This is an archive of the discontinued LLVM Phabricator instance.

Differential D5253

PR20721: Don't let UBSan print inaccessible memory
ClosedPublic

Authored by samsonov on Sep 8 2014, 4:56 PM.

Details

Reviewers
glider
eugenis
Commits
rG1947bf99217a: PR20721: Don't let UBSan print inaccessible memory
rCRT217971: PR20721: Don't let UBSan print inaccessible memory
rL217971: PR20721: Don't let UBSan print inaccessible memory
Summary

UBSan needs to check if memory snippet it's going to print resides
in addressable memory. Similar check might be helpful in ASan with
dump_instruction_bytes option (see http://reviews.llvm.org/D5167).

Instead of scanning /proc/self/maps manually, delegate this check to
the OS kernel: try to write this memory in a syscall and assume that
memory is inaccessible if the syscall failed (e.g. with EFAULT).

Fixes PR20721.

Diff Detail

Event Timeline

samsonov updated this revision to Diff 13431.Sep 8 2014, 4:56 PM
samsonov retitled this revision from to PR20721: Don't let UBSan print inaccessible memory.
samsonov updated this object.
samsonov edited the test plan for this revision. (Show Details)
samsonov added a reviewer: eugenis.
samsonov added subscribers: rsmith, glider, Unknown Object (MLST).
ygribov added a subscriber: ygribov.Sep 8 2014, 11:42 PM
ygribov added inline comments.
lib/sanitizer_common/sanitizer_posix_libcdep.cc
177

Perhaps assert that write_errno == EFAULT in case of error?

glider added a comment.Sep 9 2014, 12:06 AM

I've checked that IsAccessibleMemoryRange works on Linux and OSX on the following examples:

char *mem = (char*)mmap(0, 4096 * 2, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
mprotect(mem + 4096, 4096, PROT_NONE);
printf("mem: %p\n", mem);
IsAccessibleMemoryRange(mem, 4095);  // 1
IsAccessibleMemoryRange(mem, 4096);  // 1
IsAccessibleMemoryRange(mem, 4097);  // 0
IsAccessibleMemoryRange(mem + 4095, 1);  // 1
IsAccessibleMemoryRange(mem + 4095, 2);  // 0
IsAccessibleMemoryRange(0, 2);  // 0

Care to add a unittest?

lib/sanitizer_common/sanitizer_posix_libcdep.cc
169

Any limits on |size|?
I think it must be an sptr greater than -1 (you're going to compare bytes_written to it) and less than kPageSize (otherwise it'll take too much time to check chunks of too big size)

173

internal_write() returns sptr, not uptr (at least it must).
Also, when bytes_written == size (assuming size != -1), internal_iserror() is always false.

eugenis added inline comments.Sep 9 2014, 1:40 AM
lib/sanitizer_common/sanitizer_posix_libcdep.cc
171

Pipes have capacity, and large writes can block.
Maybe write to /dev/null instead?

glider added a comment.Sep 9 2014, 1:52 AM

A too restrictive seccomp policy may prohibit opening /dev/null

samsonov added inline comments.Sep 9 2014, 3:28 PM
lib/sanitizer_common/sanitizer_posix_libcdep.cc
171

See http://stackoverflow.com/questions/4611776/isbadreadptr-analogue-on-unix#comment23029943_4611930 - writing to /dev/null may always succeed.

171

If handling EINTR is not enough, I'd rather assert that "size" argument is reasonable small.

173

I believe we have a custom calling convention for returning errno from syscalls on Linux...

samsonov updated this revision to Diff 13657.Sep 12 2014, 1:34 PM

Address reviewers' comments. Add a unit test for IsAccessibleMemoryRange.

glider accepted this revision.Sep 17 2014, 5:33 AM
glider added a reviewer: glider.

