This is an archive of the discontinued LLVM Phabricator instance.

scudo: Make prepareTaggedChunk() and resizeTaggedChunk() generic.
ClosedPublic

Authored by pcc on Apr 20 2021, 4:27 PM.

Download Raw Diff

Details

Reviewers

eugenis
hctim
cryptoad
vitalybuka

Commits

rG3d47e003e922: scudo: Make prepareTaggedChunk() and resizeTaggedChunk() generic.

Summary

Now that we have a more efficient implementation of storeTags(),
we should start using it from resizeTaggedChunk(). With that, plus
a new storeTag() function, resizeTaggedChunk() can be made generic,
and so can prepareTaggedChunk(). Make it so.

Now that the functions are generic, move them to combined.h so that
memtag.h no longer needs to know about chunks.

Depends on D100910

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

pcc requested review of this revision.Apr 20 2021, 4:27 PM

pcc created this revision.

Herald added a project: Restricted Project. · View Herald TranscriptApr 20 2021, 4:27 PM

Herald added a subscriber: Restricted Project. · View Herald Transcript

vitalybuka added a reviewer: vitalybuka.Apr 20 2021, 4:31 PM

vitalybuka added inline comments.

compiler-rt/lib/scudo/standalone/combined.h
1146	Why we don't tag entire unused tail? It may detect UseAfterFree.

pcc added inline comments.Apr 20 2021, 4:47 PM

compiler-rt/lib/scudo/standalone/combined.h
1146	We detect UAF by retagging on free. So from that perspective there's no advantage to retagging the tail here.

Harbormaster completed remote builds in B99843: Diff 339038.Apr 20 2021, 6:06 PM

vitalybuka added inline comments.Apr 21 2021, 9:52 AM

compiler-rt/lib/scudo/standalone/combined.h
1146	then why do we need to remove a tag on a single granule here? To distinguish UAF and out of bounds?

eugenis added inline comments.Apr 21 2021, 10:56 AM

compiler-rt/lib/scudo/standalone/combined.h
1146	For guaranteed linear overflow detection. In fact, by not retagging the tail, we have guaranteed false negative for overflow by 16 bytes, right? Should we change this? It should be pretty cheap in the primary allocator.

pcc added inline comments.Apr 21 2021, 11:12 AM

compiler-rt/lib/scudo/standalone/combined.h
1146	Hmm, I would expect the cost increase to correspond to the average ratio between size classes (i.e. around sqrt(2)). Let's investigate doing that as part of a separate change. It should be easier to implement once we have the generic resizeTaggedChunk() implementation in.

vitalybuka added inline comments.Apr 21 2021, 11:21 AM

compiler-rt/lib/scudo/standalone/combined.h
1146	So UAF is not guaranteed, but we want linear overflow guaranteed and without spending cycles to retag entire [RoundNewPtr, BlockEnd)?

vitalybuka added inline comments.Apr 21 2021, 11:26 AM

compiler-rt/lib/scudo/standalone/combined.h
1146	Hmm, I would expect the cost increase to correspond to the average ratio between size classes (i.e. around sqrt(2)). Let's investigate doing that as part of a separate change. It should be easier to implement once we have the generic resizeTaggedChunk() implementation in. Agree, this is unchanged in the patch and better addressed (if needed) separately.

pcc added inline comments.Apr 21 2021, 11:35 AM

compiler-rt/lib/scudo/standalone/combined.h
1146	Immediate UAF is guaranteed due to retag on free -- that retags the entire previous allocation (of course, we don't know how large the next allocation to use that chunk will be). Yes, the reason why we didn't retag that entire region with 0 was to save cycles.

vitalybuka accepted this revision.Apr 21 2021, 1:21 PM

This revision is now accepted and ready to land.Apr 21 2021, 1:21 PM

eugenis accepted this revision.Apr 21 2021, 1:37 PM

eugenis added inline comments.

compiler-rt/lib/scudo/standalone/combined.h
1146	well probably half of that, on average. SGTM, let's not worry about that for now.

Closed by commit rG3d47e003e922: scudo: Make prepareTaggedChunk() and resizeTaggedChunk() generic. (authored by pcc). · Explain WhyApr 21 2021, 1:54 PM

This revision was automatically updated to reflect the committed changes.

pcc added a commit: rG3d47e003e922: scudo: Make prepareTaggedChunk() and resizeTaggedChunk() generic..

