儲存庫 vbox 的更動 52050

時間撮記:

2014-7-16 下午01:53:24 (10 年 以前)

作者:

vboxsync

訊息:

RTMemSafer: Split generic from ring-3 specific page based implementation. Adjusted the ring-3 implementation to use RTMemPage when SUPR3PageAllocEx isn't available, and to separate the real data from the heap metadata to make finding the data just a little bit more difficult.

位置:

trunk

檔案:

• include/iprt/err.h (修改) (1 筆差異)
• include/iprt/memsafer.h (修改) (5 筆差異)
• src/VBox/Runtime/Makefile.kmk (修改) (3 筆差異)
• src/VBox/Runtime/common/math/bignum.cpp (修改) (3 筆差異)
• src/VBox/Runtime/generic/memsafer-generic.cpp (修改) (9 筆差異)
• src/VBox/Runtime/r3/memsafer-r3.cpp (複製) (複製 從 trunk/src/VBox/Runtime/generic/memsafer-generic.cpp ) (10 筆差異)
• src/VBox/Runtime/testcase/tstRTMemSafer.cpp (修改) (5 筆差異)

trunk/include/iprt/err.h

@@ -921 +921 @@
 /** An account is restricted in a certain way. */
 #define VINF_ACCOUNT_RESTRICTED             22405
+/** Not able satisfy all the requirements of the request. */
+#define VERR_UNABLE_TO_SATISFY_REQUIREMENTS (-22406)
+/** Not able satisfy all the requirements of the request. */
+#define VWRN_UNABLE_TO_SATISFY_REQUIREMENTS 22406
+/** The requested allocation is too big. */
+#define VERR_ALLOCATION_TOO_BIG             (-22405)
 /** @} */
 

trunk/include/iprt/memsafer.h

@@ -57 +57 @@
  */
 
-/** Default memory allocation, non-pageable memory backing, return error
- * if not possible to allocate such memor. */
-#define RTMEMSAFER_ALLOC_EX_FLAGS_DEFAULT                   (0)
-/** Allow pageable memory backing for cases where the content is not that sensitive
- * and allocating non-pageable memory failes. Use with care! */
-#define RTMEMSAFER_ALLOC_EX_ALLOW_PAGEABLE_BACKING RT_BIT_32(1)
+/** @name RTMEMSAFER_F_XXX
+ * @{ */
+/** Require the memory to not hit the page file.
+ * @remarks Makes not guarantees with regards to hibernation /
+ *          suspend-to-disk. */
+#define RTMEMSAFER_F_REQUIRE_NOT_PAGABLE    RT_BIT_32(0)
+/** Mask of valid bits.  */
+#define RTMEMSAFER_F_VALID_MASK             UINT32_C(0x00000001)
+/** @} */
 
 /**
@@ -92 +95 @@
 RTDECL(int) RTMemSaferUnscramble(void *pv, size_t cb);
 
-
 /**
  * Allocates memory for sensitive data.
@@ -102 +104 @@
  * @param   ppvNew      Where to return the pointer to the memory.
  * @param   cb          Number of bytes to allocate.
- * @param   fFlags      Flags for controlling the allocation. See RTMEMSAFER_ALLOC_EX_FLAGS_* defines.
+ * @param   fFlags      Flags for controlling the allocation, see
+ *                      RTMEMSAFER_F_XXX.
  * @param   pszTag      Allocation tag used for statistics and such.
  */
@@ -116 +119 @@
  * @param   a_ppvNew    Where to return the pointer to the memory.
  * @param   a_cb        Number of bytes to allocate.
- * @param   a_fFlags    Flags for controlling the allocation. See RTMEMSAFER_ALLOC_EX_FLAGS_* defines.
+ * @param   a_fFlags    Flags for controlling the allocation, see
+ *                      RTMEMSAFER_F_XXX.
  */
 #define RTMemSaferAllocZEx(a_ppvNew, a_cb, a_fFlags) RTMemSaferAllocZExTag(a_ppvNew, a_cb, a_fFlags, RTMEM_TAG)
@@ -159 +163 @@
  * @param   cbNew       The size of the new allocation.
  * @param   ppvNew      Where to return the pointer to the new memory.
- * @param   fFlags      Flags for controlling the allocation. See RTMEMSAFER_ALLOC_EX_FLAGS_* defines,
- *                      this takes only effect when allocating completely new memory, for extending or
- *                      shrinking existing allocations the flags of the allocation take precedence.
+ * @param   a_fFlags    Flags for controlling the allocation, see
+ *                      RTMEMSAFER_F_XXX.  It is not permitted to drop saftely
+ *                      requirments after the initial allocation.
  * @param   pszTag      Allocation tag used for statistics and such.
  */

trunk/src/VBox/Runtime/Makefile.kmk

@@ -585 +585 @@
         generic/RTTimerLRCreate-generic.cpp \
         generic/mempool-generic.cpp \
-        generic/memsafer-generic.cpp \
         generic/semfastmutex-generic.cpp \
         generic/semxroads-generic.cpp \
@@ -599 +598 @@
         r3/init.cpp \
         r3/isofs.cpp \
+        r3/memsafer-r3.cpp \
         r3/path.cpp \
         r3/poll.cpp \
@@ -1187 +1187 @@
 RuntimeBldProg_BLD_TRG_ARCH    := $(KBUILD_HOST_ARCH)
 RuntimeBldProg_BLD_TRG_CPU     := $(KBUILD_HOST_CPU)
-RuntimeBldProg_DEFS            := $(RuntimeR3_DEFS) IPRT_WITHOUT_LDR_VERIFY
+RuntimeBldProg_DEFS            := $(filter-out IN_SUP_R3 IN_SUP, $(RuntimeR3_DEFS)) IPRT_WITHOUT_LDR_VERIFY RT_NO_GIP
 RuntimeBldProg_SOURCES          = $(filter-out \
         r3/xml.cpp \

trunk/src/VBox/Runtime/common/math/bignum.cpp

@@ -118 +118 @@
     Assert(cbNew > cbOld);
 
-    void *pvNew = NULL;
+    void *pvNew;
     if (pBigNum->fSensitive)
-    {
-        int rc = RTMemSaferReallocZEx(cbOld, pBigNum->pauElements, cbNew, &pvNew, RTMEMSAFER_ALLOC_EX_ALLOW_PAGEABLE_BACKING);
-        Assert(VALID_PTR(pvNew) || RT_FAILURE(rc));
-    }
+        pvNew = RTMemSaferReallocZ(cbOld, pBigNum->pauElements, cbNew);
     else
         pvNew = RTMemRealloc(pBigNum->pauElements, cbNew);
@@ -326 +323 @@
         pBigNum->cAllocated = RT_ALIGN_32(pBigNum->cUsed, 4);
         if (pBigNum->fSensitive)
-        {
-            int rc = RTMemSaferAllocZEx((void **)&pBigNum->pauElements, pBigNum->cAllocated * RTBIGNUM_ELEMENT_SIZE,
-                                        RTMEMSAFER_ALLOC_EX_ALLOW_PAGEABLE_BACKING);
-            Assert(VALID_PTR(pBigNum->pauElements) || RT_FAILURE(rc));
-        }
+            pBigNum->pauElements = (RTBIGNUMELEMENT *)RTMemSaferAllocZ(pBigNum->cAllocated * RTBIGNUM_ELEMENT_SIZE);
         else
             pBigNum->pauElements = (RTBIGNUMELEMENT *)RTMemAlloc(pBigNum->cAllocated * RTBIGNUM_ELEMENT_SIZE);
@@ -464 +457 @@
         pBigNum->cAllocated = RT_ALIGN_32(pBigNum->cUsed, 4);
         if (pBigNum->fSensitive)
-        {
-            rc = RTMemSaferAllocZEx((void **)&pBigNum->pauElements, pBigNum->cAllocated * RTBIGNUM_ELEMENT_SIZE,
-                                    RTMEMSAFER_ALLOC_EX_ALLOW_PAGEABLE_BACKING);
-            Assert(VALID_PTR(pBigNum->pauElements) || RT_FAILURE(rc));
-        }
+            pBigNum->pauElements = (RTBIGNUMELEMENT *)RTMemSaferAllocZ(pBigNum->cAllocated * RTBIGNUM_ELEMENT_SIZE);
         else
             pBigNum->pauElements = (RTBIGNUMELEMENT *)RTMemAlloc(pBigNum->cAllocated * RTBIGNUM_ELEMENT_SIZE);

trunk/src/VBox/Runtime/generic/memsafer-generic.cpp

@@ -34 +34 @@
 #include <iprt/assert.h>
 #include <iprt/string.h>
-#if defined(IN_SUP_R3) && defined(VBOX) && !defined(RT_NO_GIP)
-# include <iprt/param.h>
-# include <VBox/sup.h>
-#endif /* IN_SUP_R3 */
 
