This is an archive of the discontinued LLVM Phabricator instance.

Differential D19576

[sanitizer] [SystemZ] Abort if the kernel might be vulnerable to CVE-2016-2143.
ClosedPublic

Authored by koriakin on Apr 26 2016, 7:06 PM.

Details

Reviewers
kcc
Commits
rGb7b5ac60c470: [sanitizer] [SystemZ] Abort if the kernel might be vulnerable to CVE-2016-2143.
rCRT267747: [sanitizer] [SystemZ] Abort if the kernel might be vulnerable to CVE-2016-2143.
rL267747: [sanitizer] [SystemZ] Abort if the kernel might be vulnerable to CVE-2016-2143.
Summary

In short, CVE-2016-2143 will crash the machine if a process uses both >4TB
virtual addresses and fork(). ASan, TSan, and MSan will, by necessity, map
a sizable chunk of virtual address space, which is much larger than 4TB.
Even worse, sanitizers will always use fork() for llvm-symbolizer when a bug
is detected. Disable all three by aborting on process initialization if
the running kernel version is not known to contain a fix.

Unfortunately, there's no reliable way to detect the fix without crashing
the kernel. So, we rely on whitelisting - I've included a list of upstream
kernel versions that will work. In case someone uses a distribution kernel
or applied the fix themselves, an override switch is also included.

Diff Detail

Repository
rL LLVM

Event Timeline

koriakin updated this revision to Diff 55155.Apr 26 2016, 7:06 PM
koriakin retitled this revision from to [sanitizer] [SystemZ] Abort if the kernel might be vulnerable to CVE-2016-2143..
koriakin updated this object.
koriakin added a reviewer: kcc.
koriakin set the repository for this revision to rL LLVM.
koriakin added a project: Restricted Project.
koriakin added a subscriber: llvm-commits.
Herald added a subscriber: kubamracek. · View Herald TranscriptApr 26 2016, 7:06 PM
koriakin added a comment.Apr 26 2016, 7:08 PM

Second attempt at D18915. Compared to the previous version:

  • function is declared in sanitizer_common.h, called unconditionally, and is an empty stub on everything but s390x-linux
  • code is moved to sanitizer_linux_s390.cc
  • I've added a call in lsan and dfsan init as well, as they also involve huge memory reservations
kcc accepted this revision.Apr 27 2016, 10:43 AM
kcc edited edge metadata.

LGTM

This revision is now accepted and ready to land.Apr 27 2016, 10:43 AM
Closed by commit rL267747: [sanitizer] [SystemZ] Abort if the kernel might be vulnerable to CVE-2016-2143. (authored by koriakin). · Explain WhyApr 27 2016, 10:47 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
compiler-rt/
trunk/
lib/
asan/
1 line
dfsan/
1 line
lsan/
1 line
msan/
1 line
sanitizer_common/
10 lines
69 lines
tsan/
rtl/
1 line

Diff 55261

compiler-rt/trunk/lib/asan/asan_rtl.cc

Show First 20 LinesShow All 409 Lines▼ Show 20 Linesstatic void AsanInitInternal() {
CacheBinaryName(); CacheBinaryName();
// Initialize flags. This must be done early, because most of the // Initialize flags. This must be done early, because most of the
// initialization steps look at flags(). // initialization steps look at flags().
InitializeFlags(); InitializeFlags();
AsanCheckIncompatibleRT(); AsanCheckIncompatibleRT();
AsanCheckDynamicRTPrereqs(); AsanCheckDynamicRTPrereqs();
AvoidCVE_2016_2143();
SetCanPoisonMemory(flags()->poison_heap); SetCanPoisonMemory(flags()->poison_heap);
SetMallocContextSize(common_flags()->malloc_context_size); SetMallocContextSize(common_flags()->malloc_context_size);
InitializeHighMemEnd(); InitializeHighMemEnd();
// Make sure we are not statically linked. // Make sure we are not statically linked.
AsanDoesNotSupportStaticLinkage(); AsanDoesNotSupportStaticLinkage();
▲ Show 20 LinesShow All 205 LinesShow Last 20 Lines

