This is an archive of the discontinued LLVM Phabricator instance.

Differential D107201

[libfuzzer] Use crash stack for fuchsia
AcceptedPublic

Authored by charco on Jul 30 2021, 3:55 PM.

Details

Reviewers
mcgrathr
aarongreen
Summary

This commits add a temporary stack to handle libfuzzer crashes in
Fuchsia.

Crashes in fuchsia are handled via exception channels: an exception
handler thread waits for an exception, and when one happs, it will try
to "resurrect" the crashed thread by writing the registers onto the
stack and changing the PC to a crash trampoline, which then calls
libfuzzer's static crash handler.

If the crashed thread has an invalid stack, writing the registers onto
the stack will fail. The end result is that the fuzzer would hang and
the error would be reported as a time out.

To solve it, we set up a temporary stack of a few pages so the crash
handler can run. This crash handler will end the application, so we are
not expected to resume normal execution.

The code changes three stacks: The SafeStack (current sp pointer), the
UnsafeStack (stored at an offset from the Thread Pointer), and the
ShadowCallStack if it's available.

Diff Detail

Event Timeline

charco created this revision.Jul 30 2021, 3:55 PM
Herald added a subscriber: phosek. · View Herald TranscriptJul 30 2021, 3:55 PM
charco requested review of this revision.Jul 30 2021, 3:55 PM
Herald added a project: Restricted Project. · View Herald TranscriptJul 30 2021, 3:55 PM
Herald added a subscriber: Restricted Project. · View Herald Transcript
Harbormaster completed remote builds in B117276: Diff 363231.Jul 30 2021, 3:55 PM
mcgrathr accepted this revision.Aug 25 2021, 3:03 PM
mcgrathr added inline comments.
compiler-rt/lib/fuzzer/FuzzerUtilFuchsia.cpp
284

You want to do this regardless of how the fuzzer library itself was compiled.
The SCSP in x18 is part of the --target=aarch64-fuchsia ABI.

302

Same here. You can conditionalize it to aarch64, but it should always be done for all aarch64 code.