 
@@ -50 +46 @@
 #define RTMEMSAFER_PAD_AFTER    32
 
-/*******************************************************************************
-*   Structures and Typedefs                                                    *
-*******************************************************************************/
-
-/**
- * Supported allocation methods.
- */
-typedef enum RTMEMSAFERALLOCMETHOD
-{
-    /** Invalid method. */
-    RTMEMSAFERALLOCMETHOD_INVALID = 0,
-    /** RTMem{Alloc|Free} methods, least secure!. */
-    RTMEMSAFERALLOCMETHOD_RTMEM,
-    /** Support library. */
-    RTMEMSAFERALLOCMETHOD_SUPR3,
-    /** 32bit hack. */
-    RTMEMSAFERALLOCMETHOD_32BIT_HACK = 0x7fffffff
-} RTMEMSAFERALLOCMETHOD;
-/** Pointer to a allocation method enum. */
-typedef RTMEMSAFERALLOCMETHOD *PRTMEMSAFERALLOCMETHOD;
-
-/**
- * Memory header for safer memory allocations.
- *
- * @note: There is no magic value used deliberately to make identifying this structure
- *        as hard as possible.
- */
-typedef struct RTMEMSAFERHDR
-{
-    /** Flags passed to this allocation - used for freeing and reallocation. */
-    uint32_t              fFlags;
-    /** Allocation method used. */
-    RTMEMSAFERALLOCMETHOD enmAllocMethod;
-    /** Amount of bytes allocated. */
-    size_t                cb;
-} RTMEMSAFERHDR;
-/** Pointer to a safer memory header. */
-typedef RTMEMSAFERHDR *PRTMEMSAFERHDR;
-/** Make sure we are staying in the padding area. */
-AssertCompile(sizeof(RTMEMSAFERHDR) < RTMEMSAFER_PAD_BEFORE);
 
 /*******************************************************************************
 *   Global Variables                                                           *
 *******************************************************************************/
-/** XOR scrambler value.
+/** XOR scrabler value.
  * @todo determine this at runtime */
 #if ARCH_BITS == 32
@@ -106 +62 @@
 
 
-/**
- * Support (SUPR3) based allocator.
- *
- * @returns VBox status code.
- * @retval VERR_NOT_SUPPORTED if this allocation method is not supported in this
- *         version of the library.
- * @param  ppvNew    Where to store the pointer to the new buffer on success.
- * @param  cb        Amount of bytes to allocate.
- *
- * @note: The allocation will have an extra page allocated before and after the
- *        user area with all access rights removed if the host supports that to
- *        prevent heartbleed like attacks.
- */
-static int rtMemSaferSupR3Alloc(void **ppvNew, size_t cb)
-{
-#if defined(IN_SUP_R3) && defined(VBOX) && !defined(RT_NO_GIP)
-    /*
-     * Allocate locked memory from the support library.
-     * 
-     */
-    size_t cbUser = RT_ALIGN_Z(cb, PAGE_SIZE);
-    size_t cPages = cbUser / PAGE_SIZE + 2; /* For the extra guarding pages. */
-    void *pvNew = NULL;
-    int rc = SUPR3PageAllocEx(cPages, 0 /* fFlags */, &pvNew, NULL /* pR0Ptr */, NULL /* paPages */);
-    if (RT_SUCCESS(rc))
-    {
-        /*
-         * Change the memory protection of the pages guarding the allocation.
-         * Some hosts don't support changing the page protection, ignore these
-         * errors.
-         */
-        rc = SUPR3PageProtect(pvNew, NIL_RTR0PTR, 0, PAGE_SIZE, RTMEM_PROT_NONE);
-        if (RT_SUCCESS(rc) || rc == VERR_NOT_SUPPORTED)
-        {
-            Assert(PAGE_SIZE + cbUser == (size_t)((uint32_t)(PAGE_SIZE + cbUser)));
-            if (rc == VERR_NOT_SUPPORTED)
-                rc = VINF_SUCCESS;
-            else
-                rc = SUPR3PageProtect(pvNew, NIL_RTR0PTR, PAGE_SIZE + (uint32_t)cbUser, PAGE_SIZE, RTMEM_PROT_NONE);
-
-            if (RT_SUCCESS(rc))
-            {
-                *ppvNew = (uint8_t *)pvNew + PAGE_SIZE;
-                return VINF_SUCCESS;
-            }
-        }
-
-        rc = SUPR3PageFreeEx(pvNew, cPages);
-        AssertRC(rc);
-    }
-
-    return rc;
-#else
-    return VERR_NOT_SUPPORTED;
-#endif
-}
-
-
-/**
- * Free method for memory allocated using the Support (SUPR3) based allocator.
- *
- * @returns nothing.
- * @param   pv    Pointer to the memory to free.
- * @param   cb    Amount of bytes allocated.
- */
-static void rtMemSafeSupR3Free(void *pv, size_t cb)
-{
-#if defined(IN_SUP_R3) && defined(VBOX) && !defined(RT_NO_GIP)
-    size_t cbUser = RT_ALIGN_Z(cb, PAGE_SIZE);
-    size_t cPages = cbUser / PAGE_SIZE + 2; /* For the extra pages. */
-    void *pvStart = (uint8_t *)pv - PAGE_SIZE;
-
-    int rc = SUPR3PageFreeEx(pvStart, cPages);
-    AssertRC(rc);
-#else
-    AssertMsgFailed(("SUPR3 allocated memory but freeing is not supported, messed up\n"));
-#endif
-}
-
-
 RTDECL(int) RTMemSaferScramble(void *pv, size_t cb)
 {
-    PRTMEMSAFERHDR pHdr = (PRTMEMSAFERHDR)((char *)pv - RTMEMSAFER_PAD_BEFORE);
-    AssertMsg(pHdr->cb == cb, ("pHdr->cb=%#zx cb=%#zx\n", pHdr->cb, cb));
+
+    AssertMsg(*(size_t *)((char *)pv - RTMEMSAFER_PAD_BEFORE) == cb,
+              ("*pvStart=%#zx cb=%#zx\n", *(size_t *)((char *)pv- RTMEMSAFER_PAD_BEFORE), cb));
 
     /* Note! This isn't supposed to be safe, just less obvious. */
@@ -208 +85 @@
 RTDECL(int) RTMemSaferUnscramble(void *pv, size_t cb)
 {
-    PRTMEMSAFERHDR pHdr = (PRTMEMSAFERHDR)((char *)pv - RTMEMSAFER_PAD_BEFORE);
-    AssertMsg(pHdr->cb == cb, ("pHdr->cb=%#zx cb=%#zx\n", pHdr->cb, cb));
+    AssertMsg(*(size_t *)((char *)pv - RTMEMSAFER_PAD_BEFORE) == cb,
+              ("*pvStart=%#zx cb=%#zx\n", *(size_t *)((char *)pv - RTMEMSAFER_PAD_BEFORE), cb));
 
     /* Note! This isn't supposed to be safe, just less obvious. */
@@ -228 +105 @@
 RTDECL(int) RTMemSaferAllocZExTag(void **ppvNew, size_t cb, uint32_t fFlags, const char *pszTag) RT_NO_THROW
 {
-    AssertReturn(cb, VERR_INVALID_PARAMETER);
     AssertPtrReturn(ppvNew, VERR_INVALID_PARAMETER);
     *ppvNew = NULL;
+    AssertReturn(cb, VERR_INVALID_PARAMETER);
 
