This is an archive of the discontinued LLVM Phabricator instance.

Differential D14979

[asan] Correctly release memory allocated during early startup.
ClosedPublic

Authored by ygribov on Nov 25 2015, 2:55 AM.

Details

Reviewers
kcc
samsonov
Commits
rG67a001fd17d6: [asan] Correctly release memory allocated during early startup.
rCRT254395: [asan] Correctly release memory allocated during early startup.
rL254395: [asan] Correctly release memory allocated during early startup.
Summary

Inspired by https://github.com/google/sanitizers/issues/626

Calloc interceptor initially allocates memory from temp buffer (to serve dlsyms called during asan_init). There is a chance that some non-instrumented library (or executable) has allocated memory with calloc before asan_init and got pointer from the same temporary buffer which later caused problems with free.

Diff Detail

Repository
rL LLVM

Event Timeline

ygribov updated this revision to Diff 41121.Nov 25 2015, 2:55 AM
ygribov retitled this revision from to [asan] Correctly release memory allocated during early startup..
ygribov updated this object.
ygribov added reviewers: kcc, samsonov.
ygribov set the repository for this revision to rL LLVM.
ygribov added subscribers: eugenis, dvyukov, llvm-commits.
Herald added subscribers: srhines, danalbert, tberghammer. · View Herald TranscriptNov 25 2015, 2:55 AM
ygribov updated this revision to Diff 41122.Nov 25 2015, 2:57 AM
ygribov removed rL LLVM as the repository for this revision.

Added UNLIKELY hints.

samsonov added inline comments.Nov 25 2015, 11:25 AM
lib/asan/asan_malloc_linux.cc
33 ↗(On Diff #41122)

Wait, why is it not ptr - calloc_memory_for_dlsym?

74 ↗(On Diff #41122)

It's not that hard to keep sizes of the allocations from calloc_memory_for_dlsym. E.g. when you return &calloc_memory_for_dlsym[allocated] you can store size_in_words in calloc_memory_for_dlsym_sizes[allocated].

test/asan/TestCases/Linux/calloc-preload.c
10 ↗(On Diff #41122)

UNSUPPORTED: android
?

ygribov updated this revision to Diff 41210.Nov 25 2015, 11:09 PM

Fixed Alexey's remarks.

ygribov added inline comments.Nov 25 2015, 11:13 PM
lib/asan/asan_malloc_linux.cc
33 ↗(On Diff #41210)

Right, shame on me. This worked because ptr was equal to calloc_memory_for_dlsym.

74 ↗(On Diff #41210)

Sure, but is it worth it? We do not expect pool pointers to sneak into normal allocator very often.

test/asan/TestCases/Linux/calloc-preload.c
11 ↗(On Diff #41210)

That's Evgeniy's code, also used in other tests. Perhaps fix this in separate commit?

ygribov marked 4 inline comments as done.Nov 25 2015, 11:13 PM
eugenis added inline comments.Nov 30 2015, 11:18 AM
test/asan/TestCases/Linux/calloc-preload.c
11 ↗(On Diff #41210)

Yes, this should be replaced with UNSUPPORTED. Other occurrencies could be fixed in a separate commit, but there no reason to use not-android in newly added tests.

samsonov accepted this revision.Nov 30 2015, 11:37 AM
samsonov edited edge metadata.

Looks OK, but please fix the bug pointed out below.

lib/asan/asan_malloc_linux.cc
73 ↗(On Diff #41210)

ptr - calloc_memory_for_dlsym here as well

74 ↗(On Diff #41210)

Okay

This revision is now accepted and ready to land.Nov 30 2015, 11:37 AM
Closed by commit rL254395: [asan] Correctly release memory allocated during early startup. (authored by ygribov). · Explain WhyDec 1 2015, 1:25 AM
This revision was automatically updated to reflect the committed changes.
ygribov marked 3 inline comments as done.Dec 1 2015, 1:26 AM
ygribov added inline comments.
lib/asan/asan_malloc_linux.cc
73 ↗(On Diff #41210)

Done.

jevinskie added a subscriber: jevinskie.Dec 1 2015, 12:38 PM

Revision Contents

PathSize
compiler-rt/
trunk/
lib/
asan/
21 lines
test/
asan/
TestCases/
Linux/
36 lines

