN/HWASAN/CFI specific hacks; they are no longer
necessary because these tools consume address space using mmap and
not the allocator, and remove the 64-bit pointer check before calling
__scudo_set_rss_limit, since otherwise the limit would stop being
enforced in 32-bit mode with Scudo.

Bug: 118642754
Change-Id: Ie66128626976c0b04d5dafd455c375bbfdccc083
parent 5ee05596

media/libmedia/Android.bp

+11 −0
Original line number Diff line number Diff line 
cc_defaults {

    name: "libmedia_defaults",

    include_dirs: [

        "bionic/libc/private",

    ],

}



cc_library_headers {

    name: "libmedia_headers",

    vendor_available: true,
@@ -148,6 +155,8 @@ filegroup { 
cc_library {

    name: "libmedia",



    defaults: [ "libmedia_defaults" ],



    srcs: [

        ":mediaupdateservice_aidl",

        "IDataSource.cpp",
@@ -256,6 +265,8 @@ cc_library { 
cc_library {

    name: "libmedia_player2_util",



    defaults: [ "libmedia_defaults" ],



    srcs: [

        "BufferingSettings.cpp",

        "DataSourceDesc.cpp",

media/libmedia/MediaUtils.cpp

+9 −37
Original line number Diff line number Diff line
@@ -22,23 +22,16 @@ 
#include <sys/resource.h>

#include <unistd.h>



#include <bionic_malloc.h>



#include "MediaUtils.h"



extern "C" size_t __cfi_shadow_size();

extern "C" void __scudo_set_rss_limit(size_t, int) __attribute__((weak));



namespace android {



void limitProcessMemory(

    const char *property,

    size_t numberOfBytes,

void limitProcessMemory(const char *property, size_t numberOfBytes,

                        size_t percentageOfTotalMem) {



    if (running_with_asan()) {

        ALOGW("Running with (HW)ASan, skip enforcing memory limitations.");

        return;

    }



    long pageSize = sysconf(_SC_PAGESIZE);

    long numPages = sysconf(_SC_PHYS_PAGES);

    size_t maxMem = SIZE_MAX;
@@ -66,38 +59,17 @@ void limitProcessMemory( 
        maxMem = propVal;

    }



    // If 64-bit Scudo is in use, enforce the hard RSS limit (in MB).

    if (maxMem != SIZE_MAX && sizeof(void *) == 8 &&

        &__scudo_set_rss_limit != 0) {

    // If Scudo is in use, enforce the hard RSS limit (in MB).

    if (maxMem != SIZE_MAX && &__scudo_set_rss_limit != 0) {

      __scudo_set_rss_limit(maxMem >> 20, 1);

      ALOGV("Scudo hard RSS limit set to %zu MB", maxMem >> 20);

      return;

    }



    // Increase by the size of the CFI shadow mapping. Most of the shadow is not

    // backed with physical pages, and it is possible for the result to be

    // higher than total physical memory. This is fine for RLIMIT_AS.

    size_t cfi_size = __cfi_shadow_size();

    if (cfi_size) {

      ALOGV("cfi shadow size: %zu", cfi_size);

      if (maxMem <= SIZE_MAX - cfi_size) {

        maxMem += cfi_size;

      } else {

        maxMem = SIZE_MAX;

      }

    if (!android_mallopt(M_SET_ALLOCATION_LIMIT_BYTES, &maxMem,

                         sizeof(maxMem))) {

      ALOGW("couldn't set allocation limit");

    }

    ALOGV("actual limit: %zu", maxMem);



    struct rlimit limit;

    getrlimit(RLIMIT_AS, &limit);

    ALOGV("original limits: %lld/%lld", (long long)limit.rlim_cur, (long long)limit.rlim_max);

    limit.rlim_cur = maxMem;

    setrlimit(RLIMIT_AS, &limit);

    limit.rlim_cur = -1;

    limit.rlim_max = -1;

    getrlimit(RLIMIT_AS, &limit);

    ALOGV("new limits: %lld/%lld", (long long)limit.rlim_cur, (long long)limit.rlim_max);



}



} // namespace android

media/libmedia/MediaUtils.h

+0 −7
Original line number Diff line number Diff line
@@ -19,13 +19,6 @@ 


namespace android {



extern "C" void __asan_init(void) __attribute__((weak));

extern "C" void __hwasan_init(void) __attribute__((weak));



static inline int running_with_asan() {

    return &__asan_init != 0 || &__hwasan_init != 0;

}



/**

   Limit the amount of memory a process can allocate using setrlimit(RLIMIT_AS).

   The value to use will be read from the specified system property, or if the

services/mediaextractor/seccomp_policy/mediaextractor-arm.policy

+1 −0
Original line number Diff line number Diff line
@@ -14,6 +14,7 @@ getuid32: 1 
setpriority: 1

sigaltstack: 1

openat: 1

open: 1

clone: 1

read: 1

clock_gettime: 1

services/mediaextractor/seccomp_policy/mediaextractor-x86.policy

+1 −0
Original line number Diff line number Diff line
@@ -11,6 +11,7 @@ munmap: 1 
mmap2: 1

madvise: 1

openat: 1

open: 1

clock_gettime: 1

writev: 1

brk: 1