Use zero-init pools (#5855)

## Description

Following up on #4871 to
introduce a broader fix to address
#4870.

Makes pool allocs zero-init by default in user mode.

## Testing

Added an alloc test to test zero-inits.

## Documentation

N/A

Author: ProjectsByJackHe

src/inc/quic_platform_posix.h

@@ -367,6 +367,13 @@ CxPlatAlloc(
     _In_ uint32_t Tag
     );
 
+_Ret_maybenull_
+void*
+CxPlatAllocUninitialized(
+    _In_ size_t ByteCount,
+    _In_ uint32_t Tag
+    );
+
 void
 CxPlatFree(
     __drv_freesMem(Mem) _Frees_ptr_ void* Mem,
@@ -375,6 +382,8 @@ CxPlatFree(
 
 #define CXPLAT_ALLOC_PAGED(Size, Tag) CxPlatAlloc(Size, Tag)
 #define CXPLAT_ALLOC_NONPAGED(Size, Tag) CxPlatAlloc(Size, Tag)
+#define CXPLAT_ALLOC_PAGED_UNINITIALIZED(Size, Tag) CxPlatAllocUninitialized(Size, Tag)
+#define CXPLAT_ALLOC_NONPAGED_UNINITIALIZED(Size, Tag) CxPlatAllocUninitialized(Size, Tag)
 #define CXPLAT_FREE(Mem, Tag) CxPlatFree((void*)Mem, Tag)
 
 #define CxPlatZeroMemory(Destination, Length) memset((Destination), 0, (Length))
@@ -605,6 +614,39 @@ CxPlatPoolAlloc(
     }
 #if DEBUG
     Header->SpecialFlag = CXPLAT_POOL_ALLOC_FLAG;
+#endif
+    Header->Owner = Pool;
+    void* Result = (void*)((uint8_t*)Header + sizeof(CXPLAT_POOL_HEADER));
+    CxPlatZeroMemory(Result, Pool->Size - sizeof(CXPLAT_POOL_HEADER));
+    return Result;
+}
+
+QUIC_INLINE
+void*
+CxPlatPoolAllocUninitialized(
+    _Inout_ CXPLAT_POOL* Pool
+    )
+{
+    CxPlatLockAcquire(&Pool->Lock);
+    CXPLAT_POOL_HEADER* Header =
+    #if DEBUG
+        CxPlatGetAllocFailDenominator() ? NULL : // No pool when using simulated alloc failures
+    #endif
+        (CXPLAT_POOL_HEADER*)CxPlatListPopEntry(&Pool->ListHead);
+    if (Header != NULL) {
+        CXPLAT_DBG_ASSERT(Pool->ListDepth > 0);
+        CXPLAT_DBG_ASSERT(Header->SpecialFlag == CXPLAT_POOL_FREE_FLAG);
+        Pool->ListDepth--;
+    }
+    CxPlatLockRelease(&Pool->Lock);
+    if (Header == NULL) {
+        Header = (CXPLAT_POOL_HEADER*)CxPlatAlloc(Pool->Size, Pool->Tag);
+        if (Header == NULL) {
+            return NULL;
+        }
+    }
+#if DEBUG
+    Header->SpecialFlag = CXPLAT_POOL_ALLOC_FLAG;
 #endif
     Header->Owner = Pool;
     return (void*)((uint8_t*)Header + sizeof(CXPLAT_POOL_HEADER));

src/inc/quic_platform_winkernel.h

@@ -253,8 +253,10 @@ CxPlatLogAssert(
 
 extern uint64_t CxPlatTotalMemory;
 
-#define CXPLAT_ALLOC_PAGED(Size, Tag) ExAllocatePool2(POOL_FLAG_PAGED | POOL_FLAG_UNINITIALIZED, Size, Tag)
-#define CXPLAT_ALLOC_NONPAGED(Size, Tag) ExAllocatePool2(POOL_FLAG_NON_PAGED | POOL_FLAG_UNINITIALIZED, Size, Tag)
+#define CXPLAT_ALLOC_PAGED(Size, Tag) ExAllocatePool2(POOL_FLAG_PAGED, Size, Tag)
+#define CXPLAT_ALLOC_NONPAGED(Size, Tag) ExAllocatePool2(POOL_FLAG_NON_PAGED, Size, Tag)
+#define CXPLAT_ALLOC_PAGED_UNINITIALIZED(Size, Tag) ExAllocatePool2(POOL_FLAG_PAGED | POOL_FLAG_UNINITIALIZED, Size, Tag)
+#define CXPLAT_ALLOC_NONPAGED_UNINITIALIZED(Size, Tag) ExAllocatePool2(POOL_FLAG_NON_PAGED | POOL_FLAG_UNINITIALIZED, Size, Tag)
 #define CXPLAT_FREE(Mem, Tag) ExFreePoolWithTag((void*)Mem, Tag)
 
