2022-01-30 15:54:48 +00:00
|
|
|
{ lib
|
|
|
|
, stdenv
|
|
|
|
, fetchFromGitHub
|
|
|
|
, python3
|
|
|
|
, runCommand
|
|
|
|
, makeWrapper
|
|
|
|
, stress-ng
|
|
|
|
}:
|
2019-04-07 21:05:22 +00:00
|
|
|
|
2023-06-20 16:57:15 +00:00
|
|
|
stdenv.mkDerivation (finalAttrs: {
|
2019-08-15 12:41:18 +00:00
|
|
|
pname = "graphene-hardened-malloc";
|
2022-01-30 15:54:48 +00:00
|
|
|
version = "11";
|
2019-04-07 21:05:22 +00:00
|
|
|
|
2022-01-04 15:37:07 +00:00
|
|
|
src = fetchFromGitHub {
|
|
|
|
owner = "GrapheneOS";
|
|
|
|
repo = "hardened_malloc";
|
2023-06-20 16:57:15 +00:00
|
|
|
rev = finalAttrs.version;
|
2022-01-30 15:54:48 +00:00
|
|
|
sha256 = "sha256-BbjL0W12QXFmGCzFrFYY6CZZeFbUt0elCGhM+mbL/IU=";
|
2019-04-07 21:05:22 +00:00
|
|
|
};
|
|
|
|
|
2021-08-11 21:35:27 +00:00
|
|
|
doCheck = true;
|
2023-01-21 12:00:00 +00:00
|
|
|
nativeCheckInputs = [ python3 ];
|
2021-08-11 21:35:27 +00:00
|
|
|
# these tests cover use as a build-time-linked library
|
2023-06-20 16:57:15 +00:00
|
|
|
checkTarget = "test";
|
2021-08-11 21:35:27 +00:00
|
|
|
|
2019-04-07 21:05:22 +00:00
|
|
|
installPhase = ''
|
2021-08-11 21:35:27 +00:00
|
|
|
install -Dm444 -t $out/include include/*
|
2022-01-30 15:54:48 +00:00
|
|
|
install -Dm444 -t $out/lib out/libhardened_malloc.so
|
2019-04-07 21:05:22 +00:00
|
|
|
|
|
|
|
mkdir -p $out/bin
|
|
|
|
substitute preload.sh $out/bin/preload-hardened-malloc --replace "\$dir" $out/lib
|
|
|
|
chmod 0555 $out/bin/preload-hardened-malloc
|
|
|
|
'';
|
|
|
|
|
2019-07-18 12:15:33 +00:00
|
|
|
separateDebugInfo = true;
|
|
|
|
|
2021-08-11 21:35:27 +00:00
|
|
|
passthru = {
|
|
|
|
ld-preload-tests = stdenv.mkDerivation {
|
2023-06-20 16:57:15 +00:00
|
|
|
name = "${finalAttrs.pname}-ld-preload-tests";
|
|
|
|
inherit (finalAttrs) src;
|
2019-04-07 21:05:22 +00:00
|
|
|
|
2021-08-11 21:35:27 +00:00
|
|
|
nativeBuildInputs = [ makeWrapper ];
|
2019-04-07 21:05:22 +00:00
|
|
|
|
2021-08-11 21:35:27 +00:00
|
|
|
# reuse the projects tests to cover use with LD_PRELOAD. we have
|
|
|
|
# to convince the test programs to build as though they're naive
|
|
|
|
# standalone executables. this includes disabling tests for
|
|
|
|
# malloc_object_size, which doesn't make sense to use via LD_PRELOAD.
|
|
|
|
buildPhase = ''
|
2022-01-30 15:54:48 +00:00
|
|
|
pushd test
|
2021-08-11 21:35:27 +00:00
|
|
|
make LDLIBS= LDFLAGS=-Wl,--unresolved-symbols=ignore-all CXXFLAGS=-lstdc++
|
|
|
|
substituteInPlace test_smc.py \
|
|
|
|
--replace 'test_malloc_object_size' 'dont_test_malloc_object_size' \
|
|
|
|
--replace 'test_invalid_malloc_object_size' 'dont_test_invalid_malloc_object_size'
|
2022-01-30 15:54:48 +00:00
|
|
|
popd # test
|
2021-08-11 21:35:27 +00:00
|
|
|
'';
|
2019-04-07 21:05:22 +00:00
|
|
|
|
2021-08-11 21:35:27 +00:00
|
|
|
installPhase = ''
|
|
|
|
mkdir -p $out/test
|
2022-01-30 15:54:48 +00:00
|
|
|
cp -r test $out/test
|
2019-04-07 21:05:22 +00:00
|
|
|
|
2021-08-11 21:35:27 +00:00
|
|
|
mkdir -p $out/bin
|
|
|
|
makeWrapper ${python3.interpreter} $out/bin/run-tests \
|
2022-01-30 15:54:48 +00:00
|
|
|
--add-flags "-I -m unittest discover --start-directory $out/test"
|
2021-08-11 21:35:27 +00:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
tests = {
|
2023-06-20 16:57:15 +00:00
|
|
|
ld-preload = runCommand "ld-preload-test-run" { } ''
|
|
|
|
${finalAttrs.finalPackage}/bin/preload-hardened-malloc ${finalAttrs.passthru.ld-preload-tests}/bin/run-tests
|
2021-08-11 21:35:27 +00:00
|
|
|
touch $out
|
|
|
|
'';
|
|
|
|
# to compensate for the lack of tests of correct normal malloc operation
|
2023-06-20 16:57:15 +00:00
|
|
|
stress = runCommand "stress-test-run" { } ''
|
|
|
|
${finalAttrs.finalPackage}/bin/preload-hardened-malloc ${stress-ng}/bin/stress-ng \
|
2021-08-11 21:35:27 +00:00
|
|
|
--no-rand-seed \
|
|
|
|
--malloc 8 \
|
|
|
|
--malloc-ops 1000000 \
|
|
|
|
--verify
|
|
|
|
touch $out
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
2019-04-07 21:05:22 +00:00
|
|
|
|
2021-01-21 17:00:13 +00:00
|
|
|
meta = with lib; {
|
2020-04-01 01:11:51 +00:00
|
|
|
homepage = "https://github.com/GrapheneOS/hardened_malloc";
|
2019-04-07 21:05:22 +00:00
|
|
|
description = "Hardened allocator designed for modern systems";
|
|
|
|
longDescription = ''
|
|
|
|
This is a security-focused general purpose memory allocator providing the malloc API
|
|
|
|
along with various extensions. It provides substantial hardening against heap
|
|
|
|
corruption vulnerabilities yet aims to provide decent overall performance.
|
|
|
|
'';
|
|
|
|
license = licenses.mit;
|
|
|
|
maintainers = with maintainers; [ ris ];
|
2020-04-08 20:02:25 +00:00
|
|
|
platforms = [ "x86_64-linux" "aarch64-linux" ];
|
2019-04-07 21:05:22 +00:00
|
|
|
};
|
2021-08-11 21:35:27 +00:00
|
|
|
})
|