jemalloc: use get_underlying_allocation in je_malloc_underlying_allocation

Add get_underlying_allocation() helper function that properly resolves
sub-capabilities (interior pointers) to their underlying allocation.
This correctly handles the case where a pointer points within a slab
allocation by calculating the region base from the extent.

Use this new function in je_malloc_underlying_allocation() instead of
the previous unbound_ptr approach which had issues with interior
pointers.

Author: MauriceDHanisch

contrib/jemalloc/include/jemalloc/internal/jemalloc_internal_inlines_c.h

@@ -21,6 +21,63 @@
 #include "jemalloc/internal/sz.h"
 #include "jemalloc/internal/witness.h"
 
+JEMALLOC_ALWAYS_INLINE void *
+get_underlying_allocation(tsdn_t *tsdn, void *ptr) {
+	void *ubptr;
+
+#ifndef __CHERI_PURE_CAPABILITY__
+	ubptr = ptr;
+#else
+	rtree_ctx_t *rtree_ctx;
+	rtree_ctx_t rtree_ctx_fallback;
+	extent_t *extent;
+	szind_t szind;
+
+	/*
+	 * These checks catch attacks from an adversary that can manipulate the 
+	 * offset and the bounds of a ptr passed to free() or realloc().
+	 * Reject zero-length capabilities: region arithmetic can misclassify an
+	 * end-of-region pointer as the start of the next region.
+	 */
+	if (unlikely(!cheri_gettag(ptr))) {
+		return NULL;
+	}
+	if (unlikely(cheri_getoffset(ptr) > cheri_getlen(ptr))) {
+		return NULL;
+	}
+	if (unlikely(cheri_getlen(ptr) == 0)) {
+		return NULL;
+	}
+	if (unlikely(cheri_getsealed(ptr))) {
+		return NULL;
+	}
+
+	rtree_ctx = tsdn_rtree_ctx(tsdn, &rtree_ctx_fallback);
+	if (rtree_extent_szind_read(tsdn, &extents_rtree, rtree_ctx,
+	    (uintptr_t)ptr, false, &extent, &szind)) {
+		return NULL;
+	}
+
+	assert(extent_state_get(extent) == extent_state_active);
+	/* Only slab members should be looked up via interior pointers. */
+	assert(extent_addr_get(extent) == ptr || extent_slab_get(extent));
+	assert(szind != SC_NSIZES);
+
+	size_t underlying_size = sz_index2size(szind);
+	void *extent_base = extent->e_addr;
+
+	size_t offset = (uintptr_t)ptr - (uintptr_t)extent_base;
+	size_t region_index = offset / underlying_size;
+	void *region_base = (void *)((uintptr_t)extent_base +
+	    region_index * underlying_size);
+
+	ubptr = cheri_setbounds(
+	    cheri_setaddress(extent_base, (ptraddr_t)region_base),
+	    underlying_size);
+#endif
+	return ubptr;
+}
+
 JEMALLOC_ALWAYS_INLINE void *
 unbound_ptr(tsdn_t *tsdn, void *ptr) {
 	void *ubptr;

contrib/jemalloc/src/jemalloc.c

@@ -3799,22 +3799,18 @@ je_malloc_underlying_allocation(void *ptr) {
 	if (unlikely(ptr == NULL)) {
 		ret = NULL;
 	} else {
-		size_t underlying_size = ivsalloc(tsdn, ptr);
-		if (underlying_size == 0) {
+		ret = get_underlying_allocation(tsdn, ptr);
+		ret = cheri_andperm(ret,
+		    CHERI_PERMS_USERSPACE_DATA | CHERI_PERM_SW_VMEM);
+	}
+
+	/*
+	 * Check that ptr corresponds to a ptr returned by malloc.
+	 */
+	if (ret != NULL) {
+		void *ret_check = cheri_andperm(ret, ~CHERI_PERM_SW_VMEM);
+		if (unlikely(!cheri_equal_exact(ptr, ret_check))) {
 			ret = NULL;
-		} else {
-			/*
-			 * XXX unbound_ptr will actually work if this isn't
-			 * a pointer to an original allocation but is
-			 * contained within an extent - we can
-			 * probably fix this in rtree functions.
-			 */
-			ret = unbound_ptr(tsdn, ptr);
-			/* Bounds as with BOUND_PTR, but preserve SW_VMEM */
-			if (ret != NULL)
-				ret = cheri_andperm(
-				    cheri_setbounds(ret, underlying_size),
-				    CHERI_PERMS_USERSPACE_DATA | CHERI_PERM_SW_VMEM);
 		}
 	}