     /*
-     * Don't request zeroed memory.  We want random heap garbage in the
-     * padding zones, nothing that makes our allocations easier to find.
+     * We support none of the hard requirements passed thru flags.
      */
-    RTMEMSAFERALLOCMETHOD enmAllocMethod = RTMEMSAFERALLOCMETHOD_SUPR3;
-    size_t cbUser = RT_ALIGN_Z(cb, RTMEMSAFER_ALIGN);
-    void *pvNew = NULL;
-    int rc = rtMemSaferSupR3Alloc(&pvNew, cbUser + RTMEMSAFER_PAD_BEFORE + RTMEMSAFER_PAD_AFTER);
-    if (   RT_FAILURE(rc)
-        && fFlags & RTMEMSAFER_ALLOC_EX_ALLOW_PAGEABLE_BACKING)
-    {
-        /* Pageable memory allowed. */
-        enmAllocMethod = RTMEMSAFERALLOCMETHOD_RTMEM;
-        pvNew = RTMemAlloc(cbUser + RTMEMSAFER_PAD_BEFORE + RTMEMSAFER_PAD_AFTER);
-    }
-
-    if (pvNew)
-    {
-        PRTMEMSAFERHDR pHdr = (PRTMEMSAFERHDR)pvNew;
-        pHdr->fFlags         = fFlags;
-        pHdr->cb             = cb;
-        pHdr->enmAllocMethod = enmAllocMethod;
-#ifdef RT_STRICT /* For checking input in strict builds. */
-        memset((char *)pvNew + sizeof(RTMEMSAFERHDR), 0xad, RTMEMSAFER_PAD_BEFORE - sizeof(RTMEMSAFERHDR));
-        memset((char *)pvNew + RTMEMSAFER_PAD_BEFORE + cb, 0xda, RTMEMSAFER_PAD_AFTER + (cbUser - cb));
+    if (fFlags == 0)
+    {
+        /*
+         * Don't request zeroed memory.  We want random heap garbage in the
+         * padding zones, nothing that makes our allocations easier to find.
+         */
+        size_t cbUser = RT_ALIGN_Z(cb, RTMEMSAFER_ALIGN);
+        void *pvNew = RTMemAlloc(cbUser + RTMEMSAFER_PAD_BEFORE + RTMEMSAFER_PAD_AFTER);
+        if (pvNew)
+        {
+#ifdef RT_STRICT /* For checking input in string builds. */
+            memset(pvNew, 0xad, RTMEMSAFER_PAD_BEFORE);
+            memset((char *)pvNew + RTMEMSAFER_PAD_BEFORE + cb, 0xda, RTMEMSAFER_PAD_AFTER + (cbUser - cb));
+            *(size_t *)pvNew = cb;
 #endif
 
-        void *pvUser = (char *)pvNew + RTMEMSAFER_PAD_BEFORE;
-        *ppvNew = pvUser;
-
-        /* You don't use this API for performance, so we always clean memory. */
-        RT_BZERO(pvUser, cb);
-
-        return VINF_SUCCESS;
-    }
-    return rc;
+            void *pvUser = (char *)pvNew + RTMEMSAFER_PAD_BEFORE;
+            *ppvNew = pvUser;
+
+            /* You don't use this API for performance, so we always clean memory. */
+            RT_BZERO(pvUser, cb);
+
+            return VINF_SUCCESS;
+        }
+        return VERR_NO_MEMORY;
+    }
+    AssertReturn(!(fFlags & ~RTMEMSAFER_F_VALID_MASK), VERR_INVALID_FLAGS);
+    return VWRN_UNABLE_TO_SATISFY_REQUIREMENTS;
 }
 RT_EXPORT_SYMBOL(RTMemSaferAllocZExTag);
@@ -277 +149 @@
     {
         Assert(cb);
-
-        size_t cbUser = RT_ALIGN_Z(cb, RTMEMSAFER_ALIGN);
         void *pvStart = (char *)pv - RTMEMSAFER_PAD_BEFORE;
-        PRTMEMSAFERHDR pHdr = (PRTMEMSAFERHDR)pvStart;
-        AssertMsg(pHdr->cb == cb, ("pHdr->cb=%#zx cb=%#zx\n", pHdr->cb, cb));
-
+        AssertMsg(*(size_t *)pvStart == cb, ("*pvStart=%#zx cb=%#zx\n", *(size_t *)pvStart, cb));
         RTMemWipeThoroughly(pv, RT_ALIGN_Z(cb, RTMEMSAFER_ALIGN), 3);
-
-        switch (pHdr->enmAllocMethod)
-        {
-            case RTMEMSAFERALLOCMETHOD_SUPR3:
-                rtMemSafeSupR3Free(pvStart, cbUser + RTMEMSAFER_PAD_BEFORE + RTMEMSAFER_PAD_AFTER);
-                break;
-            case RTMEMSAFERALLOCMETHOD_RTMEM:
-                RTMemFree(pvStart);
-                break;
-            default:
-                AssertMsgFailed(("Invalid allocation method, corrupted header\n"));
-        }
+        RTMemFree(pvStart);
     }
     else
@@ -314 +171 @@
     if (cbNew && cbOld)
     {
-        PRTMEMSAFERHDR pHdr = (PRTMEMSAFERHDR)((char *)pvOld - RTMEMSAFER_PAD_BEFORE);
         AssertPtr(pvOld);
         AssertMsg(*(size_t *)((char *)pvOld - RTMEMSAFER_PAD_BEFORE) == cbOld,
                   ("*pvStart=%#zx cbOld=%#zx\n", *(size_t *)((char *)pvOld - RTMEMSAFER_PAD_BEFORE), cbOld));
 
+        /*
+         * We support none of the hard requirements passed thru flags.
+         */
         void *pvNew;
-        rc = RTMemSaferAllocZExTag(&pvNew, cbNew, pHdr->fFlags, pszTag);
+        rc = RTMemSaferAllocZExTag(&pvNew, cbNew, fFlags, pszTag);
         if (RT_SUCCESS(rc))
         {
@@ -348 +207 @@
 {
     void *pvNew = NULL;
-    int rc = RTMemSaferAllocZExTag(&pvNew, cb, RTMEMSAFER_ALLOC_EX_FLAGS_DEFAULT, pszTag);
+    int rc = RTMemSaferAllocZExTag(&pvNew, cb, 0 /*fFlags*/, pszTag);
     if (RT_SUCCESS(rc))
         return pvNew;
@@ -359 +218 @@
 {
     void *pvNew = NULL;
-    int rc = RTMemSaferReallocZExTag(cbOld, pvOld, cbNew, &pvNew, RTMEMSAFER_ALLOC_EX_FLAGS_DEFAULT, pszTag);
+    int rc = RTMemSaferReallocZExTag(cbOld, pvOld, cbNew, &pvNew, 0 /*fFlags*/, pszTag);
     if (RT_SUCCESS(rc))
         return pvNew;

trunk/src/VBox/Runtime/r3/memsafer-r3.cpp

@@ -32 +32 @@
 #include <iprt/memsafer.h>
 
+#include <iprt/asm.h>
 #include <iprt/assert.h>
+#include <iprt/avl.h>
+#include <iprt/critsect.h>
+#include <iprt/mem.h>
+#include <iprt/once.h>
+#include <iprt/rand.h>
+#include <iprt/param.h>
 #include <iprt/string.h>
-#if defined(IN_SUP_R3) && defined(VBOX) && !defined(RT_NO_GIP)
-# include <iprt/param.h>
+#ifdef IN_SUP_R3
 # include <VBox/sup.h>
-#endif /* IN_SUP_R3 */
+#endif
 
 
@@ -43 +49 @@
 *   Defined Constants And Macros                                               *
 *******************************************************************************/
-/** Allocation size alignment. */
+/** Allocation size alignment (power of two). */
 #define RTMEMSAFER_ALIGN        16
-/** Padding after the block to avoid small overruns. */
-#define RTMEMSAFER_PAD_BEFORE   96
-/** Padding after the block to avoid small underruns. */
-#define RTMEMSAFER_PAD_AFTER    32
+
 
