authorEvgenii Stepanov <eugenis@google.com>2021-06-22 10:18:12 -0700
committerEvgenii Stepanov <eugenis@google.com>2021-06-24 12:15:13 -0700
commita44aa2e1381c9de60d287f27ac59751e7a8cc999 (patch)
tree4b400ff3b5f666e3ed1e03c379dde2ed427e8b1f
parent29045b3d7b8c940c84db5311958ab36530a22ed7 (diff)
downloadbionic-a44aa2e1381c9de60d287f27ac59751e7a8cc999.tar.gz
Add definition of M_MEMTAG_TUNING.
Bug: 191769584 Test: N/A Merged-In: Ief77f95a04411528563787a9fc6d10738fc5688f Change-Id: Ief77f95a04411528563787a9fc6d10738fc5688f (cherry picked from commit d8d561c98457409c0003b37b9c1f84bb7d988e04)
-rw-r--r--libc/include/malloc.h43
1 files changed, 41 insertions, 2 deletions
diff --git a/libc/include/malloc.h b/libc/include/malloc.h
index bae1f6823..f7beb2c10 100644
--- a/libc/include/malloc.h
+++ b/libc/include/malloc.h
@@ -170,7 +170,45 @@ int malloc_info(int __must_be_zero, FILE* __fp) __INTRODUCED_IN(23);
* Available since API level 28.
*/
#define M_PURGE (-101)
-/*
+
+
+/**
+ * mallopt() option to tune the allocator's choice of memory tags to
+ * make it more likely that a certain class of memory errors will be
+ * detected. This is only relevant if MTE is enabled in this process
+ * and ignored otherwise. The value argument should be one of the
+ * M_MEMTAG_TUNING_* flags.
+ * NOTE: This is only available in scudo.
+ *
+ * Available since API level 31.
+ */
+#define M_MEMTAG_TUNING (-102)
+
+/**
+ * When passed as a value of M_MEMTAG_TUNING mallopt() call, enables
+ * deterministic detection of linear buffer overflow and underflow
+ * bugs by assigning distinct tag values to adjacent allocations. This
+ * mode has a slightly reduced chance to detect use-after-free bugs
+ * because only half of the possible tag values are available for each
+ * memory location.
+ *
+ * Please keep in mind that MTE can not detect overflow within the
+ * same tag granule (16-byte aligned chunk), and can miss small
+ * overflows even in this mode. Such overflow can not be the cause of
+ * a memory corruption, because the memory within one granule is never
+ * used for multiple allocations.
+ */
+#define M_MEMTAG_TUNING_BUFFER_OVERFLOW 0
+
+/**
+ * When passed as a value of M_MEMTAG_TUNING mallopt() call, enables
+ * independently randomized tags for uniform ~93% probability of
+ * detecting both spatial (buffer overflow) and temporal (use after
+ * free) bugs.
+ */
+#define M_MEMTAG_TUNING_UAF 1
+
+/**
* mallopt() option for per-thread memory initialization tuning.
* The value argument should be one of:
* 1: Disable automatic heap initialization and, where possible, memory tagging,
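Review bot: The doc comment for `M_MEMTAG_TUNING` says the option is ignored when MTE is not enabled and is only available in scudo, but it does not say what `mallopt()` returns in those cases or which of the two modes applies when the option is never set. A caller therefore cannot confirm which detection mode is actually in effect. I would add a sentence to that comment stating the return value for the ignored and unsupported cases and naming the default mode. The `M_MEMTAG_TUNING_BUFFER_OVERFLOW` comment gives no figure for its "slightly reduced" use-after-free detection while `M_MEMTAG_TUNING_UAF` quotes ~93%; giving both numbers and their derivation would make the trade-off comparable. The last comment in the hunk (the per-thread memory initialization option) continues outside the hunk.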
@@ -210,7 +248,7 @@ int malloc_info(int __must_be_zero, FILE* __fp) __INTRODUCED_IN(23);
* should not be zero-initialized, any other value indicates to initialize heap
* memory to zero.
*
- * Note that this memory mitigations is only implemented in scudo and therefore
+ * Note that this memory mitigation is only implemented in scudo and therefore
* this will have no effect when using another allocator (such as jemalloc on
* Android Go devices).
*
@@ -222,6 +260,7 @@ int malloc_info(int __must_be_zero, FILE* __fp) __INTRODUCED_IN(23);
* mallopt() option to change the heap tagging state. May be called at any
* time, including when multiple threads are running.
* The value must be one of the M_HEAP_TAGGING_LEVEL_ constants.
+ * NOTE: This is only available in scudo.
*
* Available since API level 31.
*/