This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
compiler-rt/lib/scudo/standalone/
-
lib/
-
scudo/
-
standalone/
1/2
combined.h

Differential D102379

scudo: Check for UAF in ring buffer before OOB in more distant blocks.
ClosedPublic

Authored by pcc on May 12 2021, 5:07 PM.

Download Raw Diff

Details

Reviewers

eugenis
cryptoad
hctim

Commits

rG9567131d0365: scudo: Check for UAF in ring buffer before OOB in more distant blocks.

Summary

It's more likely that we have a UAF than an OOB in blocks that are
more than 1 block away from the fault address, so the UAF should
appear first in the error report.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

pcc requested review of this revision.May 12 2021, 5:07 PM

pcc created this revision.

Herald added a project: Restricted Project. · View Herald TranscriptMay 12 2021, 5:07 PM

Herald added a subscriber: Restricted Project. · View Herald Transcript

Harbormaster completed remote builds in B104163: Diff 344985.May 12 2021, 5:46 PM

eugenis added inline comments.May 13 2021, 5:49 PM

compiler-rt/lib/scudo/standalone/combined.h
1325	Did you mean if (CheckOOB(Info.BlockBegin) \|\| MinDistance == 0) ?

pcc added inline comments.May 13 2021, 5:54 PM

compiler-rt/lib/scudo/standalone/combined.h
1325	I think that would result in us not checking the surrounding blocks if `MinDistance == 0`, even if `MaxDistance` was some larger number.

LGTM

This revision is now accepted and ready to land.May 13 2021, 6:04 PM

Closed by commit rG9567131d0365: scudo: Check for UAF in ring buffer before OOB in more distant blocks. (authored by pcc). · Explain WhyMay 13 2021, 6:14 PM

This revision was automatically updated to reflect the committed changes.

pcc added a commit: rG9567131d0365: scudo: Check for UAF in ring buffer before OOB in more distant blocks..

Revision Contents

Path

Size

compiler-rt/

lib/

scudo/

standalone/

combined.h

24 lines

Diff 345325

compiler-rt/lib/scudo/standalone/combined.h

Show First 20 Lines • Show All 921 Lines • ▼ Show 20 Lines	static void getErrorInfo(struct scudo_error_info *ErrorInfo,
uintptr_t MemoryAddr, size_t MemorySize) {		uintptr_t MemoryAddr, size_t MemorySize) {
*ErrorInfo = {};		*ErrorInfo = {};
if (!allocatorSupportsMemoryTagging<Params>() \|\|		if (!allocatorSupportsMemoryTagging<Params>() \|\|
MemoryAddr + MemorySize < MemoryAddr)		MemoryAddr + MemorySize < MemoryAddr)
return;		return;

auto Depot = reinterpret_cast<const StackDepot >(DepotPtr);		auto Depot = reinterpret_cast<const StackDepot >(DepotPtr);
size_t NextErrorReport = 0;		size_t NextErrorReport = 0;

		// Check for OOB in the current block and the two surrounding blocks. Beyond
		// that, UAF is more likely.
if (extractTag(FaultAddr) != 0)		if (extractTag(FaultAddr) != 0)
getInlineErrorInfo(ErrorInfo, NextErrorReport, FaultAddr, Depot,		getInlineErrorInfo(ErrorInfo, NextErrorReport, FaultAddr, Depot,
RegionInfoPtr, Memory, MemoryTags, MemoryAddr,		RegionInfoPtr, Memory, MemoryTags, MemoryAddr,
MemorySize);		MemorySize, 0, 2);

		// Check the ring buffer. For primary allocations this will only find UAF;
		// for secondary allocations we can find either UAF or OOB.
getRingBufferErrorInfo(ErrorInfo, NextErrorReport, FaultAddr, Depot,		getRingBufferErrorInfo(ErrorInfo, NextErrorReport, FaultAddr, Depot,
RingBufferPtr);		RingBufferPtr);

		// Check for OOB in the 28 blocks surrounding the 3 we checked earlier.
		// Beyond that we are likely to hit false positives.
		if (extractTag(FaultAddr) != 0)
		getInlineErrorInfo(ErrorInfo, NextErrorReport, FaultAddr, Depot,
		RegionInfoPtr, Memory, MemoryTags, MemoryAddr,
		MemorySize, 2, 16);
}		}

private:		private:
using SecondaryT = MapAllocator<Params>;		using SecondaryT = MapAllocator<Params>;
typedef typename PrimaryT::SizeClassMap SizeClassMap;		typedef typename PrimaryT::SizeClassMap SizeClassMap;

