DECAF (short for Dynamic Executable Code Analysis Framework) is a binary analysis platform based on QEMU. This is also the home of the DroidScope dynamic Android malware analysis platform. DroidScope is now an extension to DECAF.
There is something about the shadow memory that I don't quite understand, as described below:
Take a memory size of 4G as an example.
In taint_memory.h:

```c
#define BITPAGE_LEAF_BITS TARGET_PAGE_BITS
#define BITPAGE_MIDDLE_BITS (32-TARGET_PAGE_BITS)/2
```

BITPAGE_LEAF_BITS = 12, BITPAGE_MIDDLE_BITS = (32-12)/2 = 10

```c
// definition of leaf node
typedef struct _tbitpage_leaf {
  uint8_t bitmap[2 << BITPAGE_LEAF_BITS]; // bitmap[2^13]
} tbitpage_leaf_t;
```

The bitmap size is 2^13 bytes (8KB).

```c
/* Middle node for holding memory taint information */
typedef struct _tbitpage_middle {
  tbitpage_leaf_t *leaf[2 << BITPAGE_MIDDLE_BITS]; // leaf[2^11]
} tbitpage_middle_t;
```

Each middle node contains 2^11 leaf nodes.

```c
/* Root node for holding memory taint information */
tbitpage_middle_t **taint_memory_page_table = NULL;

static void allocate_taint_memory_page_table(void)
{
  if (taint_memory_page_table) return; // AWH - Don't allocate if one exists
  taint_memory_page_table_root_size = ram_size >> (BITPAGE_LEAF_BITS + BITPAGE_MIDDLE_BITS); // ram_size=2^32, taint_memory_page_table_root_size=2^10
  taint_memory_page_table = (tbitpage_middle_t **) g_malloc0(taint_memory_page_table_root_size * sizeof(void*));
  allocate_leaf_pool();
  allocate_middle_pool();
  middle_nodes_in_use = 0;
  leaf_nodes_in_use = 0;
}
```
In the function allocate_taint_memory_page_table(), we assign the size of the root node: ram_size = 2^32, taint_memory_page_table_root_size = ram_size >> (BITPAGE_LEAF_BITS + BITPAGE_MIDDLE_BITS) = (2^32) >> (12 + 10) = 2^10 = 1024.

Question 1: Generally, the page size for 4G of RAM is 4KB, but the size of a leaf node defined here is not equal to the size of a page. Why?

Question 2: From the above allocation, if ram_size is 4G, then the size of the entire shadow memory should be 2^13 * 2^11 * 2^10 bytes = 2^34 bytes = 16G > ram_size. Is this wrong, or was it deliberately designed this way?
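The sizing that the two questions work through, as an added example that is not part of the original issue and not DECAF's own code: it reuses the constants and node layouts quoted above, computes the root-entry count and the 2^34 capacity from Question 2, and then builds a small lazily populated instance of the three-level table to show how much memory is actually committed. The address split (low 13 bits select the byte in a leaf, next 11 bits the leaf, the remainder the root slot) and the on-demand allocation are this example's own assumptions; DECAF's real address decomposition macros and its leaf/middle pools are not shown on the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constants and node layouts as quoted in the issue; TARGET_PAGE_BITS is 12
 * for a 4 KB guest page, so a leaf holds 2 << 12 = 8192 taint bytes. */
#define TARGET_PAGE_BITS    12
#define BITPAGE_LEAF_BITS   TARGET_PAGE_BITS
#define BITPAGE_MIDDLE_BITS ((32 - TARGET_PAGE_BITS) / 2)
#define LEAF_BYTES          (2u << BITPAGE_LEAF_BITS)    /* 2^13 bytes per leaf        */
#define MIDDLE_ENTRIES      (2u << BITPAGE_MIDDLE_BITS)  /* 2^11 leaf slots per middle */

typedef struct { uint8_t bitmap[LEAF_BYTES]; } tbitpage_leaf_t;
typedef struct { tbitpage_leaf_t *leaf[MIDDLE_ENTRIES]; } tbitpage_middle_t;

/* Root sizing exactly as in allocate_taint_memory_page_table(): 2^32 >> 22 = 1024. */
uint64_t root_entries_for(uint64_t ram_size)
{
    return ram_size >> (BITPAGE_LEAF_BITS + BITPAGE_MIDDLE_BITS);
}

/* Bytes the tree could shadow if every slot were populated (Question 2's 2^34). */
uint64_t addressable_bytes(uint64_t ram_size)
{
    return root_entries_for(ram_size) * MIDDLE_ENTRIES * LEAF_BYTES;
}

/* Address split used by this example only (an assumption, not DECAF's macros):
 * 13 bits pick the byte inside a leaf, 11 bits pick the leaf, the rest the root slot. */
#define LEAF_SHIFT (BITPAGE_LEAF_BITS + 1)                 /* 13 */
#define ROOT_SHIFT (LEAF_SHIFT + BITPAGE_MIDDLE_BITS + 1)  /* 24 */
static uint64_t leaf_idx(uint64_t a)   { return a & (LEAF_BYTES - 1); }
static uint64_t middle_idx(uint64_t a) { return (a >> LEAF_SHIFT) & (MIDDLE_ENTRIES - 1); }
static uint64_t root_idx(uint64_t a)   { return a >> ROOT_SHIFT; }

/* Lazily populated instance: only the root pointer array exists up front. */
static tbitpage_middle_t **root = NULL;
static uint64_t root_entries = 0;
static uint64_t bytes_allocated = 0;   /* bytes this example has actually calloc'ed */

uint64_t shadow_allocated_bytes(void) { return bytes_allocated; }

int shadow_init(uint64_t ram_size)
{
    if (root) return 0;                          /* don't allocate if one exists */
    root_entries = root_entries_for(ram_size);
    root = calloc(root_entries, sizeof(*root));
    if (!root) return -1;
    bytes_allocated = root_entries * sizeof(*root);
    return 0;
}

/* Mark one guest byte; middle and leaf nodes are created on first touch. */
int shadow_set(uint64_t addr, uint8_t taint)
{
    uint64_t r = root_idx(addr);
    if (!root || r >= root_entries) return -1;   /* address beyond the table */
    if (!root[r]) {
        root[r] = calloc(1, sizeof(tbitpage_middle_t));
        if (!root[r]) return -1;
        bytes_allocated += sizeof(tbitpage_middle_t);
    }
    tbitpage_leaf_t **slot = &root[r]->leaf[middle_idx(addr)];
    if (!*slot) {
        *slot = calloc(1, sizeof(tbitpage_leaf_t));
        if (!*slot) return -1;
        bytes_allocated += sizeof(tbitpage_leaf_t);
    }
    (*slot)->bitmap[leaf_idx(addr)] = taint;
    return 0;
}

/* Memory that was never touched has no node and reads back as untainted. */
int shadow_get(uint64_t addr)
{
    uint64_t r = root_idx(addr);
    if (!root || r >= root_entries || !root[r]) return 0;
    tbitpage_leaf_t *l = root[r]->leaf[middle_idx(addr)];
    return l ? l->bitmap[leaf_idx(addr)] : 0;
}

int main(void)
{
    uint64_t ram = (uint64_t)1 << 32;
    printf("root entries    : %llu\n", (unsigned long long)root_entries_for(ram));
    printf("leaf bytes      : %zu (guest page is %u)\n", sizeof(tbitpage_leaf_t), 1u << TARGET_PAGE_BITS);
    printf("addressable     : %llu bytes for ram_size %llu\n",
           (unsigned long long)addressable_bytes(ram), (unsigned long long)ram);
    shadow_init(ram);
    printf("root array      : %llu bytes\n", (unsigned long long)shadow_allocated_bytes());
    shadow_set(0xdeadbeefULL, 1);                /* taint a single guest byte */
    printf("after one taint : %llu bytes allocated\n", (unsigned long long)shadow_allocated_bytes());
    return 0;
}
```

Build with `cc -Wall shadow.c` and run. On a 64-bit host the root array costs 1024 * sizeof(void*) = 8 KB, and tainting one byte adds one middle node (2^11 pointers, 16 KB) and one leaf (8 KB); the 2^34 figure is the tree's addressable capacity, not memory committed when the table is created. Under this example's non-overlapping split a 4 GB guest only ever reaches root slots 0..255 of the 1024, so the remaining slots and the extra capacity are slack rather than an error in the arithmetic.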