 /*******************************************************************************
 *   Structures and Typedefs                                                    *
 *******************************************************************************/
-
-/**
- * Supported allocation methods.
- */
-typedef enum RTMEMSAFERALLOCMETHOD
+/**
+ * Allocators.
+ */
+typedef enum RTMEMSAFERALLOCATOR
 {
     /** Invalid method. */
-    RTMEMSAFERALLOCMETHOD_INVALID = 0,
-    /** RTMem{Alloc|Free} methods, least secure!. */
-    RTMEMSAFERALLOCMETHOD_RTMEM,
-    /** Support library. */
-    RTMEMSAFERALLOCMETHOD_SUPR3,
-    /** 32bit hack. */
-    RTMEMSAFERALLOCMETHOD_32BIT_HACK = 0x7fffffff
-} RTMEMSAFERALLOCMETHOD;
-/** Pointer to a allocation method enum. */
-typedef RTMEMSAFERALLOCMETHOD *PRTMEMSAFERALLOCMETHOD;
-
-/**
- * Memory header for safer memory allocations.
- *
- * @note: There is no magic value used deliberately to make identifying this structure
- *        as hard as possible.
- */
-typedef struct RTMEMSAFERHDR
-{
-    /** Flags passed to this allocation - used for freeing and reallocation. */
-    uint32_t              fFlags;
-    /** Allocation method used. */
-    RTMEMSAFERALLOCMETHOD enmAllocMethod;
-    /** Amount of bytes allocated. */
-    size_t                cb;
-} RTMEMSAFERHDR;
-/** Pointer to a safer memory header. */
-typedef RTMEMSAFERHDR *PRTMEMSAFERHDR;
-/** Make sure we are staying in the padding area. */
-AssertCompile(sizeof(RTMEMSAFERHDR) < RTMEMSAFER_PAD_BEFORE);
+    RTMEMSAFERALLOCATOR_INVALID = 0,
+    /** RTMemPageAlloc. */
+    RTMEMSAFERALLOCATOR_RTMEMPAGE,
+    /** SUPR3PageAllocEx. */
+    RTMEMSAFERALLOCATOR_SUPR3
+} RTMEMSAFERALLOCATOR;
+
+/**
+ * Tracking node (lives on normal heap).
+ */
+typedef struct RTMEMSAFERNODE
+{
+    /** Node core.
+     * The core key is a scrambled pointer the user memory. */
+    AVLPVNODECORE           Core;
+    /** The allocation flags. */
+    uint32_t                fFlags;
+    /** The offset into the allocation of the user memory. */
+    uint32_t                offUser;
+    /** The requested allocation size. */
+    size_t                  cbUser;
+    /** The allocation size in pages, this includes the two guard pages. */
+    uint32_t                cPages;
+    /** The allocator used for this node. */
+    RTMEMSAFERALLOCATOR     enmAllocator;
+} RTMEMSAFERNODE;
+/** Pointer to an allocation tracking node. */
+typedef RTMEMSAFERNODE *PRTMEMSAFERNODE;
+
 
 /*******************************************************************************
 *   Global Variables                                                           *
 *******************************************************************************/
-/** XOR scrambler value.
- * @todo determine this at runtime */
-#if ARCH_BITS == 32
-static uintptr_t g_uScramblerXor = UINT32_C(0x867af88d);
-#elif ARCH_BITS == 64
-static uintptr_t g_uScramblerXor = UINT64_C(0xed95ecc99416d312);
+/** Init once structure for this module. */
+static RTONCE       g_MemSaferOnce = RTONCE_INITIALIZER;
+/** Critical section protecting the allocation tree. */
+static RTCRITSECTRW g_MemSaferCritSect;
+/** Tree of allocation nodes. */
+static AVLPVTREE    g_pMemSaferTree;
+/** XOR scrambler value for memory. */
+static uintptr_t    g_uMemSaferScramblerXor;
+/** XOR scrambler value pointers. */
+static uintptr_t    g_uMemSaferPtrScramblerXor;
+/** Pointer rotate shift count.*/
+static uintptr_t    g_cMemSaferPtrScramblerRotate;
+
+
+/**
+ * @callback_method_impl{FNRTONCE, Inits globals.}
+ */
+static DECLCALLBACK(int32_t) rtMemSaferOnceInit(void *pvUserIgnore)
+{
+    g_uMemSaferScramblerXor = (uintptr_t)RTRandU64();
+    g_uMemSaferPtrScramblerXor = (uintptr_t)RTRandU64();
+    g_cMemSaferPtrScramblerRotate = RTRandU32Ex(0, ARCH_BITS - 1);
+    return RTCritSectRwInit(&g_MemSaferCritSect);
+}
+
+
+/**
+ * @callback_method_impl{PFNRTONCECLEANUP, Cleans up globals.}
+ */
+static DECLCALLBACK(void) rtMemSaferOnceTerm(void *pvUser, bool fLazyCleanUpOk)
+{
+    if (!fLazyCleanUpOk)
+    {
+        RTCritSectRwDelete(&g_MemSaferCritSect);
+        Assert(!g_pMemSaferTree);
+    }
+}
+
+
+
+DECLINLINE(void *) rtMemSaferScramblePointer(void *pvUser)
+{
+    uintptr_t uPtr = (uintptr_t)pvUser;
+    uPtr ^= g_uMemSaferPtrScramblerXor;
+#if ARCH_BITS == 64
+    uPtr = ASMRotateRightU64(uPtr, g_cMemSaferPtrScramblerRotate);
+#elif ARCH_BITS == 32
+    uPtr = ASMRotateRightU32(uPtr, g_cMemSaferPtrScramblerRotate);
 #else
-# error "Bad ARCH_BITS value"
+# error "Unsupported/missing ARCH_BITS."
 #endif
-
-
-
-/**
- * Support (SUPR3) based allocator.
- *
- * @returns VBox status code.
- * @retval VERR_NOT_SUPPORTED if this allocation method is not supported in this
- *         version of the library.
- * @param  ppvNew    Where to store the pointer to the new buffer on success.
- * @param  cb        Amount of bytes to allocate.
- *
- * @note: The allocation will have an extra page allocated before and after the
- *        user area with all access rights removed if the host supports that to
- *        prevent heartbleed like attacks.
- */
-static int rtMemSaferSupR3Alloc(void **ppvNew, size_t cb)
-{
-#if defined(IN_SUP_R3) && defined(VBOX) && !defined(RT_NO_GIP)
-    /*
-     * Allocate locked memory from the support library.
-     * 
-     */
-    size_t cbUser = RT_ALIGN_Z(cb, PAGE_SIZE);
-    size_t cPages = cbUser / PAGE_SIZE + 2; /* For the extra guarding pages. */
-    void *pvNew = NULL;
-    int rc = SUPR3PageAllocEx(cPages, 0 /* fFlags */, &pvNew, NULL /* pR0Ptr */, NULL /* paPages */);
-    if (RT_SUCCESS(rc))
-    {
-        /*
-         * Change the memory protection of the pages guarding the allocation.
-         * Some hosts don't support changing the page protection, ignore these
-         * errors.
-         */
-        rc = SUPR3PageProtect(pvNew, NIL_RTR0PTR, 0, PAGE_SIZE, RTMEM_PROT_NONE);
-        if (RT_SUCCESS(rc) || rc == VERR_NOT_SUPPORTED)
-        {
-            Assert(PAGE_SIZE + cbUser == (size_t)((uint32_t)(PAGE_SIZE + cbUser)));
-            if (rc == VERR_NOT_SUPPORTED)
-                rc = VINF_SUCCESS;
-            else
-                rc = SUPR3PageProtect(pvNew, NIL_RTR0PTR, PAGE_SIZE + (uint32_t)cbUser, PAGE_SIZE, RTMEM_PROT_NONE);
-
-            if (RT_SUCCESS(rc))
-            {
-                *ppvNew = (uint8_t *)pvNew + PAGE_SIZE;
-                return VINF_SUCCESS;
-            }
-        }
-
-        rc = SUPR3PageFreeEx(pvNew, cPages);
-        AssertRC(rc);
-    }
-
-    return rc;
-#else
-    return VERR_NOT_SUPPORTED;
+    return (void *)uPtr;
+}
+
+
+/**
+ * Inserts a tracking node into the tree.
+ *
+ * @param   pThis               The allocation tracking node to insert.
+ */
+static void rtMemSaferNodeInsert(PRTMEMSAFERNODE pThis)
+{
+    RTCritSectRwEnterExcl(&g_MemSaferCritSect);
+    pThis->Core.Key = rtMemSaferScramblePointer(pThis->Core.Key);
+    bool fRc = RTAvlPVInsert(&g_pMemSaferTree, &pThis->Core);
+    RTCritSectRwLeaveExcl(&g_MemSaferCritSect);
+    Assert(fRc);
+}
+
+
+/**
+ * Finds a tracking node into the tree.
+ *
+ * @returns The allocation tracking node for @a pvUser. NULL if not found.
+ * @param   pvUser              The user pointer to the allocation.
+ */
+static PRTMEMSAFERNODE rtMemSaferNodeLookup(void *pvUser)
+{
+    void *pvKey = rtMemSaferScramblePointer(pvUser);
+    RTCritSectRwEnterShared(&g_MemSaferCritSect);
+    PRTMEMSAFERNODE pThis = (PRTMEMSAFERNODE)RTAvlPVGet(&g_pMemSaferTree, pvKey);
+    RTCritSectRwLeaveShared(&g_MemSaferCritSect);
+    return pThis;
+}
+
+
+/**
+ * Removes a tracking node from the tree.
+ *
+ * @returns The allocation tracking node for @a pvUser. NULL if not found.
+ * @param   pvUser              The user pointer to the allocation.
+ */
+static PRTMEMSAFERNODE rtMemSaferNodeRemove(void *pvUser)
+{
+    void *pvKey = rtMemSaferScramblePointer(pvUser);
+    RTCritSectRwEnterExcl(&g_MemSaferCritSect);
+    PRTMEMSAFERNODE pThis = (PRTMEMSAFERNODE)RTAvlPVRemove(&g_pMemSaferTree, pvKey);
+    RTCritSectRwLeaveExcl(&g_MemSaferCritSect);
+    return pThis;
+}
+
+
+RTDECL(int) RTMemSaferScramble(void *pv, size_t cb)
+{
+#ifdef RT_STRICT
+    PRTMEMSAFERNODE pThis = rtMemSaferNodeLookup(pv);
+    AssertReturn(pThis, VERR_INVALID_POINTER);
+    AssertMsgReturn(cb == pThis->cbUser, ("cb=%#zx != %#zx\n", cb, pThis->cbUser), VERR_INVALID_PARAMETER);
 #endif
-}
-
-
-/**
- * Free method for memory allocated using the Support (SUPR3) based allocator.
- *
- * @returns nothing.
- * @param   pv    Pointer to the memory to free.
- * @param   cb    Amount of bytes allocated.
- */
-static void rtMemSafeSupR3Free(void *pv, size_t cb)
-{
-#if defined(IN_SUP_R3) && defined(VBOX) && !defined(RT_NO_GIP)
-    size_t cbUser = RT_ALIGN_Z(cb, PAGE_SIZE);
-    size_t cPages = cbUser / PAGE_SIZE + 2; /* For the extra pages. */
-    void *pvStart = (uint8_t *)pv - PAGE_SIZE;
-
-    int rc = SUPR3PageFreeEx(pvStart, cPages);
-    AssertRC(rc);
-#else
-    AssertMsgFailed(("SUPR3 allocated memory but freeing is not supported, messed up\n"));
-#endif
-}
-
-
-RTDECL(int) RTMemSaferScramble(void *pv, size_t cb)
-{
-    PRTMEMSAFERHDR pHdr = (PRTMEMSAFERHDR)((char *)pv - RTMEMSAFER_PAD_BEFORE);
-    AssertMsg(pHdr->cb == cb, ("pHdr->cb=%#zx cb=%#zx\n", pHdr->cb, cb));
 