Diff 41472

compiler-rt/trunk/lib/asan/asan_malloc_linux.cc

Show All 20 Lines
#include "asan_allocator.h" #include "asan_allocator.h"
#include "asan_interceptors.h" #include "asan_interceptors.h"
#include "asan_internal.h" #include "asan_internal.h"
#include "asan_stack.h" #include "asan_stack.h"
// ---------------------- Replacement functions ---------------- {{{1 // ---------------------- Replacement functions ---------------- {{{1
using namespace __asan; // NOLINT using namespace __asan; // NOLINT
static const uptr kCallocPoolSize = 1024;
static uptr calloc_memory_for_dlsym[kCallocPoolSize];
static bool IsInCallocPool(const void *ptr) {
sptr off = (sptr)ptr - (sptr)calloc_memory_for_dlsym;
return 0 <= off && off < (sptr)kCallocPoolSize;
}
INTERCEPTOR(void, free, void *ptr) { INTERCEPTOR(void, free, void *ptr) {
GET_STACK_TRACE_FREE; GET_STACK_TRACE_FREE;
if (UNLIKELY(IsInCallocPool(ptr)))
return;
asan_free(ptr, &stack, FROM_MALLOC); asan_free(ptr, &stack, FROM_MALLOC);
} }
INTERCEPTOR(void, cfree, void *ptr) { INTERCEPTOR(void, cfree, void *ptr) {
GET_STACK_TRACE_FREE; GET_STACK_TRACE_FREE;
if (UNLIKELY(IsInCallocPool(ptr)))
return;
asan_free(ptr, &stack, FROM_MALLOC); asan_free(ptr, &stack, FROM_MALLOC);
} }
INTERCEPTOR(void*, malloc, uptr size) { INTERCEPTOR(void*, malloc, uptr size) {
GET_STACK_TRACE_MALLOC; GET_STACK_TRACE_MALLOC;
return asan_malloc(size, &stack); return asan_malloc(size, &stack);
} }
INTERCEPTOR(void*, calloc, uptr nmemb, uptr size) { INTERCEPTOR(void*, calloc, uptr nmemb, uptr size) {
if (UNLIKELY(!asan_inited)) { if (UNLIKELY(!asan_inited)) {
// Hack: dlsym calls calloc before REAL(calloc) is retrieved from dlsym. // Hack: dlsym calls calloc before REAL(calloc) is retrieved from dlsym.
const uptr kCallocPoolSize = 1024;
static uptr calloc_memory_for_dlsym[kCallocPoolSize];
static uptr allocated; static uptr allocated;
uptr size_in_words = ((nmemb * size) + kWordSize - 1) / kWordSize; uptr size_in_words = ((nmemb * size) + kWordSize - 1) / kWordSize;
void *mem = (void*)&calloc_memory_for_dlsym[allocated]; void *mem = (void*)&calloc_memory_for_dlsym[allocated];
allocated += size_in_words; allocated += size_in_words;
CHECK(allocated < kCallocPoolSize); CHECK(allocated < kCallocPoolSize);
return mem; return mem;
} }
GET_STACK_TRACE_MALLOC; GET_STACK_TRACE_MALLOC;
return asan_calloc(nmemb, size, &stack); return asan_calloc(nmemb, size, &stack);
} }
INTERCEPTOR(void*, realloc, void *ptr, uptr size) { INTERCEPTOR(void*, realloc, void *ptr, uptr size) {
GET_STACK_TRACE_MALLOC; GET_STACK_TRACE_MALLOC;
if (UNLIKELY(IsInCallocPool(ptr))) {
uptr offset = (uptr)ptr - (uptr)calloc_memory_for_dlsym;
uptr copy_size = Min(size, kCallocPoolSize - offset);
void *new_ptr = asan_malloc(size, &stack);
internal_memcpy(new_ptr, ptr, copy_size);
return new_ptr;
}
return asan_realloc(ptr, size, &stack); return asan_realloc(ptr, size, &stack);
} }
INTERCEPTOR(void*, memalign, uptr boundary, uptr size) { INTERCEPTOR(void*, memalign, uptr boundary, uptr size) {
GET_STACK_TRACE_MALLOC; GET_STACK_TRACE_MALLOC;
return asan_memalign(boundary, size, &stack, FROM_MALLOC); return asan_memalign(boundary, size, &stack, FROM_MALLOC);
} }
▲ Show 20 LinesShow All 117 LinesShow Last 20 Lines

compiler-rt/trunk/test/asan/TestCases/Linux/calloc-preload.c

// Test that initially callocked memory is properly freed
// (see https://github.com/google/sanitizers/issues/626).
//
// RUN: %clang %s -o %t
// RUN: env LD_PRELOAD=%shared_libasan %run %t
//
// REQUIRES: asan-dynamic-runtime
//
// This way of setting LD_PRELOAD does not work with Android test runner.
// REQUIRES: not-android
#include <stdio.h>
#include <stdlib.h>
static void *ptr;
// This constructor will run before __asan_init
// so calloc will allocate memory from special pool.
static void init() {
ptr = calloc(10, 1);
}
__attribute__((section(".preinit_array"), used))
void *dummy = init;
void free_memory() {
// This used to abort because
// Asan's free didn't recognize ptr.
free(ptr);
}
int main() {
free_memory();
return 0;
}