Skip to content

Extra package: hardened_malloc

EL9

  • Version hardened_malloc-13-3.el9_6.security
  • Based on upstream version 13 with further upstream changes as of git tag 2025092500

Package summary

This package ships the "normal" and "light" configurations of the GrapheneOS hardened_malloc project. The official README.md in the upstream project documents security properties and explains the differences between the regular and light variants.

Usage in Rocky Linux

It is strongly recommended to read all documentation here before deploying this package on your infrastructure.

In order to support the large number of mappings caused by guard slabs and large allocation guard regions, the vm.max_map_count sysctl is increased as part of package installation to 1048576 in /etc/sysctl.d/80-hardened_malloc.conf. You'll need to run sysctl -p /etc/sysctl.d/80-hardened_malloc.conf for this change to take effect without a reboot. Incidentally, Fedora 39 made the same change, so it's not an exotic configuration.

The package ships 2 builds of hardened_malloc, the regular variant, which is located at /usr/lib64/libhardened_malloc.so and can be preloaded using the hardened_malloc_preload.sh script, and the light variant, which is located at /usr/lib64/libhardened_malloc-light.so and can be preloaded using the hardened_malloc_light_preload.sh script. The preload scripts add the relevant library to LD_PRELOAD and then load the desired binary, as shown in the following example: hardened_malloc_preload.sh cat /proc/self/maps.

Users may choose to set an OS-wide LD_PRELOAD with hardened_malloc. This can be done by adding the desired library, for example, /usr/lib64/libhardened_malloc.so, into your /etc/ld.so.preload, which is to be created with permissions 644.

It is suggested that if you wish to deploy hardened_malloc systemwide, that you deploy it in your /etc/ld.so.preload with the normal variant globally, and then for applications which are performance sensitive, or which fail with the normal variant, try them individually with the light variant using the preload script or by setting LD_PRELOAD within a systemd unit. If that does not resolve your issue, try disabling hardened_malloc by running the program under LD_PRELOAD=/lib64/libc.so.6.

A configuration is also possible where hardened_malloc is only enabled for programs started as root (such as many system services). This is achieved by setting permissions on /etc/ld.so.preload to 600. This is the default on Rocky Linux from CIQ - Hardened (RLC-H).

Known issues with hardened_malloc

As with all infrastructure changes, ensure you test in your staging environment extensively before deploying into production. While hardened_malloc may uncover memory corruption bugs that are dormant or undetected under glibc, what it actually uncovered under our usage in Rocky Linux so far are cases of inconsistent dynamic linking with hardened_malloc vs. glibc within a program. Notably, in php and sssd this occurs with usage of the RTLD_DEEPBIND flag with dlopen, whereas in pcsd it occurs with pcs/lib/auth/pam.py's explicit reference to libc.calloc.

Our current hardened_malloc package includes workarounds for all 3 of these issues (so these packages should just work), although in the case of pcsd the workaround simply disables usage of hardened_malloc for that one service.

Potential for issues with EDR

By nature of relying on LD_PRELOAD, if you have EDR software on your server, it may falsely send alerts when using hardened_malloc. If it doesn't, your EDR is probably terrible or misconfigured.

Change log

* Sat Oct  4 2025 Solar Designer <solar@openwall.com> 13-3
- Hook dlopen() and drop RTLD_DEEPBIND for PHP modules to avoid inconsistent
  linking with glibc vs. alternative allocators such as hardened_malloc, see
  https://github.com/php/php-src/issues/10670

* Mon Sep 29 2025 Solar Designer <solar@openwall.com> 13-2
- Rename %_sysconfdir/sysctl.d/hardened_malloc.conf to 80-hardened_malloc.conf
- Add workarounds for sssd (packaged %_sysconfdir/sysconfig/sssd) and pcsd
  (added to %_sysconfdir/sysconfig/pcsd triggered on pcs package installation)

* Fri Sep 26 2025 Solar Designer <solar@openwall.com> 13-1
- Update to post version 13 git tag 2025092500, although there are almost no
  relevant changes since the previous version we were using

* Tue Nov 14 2023 Solar Designer <solar@openwall.com> 12-3
- Package hardened_malloc_light_preload.sh
- Disable arm64 building for now (fix didn't work)

* Wed Nov  8 2023 flawedworld <flawedworld@flawed.world> 12-2
- Set CONFIG_NATIVE to false
- Mark libraries as executable (change to 755 permissions)
- Add hardened_malloc_light_preload.sh
- Fix arm64 building

* Sat Oct 28 2023 flawedworld <flawedworld@flawed.world> 12-1
- Initial packaging for hardened_malloc version 12, co-authored-by
  Scott Shinn (atomicturtle) and Solar Designer