 //
@@ -292,6 +294,23 @@ void*
 CxPlatPoolAlloc(
     _Inout_ CXPLAT_POOL* Pool
     )
+{
+    CXPLAT_POOL_HEADER* Header =
+        (CXPLAT_POOL_HEADER*)ExAllocateFromLookasideListEx(Pool);
+    if (Header == NULL) {
+        return NULL;
+    }
+    Header->Owner = Pool;
+    void* Result = (void*)(Header + 1);
+    RtlZeroMemory(Result, Pool->L.Size - sizeof(CXPLAT_POOL_HEADER));
+    return Result;
+}
+
+QUIC_INLINE
+void*
+CxPlatPoolAllocUninitialized(
+    _Inout_ CXPLAT_POOL* Pool
+    )
 {
     CXPLAT_POOL_HEADER* Header =
         (CXPLAT_POOL_HEADER*)ExAllocateFromLookasideListEx(Pool);

src/inc/quic_platform_winuser.h

@@ -278,6 +278,12 @@ CxPlatAlloc(
     _In_ uint32_t Tag
     );
 
+void*
+CxPlatAllocUninitialized(
+    _In_ size_t ByteCount,
+    _In_ uint32_t Tag
+    );
+
 void
 CxPlatFree(
     __drv_freesMem(Mem) _Frees_ptr_ void* Mem,
@@ -286,6 +292,8 @@ CxPlatFree(
 
 #define CXPLAT_ALLOC_PAGED(Size, Tag) CxPlatAlloc(Size, Tag)
 #define CXPLAT_ALLOC_NONPAGED(Size, Tag) CxPlatAlloc(Size, Tag)
+#define CXPLAT_ALLOC_PAGED_UNINITIALIZED(Size, Tag) CxPlatAllocUninitialized(Size, Tag)
+#define CXPLAT_ALLOC_NONPAGED_UNINITIALIZED(Size, Tag) CxPlatAllocUninitialized(Size, Tag)
 #define CXPLAT_FREE(Mem, Tag) CxPlatFree((void*)Mem, Tag)
 
 typedef struct CXPLAT_POOL CXPLAT_POOL;
@@ -446,6 +454,35 @@ CxPlatPoolAlloc(
         CXPLAT_DBG_ASSERT(Header->SpecialFlag == CXPLAT_POOL_FREE_FLAG);
     }
     Header->SpecialFlag = CXPLAT_POOL_ALLOC_FLAG;
+#endif
+    Header->Owner = Pool;
+    void* Result = (void*)(Header + 1);
+    RtlZeroMemory(Result, Pool->Size - sizeof(CXPLAT_POOL_HEADER));
+    return Result;
+}
+
+QUIC_INLINE
+void*
+CxPlatPoolAllocUninitialized(
+    _Inout_ CXPLAT_POOL* Pool
+    )
+{
+    CXPLAT_POOL_HEADER* Header =
+#if DEBUG
+        CxPlatGetAllocFailDenominator() ? NULL : // No pool when using simulated alloc failures
+#endif
+        (CXPLAT_POOL_HEADER*)InterlockedPopEntrySList(&Pool->ListHead);
+    if (Header == NULL) {
+        Header = Pool->Allocate(Pool->Size, Pool->Tag, Pool);
+        if (Header == NULL) {
+            return NULL;
+        }
+    }
+#if DEBUG
+    else {
+        CXPLAT_DBG_ASSERT(Header->SpecialFlag == CXPLAT_POOL_FREE_FLAG);
+    }
+    Header->SpecialFlag = CXPLAT_POOL_ALLOC_FLAG;
 #endif
     Header->Owner = Pool;
     return (void*)(Header + 1);

