[PATCH 2/4] malloc: use mmap() to improve ASLR

[Topi Miettinen]

sbrk() returns rather predictable allocations because they are located
close to the data segment. Let's use mmap() instead, except if
instructed by a tunable.

--
v2: use tunable
---
 malloc/arena.c    | 11 +++++++++--
 malloc/morecore.c | 10 ++++++++++
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/malloc/arena.c b/malloc/arena.c
index 202daf15b0..129e231bae 100644
--- a/malloc/arena.c
+++ b/malloc/arena.c
@@ -295,14 +295,21 @@ ptmalloc_init (void)
 
 #ifdef SHARED
   /* In case this libc copy is in a non-default namespace, never use brk.
-     Likewise if dlopened from statically linked program.  */
+     Likewise if dlopened from statically linked program.
+     Otherwise the use of brk is controlled by a tunable
+     glibc.malloc.use_sbrk. */
   Dl_info di;
   struct link_map *l;
 
   if (_dl_open_hook != NULL
       || (_dl_addr (ptmalloc_init, &di, &l, NULL) != 0
-          && l->l_ns != LM_ID_BASE))
+          && l->l_ns != LM_ID_BASE)
+#if HAVE_TUNABLES
+      || !TUNABLE_GET (use_sbrk, int32_t, NULL)
+#endif
+      )
     __morecore = __failing_morecore;
+
 #endif
 
   thread_arena = &main_arena;
diff --git a/malloc/morecore.c b/malloc/morecore.c
index 72e655f84f..d5da5ffc45 100644
--- a/malloc/morecore.c
+++ b/malloc/morecore.c
@@ -38,12 +38,22 @@ libc_hidden_proto (__sbrk)
 # define NULL 0
 #endif
 
+#if HAVE_TUNABLES
+# define TUNABLE_NAMESPACE malloc
+#endif
+#include <elf/dl-tunables.h>
+
 /* Allocate INCREMENT more bytes of data space,
    and return the start of data space, or NULL on errors.
    If INCREMENT is negative, shrink data space.  */
 void *
 __default_morecore (ptrdiff_t increment)
 {
+  /* Tunable glibc.malloc.use_sbrk controls use of 'sbrk()'. */
+#if HAVE_TUNABLES
+  if (!TUNABLE_GET (use_sbrk, int32_t, NULL))
+    return NULL;
+#endif
   void *result = (void *) __sbrk (increment);
   if (result == (void *) -1)
     return NULL;
-- 
2.29.2