compiler-rt/trunk/lib/dfsan/dfsan.cc

Show First 20 LinesShow All 362 Lines▼ Show 20 Linesstatic void InitializeFlags() {
RegisterDfsanFlags(&parser, &flags()); RegisterDfsanFlags(&parser, &flags());
parser.ParseString(GetEnv("DFSAN_OPTIONS")); parser.ParseString(GetEnv("DFSAN_OPTIONS"));
InitializeCommonFlags(); InitializeCommonFlags();
if (Verbosity()) ReportUnrecognizedFlags(); if (Verbosity()) ReportUnrecognizedFlags();
if (common_flags()->help) parser.PrintFlagDescriptions(); if (common_flags()->help) parser.PrintFlagDescriptions();
} }
static void InitializePlatformEarly() { static void InitializePlatformEarly() {
AvoidCVE_2016_2143();
#ifdef DFSAN_RUNTIME_VMA #ifdef DFSAN_RUNTIME_VMA
__dfsan::vmaSize = __dfsan::vmaSize =
(MostSignificantSetBitIndex(GET_CURRENT_FRAME()) + 1); (MostSignificantSetBitIndex(GET_CURRENT_FRAME()) + 1);
if (__dfsan::vmaSize == 39 || __dfsan::vmaSize == 42) { if (__dfsan::vmaSize == 39 || __dfsan::vmaSize == 42) {
__dfsan_shadow_ptr_mask = ShadowMask(); __dfsan_shadow_ptr_mask = ShadowMask();
} else { } else {
Printf("FATAL: DataFlowSanitizer: unsupported VMA range\n"); Printf("FATAL: DataFlowSanitizer: unsupported VMA range\n");
Printf("FATAL: Found %d - Supported 39 and 42\n", __dfsan::vmaSize); Printf("FATAL: Found %d - Supported 39 and 42\n", __dfsan::vmaSize);
▲ Show 20 LinesShow All 51 LinesShow Last 20 Lines

compiler-rt/trunk/lib/lsan/lsan.cc

Show First 20 LinesShow All 66 Lines▼ Show 20 Lines
extern "C" void __lsan_init() { extern "C" void __lsan_init() {
CHECK(!lsan_init_is_running); CHECK(!lsan_init_is_running);
if (lsan_inited) if (lsan_inited)
return; return;
lsan_init_is_running = true; lsan_init_is_running = true;
SanitizerToolName = "LeakSanitizer"; SanitizerToolName = "LeakSanitizer";
CacheBinaryName(); CacheBinaryName();
AvoidCVE_2016_2143();
InitializeFlags(); InitializeFlags();
InitCommonLsan(); InitCommonLsan();
InitializeAllocator(); InitializeAllocator();
InitTlsSize(); InitTlsSize();
InitializeInterceptors(); InitializeInterceptors();
InitializeThreadRegistry(); InitializeThreadRegistry();
u32 tid = ThreadCreate(0, 0, true); u32 tid = ThreadCreate(0, 0, true);
CHECK_EQ(tid, 0); CHECK_EQ(tid, 0);
Show All 17 Lines

compiler-rt/trunk/lib/msan/msan.cc

Show First 20 LinesShow All 369 Lines▼ Show 20 Lines
} }
void __msan_init() { void __msan_init() {
CHECK(!msan_init_is_running); CHECK(!msan_init_is_running);
if (msan_inited) return; if (msan_inited) return;
msan_init_is_running = 1; msan_init_is_running = 1;
SanitizerToolName = "MemorySanitizer"; SanitizerToolName = "MemorySanitizer";
AvoidCVE_2016_2143();
InitTlsSize(); InitTlsSize();
CacheBinaryName(); CacheBinaryName();
InitializeFlags(); InitializeFlags();
__sanitizer_set_report_path(common_flags()->log_path); __sanitizer_set_report_path(common_flags()->log_path);
InitializeInterceptors(); InitializeInterceptors();
▲ Show 20 LinesShow All 252 LinesShow Last 20 Lines

compiler-rt/trunk/lib/sanitizer_common/sanitizer_common.h

Show First 20 LinesShow All 803 Lines▼ Show 20 Lines
// A simple scope guard. Usage: // A simple scope guard. Usage:
// auto cleanup = at_scope_exit([]{ do_cleanup; }); // auto cleanup = at_scope_exit([]{ do_cleanup; });
template <typename Fn> template <typename Fn>
RunOnDestruction<Fn> at_scope_exit(Fn fn) { RunOnDestruction<Fn> at_scope_exit(Fn fn) {
return RunOnDestruction<Fn>(fn); return RunOnDestruction<Fn>(fn);
} }
// Linux on 64-bit s390 had a nasty bug that crashes the whole machine
// if a process uses virtual memory over 4TB (as many sanitizers like
// to do). This function will abort the process if running on a kernel
// that looks vulnerable.
#if SANITIZER_LINUX && SANITIZER_S390_64
void AvoidCVE_2016_2143();
#else
INLINE void AvoidCVE_2016_2143() {}
#endif
} // namespace __sanitizer } // namespace __sanitizer
inline void *operator new(__sanitizer::operator_new_size_type size, inline void *operator new(__sanitizer::operator_new_size_type size,
__sanitizer::LowLevelAllocator &alloc) { __sanitizer::LowLevelAllocator &alloc) {
return alloc.Allocate(size); return alloc.Allocate(size);
} }
struct StackDepotStats { struct StackDepotStats {
uptr n_uniq_ids; uptr n_uniq_ids;
uptr allocated; uptr allocated;
}; };
#endif // SANITIZER_COMMON_H #endif // SANITIZER_COMMON_H