Revision Contents

Path

Size

compiler-rt/

lib/

scudo/

standalone/

combined.h

44 lines

memtag.h

95 lines

Diff 339377

compiler-rt/lib/scudo/standalone/combined.h

Show First 20 Lines • Show All 1,097 Lines • ▼ Show 20 Lines	#endif

static uptr getChunkOffsetFromBlock(const char *Block) {		static uptr getChunkOffsetFromBlock(const char *Block) {
u32 Offset = 0;		u32 Offset = 0;
if (reinterpret_cast<const u32 *>(Block)[0] == BlockMarker)		if (reinterpret_cast<const u32 *>(Block)[0] == BlockMarker)
Offset = reinterpret_cast<const u32 *>(Block)[1];		Offset = reinterpret_cast<const u32 *>(Block)[1];
return Offset + Chunk::getHeaderSize();		return Offset + Chunk::getHeaderSize();
}		}

		void prepareTaggedChunk(void Ptr, uptr Size, uptr ExcludeMask,
		uptr BlockEnd) {
		// Prepare the granule before the chunk to store the chunk header by setting
		// its tag to 0. Normally its tag will already be 0, but in the case where a
		// chunk holding a low alignment allocation is reused for a higher alignment
		// allocation, the chunk may already have a non-zero tag from the previous
		// allocation.
		storeTag(reinterpret_cast<uptr>(Ptr) - archMemoryTagGranuleSize());

		uptr TaggedBegin, TaggedEnd;
		setRandomTag(Ptr, Size, ExcludeMask, &TaggedBegin, &TaggedEnd);

		// Finally, set the tag of the granule past the end of the allocation to 0,
		// to catch linear overflows even if a previous larger allocation used the
		// same block and tag. Only do this if the granule past the end is in our
		// block, because this would otherwise lead to a SEGV if the allocation
		// covers the entire block and our block is at the end of a mapping. The tag
		// of the next block's header granule will be set to 0, so it will serve the
		// purpose of catching linear overflows in this case.
		uptr UntaggedEnd = untagPointer(TaggedEnd);
		if (UntaggedEnd != BlockEnd)
		storeTag(UntaggedEnd);
		return reinterpret_cast<void *>(TaggedBegin);
		}

		void resizeTaggedChunk(uptr OldPtr, uptr NewPtr, uptr BlockEnd) {
		uptr RoundOldPtr = roundUpTo(OldPtr, archMemoryTagGranuleSize());
		uptr RoundNewPtr;
		if (RoundOldPtr >= NewPtr) {
		// If the allocation is shrinking we just need to set the tag past the end
		// of the allocation to 0. See explanation in prepareTaggedChunk above.
		RoundNewPtr = roundUpTo(NewPtr, archMemoryTagGranuleSize());
		} else {
		// Set the memory tag of the region
		// [RoundOldPtr, roundUpTo(NewPtr, archMemoryTagGranuleSize()))
		// to the pointer tag stored in OldPtr.
		RoundNewPtr = storeTags(RoundOldPtr, NewPtr);
		}

		uptr UntaggedNewPtr = untagPointer(RoundNewPtr);
		if (UntaggedNewPtr != BlockEnd)
		vitalybukaUnsubmitted Not Done Reply Inline Actions Why we don't tag entire unused tail? It may detect UseAfterFree. vitalybuka: Why we don't tag entire unused tail? It may detect UseAfterFree.
		pccAuthorUnsubmitted Done Reply Inline Actions We detect UAF by retagging on free. So from that perspective there's no advantage to retagging the tail here. pcc: We detect UAF by retagging on free. So from that perspective there's no advantage to retagging…
		vitalybukaUnsubmitted Not Done Reply Inline Actions then why do we need to remove a tag on a single granule here? To distinguish UAF and out of bounds? vitalybuka: then why do we need to remove a tag on a single granule here? To distinguish UAF and out of…
		eugenisUnsubmitted Not Done Reply Inline Actions For guaranteed linear overflow detection. In fact, by not retagging the tail, we have guaranteed false negative for overflow by 16 bytes, right? Should we change this? It should be pretty cheap in the primary allocator. eugenis: For guaranteed linear overflow detection. In fact, by not retagging the tail, we have…
		pccAuthorUnsubmitted Done Reply Inline Actions Hmm, I would expect the cost increase to correspond to the average ratio between size classes (i.e. around sqrt(2)). Let's investigate doing that as part of a separate change. It should be easier to implement once we have the generic resizeTaggedChunk() implementation in. pcc: Hmm, I would expect the cost increase to correspond to the average ratio between size classes…
		vitalybukaUnsubmitted Not Done Reply Inline Actions Hmm, I would expect the cost increase to correspond to the average ratio between size classes (i.e. around sqrt(2)). Let's investigate doing that as part of a separate change. It should be easier to implement once we have the generic resizeTaggedChunk() implementation in. Agree, this is unchanged in the patch and better addressed (if needed) separately. vitalybuka: > Hmm, I would expect the cost increase to correspond to the average ratio between size classes…
		eugenisUnsubmitted Not Done Reply Inline Actions well probably half of that, on average. SGTM, let's not worry about that for now. eugenis: well probably half of that, on average. SGTM, let's not worry about that for now.
		vitalybukaUnsubmitted Not Done Reply Inline Actions So UAF is not guaranteed, but we want linear overflow guaranteed and without spending cycles to retag entire [RoundNewPtr, BlockEnd)? vitalybuka: So UAF is not guaranteed, but we want linear overflow guaranteed and without spending cycles to…
		pccAuthorUnsubmitted Done Reply Inline Actions Immediate UAF is guaranteed due to retag on free -- that retags the entire previous allocation (of course, we don't know how large the next allocation to use that chunk will be). Yes, the reason why we didn't retag that entire region with 0 was to save cycles. pcc: Immediate UAF is guaranteed due to retag on free -- that retags the entire previous allocation…
		storeTag(UntaggedNewPtr);
		}

