This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lib/asan/
-
asan/
1
asan_allocator.cc
-
test/asan/TestCases/Posix/
-
asan/
-
TestCases/
-
Posix/
1
bad-free-no-segv.cc

Differential D17690

[asan] Check if the memory is readable before using the AsanChunk in free() and realloc()
AbandonedPublic

Authored by filcab on Feb 28 2016, 1:39 AM.

Download Raw Diff

Details

Reviewers

kcc
samsonov
earthdok

Summary

This allows us to better diagnose free() and realloc() with a bad
pointer, instead of SIGSEGV.

Diff Detail

Event Timeline

filcab updated this revision to Diff 49313.Feb 28 2016, 1:39 AM

filcab retitled this revision from to [asan] Check if the memory is readable before using the AsanChunk in free() and realloc().

filcab updated this object.

filcab added reviewers: kcc, samsonov, earthdok.

filcab added a subscriber: llvm-commits.

I'm somewhat worried about the performance implications of this. IsAccessibleMemoryRange is a syscall after all, not sure it would be nice to call it on every malloc/free. We do run non-trivial operations on these calls though, like collecting stack traces.

Thanks for doing this!
One comment for the test.

test/asan/TestCases/Posix/bad-free-no-segv.cc
15	I'd prefer the test to use a separate mprotec-ted chunk, not the shadow gap.

kcc added inline comments.Feb 29 2016, 10:53 AM

lib/asan/asan_allocator.cc
527	Oh, yes, I've totally missed this. For some reason I thought this is on the error-reporting path. Thanks Alexey. Yes, on the main path we can't do this.

That is totally true. I didn't think of the pipe()+write().
Thank you.

Revision Contents

Path

Size

lib/

asan/

asan_allocator.cc

5 lines

test/

asan/

TestCases/

Posix/

bad-free-no-segv.cc

31 lines

Diff 49313

lib/asan/asan_allocator.cc

Show All 16 Lines

#include "asan_allocator.h"		#include "asan_allocator.h"
#include "asan_mapping.h"		#include "asan_mapping.h"
#include "asan_poisoning.h"		#include "asan_poisoning.h"
#include "asan_report.h"		#include "asan_report.h"
#include "asan_stack.h"		#include "asan_stack.h"
#include "asan_thread.h"		#include "asan_thread.h"
#include "sanitizer_common/sanitizer_allocator_interface.h"		#include "sanitizer_common/sanitizer_allocator_interface.h"
		#include "sanitizer_common/sanitizer_common.h"
#include "sanitizer_common/sanitizer_flags.h"		#include "sanitizer_common/sanitizer_flags.h"
#include "sanitizer_common/sanitizer_internal_defs.h"		#include "sanitizer_common/sanitizer_internal_defs.h"
#include "sanitizer_common/sanitizer_list.h"		#include "sanitizer_common/sanitizer_list.h"
#include "sanitizer_common/sanitizer_stackdepot.h"		#include "sanitizer_common/sanitizer_stackdepot.h"
#include "sanitizer_common/sanitizer_quarantine.h"		#include "sanitizer_common/sanitizer_quarantine.h"
#include "lsan/lsan_common.h"		#include "lsan/lsan_common.h"

namespace __asan {		namespace __asan {
▲ Show 20 Lines • Show All 485 Lines • ▼ Show 20 Lines	#endif

void Deallocate(void ptr, uptr delete_size, BufferedStackTrace stack,		void Deallocate(void ptr, uptr delete_size, BufferedStackTrace stack,
AllocType alloc_type) {		AllocType alloc_type) {
uptr p = reinterpret_cast<uptr>(ptr);		uptr p = reinterpret_cast<uptr>(ptr);
if (p == 0) return;		if (p == 0) return;