     /* Note! This isn't supposed to be safe, just less obvious. */
@@ -196 +210 @@
     while (cb > 0)
     {
-        *pu ^= g_uScramblerXor;
+        *pu ^= g_uMemSaferScramblerXor;
         pu++;
         cb -= sizeof(*pu);
@@ -208 +222 @@
 RTDECL(int) RTMemSaferUnscramble(void *pv, size_t cb)
 {
-    PRTMEMSAFERHDR pHdr = (PRTMEMSAFERHDR)((char *)pv - RTMEMSAFER_PAD_BEFORE);
-    AssertMsg(pHdr->cb == cb, ("pHdr->cb=%#zx cb=%#zx\n", pHdr->cb, cb));
+#ifdef RT_STRICT
+    PRTMEMSAFERNODE pThis = rtMemSaferNodeLookup(pv);
+    AssertReturn(pThis, VERR_INVALID_POINTER);
+    AssertMsgReturn(cb == pThis->cbUser, ("cb=%#zx != %#zx\n", cb, pThis->cbUser), VERR_INVALID_PARAMETER);
+#endif
 
     /* Note! This isn't supposed to be safe, just less obvious. */
@@ -216 +233 @@
     while (cb > 0)
     {
-        *pu ^= g_uScramblerXor;
+        *pu ^= g_uMemSaferScramblerXor;
         pu++;
         cb -= sizeof(*pu);
@@ -226 +243 @@
 