void storePrimaryAllocationStackMaybe(Options Options, void *Ptr) {		void storePrimaryAllocationStackMaybe(Options Options, void *Ptr) {
if (!UNLIKELY(Options.get(OptionBit::TrackAllocationStacks)))		if (!UNLIKELY(Options.get(OptionBit::TrackAllocationStacks)))
return;		return;
auto Ptr32 = reinterpret_cast<u32 >(Ptr);		auto Ptr32 = reinterpret_cast<u32 >(Ptr);
Ptr32[MemTagAllocationTraceIndex] = collectStackTrace();		Ptr32[MemTagAllocationTraceIndex] = collectStackTrace();
Ptr32[MemTagAllocationTidIndex] = getThreadID();		Ptr32[MemTagAllocationTidIndex] = getThreadID();
}		}

▲ Show 20 Lines • Show All 206 Lines • Show Last 20 Lines

compiler-rt/lib/scudo/standalone/memtag.h

Show All 12 Lines

#if SCUDO_LINUX		#if SCUDO_LINUX
#include <sys/auxv.h>		#include <sys/auxv.h>
#include <sys/prctl.h>		#include <sys/prctl.h>
#endif		#endif

namespace scudo {		namespace scudo {

void setRandomTag(void Ptr, uptr Size, uptr ExcludeMask, uptr TaggedBegin,
uptr *TaggedEnd);

#if defined(__aarch64__) \|\| defined(SCUDO_FUZZ)		#if defined(__aarch64__) \|\| defined(SCUDO_FUZZ)

// We assume that Top-Byte Ignore is enabled if the architecture supports memory		// We assume that Top-Byte Ignore is enabled if the architecture supports memory
// tagging. Not all operating systems enable TBI, so we only claim architectural		// tagging. Not all operating systems enable TBI, so we only claim architectural
// support for memory tagging if the operating system enables TBI.		// support for memory tagging if the operating system enables TBI.
#if SCUDO_LINUX && !defined(SCUDO_DISABLE_TBI)		#if SCUDO_LINUX && !defined(SCUDO_DISABLE_TBI)
inline constexpr bool archSupportsMemoryTagging() { return true; }		inline constexpr bool archSupportsMemoryTagging() { return true; }
#else		#else
▲ Show 20 Lines • Show All 177 Lines • ▼ Show 20 Lines	inline uptr storeTags(uptr Begin, uptr End) {
)"		)"
: [Cur] "+&r"(Begin), [LineSize] "=&r"(LineSize), [Next] "=&r"(Next),		: [Cur] "+&r"(Begin), [LineSize] "=&r"(LineSize), [Next] "=&r"(Next),
[Tmp] "=&r"(Tmp)		[Tmp] "=&r"(Tmp)
: [End] "r"(End)		: [End] "r"(End)
: "memory");		: "memory");
return Begin;		return Begin;
}		}

inline void prepareTaggedChunk(void Ptr, uptr Size, uptr ExcludeMask,		inline void storeTag(uptr Ptr) {
uptr BlockEnd) {		__asm__ __volatile__(R"(
// Prepare the granule before the chunk to store the chunk header by setting
// its tag to 0. Normally its tag will already be 0, but in the case where a
// chunk holding a low alignment allocation is reused for a higher alignment
// allocation, the chunk may already have a non-zero tag from the previous
// allocation.
__asm__ __volatile__(
R"(
.arch_extension memtag
stg %0, [%0, #-16]
)"
:
: "r"(Ptr)
: "memory");

uptr TaggedBegin, TaggedEnd;
setRandomTag(Ptr, Size, ExcludeMask, &TaggedBegin, &TaggedEnd);

