2019-04-07 21:05:22 +00:00
|
|
|
{ stdenv, fetchurl }:
|
|
|
|
|
|
|
|
stdenv.mkDerivation rec {
|
2019-08-15 12:41:18 +00:00
|
|
|
pname = "graphene-hardened-malloc";
|
2019-08-24 15:52:32 +00:00
|
|
|
version = "2";
|
2019-04-07 21:05:22 +00:00
|
|
|
|
|
|
|
src = fetchurl {
|
2019-07-18 12:15:33 +00:00
|
|
|
url = "https://github.com/GrapheneOS/hardened_malloc/archive/${version}.tar.gz";
|
2019-08-24 15:52:32 +00:00
|
|
|
sha256 = "0zsl4vl65ic6lw5rzcjzvcxg8makg683abnwvy60zfap8hvijvjb";
|
2019-04-07 21:05:22 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
installPhase = ''
|
|
|
|
install -Dm444 -t $out/lib libhardened_malloc.so
|
|
|
|
|
|
|
|
mkdir -p $out/bin
|
|
|
|
substitute preload.sh $out/bin/preload-hardened-malloc --replace "\$dir" $out/lib
|
|
|
|
chmod 0555 $out/bin/preload-hardened-malloc
|
|
|
|
'';
|
|
|
|
|
2019-07-18 12:15:33 +00:00
|
|
|
separateDebugInfo = true;
|
|
|
|
|
2019-04-07 21:05:22 +00:00
|
|
|
doInstallCheck = true;
|
|
|
|
installCheckPhase = ''
|
|
|
|
pushd test
|
|
|
|
make
|
|
|
|
$out/bin/preload-hardened-malloc ./offset
|
|
|
|
|
|
|
|
pushd simple-memory-corruption
|
|
|
|
make
|
|
|
|
|
|
|
|
# these tests don't actually appear to generate overflows currently
|
2019-07-18 12:15:33 +00:00
|
|
|
rm read_after_free_small string_overflow eight_byte_overflow_large
|
2019-04-07 21:05:22 +00:00
|
|
|
|
|
|
|
for t in `find . -regex ".*/[a-z_]+"` ; do
|
|
|
|
echo "Running $t..."
|
|
|
|
# the program being aborted (as it should be) would result in an exit code > 128
|
|
|
|
(($out/bin/preload-hardened-malloc $t) && false) \
|
|
|
|
|| (test $? -gt 128 || (echo "$t was not aborted" && false))
|
|
|
|
done
|
|
|
|
popd
|
|
|
|
|
|
|
|
popd
|
|
|
|
'';
|
|
|
|
|
|
|
|
meta = with stdenv.lib; {
|
2020-04-01 01:11:51 +00:00
|
|
|
homepage = "https://github.com/GrapheneOS/hardened_malloc";
|
2019-04-07 21:05:22 +00:00
|
|
|
description = "Hardened allocator designed for modern systems";
|
|
|
|
longDescription = ''
|
|
|
|
This is a security-focused general purpose memory allocator providing the malloc API
|
|
|
|
along with various extensions. It provides substantial hardening against heap
|
|
|
|
corruption vulnerabilities yet aims to provide decent overall performance.
|
|
|
|
'';
|
|
|
|
license = licenses.mit;
|
|
|
|
maintainers = with maintainers; [ ris ];
|
2020-04-08 20:02:25 +00:00
|
|
|
platforms = [ "x86_64-linux" "aarch64-linux" ];
|
2019-04-07 21:05:22 +00:00
|
|
|
};
|
|
|
|
}
|