 
+/**
+ * Initializes the pages.
+ *
+ * Fills the memory with random bytes in order to make it less obvious where the
+ * secret data starts and ends.  We also zero the user memory in case the
+ * allocator does not do this.
+ *
+ * @param   pThis               The allocation tracer node.  The Core.Key member
+ *                              will be set.
+ * @param   pvPages             The pages to initialize.
+ */
+static void rtMemSaferInitializePages(PRTMEMSAFERNODE pThis, void *pvPages)
+{
+    RTRandBytes(pvPages, PAGE_SIZE + pThis->offUser);
+
+    uint8_t *pbUser = (uint8_t *)pvPages + PAGE_SIZE + pThis->offUser;
+    pThis->Core.Key = pbUser;
+    RT_BZERO(pbUser, pThis->cbUser); /* paranoia */
+
+    RTRandBytes(pbUser + pThis->cbUser, (size_t)pThis->cPages * PAGE_SIZE - PAGE_SIZE - pThis->offUser - pThis->cbUser);
+}
+
+
+/**
+ * Allocates and initializes pages from the support driver and initializes it.
+ *
+ * @returns VBox status code.
+ * @param   pThis       The allocator node. Core.Key will be set on successful
+ *                      return (unscrambled).
+ */
+static int rtMemSaferSupR3AllocPages(PRTMEMSAFERNODE pThis)
+{
+#ifdef IN_SUP_R3
+    /*
+     * Try allocate the memory.
+     */
+    void *pvPages;
+    int rc = SUPR3PageAllocEx(pThis->cPages, 0 /* fFlags */, &pvPages, NULL /* pR0Ptr */, NULL /* paPages */);
+    if (RT_SUCCESS(rc))
+    {
+        rtMemSaferInitializePages(pThis, pvPages);
+
+        /*
+         * Configure the guard pages.
+         * SUPR3PageProtect isn't supported on all hosts, we ignore that.
+         */
+        rc = SUPR3PageProtect(pvPages, NIL_RTR0PTR, 0, PAGE_SIZE, RTMEM_PROT_NONE);
+        if (RT_SUCCESS(rc))
+        {
+            rc = SUPR3PageProtect(pvPages, NIL_RTR0PTR, (pThis->cPages - PAGE_SIZE) * PAGE_SIZE, PAGE_SIZE, RTMEM_PROT_NONE);
+            if (RT_SUCCESS(rc))
+                return VINF_SUCCESS;
+            SUPR3PageProtect(pvPages, NIL_RTR0PTR, 0, PAGE_SIZE, RTMEM_PROT_READ | RTMEM_PROT_WRITE);
+        }
+        else if (rc == VERR_NOT_SUPPORTED)
+            return VINF_SUCCESS;
+
+        /* failed. */
+        int rc2 = SUPR3PageFreeEx(pvPages, pThis->cPages); AssertRC(rc2);
+    }
+    return rc;
+#else  /* !IN_SUP_R3 */
+    return VERR_NOT_SUPPORTED;
+#endif /* !IN_SUP_R3 */
+}
+
+
+/**
+ * Allocates and initializes pages using the IPRT page allocator API.
+ *
+ * @returns VBox status code.
+ * @param   pThis       The allocator node. Core.Key will be set on successful
+ *                      return (unscrambled).
+ */
+static int rtMemSaferMemAllocPages(PRTMEMSAFERNODE pThis)
+{
+    /*
+     * Try allocate the memory.
+     */
+    int rc;
+    void *pvPages = RTMemPageAlloc((size_t)pThis->cPages * PAGE_SIZE);
+    if (pvPages)
+    {
+        rtMemSaferInitializePages(pThis, pvPages);
+
+        /*
+         * Configure the guard pages.
+         */
+        rc = RTMemProtect(pvPages, PAGE_SIZE, RTMEM_PROT_NONE);
+        if (RT_SUCCESS(rc))
+        {
+            rc = RTMemProtect((uint8_t *)pvPages + (size_t)(pThis->cPages - 1U) * PAGE_SIZE, PAGE_SIZE, RTMEM_PROT_NONE);
+            if (RT_SUCCESS(rc))
+                return VINF_SUCCESS;
+            rc = RTMemProtect(pvPages, PAGE_SIZE, RTMEM_PROT_READ | RTMEM_PROT_WRITE);
+        }
+
+        /* failed. */
+        RTMemPageFree(pvPages, (size_t)pThis->cPages * PAGE_SIZE);
+    }
+
+    return rc;
+}
+
+
 RTDECL(int) RTMemSaferAllocZExTag(void **ppvNew, size_t cb, uint32_t fFlags, const char *pszTag) RT_NO_THROW
 {
-    AssertReturn(cb, VERR_INVALID_PARAMETER);
+    /*
+     * Validate input.
+     */
     AssertPtrReturn(ppvNew, VERR_INVALID_PARAMETER);
     *ppvNew = NULL;
+    AssertReturn(cb, VERR_INVALID_PARAMETER);
+    AssertReturn(cb <= 32U*_1M - PAGE_SIZE * 3U, VERR_ALLOCATION_TOO_BIG); /* Max 32 MB minus padding and guard pages. */
+    AssertReturn(!(fFlags & ~RTMEMSAFER_F_VALID_MASK), VERR_INVALID_FLAGS);
 
     /*
-     * Don't request zeroed memory.  We want random heap garbage in the
-     * padding zones, nothing that makes our allocations easier to find.
+     * Initialize globals.
      */
-    RTMEMSAFERALLOCMETHOD enmAllocMethod = RTMEMSAFERALLOCMETHOD_SUPR3;
-    size_t cbUser = RT_ALIGN_Z(cb, RTMEMSAFER_ALIGN);
-    void *pvNew = NULL;
-    int rc = rtMemSaferSupR3Alloc(&pvNew, cbUser + RTMEMSAFER_PAD_BEFORE + RTMEMSAFER_PAD_AFTER);
-    if (   RT_FAILURE(rc)
-        && fFlags & RTMEMSAFER_ALLOC_EX_ALLOW_PAGEABLE_BACKING)
-    {
-        /* Pageable memory allowed. */
-        enmAllocMethod = RTMEMSAFERALLOCMETHOD_RTMEM;
-        pvNew = RTMemAlloc(cbUser + RTMEMSAFER_PAD_BEFORE + RTMEMSAFER_PAD_AFTER);
-    }
-
-    if (pvNew)
-    {
-        PRTMEMSAFERHDR pHdr = (PRTMEMSAFERHDR)pvNew;
-        pHdr->fFlags         = fFlags;
-        pHdr->cb             = cb;
-        pHdr->enmAllocMethod = enmAllocMethod;
-#ifdef RT_STRICT /* For checking input in strict builds. */
-        memset((char *)pvNew + sizeof(RTMEMSAFERHDR), 0xad, RTMEMSAFER_PAD_BEFORE - sizeof(RTMEMSAFERHDR));
-        memset((char *)pvNew + RTMEMSAFER_PAD_BEFORE + cb, 0xda, RTMEMSAFER_PAD_AFTER + (cbUser - cb));
+    int rc = RTOnceEx(&g_MemSaferOnce, rtMemSaferOnceInit, rtMemSaferOnceTerm, NULL);
+    if (RT_SUCCESS(rc))
+    {
+        /*
+         * Allocate a tracker node first.
+         */
+        PRTMEMSAFERNODE pThis = (PRTMEMSAFERNODE)RTMemAllocZ(sizeof(RTMEMSAFERNODE));
+        if (pThis)
+        {
+            /*
+             * Prepare the allocation.
+             */
+            pThis->cbUser  = cb;
+            pThis->offUser = (RTRandU32Ex(0, 128) * RTMEMSAFER_ALIGN) & PAGE_OFFSET_MASK;
+
+            size_t cbNeeded = pThis->offUser + pThis->cbUser;
+            cbNeeded = RT_ALIGN_Z(cbNeeded, PAGE_SIZE);
+
+            pThis->cPages = (uint32_t)(cbNeeded / PAGE_SIZE) + 2; /* +2 for guard pages */
+
+            /*
+             * Try allocate the memory, using the best allocator by default and
+             * falling back on the less safe one.
+             */
+            rc = rtMemSaferSupR3AllocPages(pThis);
+            if (RT_SUCCESS(rc))
+                pThis->enmAllocator = RTMEMSAFERALLOCATOR_SUPR3;
+            else if (!(fFlags & RTMEMSAFER_F_REQUIRE_NOT_PAGABLE))
+            {
+                rc = rtMemSaferMemAllocPages(pThis);
+                if (RT_SUCCESS(rc))
+                    pThis->enmAllocator = RTMEMSAFERALLOCATOR_RTMEMPAGE;
+            }
+            if (RT_SUCCESS(rc))
+            {
+                /*
+                 * Insert the node.
+                 */
+                *ppvNew = pThis->Core.Key;
+                rtMemSaferNodeInsert(pThis); /* (Scrambles Core.Key) */
+                return VINF_SUCCESS;
+            }
+
+            RTMemFree(pThis);
+        }
+        else
+            rc = VERR_NO_MEMORY;
+    }
+    return rc;
+}
+RT_EXPORT_SYMBOL(RTMemSaferAllocZExTag);
+
+
+RTDECL(void) RTMemSaferFree(void *pv, size_t cb) RT_NO_THROW
+{
+    if (pv)
+    {
+        PRTMEMSAFERNODE pThis = rtMemSaferNodeRemove(pv);
+        AssertReturnVoid(pThis);
+        AssertMsg(cb == pThis->cbUser, ("cb=%#zx != %#zx\n", cb, pThis->cbUser));
+
+        /*
+         * Wipe the user memory first.
+         */
+        RTMemWipeThoroughly(pv, RT_ALIGN_Z(cb, RTMEMSAFER_ALIGN), 3);
+
+        /*
+         * Free the pages.
+         */
+        uint8_t *pbPages = (uint8_t *)pv - pThis->offUser - PAGE_SIZE;
+        size_t   cbPages = (size_t)pThis->cPages * PAGE_SIZE;
+        switch (pThis->enmAllocator)
+        {
+#ifdef IN_SUP_R3
+            case RTMEMSAFERALLOCATOR_SUPR3:
+                SUPR3PageProtect(pbPages, NIL_RTR0PTR, 0, PAGE_SIZE, RTMEM_PROT_READ | RTMEM_PROT_WRITE);
+                SUPR3PageProtect(pbPages, NIL_RTR0PTR, (uint32_t)(cbPages - PAGE_SIZE), PAGE_SIZE, RTMEM_PROT_READ | RTMEM_PROT_WRITE);
+                SUPR3PageFreeEx(pbPages, cbPages);
+                break;
 #endif
-
-        void *pvUser = (char *)pvNew + RTMEMSAFER_PAD_BEFORE;
-        *ppvNew = pvUser;
-
-        /* You don't use this API for performance, so we always clean memory. */
-        RT_BZERO(pvUser, cb);
-
-        return VINF_SUCCESS;
-    }
-    return rc;
-}
-RT_EXPORT_SYMBOL(RTMemSaferAllocZExTag);
-
-
-RTDECL(void) RTMemSaferFree(void *pv, size_t cb) RT_NO_THROW
-{
-    if (pv)
-    {
-        Assert(cb);
-
-        size_t cbUser = RT_ALIGN_Z(cb, RTMEMSAFER_ALIGN);
-        void *pvStart = (char *)pv - RTMEMSAFER_PAD_BEFORE;
-        PRTMEMSAFERHDR pHdr = (PRTMEMSAFERHDR)pvStart;
-        AssertMsg(pHdr->cb == cb, ("pHdr->cb=%#zx cb=%#zx\n", pHdr->cb, cb));
-
-        RTMemWipeThoroughly(pv, RT_ALIGN_Z(cb, RTMEMSAFER_ALIGN), 3);
-
-        switch (pHdr->enmAllocMethod)
-        {
-            case RTMEMSAFERALLOCMETHOD_SUPR3:
-                rtMemSafeSupR3Free(pvStart, cbUser + RTMEMSAFER_PAD_BEFORE + RTMEMSAFER_PAD_AFTER);
+            case RTMEMSAFERALLOCATOR_RTMEMPAGE:
+                RTMemProtect(pbPages, PAGE_SIZE, RTMEM_PROT_READ | RTMEM_PROT_WRITE);
+                RTMemProtect(pbPages + cbPages - PAGE_SIZE, PAGE_SIZE, RTMEM_PROT_READ | RTMEM_PROT_WRITE);
+                RTMemPageFree(pbPages, cbPages);
                 break;
-            case RTMEMSAFERALLOCMETHOD_RTMEM:
-                RTMemFree(pvStart);
-                break;
+
             default:
-                AssertMsgFailed(("Invalid allocation method, corrupted header\n"));
+                AssertFailed();
         }
+
+        /*
+         * Free the tracking node.
+         */
+        pThis->Core.Key = NULL;
+        pThis->offUser = 0;
+        pThis->cbUser = 0;
+        RTMemFree(pThis);
     }
     else
@@ -303 +466 @@
 