LGTM

lib/sanitizer_common/sanitizer_win.cc
526

I suggest making this function always return true and adding a FIXME

This revision is now accepted and ready to land.Sep 17 2014, 5:33 AM
emaste added a subscriber: emaste.Sep 17 2014, 6:01 AM
samsonov added inline comments.Sep 17 2014, 11:02 AM
lib/sanitizer_common/sanitizer_posix_libcdep.cc
169

I pass beg/end instead and check that beg <= end and end - beg < 10*pagesize

177

Done

lib/sanitizer_common/sanitizer_win.cc
526

Done.

samsonov updated this object.Sep 17 2014, 11:04 AM
samsonov edited edge metadata.
samsonov closed this revision.Sep 17 2014, 11:05 AM

Revision Contents

PathSize
lib/
sanitizer_common/
2 lines
22 lines
4 lines
tests/
18 lines
ubsan/
6 lines
test/
ubsan/
TestCases/
TypeCheck/
11 lines

Diff 13657

lib/sanitizer_common/sanitizer_common.h

Show First 20 LinesShow All 161 Lines▼ Show 20 Lines
uptr ReadFileToBuffer(const char *file_name, char **buff, uptr ReadFileToBuffer(const char *file_name, char **buff,
uptr *buff_size, uptr max_len); uptr *buff_size, uptr max_len);
// Maps given file to virtual memory, and returns pointer to it // Maps given file to virtual memory, and returns pointer to it
// (or NULL if the mapping failes). Stores the size of mmaped region // (or NULL if the mapping failes). Stores the size of mmaped region
// in '*buff_size'. // in '*buff_size'.
void *MapFileToMemory(const char *file_name, uptr *buff_size); void *MapFileToMemory(const char *file_name, uptr *buff_size);
void *MapWritableFileToMemory(void *addr, uptr size, uptr fd, uptr offset); void *MapWritableFileToMemory(void *addr, uptr size, uptr fd, uptr offset);
bool IsAccessibleMemoryRange(uptr beg, uptr size);
// Error report formatting. // Error report formatting.
const char *StripPathPrefix(const char *filepath, const char *StripPathPrefix(const char *filepath,
const char *strip_file_prefix); const char *strip_file_prefix);
void PrintSourceLocation(InternalScopedString *buffer, const char *file, void PrintSourceLocation(InternalScopedString *buffer, const char *file,
int line, int column); int line, int column);
void PrintModuleAndOffset(InternalScopedString *buffer, void PrintModuleAndOffset(InternalScopedString *buffer,
const char *module, uptr offset); const char *module, uptr offset);
▲ Show 20 LinesShow All 390 LinesShow Last 20 Lines

lib/sanitizer_common/sanitizer_posix_libcdep.cc

Show First 20 LinesShow All 160 Lines▼ Show 20 Linesvoid InstallDeadlySignalHandlers(SignalHandlerType handler) {
// This will cause SetAlternateSignalStack to be called twice, but the stack // This will cause SetAlternateSignalStack to be called twice, but the stack
// will be actually set only once. // will be actually set only once.
if (common_flags()->use_sigaltstack) SetAlternateSignalStack(); if (common_flags()->use_sigaltstack) SetAlternateSignalStack();
MaybeInstallSigaction(SIGSEGV, handler); MaybeInstallSigaction(SIGSEGV, handler);
MaybeInstallSigaction(SIGBUS, handler); MaybeInstallSigaction(SIGBUS, handler);
} }
#endif // SANITIZER_GO #endif // SANITIZER_GO
bool IsAccessibleMemoryRange(uptr beg, uptr size) {
gliderUnsubmitted
Not Done
ReplyInline Actions

Any limits on |size|?
I think it must be an sptr greater than -1 (you're going to compare bytes_written to it) and less than kPageSize (otherwise it'll take too much time to check chunks of too big size)

glider: Any limits on |size|? I think it must be an sptr greater than -1 (you're going to compare…
samsonovAuthorUnsubmitted
Not Done
ReplyInline Actions

I pass beg/end instead and check that beg <= end and end - beg < 10*pagesize

samsonov: I pass beg/end instead and check that beg <= end and end - beg < 10*pagesize
uptr page_size = GetPageSizeCached();
// Checking too large memory ranges is slow.
eugenisUnsubmitted
Not Done
ReplyInline Actions

Pipes have capacity, and large writes can block.
Maybe write to /dev/null instead?

eugenis: Pipes have capacity, and large writes can block. Maybe write to /dev/null instead?
samsonovAuthorUnsubmitted
Not Done
ReplyInline Actions

See http://stackoverflow.com/questions/4611776/isbadreadptr-analogue-on-unix#comment23029943_4611930 - writing to /dev/null may always succeed.

samsonov: See http://stackoverflow.com/questions/4611776/isbadreadptr-analogue-on…
samsonovAuthorUnsubmitted
Not Done
ReplyInline Actions