src/platform/datapath_winkernel.c

@@ -2606,7 +2606,11 @@ CxPlatSendDataAllocDataBuffer(
     _In_ CXPLAT_POOL* BufferPool
     )
 {
-    CXPLAT_DATAPATH_SEND_BUFFER* SendBuffer = CxPlatPoolAlloc(BufferPool);
+    //
+    // Use the *PoolAllocUninitialized method here to preserve the MDL
+    // pre-initializations (the default *PoolAlloc method zero-inits).
+    //
+    CXPLAT_DATAPATH_SEND_BUFFER* SendBuffer = CxPlatPoolAllocUninitialized(BufferPool);
     if (SendBuffer == NULL) {
         return NULL;
     }

src/platform/platform_posix.c

@@ -281,6 +281,24 @@ CxPlatAlloc(
         (CxPlatform.AllocFailDenominator < 0 && InterlockedIncrement(&CxPlatform.AllocCounter) % CxPlatform.AllocFailDenominator == 0)) {
         return NULL;
     }
+#endif
+    return calloc(1, ByteCount);
+}
+
+void*
+CxPlatAllocUninitialized(
+    _In_ size_t ByteCount,
+    _In_ uint32_t Tag
+    )
+{
+    UNREFERENCED_PARAMETER(Tag);
+#ifdef DEBUG
+    CXPLAT_DBG_ASSERT(ByteCount != 0);
+    uint32_t Rand;
+    if ((CxPlatform.AllocFailDenominator > 0 && (CxPlatRandom(sizeof(Rand), &Rand), Rand % CxPlatform.AllocFailDenominator) == 1) ||
+        (CxPlatform.AllocFailDenominator < 0 && InterlockedIncrement(&CxPlatform.AllocCounter) % CxPlatform.AllocFailDenominator == 0)) {
+        return NULL;
+    }
 #endif
     return malloc(ByteCount);
 }

src/platform/platform_winuser.c

@@ -459,6 +459,33 @@ CxPlatAlloc(
         return NULL;
     }
 
+    void* Alloc = HeapAlloc(CxPlatform.Heap, HEAP_ZERO_MEMORY, ByteCount + AllocOffset);
+    if (Alloc == NULL) {
+        return NULL;
+    }
+    *((uint32_t*)Alloc) = Tag;
+    return (void*)((uint8_t*)Alloc + AllocOffset);
+#else
+    UNREFERENCED_PARAMETER(Tag);
+    return HeapAlloc(CxPlatform.Heap, HEAP_ZERO_MEMORY, ByteCount);
+#endif
+}
+
+void*
+CxPlatAllocUninitialized(
+    _In_ size_t ByteCount,
+    _In_ uint32_t Tag
+    )
+{
+#ifdef DEBUG
+    CXPLAT_DBG_ASSERT(CxPlatform.Heap);
+    CXPLAT_DBG_ASSERT(ByteCount != 0);
+    uint32_t Rand;
+    if ((CxPlatform.AllocFailDenominator > 0 && (CxPlatRandom(sizeof(Rand), &Rand), Rand % CxPlatform.AllocFailDenominator) == 1) ||
+        (CxPlatform.AllocFailDenominator < 0 && InterlockedIncrement(&CxPlatform.AllocCounter) % CxPlatform.AllocFailDenominator == 0)) {
+        return NULL;
+    }
+
     void* Alloc = HeapAlloc(CxPlatform.Heap, 0, ByteCount + AllocOffset);
     if (Alloc == NULL) {
         return NULL;