 
+/**
+ * The simplest reallocation method: allocate new block, copy over the data,
+ * free old block.
+ */
+static int rtMemSaferReallocSimpler(size_t cbOld, void *pvOld, size_t cbNew, void **ppvNew, uint32_t fFlags, const char *pszTag)
+{
+    void *pvNew;
+    int rc = RTMemSaferAllocZExTag(&pvNew, cbNew, fFlags, pszTag);
+    if (RT_SUCCESS(rc))
+    {
+        memcpy(pvNew, pvOld, RT_MIN(cbNew, cbOld));
+        RTMemSaferFree(pvOld, cbOld);
+        *ppvNew = pvNew;
+    }
+    return rc;
+}
+
+
 RTDECL(int) RTMemSaferReallocZExTag(size_t cbOld, void *pvOld, size_t cbNew, void **ppvNew, uint32_t fFlags, const char *pszTag) RT_NO_THROW
 {
-    /*
-     * We cannot let the heap move us around because we will be failing in our
-     * duty to clean things up.  So, allocate a new block, copy over the old
-     * content, and free the old one.
-     */
     int rc;
     /* Real realloc. */
     if (cbNew && cbOld)
     {
-        PRTMEMSAFERHDR pHdr = (PRTMEMSAFERHDR)((char *)pvOld - RTMEMSAFER_PAD_BEFORE);
-        AssertPtr(pvOld);
-        AssertMsg(*(size_t *)((char *)pvOld - RTMEMSAFER_PAD_BEFORE) == cbOld,
-                  ("*pvStart=%#zx cbOld=%#zx\n", *(size_t *)((char *)pvOld - RTMEMSAFER_PAD_BEFORE), cbOld));
-
-        void *pvNew;
-        rc = RTMemSaferAllocZExTag(&pvNew, cbNew, pHdr->fFlags, pszTag);
-        if (RT_SUCCESS(rc))
+        PRTMEMSAFERNODE pThis = rtMemSaferNodeLookup(pvOld);
+        AssertReturn(pThis, VERR_INVALID_POINTER);
+        AssertMsgStmt(cbOld == pThis->cbUser, ("cbOld=%#zx != %#zx\n", cbOld, pThis->cbUser), cbOld = pThis->cbUser);
+
+        if (pThis->fFlags == fFlags)
         {
-            memcpy(pvNew, pvOld, RT_MIN(cbNew, cbOld));
-            RTMemSaferFree(pvOld, cbOld);
-            *ppvNew = pvNew;
+            if (cbNew > cbOld)
+            {
+                /*
+                 * Is the enough room for us to grow?
+                 */
+                size_t cbMax = (size_t)(pThis->cPages - 2) * PAGE_SIZE;
+                if (cbNew <= cbMax)
+                {
+                    size_t const cbAdded = (cbNew - cbOld);
+                    size_t const cbAfter = cbMax - pThis->offUser - cbOld;
+                    if (cbAfter >= cbAdded)
+                    {
+                        /*
+                         * Sufficient space after the current allocation.
+                         */
+                        uint8_t *pbNewSpace = (uint8_t *)pvOld + cbOld;
+                        RT_BZERO(pbNewSpace, cbAdded);
+                        *ppvNew = pvOld;
+                    }
+                    else
+                    {
+                        /*
+                         * Have to move the allocation to make enough room at the
+                         * end.  In order to make it a little less predictable and
+                         * maybe avoid a relocation or two in the next call, divide
+                         * the page offset by four until it it fits.
+                         */
+                        AssertReturn(rtMemSaferNodeRemove(pvOld) == pThis, VERR_INTERNAL_ERROR_3);
+                        uint32_t offNewUser = pThis->offUser;
+                        do
+                            offNewUser = offNewUser / 2;
+                        while ((pThis->offUser - offNewUser) + cbAfter < cbAdded);
+                        offNewUser &= ~(RTMEMSAFER_ALIGN - 1U);
+
+                        uint32_t const cbMove = pThis->offUser - offNewUser;
+                        uint8_t *pbNew = (uint8_t *)pvOld - cbMove;
+                        memmove(pbNew, pvOld, cbOld);
+
+                        RT_BZERO(pbNew + cbOld, cbAdded);
+                        if (cbMove > cbAdded)
+                            RTMemWipeThoroughly(pbNew + cbNew, cbMove - cbAdded, 3);
+
+                        pThis->offUser  = offNewUser;
+                        pThis->Core.Key = pbNew;
+                        *ppvNew = pbNew;
+
+                        rtMemSaferNodeInsert(pThis);
+                    }
+                    Assert(((uintptr_t)*ppvNew & PAGE_OFFSET_MASK) == pThis->offUser);
+                    pThis->cbUser = cbNew;
+                    rc = VINF_SUCCESS;
+                }
+                else
+                {
+                    /*
+                     * Not enough space, allocate a new block and copy over the data.
+                     */
+                    rc = rtMemSaferReallocSimpler(cbOld, pvOld, cbNew, ppvNew, fFlags, pszTag);
+                }
+            }
+            else
+            {
+                /*
+                 * Shrinking the allocation, just wipe the memory that is no longer
+                 * being used.
+                 */
+                if (cbNew != cbOld)
+                {
+                    uint8_t *pbAbandond = (uint8_t *)pvOld + cbNew;
+                    RTMemWipeThoroughly(pbAbandond, cbOld - cbNew, 3);
+                }
+                pThis->cbUser = cbNew;
+                *ppvNew = pvOld;
+                rc = VINF_SUCCESS;
+            }
         }
-    }
-    /* First allocation. */
+        else if (!pThis->fFlags)
+        {
+            /*
+             * New flags added. Allocate a new block and copy over the old one.
+             */
+            rc = rtMemSaferReallocSimpler(cbOld, pvOld, cbNew, ppvNew, fFlags, pszTag);
+        }
+        else
+        {
+            /* Compatible flags. */
+            AssertMsgFailed(("fFlags=%#x old=%#x\n", fFlags, pThis->fFlags));
+            rc = VERR_INVALID_FLAGS;
+        }
+    }
+    /*
+     * First allocation. Pass it on.
+     */
     else if (!cbOld)
     {
@@ -334 +594 @@
         rc = RTMemSaferAllocZExTag(ppvNew, cbNew, fFlags, pszTag);
     }
-    /* Free operation*/
+    /*
+     * Free operation. Pass it on.
+     */
     else
     {
         RTMemSaferFree(pvOld, cbOld);
+        *ppvNew = NULL;
         rc = VINF_SUCCESS;
     }
@@ -348 +611 @@
 {
     void *pvNew = NULL;
-    int rc = RTMemSaferAllocZExTag(&pvNew, cb, RTMEMSAFER_ALLOC_EX_FLAGS_DEFAULT, pszTag);
+    int rc = RTMemSaferAllocZExTag(&pvNew, cb, 0 /*fFlags*/, pszTag);
     if (RT_SUCCESS(rc))
         return pvNew;
@@ -359 +622 @@
 {
     void *pvNew = NULL;
-    int rc = RTMemSaferReallocZExTag(cbOld, pvOld, cbNew, &pvNew, RTMEMSAFER_ALLOC_EX_FLAGS_DEFAULT, pszTag);
+    int rc = RTMemSaferReallocZExTag(cbOld, pvOld, cbNew, &pvNew, 0 /*fFlags*/, pszTag);
     if (RT_SUCCESS(rc))
         return pvNew;