If handling EINTR is not enough, I'd rather assert that "size" argument is reasonable small.

samsonov: If handling EINTR is not enough, I'd rather assert that "size" argument is reasonable small.
CHECK_LT(size, page_size * 10);
int sock_pair[2];
gliderUnsubmitted
Not Done
ReplyInline Actions

internal_write() returns sptr, not uptr (at least it must).
Also, when bytes_written == size (assuming size != -1), internal_iserror() is always false.

glider: internal_write() returns sptr, not uptr (at least it must). Also, when bytes_written == size…
samsonovAuthorUnsubmitted
Not Done
ReplyInline Actions

I believe we have a custom calling convention for returning errno from syscalls on Linux...

samsonov: I believe we have a custom calling convention for returning errno from syscalls on Linux...
if (pipe(sock_pair))
return false;
uptr bytes_written =
internal_write(sock_pair[1], reinterpret_cast<void *>(beg), size);
ygribovUnsubmitted
Not Done
ReplyInline Actions

Perhaps assert that write_errno == EFAULT in case of error?

ygribov: Perhaps assert that write_errno == EFAULT in case of error?
samsonovAuthorUnsubmitted
Not Done
ReplyInline Actions

Done

samsonov: Done
int write_errno;
bool result;
if (internal_iserror(bytes_written, &write_errno)) {
CHECK_EQ(EFAULT, write_errno);
result = false;
} else {
result = (bytes_written == size);
}
internal_close(sock_pair[0]);
internal_close(sock_pair[1]);
return result;
}
} // namespace __sanitizer } // namespace __sanitizer
#endif // SANITIZER_POSIX #endif // SANITIZER_POSIX

lib/sanitizer_common/sanitizer_win.cc

Show First 20 LinesShow All 516 Lines▼ Show 20 Linesvoid InstallDeadlySignalHandlers(SignalHandlerType handler) {
// FIXME: Decide what to do on Windows. // FIXME: Decide what to do on Windows.
} }
bool IsDeadlySignal(int signum) { bool IsDeadlySignal(int signum) {
// FIXME: Decide what to do on Windows. // FIXME: Decide what to do on Windows.
return false; return false;
} }
bool IsAccessibleMemoryRange(uptr beg, uptr size) {
UNIMPLEMENTED();
gliderUnsubmitted
Not Done
ReplyInline Actions

I suggest making this function always return true and adding a FIXME

glider: I suggest making this function always return true and adding a FIXME
samsonovAuthorUnsubmitted
Not Done
ReplyInline Actions

Done.

samsonov: Done.
}
} // namespace __sanitizer } // namespace __sanitizer
#endif // _WIN32 #endif // _WIN32

lib/sanitizer_common/tests/sanitizer_posix_test.cc

Show All 12 Lines
#include "sanitizer_common/sanitizer_platform.h" #include "sanitizer_common/sanitizer_platform.h"
#if SANITIZER_POSIX #if SANITIZER_POSIX
#include "sanitizer_common/sanitizer_common.h" #include "sanitizer_common/sanitizer_common.h"
#include "gtest/gtest.h" #include "gtest/gtest.h"
#include <pthread.h> #include <pthread.h>
#include <sys/mman.h>
namespace __sanitizer { namespace __sanitizer {
static pthread_key_t key; static pthread_key_t key;
static bool destructor_executed; static bool destructor_executed;
extern "C" extern "C"
void destructor(void *arg) { void destructor(void *arg) {
Show All 23 Lines
TEST(SanitizerCommon, PthreadDestructorIterations) { TEST(SanitizerCommon, PthreadDestructorIterations) {
ASSERT_EQ(0, pthread_key_create(&key, &destructor)); ASSERT_EQ(0, pthread_key_create(&key, &destructor));
SpawnThread(kPthreadDestructorIterations); SpawnThread(kPthreadDestructorIterations);
EXPECT_TRUE(destructor_executed); EXPECT_TRUE(destructor_executed);
SpawnThread(kPthreadDestructorIterations + 1); SpawnThread(kPthreadDestructorIterations + 1);
EXPECT_FALSE(destructor_executed); EXPECT_FALSE(destructor_executed);
} }
TEST(SanitizerCommon, IsAccessibleMemoryRange) {
const int page_size = GetPageSize();
uptr mem = (uptr)mmap(0, 3 * page_size, PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANON, -1, 0);
// Protect the middle page.
mprotect((void *)(mem + page_size), page_size, PROT_NONE);
EXPECT_TRUE(IsAccessibleMemoryRange(mem, page_size - 1));
EXPECT_TRUE(IsAccessibleMemoryRange(mem, page_size));
EXPECT_FALSE(IsAccessibleMemoryRange(mem, page_size + 1));
EXPECT_TRUE(IsAccessibleMemoryRange(mem + page_size - 1, 1));
EXPECT_FALSE(IsAccessibleMemoryRange(mem + page_size - 1, 2));
EXPECT_FALSE(IsAccessibleMemoryRange(mem + 2 * page_size - 1, 1));
EXPECT_TRUE(IsAccessibleMemoryRange(mem + 2 * page_size, page_size));
EXPECT_FALSE(IsAccessibleMemoryRange(mem, 3 * page_size));
EXPECT_FALSE(IsAccessibleMemoryRange(0x0, 2));
}
} // namespace __sanitizer } // namespace __sanitizer
#endif // SANITIZER_POSIX #endif // SANITIZER_POSIX

