preserve errno in deallocate_small success path and h_free_sized

thomasbuilds · thestinger · commit ff431a4837d1 · 2026-04-28T16:39:10.000-04:00
deallocate_small captured saved_errno but only restored it on the OOM
fallback path. The fast path through label_slab() returned without
restoring errno, violating the function's "preserves errno" contract that
h_free and h_free_sized rely on. prctl(PR_SET_VMA_ANON_NAME) is only
called when CONFIG_LABEL_MEMORY is non-zero (Android debuggable builds),
so restore errno conditionally via if (CONFIG_LABEL_MEMORY).

h_free_sized's large path called deallocate_large() directly with no
save/restore, while h_free already wraps it correctly. This leaked errno
via the region quarantine's mmap/munmap/madvise/prctl calls and surfaced
through C++17 sized-deallocation (operator delete(void*, size_t)).

Replace the valueless -DLABEL_MEMORY flag with CONFIG_LABEL_MEMORY=true/false
following the project's existing CONFIG_* convention. Add it to the Makefile
and config files (default false). Android.bp sets it to true for debuggable
builds via product_variables. Use if (CONFIG_LABEL_MEMORY) in the code to
avoid preprocessor use where plain C suffices.
diff --git a/Android.bp b/Android.bp
@@ -69,7 +69,7 @@ cc_library {
     },
     product_variables: {
         debuggable: {
-            cflags: ["-DLABEL_MEMORY"],
+            cflags: ["-DCONFIG_LABEL_MEMORY=true"],
         },
         device_has_arm_mte: {
             cflags: ["-DHAS_ARM_MTE", "-march=armv8-a+dotprod+memtag"]
diff --git a/Makefile b/Makefile
@@ -89,6 +89,10 @@ ifeq (,$(filter $(CONFIG_SELF_INIT),true false))
     $(error CONFIG_SELF_INIT must be true or false)
 endif
 
+ifeq (,$(filter $(CONFIG_LABEL_MEMORY),true false))
+    $(error CONFIG_LABEL_MEMORY must be true or false)
+endif
+
 CPPFLAGS += \
     -DCONFIG_SEAL_METADATA=$(CONFIG_SEAL_METADATA) \
     -DZERO_ON_FREE=$(CONFIG_ZERO_ON_FREE) \
@@ -108,7 +112,8 @@ CPPFLAGS += \
     -DCONFIG_CLASS_REGION_SIZE=$(CONFIG_CLASS_REGION_SIZE) \
     -DN_ARENA=$(CONFIG_N_ARENA) \
     -DCONFIG_STATS=$(CONFIG_STATS) \
-    -DCONFIG_SELF_INIT=$(CONFIG_SELF_INIT)
+    -DCONFIG_SELF_INIT=$(CONFIG_SELF_INIT) \
+    -DCONFIG_LABEL_MEMORY=$(CONFIG_LABEL_MEMORY)
 
 $(OUT)/libhardened_malloc$(SUFFIX).so: $(OBJECTS) | $(OUT)
 	$(CC) $(CFLAGS) $(LDFLAGS) -shared $^ $(LDLIBS) -o $@
diff --git a/config/default.mk b/config/default.mk
@@ -21,3 +21,4 @@ CONFIG_CLASS_REGION_SIZE := 34359738368 # 32GiB
 CONFIG_N_ARENA := 4
 CONFIG_STATS := false
 CONFIG_SELF_INIT := true
+CONFIG_LABEL_MEMORY := false
diff --git a/config/light.mk b/config/light.mk
@@ -21,3 +21,4 @@ CONFIG_CLASS_REGION_SIZE := 34359738368 # 32GiB
 CONFIG_N_ARENA := 4
 CONFIG_STATS := false
 CONFIG_SELF_INIT := true
+CONFIG_LABEL_MEMORY := false
diff --git a/h_malloc.c b/h_malloc.c
@@ -928,6 +928,10 @@ static inline void deallocate_small(void *p, const size_t *expected_size) {
                 stats_slab_deallocate(c, slab_size);
                 enqueue_free_slab(c, metadata);
                 mutex_unlock(&c->lock);
+                if (CONFIG_LABEL_MEMORY) {
+                    // label_slab -> prctl(PR_SET_VMA_ANON_NAME) can clobber errno
+                    errno = saved_errno;
+                }
                 return;
             }
             memory_purge(slab, slab_size);
@@ -1751,7 +1755,9 @@ EXPORT void h_free_sized(void *p, size_t expected_size) {
         return;
     }
 
+    int saved_errno = errno;
     deallocate_large(p, &expected_size);
+    errno = saved_errno;
 
     thread_seal_metadata();
 }
diff --git a/memory.c b/memory.c
@@ -2,9 +2,7 @@
 
 #include <sys/mman.h>
 
-#ifdef LABEL_MEMORY
 #include <sys/prctl.h>
-#endif
 
 #ifndef PR_SET_VMA
 #define PR_SET_VMA 0x53564d41
@@ -120,9 +118,8 @@ bool memory_purge(void *ptr, size_t size) {
 }
 
 bool memory_set_name(UNUSED void *ptr, UNUSED size_t size, UNUSED const char *name) {
-#ifdef LABEL_MEMORY
-    return prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, ptr, size, name);
-#else
+    if (CONFIG_LABEL_MEMORY) {
+        return prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, ptr, size, name);
+    }
     return false;
-#endif
 }
diff --git a/memory.h b/memory.h
@@ -8,6 +8,10 @@
 #define HAVE_COMPATIBLE_MREMAP
 #endif
 
+#ifndef CONFIG_LABEL_MEMORY
+#define CONFIG_LABEL_MEMORY false
+#endif
+
 int get_metadata_key(void);
 
 void *memory_map(size_t size);

Original file line number	Diff line number	Diff line change
`@@ -928,6 +928,10 @@ static inline void deallocate_small(void p, const size_t expected_size) {`
`928`	`928`	`stats_slab_deallocate(c, slab_size);`
`929`	`929`	`enqueue_free_slab(c, metadata);`
`930`	`930`	`mutex_unlock(&c->lock);`
	`931`	`+ if (CONFIG_LABEL_MEMORY) {`
	`932`	`+ // label_slab -> prctl(PR_SET_VMA_ANON_NAME) can clobber errno`
	`933`	`+ errno = saved_errno;`
	`934`	`+ }`
`931`	`935`	`return;`
`932`	`936`	`}`
`933`	`937`	`memory_purge(slab, slab_size);`
`@@ -1751,7 +1755,9 @@ EXPORT void h_free_sized(void *p, size_t expected_size) {`
`1751`	`1755`	`return;`
`1752`	`1756`	`}`
`1753`	`1757`
	`1758`	`+ int saved_errno = errno;`
`1754`	`1759`	`deallocate_large(p, &expected_size);`
	`1760`	`+ errno = saved_errno;`
`1755`	`1761`
`1756`	`1762`	`thread_seal_metadata();`
`1757`	`1763`	`}`