From: Stephen Hemminger <stephen@networkplumber.org>
To: dev@dpdk.org
Cc: Stephen Hemminger <stephen@networkplumber.org>
Subject: [PATCH v2] mem: poison memory when freed
Date: Fri, 15 Feb 2019 17:50:16 -0800
Message-ID: <20190216015016.10426-1-stephen@networkplumber.org>
DPDK malloc library allows broken programs to work because
the semantics of zmalloc and malloc are the same.
This patch enables a more secure model which will catch
(and crash) programs that reuse memory already freed if
RTE_MALLOC_DEBUG is enabled.
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Andrew Rybchenko <arybchenko@solarflare.com>
Reviewed-by: Anatoly Burakov <anatoly.burakov@intel.com>
---
v2 -- fix #ifdef to get correct semantics, and add more comments
lib/librte_eal/common/malloc_elem.c | 18 +++++++++++++++---
lib/librte_eal/common/rte_malloc.c | 13 ++++++++++++-
2 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/lib/librte_eal/common/malloc_elem.c b/lib/librte_eal/common/malloc_elem.c
index d54a528ed653..658c9b5b7993 100644
--- a/lib/librte_eal/common/malloc_elem.c
+++ b/lib/librte_eal/common/malloc_elem.c
@@ -23,6 +23,17 @@
#include "malloc_elem.h"
#include "malloc_heap.h"
+/*
+ * If debugging is enabled, freed memory is set to poison value
+ * to catch buggy programs. Otherwise, freed memory is set to zero
+ * to avoid having to zero in zmalloc
+ */
+#ifdef RTE_MALLOC_DEBUG
+#define MALLOC_POISON 0x6b
+#else
+#define MALLOC_POISON 0
+#endif
+
size_t
malloc_elem_find_max_iova_contig(struct malloc_elem *elem, size_t align)
{
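Review bot: In the comment above MALLOC_POISON, the non-debug value of 0 is described as a way "to avoid having to zero in zmalloc", but it is a correctness requirement rather than an optimisation: in a non-debug build rte_zmalloc_socket still returns the result of rte_malloc_socket without clearing it, so it depends on free having zeroed the memory. I would state that explicitly in the comment, for example "must stay 0 when RTE_MALLOC_DEBUG is not set; rte_zmalloc_socket relies on freed memory being zero", so that nobody later changes the #else branch. The macro name is also slightly misleading for a value that is 0 in the default build; a sentence saying so in the comment would be enough.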
@@ -494,7 +505,7 @@ malloc_elem_join_adjacent_free(struct malloc_elem *elem)
join_elem(elem, elem->next);
/* erase header, trailer and pad */
- memset(erase, 0, erase_len);
+ memset(erase, MALLOC_POISON, erase_len);
}
/*
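Review bot: The comment "erase header, trailer and pad" above this memset (and above the identical call in the second half of malloc_elem_join_adjacent_free) no longer describes the debug build, where the bytes are filled with MALLOC_POISON rather than cleared. Suggest rewording it to something like "poison or zero the old header, trailer and pad", so that a reader looking at a crash dump knows the old element header is expected to carry the poison pattern.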
@@ -518,7 +529,7 @@ malloc_elem_join_adjacent_free(struct malloc_elem *elem)
join_elem(new_elem, elem);
/* erase header, trailer and pad */
- memset(erase, 0, erase_len);
+ memset(erase, MALLOC_POISON, erase_len);
elem = new_elem;
}
@@ -549,7 +560,8 @@ malloc_elem_free(struct malloc_elem *elem)
/* decrease heap's count of allocated elements */
elem->heap->alloc_count--;
- memset(ptr, 0, data_len);
+ /* poison memory */
+ memset(ptr, MALLOC_POISON, data_len);
return elem;
}
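Review bot: In malloc_elem_free the pattern is only written, never checked: nothing in this patch verifies on a later allocation that the bytes still hold MALLOC_POISON, so a write to freed memory goes unnoticed and only a later read of stale data is likely to trip. If the goal is to catch reuse after free, consider a follow-up that validates the fill under RTE_MALLOC_DEBUG before the block is handed out again. The new "/* poison memory */" comment should also mention that in the default build this memset zeroes the block.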
diff --git a/lib/librte_eal/common/rte_malloc.c b/lib/librte_eal/common/rte_malloc.c
index b39de3c99e58..9db8ded73bfc 100644
--- a/lib/librte_eal/common/rte_malloc.c
+++ b/lib/librte_eal/common/rte_malloc.c
@@ -74,7 +74,18 @@ rte_malloc(const char *type, size_t size, unsigned align)
void *
rte_zmalloc_socket(const char *type, size_t size, unsigned align, int socket)
{
- return rte_malloc_socket(type, size, align, socket);
+ void *ptr = rte_malloc_socket(type, size, align, socket);
+
+#ifdef RTE_MALLOC_DEBUG
+ /*
+ * If DEBUG is enabled, then freed memory is marked with poison
+ * value and set to zero on allocation.
+ * If DEBUG is not enabled then memory is already zeroed.
+ */
+ if (ptr != NULL)
+ memset(ptr, 0, size);
+#endif
+ return ptr;
}
/*
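Review bot: The comment inside the #ifdef in rte_zmalloc_socket reads as if every allocation is zeroed in debug mode ("marked with poison value and set to zero on allocation"), but only this function clears the memory; memory returned by rte_malloc_socket still carries the poison pattern. Please spell that out and use the real macro name RTE_MALLOC_DEBUG instead of "DEBUG". It is also worth confirming that every zeroing allocator reaches this function, since any path that calls rte_malloc_socket directly and expects zeroed memory would get poisoned bytes once RTE_MALLOC_DEBUG is set.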
--
2.17.1