This revision is now accepted and ready to land.Aug 25 2021, 3:03 PM

Revision Contents

PathSize
compiler-rt/
lib/
fuzzer/
116 lines

Diff 363231

compiler-rt/lib/fuzzer/FuzzerUtilFuchsia.cpp

Show All 26 Lines
#include <zircon/errors.h> #include <zircon/errors.h>
#include <zircon/process.h> #include <zircon/process.h>
#include <zircon/sanitizer.h> #include <zircon/sanitizer.h>
#include <zircon/status.h> #include <zircon/status.h>
#include <zircon/syscalls.h> #include <zircon/syscalls.h>
#include <zircon/syscalls/debug.h> #include <zircon/syscalls/debug.h>
#include <zircon/syscalls/exception.h> #include <zircon/syscalls/exception.h>
#include <zircon/syscalls/object.h> #include <zircon/syscalls/object.h>
#include <zircon/tls.h>
#include <zircon/types.h> #include <zircon/types.h>
#include <vector> #include <vector>
namespace fuzzer { namespace fuzzer {
// Given that Fuchsia doesn't have the POSIX signals that libFuzzer was written // Given that Fuchsia doesn't have the POSIX signals that libFuzzer was written
// around, the general approach is to spin up dedicated threads to watch for // around, the general approach is to spin up dedicated threads to watch for
▲ Show 20 LinesShow All 161 Lines▼ Show 20 Lines ".cfi_startproc\n"
: // No outputs : // No outputs
: FOREACH_REGISTER(ASM_OPERAND_REG, ASM_OPERAND_NUM) : FOREACH_REGISTER(ASM_OPERAND_REG, ASM_OPERAND_NUM)
#if defined(__aarch64__) #if defined(__aarch64__)
ASM_OPERAND_REG(pc) ASM_OPERAND_REG(lr) ASM_OPERAND_REG(pc) ASM_OPERAND_REG(lr)
#endif #endif
[StaticCrashHandler] "i"(StaticCrashHandler)); [StaticCrashHandler] "i"(StaticCrashHandler));
} }
uintptr_t CreateStack(size_t Size, const std::string &Name) {
zx_handle_t Vmo;
ExitOnErr(_zx_vmo_create(Size, 0, &Vmo), "_zx_vmo_create");
const size_t PageSize = _zx_system_get_page_size();
ExitOnErr(
_zx_object_set_property(Vmo, ZX_PROP_NAME, Name.c_str(), Name.length()),
"_zx_object_set_property");
zx_handle_t Vmar = zx_vmar_root_self();
uintptr_t Addr;
ExitOnErr(_zx_vmar_allocate(Vmar,
ZX_VM_CAN_MAP_READ | ZX_VM_CAN_MAP_WRITE |
ZX_VM_CAN_MAP_SPECIFIC,
0, Size + 2 * PageSize, &Vmar, &Addr),
"_zx_vmar_allocate");
zx_vaddr_t StackBase;
zx_vm_option_t Opts = ZX_VM_PERM_READ | ZX_VM_PERM_WRITE | ZX_VM_SPECIFIC;
// Map the Vmo leaving one guard page before and after.
ExitOnErr(_zx_vmar_map(Vmar, Opts, PageSize, Vmo, /* vmo_offset */ 0, Size,
&StackBase),
"_zx_vmar_map");
return static_cast<uintptr_t>(StackBase);
}
zx_thread_state_general_regs_t
SetupTrampoline(const zx_thread_state_general_regs_t &registers,
uintptr_t SafeStack, uintptr_t UnsafeStack,
uintptr_t ShadowCallStack) {
// Align the stack to 16 bytes and copy crashed thread's regs so they
// can be restored by the unwinder.
uintptr_t StackPtr =
(SafeStack - (sizeof(registers) + 0xF)) & ~(uintptr_t)0xF;
__unsanitized_memcpy(reinterpret_cast<void *>(StackPtr), &registers,
sizeof(registers));
#if defined(__x86_64__)
static_assert(!__has_feature(ShadowCallStack));
zx_thread_state_general_regs_t res = {
.rdi = reinterpret_cast<uint64_t>(StaticCrashHandler),
.rsp = StackPtr,
.rip = reinterpret_cast<uint64_t>(CrashTrampolineAsm),
.rflags = registers.rflags,
.fs_base = registers.fs_base,
};
// The unsafe stack is located near the crashed threads Thread Pointer.
// If they have an invalid Thread Pointer, the fuzzer program will crash.
uintptr_t *UnsafeStackLocation = reinterpret_cast<uintptr_t *>(
registers.fs_base + ZX_TLS_UNSAFE_SP_OFFSET);
*UnsafeStackLocation = UnsafeStack;
#elif defined(__aarch64__)
zx_thread_state_general_regs_t res = {
.r[0] = reinterpret_cast<uint64_t>(StaticCrashHandler),
.sp = StackPtr,
.pc = reinterpret_cast<uint64_t>(CrashTrampolineAsm),
.cpsr = registers.cpsr,
.tpidr = registers.tpidr,
};
// The unsafe stack is located near the crashed threads Thread Pointer.
// If they have an invalid Thread Pointer, the fuzzer program will crash.
uintptr_t *UnsafeStackLocation =
reinterpret_cast<uintptr_t *>(registers.tpidr + ZX_TLS_UNSAFE_SP_OFFSET);
*UnsafeStackLocation = UnsafeStack;
if constexpr (__has_feature(shadow_call_stack)) {
mcgrathrUnsubmitted
Not Done
ReplyInline Actions

You want to do this regardless of how the fuzzer library itself was compiled.
The SCSP in x18 is part of the --target=aarch64-fuchsia ABI.