static const uptr MinAlignmentLog = SCUDO_MIN_ALIGNMENT_LOG;		static const uptr MinAlignmentLog = SCUDO_MIN_ALIGNMENT_LOG;
static const uptr MaxAlignmentLog = 24U; // 16 MB seems reasonable.		static const uptr MaxAlignmentLog = 24U; // 16 MB seems reasonable.
▲ Show 20 Lines • Show All 298 Lines • ▼ Show 20 Lines	static const size_t NumErrorReports =
sizeof(((scudo_error_info *)0)->reports) /		sizeof(((scudo_error_info *)0)->reports) /
sizeof(((scudo_error_info *)0)->reports[0]);		sizeof(((scudo_error_info *)0)->reports[0]);

static void getInlineErrorInfo(struct scudo_error_info *ErrorInfo,		static void getInlineErrorInfo(struct scudo_error_info *ErrorInfo,
size_t &NextErrorReport, uintptr_t FaultAddr,		size_t &NextErrorReport, uintptr_t FaultAddr,
const StackDepot *Depot,		const StackDepot *Depot,
const char RegionInfoPtr, const char Memory,		const char RegionInfoPtr, const char Memory,
const char *MemoryTags, uintptr_t MemoryAddr,		const char *MemoryTags, uintptr_t MemoryAddr,
size_t MemorySize) {		size_t MemorySize, size_t MinDistance,
		size_t MaxDistance) {
uptr UntaggedFaultAddr = untagPointer(FaultAddr);		uptr UntaggedFaultAddr = untagPointer(FaultAddr);
u8 FaultAddrTag = extractTag(FaultAddr);		u8 FaultAddrTag = extractTag(FaultAddr);
BlockInfo Info =		BlockInfo Info =
PrimaryT::findNearestBlock(RegionInfoPtr, UntaggedFaultAddr);		PrimaryT::findNearestBlock(RegionInfoPtr, UntaggedFaultAddr);

auto GetGranule = [&](uptr Addr, const char *Data, uint8_t Tag) -> bool {		auto GetGranule = [&](uptr Addr, const char *Data, uint8_t Tag) -> bool {
if (Addr < MemoryAddr \|\| Addr + archMemoryTagGranuleSize() < Addr \|\|		if (Addr < MemoryAddr \|\| Addr + archMemoryTagGranuleSize() < Addr \|\|
Addr + archMemoryTagGranuleSize() > MemoryAddr + MemorySize)		Addr + archMemoryTagGranuleSize() > MemoryAddr + MemorySize)
▲ Show 20 Lines • Show All 44 Lines • ▼ Show 20 Lines	auto CheckOOB = [&](uptr BlockAddr) {
R->allocation_address = ChunkAddr;		R->allocation_address = ChunkAddr;
R->allocation_size = Header.SizeOrUnusedBytes;		R->allocation_size = Header.SizeOrUnusedBytes;
collectTraceMaybe(Depot, R->allocation_trace,		collectTraceMaybe(Depot, R->allocation_trace,
Data[MemTagAllocationTraceIndex]);		Data[MemTagAllocationTraceIndex]);
R->allocation_tid = Data[MemTagAllocationTidIndex];		R->allocation_tid = Data[MemTagAllocationTidIndex];
return NextErrorReport == NumErrorReports;		return NextErrorReport == NumErrorReports;
};		};

if (CheckOOB(Info.BlockBegin))		if (MinDistance == 0 && CheckOOB(Info.BlockBegin))
		eugenisUnsubmitted Not Done Reply Inline Actions Did you mean if (CheckOOB(Info.BlockBegin) \|\| MinDistance == 0) ? eugenis: Did you mean ``` if (CheckOOB(Info.BlockBegin) \|\| MinDistance == 0) ``` ?
		pccAuthorUnsubmitted Done Reply Inline Actions I think that would result in us not checking the surrounding blocks if `MinDistance == 0`, even if `MaxDistance` was some larger number. pcc: I think that would result in us not checking the surrounding blocks if `MinDistance == 0`, even…
return;		return;

// Check for OOB in the 30 surrounding blocks. Beyond that we are likely to		for (size_t I = Max<size_t>(MinDistance, 1); I != MaxDistance; ++I)
// hit false positives.
for (int I = 1; I != 16; ++I)
if (CheckOOB(Info.BlockBegin + I * Info.BlockSize) \|\|		if (CheckOOB(Info.BlockBegin + I * Info.BlockSize) \|\|
CheckOOB(Info.BlockBegin - I * Info.BlockSize))		CheckOOB(Info.BlockBegin - I * Info.BlockSize))
return;		return;
}		}

static void getRingBufferErrorInfo(struct scudo_error_info *ErrorInfo,		static void getRingBufferErrorInfo(struct scudo_error_info *ErrorInfo,
size_t &NextErrorReport,		size_t &NextErrorReport,
uintptr_t FaultAddr,		uintptr_t FaultAddr,
▲ Show 20 Lines • Show All 79 Lines • Show Last 20 Lines