uptr chunk_beg = p - kChunkHeaderSize;		uptr chunk_beg = p - kChunkHeaderSize;
AsanChunk m = reinterpret_cast<AsanChunk >(chunk_beg);		AsanChunk m = reinterpret_cast<AsanChunk >(chunk_beg);
		if (!IsAccessibleMemoryRange((uptr)m, sizeof(AsanChunk)))
		kccUnsubmitted Not Done Reply Inline Actions Oh, yes, I've totally missed this. For some reason I thought this is on the error-reporting path. Thanks Alexey. Yes, on the main path we can't do this. kcc: Oh, yes, I've totally missed this. For some reason I thought this is on the error-reporting…
		ReportFreeNotMalloced((uptr)ptr, stack);
if (delete_size && flags()->new_delete_type_mismatch &&		if (delete_size && flags()->new_delete_type_mismatch &&
delete_size != m->UsedSize()) {		delete_size != m->UsedSize()) {
ReportNewDeleteSizeMismatch(p, delete_size, stack);		ReportNewDeleteSizeMismatch(p, delete_size, stack);
}		}
ASAN_FREE_HOOK(ptr);		ASAN_FREE_HOOK(ptr);
// Must mark the chunk as quarantined before any changes to its metadata.		// Must mark the chunk as quarantined before any changes to its metadata.
// Do not quarantine given chunk if we failed to set CHUNK_QUARANTINE flag.		// Do not quarantine given chunk if we failed to set CHUNK_QUARANTINE flag.
if (!AtomicallySetQuarantineFlagIfAllocated(m, ptr, stack)) return;		if (!AtomicallySetQuarantineFlagIfAllocated(m, ptr, stack)) return;
QuarantineChunk(m, ptr, stack, alloc_type);		QuarantineChunk(m, ptr, stack, alloc_type);
}		}

void Reallocate(void old_ptr, uptr new_size, BufferedStackTrace *stack) {		void Reallocate(void old_ptr, uptr new_size, BufferedStackTrace *stack) {
CHECK(old_ptr && new_size);		CHECK(old_ptr && new_size);
uptr p = reinterpret_cast<uptr>(old_ptr);		uptr p = reinterpret_cast<uptr>(old_ptr);
uptr chunk_beg = p - kChunkHeaderSize;		uptr chunk_beg = p - kChunkHeaderSize;
AsanChunk m = reinterpret_cast<AsanChunk >(chunk_beg);		AsanChunk m = reinterpret_cast<AsanChunk >(chunk_beg);
		if (!IsAccessibleMemoryRange((uptr)m, sizeof(AsanChunk)))
		ReportFreeNotMalloced((uptr)old_ptr, stack);

AsanStats &thread_stats = GetCurrentThreadStats();		AsanStats &thread_stats = GetCurrentThreadStats();
thread_stats.reallocs++;		thread_stats.reallocs++;
thread_stats.realloced += new_size;		thread_stats.realloced += new_size;

void *new_ptr = Allocate(new_size, 8, stack, FROM_MALLOC, true);		void *new_ptr = Allocate(new_size, 8, stack, FROM_MALLOC, true);
if (new_ptr) {		if (new_ptr) {
u8 chunk_state = m->chunk_state;		u8 chunk_state = m->chunk_state;
▲ Show 20 Lines • Show All 367 Lines • Show Last 20 Lines

test/asan/TestCases/Posix/bad-free-no-segv.cc

This file was added.

				// RUN: %clangxx_asan -O0 %s -o %t
				// RUN: not %run %t f 2>&1 \| FileCheck %s
				// RUN: not %run %t r 2>&1 \| FileCheck %s
				#include <assert.h>
				#include <stdlib.h>
				#include <sanitizer/asan_interface.h>

				// CHECK-NOT: DEADLYSIGNAL
				// CHECK: AddressSanitizer: attempting free on address which was not malloc()-ed
				int main(int argc, char **argv) {
				// The shadow gap is mprotect()ed, so we get an address inside it and pass it
				// along to free. reading from it should be a problem and ASan should notice
				// it before trying to read.
				size_t shadow_scale, shadow_offset;
				__asan_get_shadow_mapping(&shadow_scale, &shadow_offset);
				kccUnsubmitted Not Done Reply Inline Actions I'd prefer the test to use a separate mprotec-ted chunk, not the shadow gap. kcc: I'd prefer the test to use a separate mprotec-ted chunk, not the shadow gap.
				// We add 0x100 because asan_free subtracts sizeof(AsanChunk) to our ptr.
				// Which means we need to make sure that the free()ed/realloc()ed pointer is
				// also in non-addressable memory.
				void p = (void )(shadow_offset + 0x1000 + (shadow_offset >> shadow_scale));
				assert(argc == 2);
				switch (argv[1][0]) {
				case 'f':
				free(p);
				break;
				case 'r':
				realloc(p, 42);
				break;
				default:
				assert(false);
				}
				}