mcgrathr: You want to do this regardless of how the fuzzer library itself was compiled. The SCSP in x18…
res.r[18] = ShadowCallStack;
}
#else
#error "Unsupported architecture for fuzzing on Fuchsia"
#endif
return res;
}
constexpr size_t kCrashStackSize = 4096 * 16;
void CrashHandler(zx_handle_t *Event) { void CrashHandler(zx_handle_t *Event) {
uintptr_t SafeStack =
CreateStack(kCrashStackSize, "crash-safestack") + kCrashStackSize;
uintptr_t UnsafeStack =
CreateStack(kCrashStackSize, "crash-unsafestack") + kCrashStackSize;
uintptr_t ShadowCallStack = 0x0;
if constexpr (__has_feature(shadow_call_stack)) {
mcgrathrUnsubmitted
Not Done
ReplyInline Actions

Same here. You can conditionalize it to aarch64, but it should always be done for all aarch64 code.

mcgrathr: Same here. You can conditionalize it to aarch64, but it should always be done for all aarch64…
// ShadowCallStack grows the other way around. No need to point to the end.
ShadowCallStack = CreateStack(kCrashStackSize, "crash-shadowcallstack");
}
// ScopedHandle is a helper class that makes sure handles are closed when they // ScopedHandle is a helper class that makes sure handles are closed when they
// go out of scope. This also allows handles to be moved. // go out of scope. This also allows handles to be moved.
class ScopedHandle { class ScopedHandle {
public: public:
ScopedHandle() { reset(); } ScopedHandle() { reset(); }
explicit ScopedHandle(zx_handle_t H) { reset(H); } explicit ScopedHandle(zx_handle_t H) { reset(H); }
ScopedHandle(ScopedHandle &&Other) : Handle(Other.release()) {} ScopedHandle(ScopedHandle &&Other) : Handle(Other.release()) {}
ScopedHandle &operator=(ScopedHandle &&Other) { ScopedHandle &operator=(ScopedHandle &&Other) {
▲ Show 20 LinesShow All 87 Lines▼ Show 20 Lines if (crashed_tid != ZX_KOID_INVALID) {
continue; continue;
} }
} }
crashed_tid = ExceptionInfo.tid; crashed_tid = ExceptionInfo.tid;
// To unwind properly, we need to push the crashing thread's register state // To unwind properly, we need to push the crashing thread's register state
// onto the stack and jump into a trampoline with CFI instructions on how // onto the stack and jump into a trampoline with CFI instructions on how
// to restore it. // to restore it.
#if defined(__x86_64__) GeneralRegisters = SetupTrampoline(GeneralRegisters, SafeStack, UnsafeStack,
uintptr_t StackPtr = ShadowCallStack);
(GeneralRegisters.rsp - (128 + sizeof(GeneralRegisters))) &
-(uintptr_t)16;
__unsanitized_memcpy(reinterpret_cast<void *>(StackPtr), &GeneralRegisters,
sizeof(GeneralRegisters));
GeneralRegisters.rsp = StackPtr;
GeneralRegisters.rip = reinterpret_cast<zx_vaddr_t>(CrashTrampolineAsm);
#elif defined(__aarch64__)
uintptr_t StackPtr =
(GeneralRegisters.sp - sizeof(GeneralRegisters)) & -(uintptr_t)16;
__unsanitized_memcpy(reinterpret_cast<void *>(StackPtr), &GeneralRegisters,
sizeof(GeneralRegisters));
GeneralRegisters.sp = StackPtr;
GeneralRegisters.pc = reinterpret_cast<zx_vaddr_t>(CrashTrampolineAsm);
#else
#error "Unsupported architecture for fuzzing on Fuchsia"
#endif
// Now force the crashing thread's state. // Now force the crashing thread's state.
ExitOnErr( ExitOnErr(
_zx_thread_write_state(Thread.Handle, ZX_THREAD_STATE_GENERAL_REGS, _zx_thread_write_state(Thread.Handle, ZX_THREAD_STATE_GENERAL_REGS,
&GeneralRegisters, sizeof(GeneralRegisters)), &GeneralRegisters, sizeof(GeneralRegisters)),
"_zx_thread_write_state"); "_zx_thread_write_state");
// Set the exception to HANDLED so it resumes the thread on close. // Set the exception to HANDLED so it resumes the thread on close.
▲ Show 20 LinesShow All 228 LinesShow Last 20 Lines