src/platform/unittest/AllocTest.cpp

@@ -0,0 +1,129 @@
+/*++
+
+    Copyright (c) Microsoft Corporation.
+    Licensed under the MIT License.
+
+Abstract:
+
+    Tests to verify that memory allocations are zero-initialized by default.
+
+--*/
+
+#include "main.h"
+#include <algorithm>
+
+//
+// Size large enough to avoid small-allocation optimizations that might
+// coincidentally return zeroed memory.
+//
+#define TEST_ALLOC_SIZE 256
+
+static bool
+IsZeroMemory(
+    _In_ const uint8_t* Buffer,
+    _In_ size_t Size
+    )
+{
+    return std::all_of(Buffer, Buffer + Size, [](uint8_t b) { return b == 0; });
+}
+
+//
+// Allocates memory, fills it with non-zero data, frees it, then reallocates
+// the same size and checks whether the new allocation is zero-initialized.
+//
+// If the allocator does NOT zero-initialize, the recycled block will likely
+// still contain the 0xDE pattern, causing the test to fail.
+//
+TEST(AllocTest, NonPagedAllocIsZeroInitialized)
+{
+    //
+    // Phase 1: Allocate and poison memory so the heap has a dirty free block.
+    //
+    uint8_t* First =
+        (uint8_t*)CXPLAT_ALLOC_NONPAGED(TEST_ALLOC_SIZE, QUIC_POOL_TEST);
+    ASSERT_NE(nullptr, First);
+
+    memset(First, 0xDE, TEST_ALLOC_SIZE);
+    CXPLAT_FREE(First, QUIC_POOL_TEST);
+
+    //
+    // Phase 2: Reallocate the same size. A non-zeroing allocator will likely
+    // hand back the same (still dirty) block.
+    //
+    uint8_t* Second =
+        (uint8_t*)CXPLAT_ALLOC_NONPAGED(TEST_ALLOC_SIZE, QUIC_POOL_TEST);
+    ASSERT_NE(nullptr, Second);
+
+    EXPECT_TRUE(IsZeroMemory(Second, TEST_ALLOC_SIZE))
+        << "CXPLAT_ALLOC_NONPAGED returned non-zero-initialized memory. ";
+
+    CXPLAT_FREE(Second, QUIC_POOL_TEST);
+}
+
+TEST(AllocTest, PagedAllocIsZeroInitialized)
+{
+    uint8_t* First =
+        (uint8_t*)CXPLAT_ALLOC_PAGED(TEST_ALLOC_SIZE, QUIC_POOL_TEST);
+    ASSERT_NE(nullptr, First);
+
+    memset(First, 0xDE, TEST_ALLOC_SIZE);
+    CXPLAT_FREE(First, QUIC_POOL_TEST);
+
+    uint8_t* Second =
+        (uint8_t*)CXPLAT_ALLOC_PAGED(TEST_ALLOC_SIZE, QUIC_POOL_TEST);
+    ASSERT_NE(nullptr, Second);
+
+    EXPECT_TRUE(IsZeroMemory(Second, TEST_ALLOC_SIZE))
+        << "CXPLAT_ALLOC_PAGED returned non-zero-initialized memory. ";
+
+    CXPLAT_FREE(Second, QUIC_POOL_TEST);
+}
+
+//
+// CxPlatPoolAlloc can return a previously-used
+// object from its free list, and that object will contain stale data unless
+// the allocator explicitly zeroes it.
+//
+TEST(AllocTest, PoolAllocIsZeroInitializedOnReuse)
+{
+    CXPLAT_POOL Pool;
+    CxPlatPoolInitialize(FALSE, TEST_ALLOC_SIZE, QUIC_POOL_TEST, &Pool);
+
+    //
+    // Phase 1: Allocate from pool, poison, return to pool.
+    //
+    uint8_t* First = (uint8_t*)CxPlatPoolAlloc(&Pool);
+    ASSERT_NE(nullptr, First);
+
+    memset(First, 0xDE, TEST_ALLOC_SIZE);
+    CxPlatPoolFree(First);
+
+    //
+    // Phase 2: Re-allocate from pool. The pool will return the same object
+    // from its free list. If pool alloc doesn't zero-init, it will still
+    // contain the 0xDE poison bytes.
+    //
+    uint8_t* Second = (uint8_t*)CxPlatPoolAlloc(&Pool);
+    ASSERT_NE(nullptr, Second);
+
+    EXPECT_TRUE(IsZeroMemory(Second, TEST_ALLOC_SIZE))
+        << "CxPlatPoolAlloc returned non-zero-initialized memory on reuse. ";
+
+    CxPlatPoolFree(Second);
+    CxPlatPoolUninitialize(&Pool);
+}
+
+TEST(AllocTest, PoolAllocIsZeroInitializedFresh)
+{
+    CXPLAT_POOL Pool;
+    CxPlatPoolInitialize(FALSE, TEST_ALLOC_SIZE, QUIC_POOL_TEST, &Pool);
+
+    uint8_t* Mem = (uint8_t*)CxPlatPoolAlloc(&Pool);
+    ASSERT_NE(nullptr, Mem);
+
+    EXPECT_TRUE(IsZeroMemory(Mem, TEST_ALLOC_SIZE))
+        << "CxPlatPoolAlloc returned non-zero-initialized memory on fresh alloc. ";
+
+    CxPlatPoolFree(Mem);
+    CxPlatPoolUninitialize(&Pool);
+}

src/platform/unittest/CMakeLists.txt

@@ -3,6 +3,7 @@
 
 set(SOURCES
     main.cpp
+    AllocTest.cpp
     CryptTest.cpp
     DataPathTest.cpp
     PlatformTest.cpp