trunk/src/VBox/Runtime/testcase/tstRTMemSafer.cpp

@@ -29 +29 @@
 *   Header Files                                                               *
 *******************************************************************************/
-#include <iprt/path.h>
+#include <iprt/memsafer.h>
+
+#include <iprt/asm.h>
+#include <iprt/param.h>
 #include <iprt/rand.h>
 #include <iprt/string.h>
-#include <iprt/stream.h>
-#include <iprt/initterm.h>
-#include <iprt/param.h>
-#include <iprt/memsafer.h>
 #include <iprt/test.h>
+#ifdef VBOX
+# include <VBox/sup.h>
+#endif
 
 
-/*******************************************************************************
-*   Global Variables                                                           *
-*******************************************************************************/
 
 static void doMemSaferScramble(RTTEST hTest, void *pvBuf, size_t cbAlloc)
 {
-    RTTestPrintf(hTest, RTTESTLVL_ALWAYS, "Testing scrambling (%u bytes) ...\n", cbAlloc);
-
+    /*
+     * Fill it with random bytes and make a reference copy of these.
+     */
     RTRandBytes(pvBuf, cbAlloc);
 
     void *pvRef = RTMemDup(pvBuf, cbAlloc);
-    if (!pvRef)
-    {
-        RTTestIFailed("No memory for reference buffer (%z bytes)\n", cbAlloc);
-        return;
-    }
+    RTTESTI_CHECK_RETV(pvRef);
 
+    /*
+     * Scramble the allocation and check that it no longer matches the refernece bytes.
+     */
     int rc = RTMemSaferScramble(pvBuf, cbAlloc);
     if (RT_SUCCESS(rc))
@@ -64 +63 @@
         else
         {
-            /* Test unscrambling. */
+            /*
+             * Check that unscrambling returns the original content.
+             */
             rc = RTMemSaferUnscramble(pvBuf, cbAlloc);
             if (RT_SUCCESS(rc))
@@ -82 +83 @@
 }
 
+
 static void doMemSaferAllocation(RTTEST hTest)
 {
     size_t cbAlloc = RTRandS32Ex(1, _1M) * sizeof(uint8_t);
 
-    RTTestPrintf(hTest, RTTESTLVL_ALWAYS, "Testing allocation of secure memory (%u bytes) ...\n", cbAlloc);
     void *pvBuf = NULL;
-    int rc = RTMemSaferAllocZEx(&pvBuf, cbAlloc, RTMEMSAFER_ALLOC_EX_FLAGS_DEFAULT);
+    int rc = RTMemSaferAllocZEx(&pvBuf, cbAlloc, 0);
     if (RT_SUCCESS(rc))
     {
-        /* Try to access memory. */
+        /* Fill it with random bytes. */
         RTRandBytes(pvBuf, cbAlloc);
 
@@ -97 +98 @@
         doMemSaferScramble(hTest, pvBuf, cbAlloc);
 
-#if 0
-        /* Try to access memory after the allocation, should crash. */
-        size_t cbAllocAligned = RT_ALIGN_Z(cbAlloc, PAGE_SIZE);
-        *((uint8_t *)pvBuf + cbAllocAligned) = 0xcc;
-#endif
         RTMemSaferFree(pvBuf, cbAlloc);
     }
@@ -108 +104 @@
 }
 
+
+static void doMemRealloc(RTTEST hTest)
+{
+    RTTestPrintf(hTest, RTTESTLVL_ALWAYS, "%u reallocation, grow by 1 bytes\n", PAGE_SIZE * 2);
+    size_t cbAlloc = RTRandS32Ex(1, _16K);
+    void  *pvBuf   = NULL;
+    RTTESTI_CHECK_RC_OK_RETV(RTMemSaferAllocZEx(&pvBuf, cbAlloc, 0));
+    for (uint32_t i = 0; i <= PAGE_SIZE * 2; i++)
+    {
+        cbAlloc += 1;
+        RTTESTI_CHECK_RC_OK_RETV(RTMemSaferReallocZEx(cbAlloc - 1, pvBuf, cbAlloc, &pvBuf, 0));
+        memset(pvBuf, i & 0x7f, cbAlloc);
+    }
+    RTMemSaferFree(pvBuf, cbAlloc);
+
+
+    RTTestPrintf(hTest, RTTESTLVL_ALWAYS, "100 random reallocations\n");
+    uint8_t chFiller = 0x42;
+    cbAlloc = 0;
+    pvBuf   = NULL;
+    for (uint32_t i = 1; i <= 100; i++)
+    {
+        uint32_t cbNew = RTRandS32Ex(1, _16K + (i / 4) * _16K);
+        RTTESTI_CHECK_RC_OK_RETV(RTMemSaferReallocZEx(cbAlloc, pvBuf, cbNew, &pvBuf, 0));
+
+        RTTESTI_CHECK(ASMMemIsAll8(pvBuf, RT_MIN(cbAlloc, cbNew), chFiller) == NULL);
+
+        chFiller += 0x31;
+        memset(pvBuf, chFiller, cbNew);
+        cbAlloc = cbNew;
+    }
+    RTTESTI_CHECK_RC_OK_RETV(RTMemSaferReallocZEx(cbAlloc, pvBuf, 0, &pvBuf, 0));
+    RTTESTI_CHECK(pvBuf == NULL);
+}
+
+
 int main()
 {
     RTTEST hTest;
-    RTEXITCODE rcExit = RTTestInitAndCreate("memsafer", &hTest);
+    RTEXITCODE rcExit = RTTestInitAndCreate("tstRTMemSafer", &hTest);
     if (rcExit != RTEXITCODE_SUCCESS)
         return rcExit;
     RTTestBanner(hTest);
+#ifdef VBOX
+    SUPR3Init(NULL);
+#endif
 
-    doMemSaferAllocation(hTest);
+    /*
+     * Not using sub-tests here, just printing progress.
+     */
+    RTTestPrintf(hTest, RTTESTLVL_ALWAYS, "20 random allocations\n");
+    for (uint32_t i = 0; i < 20; i++)
+        doMemSaferAllocation(hTest);
+
+    doMemRealloc(hTest);
 
     return RTTestSummaryAndDestroy(hTest);