lib/ubsan/ubsan_diag.cc

Show First 20 LinesShow All 216 Lines▼ Show 20 Linesstatic void renderMemorySnippet(const Decorator &Decor, MemoryLocation Loc,
} }
// If we have too many interesting bytes, prefer to show bytes after Loc. // If we have too many interesting bytes, prefer to show bytes after Loc.
const unsigned BytesToShow = 32; const unsigned BytesToShow = 32;
if (Max - Min > BytesToShow) if (Max - Min > BytesToShow)
Min = __sanitizer::Min(Max - BytesToShow, OrigMin); Min = __sanitizer::Min(Max - BytesToShow, OrigMin);
Max = addNoOverflow(Min, BytesToShow); Max = addNoOverflow(Min, BytesToShow);
if (!IsAccessibleMemoryRange(Min, Max - Min)) {
Printf("<memory cannot be printed>\n");
return;
}
// Emit data. // Emit data.
for (uptr P = Min; P != Max; ++P) { for (uptr P = Min; P != Max; ++P) {
// FIXME: Check that the address is readable before printing it.
unsigned char C = *reinterpret_cast<const unsigned char*>(P); unsigned char C = *reinterpret_cast<const unsigned char*>(P);
Printf("%s%02x", (P % 8 == 0) ? " " : " ", C); Printf("%s%02x", (P % 8 == 0) ? " " : " ", C);
} }
Printf("\n"); Printf("\n");
// Emit highlights. // Emit highlights.
Printf(Decor.Highlight()); Printf(Decor.Highlight());
Range *InRange = upperBound(Min, Ranges, NumRanges); Range *InRange = upperBound(Min, Ranges, NumRanges);
▲ Show 20 LinesShow All 98 LinesShow Last 20 Lines

