This is an archive of the discontinued LLVM Phabricator instance.

scudo: Require fault address to be in bounds for UAF.
ClosedPublic

Authored by pcc on May 12 2021, 3:53 PM.

Download Raw Diff

Details

Reviewers

eugenis
hctim
cryptoad

Commits

rG6732a5328cf0: scudo: Require fault address to be in bounds for UAF.

Summary

The bounds check that we previously had here was suitable for secondary
allocations but not for UAF on primary allocations, where it is likely
to result in false positives. Fix it by using a different bounds check
for UAF that requires the fault address to be in bounds.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

pcc created this revision.May 12 2021, 3:53 PM

Herald added a subscriber: jfb. · View Herald TranscriptMay 12 2021, 3:53 PM

pcc requested review of this revision.May 12 2021, 3:53 PM

Herald added a project: Restricted Project. · View Herald TranscriptMay 12 2021, 3:53 PM

Herald added a subscriber: Restricted Project. · View Herald Transcript

eugenis added inline comments.May 12 2021, 4:14 PM

compiler-rt/lib/scudo/standalone/combined.h
1350	getPageSizeCached is an arbitrary threshold for reporting secondary oob, right? That could use a comment. In general, it would be great to list the assumption reporting code makes about the buffer contents - ex. the fact that allocation-without-deallocation entries are only possible for secondary.

pcc added inline comments.May 12 2021, 4:47 PM

compiler-rt/lib/scudo/standalone/combined.h
1350	It's based on the size of the guard region on either side of the allocation, which is guaranteed to be at least a page (guard page on the right, guard page + tagged region on the left). I'll add some comments here.

eugenis added inline comments.May 12 2021, 4:49 PM

compiler-rt/lib/scudo/standalone/combined.h
1350	Ah good point. Since we do not tag secondary allocations, we would not know what to do with anything we find beyond the guard page anyway!

Add comments

pcc marked an inline comment as done.May 12 2021, 5:03 PM

LGTM

This revision is now accepted and ready to land.May 12 2021, 5:06 PM

Harbormaster completed remote builds in B104162: Diff 344984.May 12 2021, 5:41 PM

Closed by commit rG6732a5328cf0: scudo: Require fault address to be in bounds for UAF. (authored by pcc). · Explain WhyMay 12 2021, 6:02 PM

This revision was automatically updated to reflect the committed changes.

pcc added a commit: rG6732a5328cf0: scudo: Require fault address to be in bounds for UAF..

Revision Contents

Path

Size

compiler-rt/

lib/

scudo/

standalone/

combined.h

31 lines

Diff 344997

compiler-rt/lib/scudo/standalone/combined.h

Show First 20 Lines • Show All 1,327 Lines • ▼ Show 20 Lines	auto *RingBuffer =
reinterpret_cast<const AllocationRingBuffer *>(RingBufferPtr);		reinterpret_cast<const AllocationRingBuffer *>(RingBufferPtr);
uptr Pos = atomic_load_relaxed(&RingBuffer->Pos);		uptr Pos = atomic_load_relaxed(&RingBuffer->Pos);

for (uptr I = Pos - 1; I != Pos - 1 - AllocationRingBuffer::NumEntries &&		for (uptr I = Pos - 1; I != Pos - 1 - AllocationRingBuffer::NumEntries &&
NextErrorReport != NumErrorReports;		NextErrorReport != NumErrorReports;
--I) {		--I) {
auto *Entry = &RingBuffer->Entries[I % AllocationRingBuffer::NumEntries];		auto *Entry = &RingBuffer->Entries[I % AllocationRingBuffer::NumEntries];
uptr EntryPtr = atomic_load_relaxed(&Entry->Ptr);		uptr EntryPtr = atomic_load_relaxed(&Entry->Ptr);
uptr UntaggedEntryPtr = untagPointer(EntryPtr);		if (!EntryPtr)
uptr EntrySize = atomic_load_relaxed(&Entry->AllocationSize);
if (!EntryPtr \|\| FaultAddr < EntryPtr - getPageSizeCached() \|\|
FaultAddr >= EntryPtr + EntrySize + getPageSizeCached())
continue;		continue;

		uptr UntaggedEntryPtr = untagPointer(EntryPtr);
		uptr EntrySize = atomic_load_relaxed(&Entry->AllocationSize);
u32 AllocationTrace = atomic_load_relaxed(&Entry->AllocationTrace);		u32 AllocationTrace = atomic_load_relaxed(&Entry->AllocationTrace);
u32 AllocationTid = atomic_load_relaxed(&Entry->AllocationTid);		u32 AllocationTid = atomic_load_relaxed(&Entry->AllocationTid);
u32 DeallocationTrace = atomic_load_relaxed(&Entry->DeallocationTrace);		u32 DeallocationTrace = atomic_load_relaxed(&Entry->DeallocationTrace);
u32 DeallocationTid = atomic_load_relaxed(&Entry->DeallocationTid);		u32 DeallocationTid = atomic_load_relaxed(&Entry->DeallocationTid);

		if (DeallocationTid) {
		// For UAF we only consider in-bounds fault addresses because
		// out-of-bounds UAF is rare and attempting to detect it is very likely
		// to result in false positives.
		if (FaultAddr < EntryPtr \|\| FaultAddr >= EntryPtr + EntrySize)
		eugenisUnsubmitted Not Done Reply Inline Actions getPageSizeCached is an arbitrary threshold for reporting secondary oob, right? That could use a comment. In general, it would be great to list the assumption reporting code makes about the buffer contents - ex. the fact that allocation-without-deallocation entries are only possible for secondary. eugenis: getPageSizeCached is an arbitrary threshold for reporting secondary oob, right? That could use…
		pccAuthorUnsubmitted Done Reply Inline Actions It's based on the size of the guard region on either side of the allocation, which is guaranteed to be at least a page (guard page on the right, guard page + tagged region on the left). I'll add some comments here. pcc: It's based on the size of the guard region on either side of the allocation, which is…
		eugenisUnsubmitted Done Reply Inline Actions Ah good point. Since we do not tag secondary allocations, we would not know what to do with anything we find beyond the guard page anyway! eugenis: Ah good point. Since we do not tag secondary allocations, we would not know what to do with…
		continue;
		} else {
		// Ring buffer OOB is only possible with secondary allocations. In this
		// case we are guaranteed a guard region of at least a page on either
		// side of the allocation (guard page on the right, guard page + tagged
		// region on the left), so ignore any faults outside of that range.
		if (FaultAddr < EntryPtr - getPageSizeCached() \|\|
		FaultAddr >= EntryPtr + EntrySize + getPageSizeCached())
		continue;

// For UAF the ring buffer will contain two entries, one for the		// For UAF the ring buffer will contain two entries, one for the
// allocation and another for the deallocation. Don't report buffer		// allocation and another for the deallocation. Don't report buffer
// overflow/underflow using the allocation entry if we have already		// overflow/underflow using the allocation entry if we have already
// collected a report from the deallocation entry.		// collected a report from the deallocation entry.
if (!DeallocationTrace) {
bool Found = false;		bool Found = false;
for (uptr J = 0; J != NextErrorReport; ++J) {		for (uptr J = 0; J != NextErrorReport; ++J) {
if (ErrorInfo->reports[J].allocation_address == UntaggedEntryPtr) {		if (ErrorInfo->reports[J].allocation_address == UntaggedEntryPtr) {
Found = true;		Found = true;
break;		break;
}		}
}		}
if (Found)		if (Found)
Show All 31 Lines