// Finally, set the tag of the granule past the end of the allocation to 0,
// to catch linear overflows even if a previous larger allocation used the
// same block and tag. Only do this if the granule past the end is in our
// block, because this would otherwise lead to a SEGV if the allocation
// covers the entire block and our block is at the end of a mapping. The tag
// of the next block's header granule will be set to 0, so it will serve the
// purpose of catching linear overflows in this case.
uptr UntaggedEnd = untagPointer(TaggedEnd);
if (UntaggedEnd != BlockEnd)
__asm__ __volatile__(
R"(
.arch_extension memtag
stg %0, [%0]
)"
:
: "r"(UntaggedEnd)
: "memory");
return reinterpret_cast<void *>(TaggedBegin);
}

inline void resizeTaggedChunk(uptr OldPtr, uptr NewPtr, uptr BlockEnd) {
uptr RoundOldPtr = roundUpTo(OldPtr, 16);
if (RoundOldPtr >= NewPtr) {
// If the allocation is shrinking we just need to set the tag past the end
// of the allocation to 0. See explanation in prepareTaggedChunk above.
uptr RoundNewPtr = untagPointer(roundUpTo(NewPtr, 16));
if (RoundNewPtr != BlockEnd)
__asm__ __volatile__(
R"(
.arch_extension memtag		.arch_extension memtag
stg %0, [%0]		stg %0, [%0]
)"		)"
:		:
: "r"(RoundNewPtr)		: "r"(Ptr)
: "memory");
return;
}

__asm__ __volatile__(R"(
.arch_extension memtag

// Set the memory tag of the region
// [roundUpTo(OldPtr, 16), roundUpTo(NewPtr, 16))
// to the pointer tag stored in OldPtr.
1:
stzg %[Cur], [%[Cur]], #16
cmp %[Cur], %[End]
b.lt 1b

// Finally, set the tag of the granule past the end of the allocation to 0.
and %[Cur], %[Cur], #(1 << 56) - 1
cmp %[Cur], %[BlockEnd]
b.eq 2f
stg %[Cur], [%[Cur]]

2:
)"
: [Cur] "+&r"(RoundOldPtr), [End] "+&r"(NewPtr)
: [BlockEnd] "r"(BlockEnd)
: "memory");		: "memory");
}		}

inline uptr loadTag(uptr Ptr) {		inline uptr loadTag(uptr Ptr) {
uptr TaggedPtr = Ptr;		uptr TaggedPtr = Ptr;
__asm__ __volatile__(		__asm__ __volatile__(
R"(		R"(
.arch_extension memtag		.arch_extension memtag
Show All 40 Lines
}		}

inline uptr storeTags(uptr Begin, uptr End) {		inline uptr storeTags(uptr Begin, uptr End) {
(void)Begin;		(void)Begin;
(void)End;		(void)End;
UNREACHABLE("memory tagging not supported");		UNREACHABLE("memory tagging not supported");
}		}

inline void prepareTaggedChunk(void Ptr, uptr Size, uptr ExcludeMask,		inline void storeTag(uptr Ptr) {
uptr BlockEnd) {
(void)Ptr;		(void)Ptr;
(void)Size;
(void)ExcludeMask;
(void)BlockEnd;
UNREACHABLE("memory tagging not supported");
}

inline void resizeTaggedChunk(uptr OldPtr, uptr NewPtr, uptr BlockEnd) {
(void)OldPtr;
(void)NewPtr;
(void)BlockEnd;
UNREACHABLE("memory tagging not supported");		UNREACHABLE("memory tagging not supported");
}		}

inline uptr loadTag(uptr Ptr) {		inline uptr loadTag(uptr Ptr) {
(void)Ptr;		(void)Ptr;
UNREACHABLE("memory tagging not supported");		UNREACHABLE("memory tagging not supported");
}		}

Show All 29 Lines