test/ubsan/TestCases/TypeCheck/misaligned.cpp

// RUN: %clangxx -fsanitize=alignment -g %s -O3 -o %t // RUN: %clangxx -fsanitize=alignment -g %s -O3 -o %t
// RUN: %run %t l0 && %run %t s0 && %run %t r0 && %run %t m0 && %run %t f0 && %run %t n0 // RUN: %run %t l0 && %run %t s0 && %run %t r0 && %run %t m0 && %run %t f0 && %run %t n0
// RUN: %run %t l1 2>&1 | FileCheck %s --check-prefix=CHECK-LOAD --strict-whitespace // RUN: %run %t l1 2>&1 | FileCheck %s --check-prefix=CHECK-LOAD --strict-whitespace
// RUN: %run %t s1 2>&1 | FileCheck %s --check-prefix=CHECK-STORE // RUN: %run %t s1 2>&1 | FileCheck %s --check-prefix=CHECK-STORE
// RUN: %run %t r1 2>&1 | FileCheck %s --check-prefix=CHECK-REFERENCE // RUN: %run %t r1 2>&1 | FileCheck %s --check-prefix=CHECK-REFERENCE
// RUN: %run %t m1 2>&1 | FileCheck %s --check-prefix=CHECK-MEMBER // RUN: %run %t m1 2>&1 | FileCheck %s --check-prefix=CHECK-MEMBER
// RUN: %run %t f1 2>&1 | FileCheck %s --check-prefix=CHECK-MEMFUN // RUN: %run %t f1 2>&1 | FileCheck %s --check-prefix=CHECK-MEMFUN
// RUN: %run %t n1 2>&1 | FileCheck %s --check-prefix=CHECK-NEW // RUN: %run %t n1 2>&1 | FileCheck %s --check-prefix=CHECK-NEW
// RUN: UBSAN_OPTIONS=print_stacktrace=1 %run %t l1 2>&1 | FileCheck %s --check-prefix=CHECK-LOAD --check-prefix=CHECK-%os-STACK-LOAD // RUN: UBSAN_OPTIONS=print_stacktrace=1 %run %t l1 2>&1 | FileCheck %s --check-prefix=CHECK-LOAD --check-prefix=CHECK-%os-STACK-LOAD
// RUN: %clangxx -fsanitize=alignment -fno-sanitize-recover %s -O3 -o %t
// RUN: not %run %t w1 2>&1 | FileCheck %s --check-prefix=CHECK-WILD
#include <new> #include <new>
struct S { struct S {
S() {} S() {}
int f() { return 0; } int f() { return 0; }
int k; int k;
}; };
int main(int, char **argv) { int main(int, char **argv) {
char c[] __attribute__((aligned(8))) = { 0, 0, 0, 0, 1, 2, 3, 4, 5 }; char c[] __attribute__((aligned(8))) = { 0, 0, 0, 0, 1, 2, 3, 4, 5 };
// Pointer value may be unspecified here, but behavior is not undefined. // Pointer value may be unspecified here, but behavior is not undefined.
int *p = (int*)&c[4 + argv[1][1] - '0']; int *p = (int*)&c[4 + argv[1][1] - '0'];
S *s = (S*)p; S *s = (S*)p;
void *wild = reinterpret_cast<void *>(0x123L);
(void)*p; // ok! (void)*p; // ok!
switch (argv[1][0]) { switch (argv[1][0]) {
case 'l': case 'l':
// CHECK-LOAD: misaligned.cpp:[[@LINE+4]]:12: runtime error: load of misaligned address [[PTR:0x[0-9a-f]*]] for type 'int', which requires 4 byte alignment // CHECK-LOAD: misaligned.cpp:[[@LINE+4]]:12: runtime error: load of misaligned address [[PTR:0x[0-9a-f]*]] for type 'int', which requires 4 byte alignment
// CHECK-LOAD-NEXT: [[PTR]]: note: pointer points here // CHECK-LOAD-NEXT: [[PTR]]: note: pointer points here
// CHECK-LOAD-NEXT: {{^ 00 00 00 01 02 03 04 05}} // CHECK-LOAD-NEXT: {{^ 00 00 00 01 02 03 04 05}}
// CHECK-LOAD-NEXT: {{^ \^}} // CHECK-LOAD-NEXT: {{^ \^}}
Show All 35 Lines case 'f':
return s->f() && 0; return s->f() && 0;
case 'n': case 'n':
// CHECK-NEW: misaligned.cpp:[[@LINE+4]]:5: runtime error: constructor call on misaligned address [[PTR:0x[0-9a-f]*]] for type 'S', which requires 4 byte alignment // CHECK-NEW: misaligned.cpp:[[@LINE+4]]:5: runtime error: constructor call on misaligned address [[PTR:0x[0-9a-f]*]] for type 'S', which requires 4 byte alignment
// CHECK-NEW-NEXT: [[PTR]]: note: pointer points here // CHECK-NEW-NEXT: [[PTR]]: note: pointer points here
// CHECK-NEW-NEXT: {{^ 00 00 00 01 02 03 04 05}} // CHECK-NEW-NEXT: {{^ 00 00 00 01 02 03 04 05}}
// CHECK-NEW-NEXT: {{^ \^}} // CHECK-NEW-NEXT: {{^ \^}}
return (new (s) S)->k && 0; return (new (s) S)->k && 0;
case 'w':
// CHECK-WILD: misaligned.cpp:[[@LINE+3]]:35: runtime error: member access within misaligned address 0x000000000123 for type 'S', which requires 4 byte alignment
// CHECK-WILD-NEXT: 0x000000000123: note: pointer points here
// CHECK-WILD-NEXT: <memory cannot be printed>
return static_cast<S*>(wild)->k;
} }
} }