compiler-rt/trunk/lib/sanitizer_common/sanitizer_linux_s390.cc

Show All 10 Lines
// run-time libraries and implements s390-linux-specific functions from // run-time libraries and implements s390-linux-specific functions from
// sanitizer_libc.h. // sanitizer_libc.h.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "sanitizer_platform.h" #include "sanitizer_platform.h"
#if SANITIZER_LINUX && SANITIZER_S390 #if SANITIZER_LINUX && SANITIZER_S390
#include "sanitizer_libc.h"
#include "sanitizer_linux.h" #include "sanitizer_linux.h"
#include <errno.h> #include <errno.h>
#include <sys/syscall.h> #include <sys/syscall.h>
#include <sys/utsname.h>
#include <unistd.h> #include <unistd.h>
namespace __sanitizer { namespace __sanitizer {
// --------------- sanitizer_libc.h // --------------- sanitizer_libc.h
uptr internal_mmap(void *addr, uptr length, int prot, int flags, int fd, uptr internal_mmap(void *addr, uptr length, int prot, int flags, int fd,
OFF_T offset) { OFF_T offset) {
struct s390_mmap_params { struct s390_mmap_params {
▲ Show 20 LinesShow All 78 Lines▼ Show 20 Lines#endif
"r"(__flags), "r"(__flags),
"r"(__ptidptr), "r"(__ptidptr),
"r"(__ctidptr), "r"(__ctidptr),
"r"(__newtls) "r"(__newtls)
: "memory", "cc"); : "memory", "cc");
return res; return res;
} }
#if SANITIZER_S390_64
static bool FixedCVE_2016_2143() {
// Try to determine if the running kernel has a fix for CVE-2016-2143,
// return false if in doubt (better safe than sorry). Distros may want to
// adjust this for their own kernels.
struct utsname buf;
unsigned int major, minor, patch = 0;
// This should never fail, but just in case...
if (uname(&buf))
return false;
char *ptr = buf.release;
major = internal_simple_strtoll(ptr, &ptr, 10);
// At least first 2 should be matched.
if (ptr[0] != '.')
return false;
minor = internal_simple_strtoll(ptr+1, &ptr, 10);
// Third is optional.
if (ptr[0] == '.')
patch = internal_simple_strtoll(ptr+1, &ptr, 10);
if (major < 3) {
// <3.0 is bad.
return false;
} else if (major == 3) {
// 3.2.79+ is OK.
if (minor == 2 && patch >= 79)
return true;
// Otherwise, bad.
return false;
} else if (major == 4) {
// 4.1.21+ is OK.
if (minor == 1 && patch >= 21)
return true;
// 4.4.6+ is OK.
if (minor == 4 && patch >= 6)
return true;
// Otherwise, OK if 4.5+.
return minor >= 5;
} else {
// Linux 5 and up are fine.
return true;
}
}
void AvoidCVE_2016_2143() {
// Older kernels are affected by CVE-2016-2143 - they will crash hard
// if someone uses 4-level page tables (ie. virtual addresses >= 4TB)
// and fork() in the same process. Unfortunately, sanitizers tend to
// require such addresses. Since this is very likely to crash the whole
// machine (sanitizers themselves use fork() for llvm-symbolizer, for one),
// abort the process at initialization instead.
if (FixedCVE_2016_2143())
return;
if (GetEnv("SANITIZER_IGNORE_CVE_2016_2143"))
return;
Report(
"ERROR: Your kernel seems to be vulnerable to CVE-2016-2143. Using ASan,\n"
"MSan, TSan, DFSan or LSan with such kernel can and will crash your\n"
"machine, or worse.\n"
"\n"
"If you are certain your kernel is not vulnerable (you have compiled it\n"
"yourself, or are using an unrecognized distribution kernel), you can\n"
"override this safety check by exporting SANITIZER_IGNORE_CVE_2016_2143\n"
"with any value.\n");
Die();
}
#endif
} // namespace __sanitizer } // namespace __sanitizer
#endif // SANITIZER_LINUX && SANITIZER_S390 #endif // SANITIZER_LINUX && SANITIZER_S390

compiler-rt/trunk/lib/tsan/rtl/tsan_rtl.cc

Show First 20 LinesShow All 315 Lines▼ Show 20 Linesvoid Initialize(ThreadState *thr) {
SanitizerToolName = "ThreadSanitizer"; SanitizerToolName = "ThreadSanitizer";
// Install tool-specific callbacks in sanitizer_common. // Install tool-specific callbacks in sanitizer_common.
SetCheckFailedCallback(TsanCheckFailed); SetCheckFailedCallback(TsanCheckFailed);
ctx = new(ctx_placeholder) Context; ctx = new(ctx_placeholder) Context;
const char *options = GetEnv(kTsanOptionsEnv); const char *options = GetEnv(kTsanOptionsEnv);
CacheBinaryName(); CacheBinaryName();
InitializeFlags(&ctx->flags, options); InitializeFlags(&ctx->flags, options);
AvoidCVE_2016_2143();
InitializePlatformEarly(); InitializePlatformEarly();
#ifndef SANITIZER_GO #ifndef SANITIZER_GO
// Re-exec ourselves if we need to set additional env or command line args. // Re-exec ourselves if we need to set additional env or command line args.
MaybeReexec(); MaybeReexec();
InitializeAllocator(); InitializeAllocator();
ReplaceSystemMalloc(); ReplaceSystemMalloc();
#endif #endif
▲ Show 20 LinesShow All 691 LinesShow Last 20 Lines