This is an archive of the discontinued LLVM Phabricator instance.

Differential D104304

[hwasan] Do not use short granule tags as poison tags.
ClosedPublic

Authored by fmayer on Jun 15 2021, 8:30 AM.

Download Raw Diff

Details

Reviewers

Commits

rG18070723ef5c: [hwasan] Do not use short granule tags as poison tags.

Summary

Short granule tags as poison cause a UaF to read the referenced
memory to retrieve the tag, and means we do not detect the UaF
if the last granule's tag is still around.

This only increases the change of not catching a UaF from
0.39 % (1 / 256) to 0.42 % (1 / (256 - 17)).

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

fmayer requested review of this revision.Jun 15 2021, 8:30 AM

fmayer created this revision.

Herald added a project: Restricted Project. · View Herald TranscriptJun 15 2021, 8:30 AM

Herald added a subscriber: Restricted Project. · View Herald Transcript

Static assert for fallback tag.

fmayer added a reviewer: eugenis.Jun 15 2021, 8:35 AM

fmayer edited the summary of this revision. (Show Details)Jun 15 2021, 8:50 AM

Harbormaster completed remote builds in B109310: Diff 352155.Jun 15 2021, 9:16 AM

Fix formatting.

eugenis added inline comments.Jun 15 2021, 1:07 PM

compiler-rt/lib/hwasan/hwasan_allocator.cpp
240	I think it would be cleaner and faster to loop until GenerateRandomTag returns something >=kShadowAlignment - that would be just 1 unlikely branch compared to all the stuff GenerateRandomTag does on each call. Or even pass a minimum tag value as an argument - there is a loop like that inside GenerateRandomTag already.

Harbormaster completed remote builds in B109349: Diff 352204.Jun 15 2021, 1:31 PM

Simplify logic.

fmayer marked an inline comment as done.Jun 16 2021, 4:06 AM

Harbormaster completed remote builds in B109484: Diff 352390.Jun 16 2021, 9:41 AM

LGTM

This revision is now accepted and ready to land.Jun 16 2021, 10:58 AM

Closed by commit rG18070723ef5c: [hwasan] Do not use short granule tags as poison tags. (authored by fmayer). · Explain WhyJun 17 2021, 4:00 AM

This revision was automatically updated to reflect the committed changes.

fmayer added a commit: rG18070723ef5c: [hwasan] Do not use short granule tags as poison tags..

Revision Contents

Path

Size

compiler-rt/

lib/

hwasan/

hwasan_allocator.cpp

14 lines

Diff 352670

compiler-rt/lib/hwasan/hwasan_allocator.cpp

	Show First 20 Lines • Show All 223 Lines • ▼ Show 20 Lines		if (flags()->max_free_fill_size > 0) {
	uptr fill_size =			uptr fill_size =
	Min(TaggedSize(orig_size), (uptr)flags()->max_free_fill_size);			Min(TaggedSize(orig_size), (uptr)flags()->max_free_fill_size);
	internal_memset(aligned_ptr, flags()->free_fill_byte, fill_size);			internal_memset(aligned_ptr, flags()->free_fill_byte, fill_size);
	}			}
	if (InTaggableRegion(reinterpret_cast<uptr>(tagged_ptr)) &&			if (InTaggableRegion(reinterpret_cast<uptr>(tagged_ptr)) &&
	flags()->tag_in_free && malloc_bisect(stack, 0) &&			flags()->tag_in_free && malloc_bisect(stack, 0) &&
	atomic_load_relaxed(&hwasan_allocator_tagging_enabled)) {			atomic_load_relaxed(&hwasan_allocator_tagging_enabled)) {
	// Always store full 8-bit tags on free to maximize UAF detection.			// Always store full 8-bit tags on free to maximize UAF detection.
	tag_t tag = t ? t->GenerateRandomTag(/num_bits=/8) : kFallbackFreeTag;			tag_t tag;
				if (t) {
				// Make sure we are not using a short granule tag as a poison tag. This
				// would make us attempt to read the memory on a UaF.
				// The tag can be zero if tagging is disabled on this thread.
				do {
				tag = t->GenerateRandomTag(/num_bits=/8);
				} while (UNLIKELY(tag < kShadowAlignment && tag != 0));
				} else {
				eugenisUnsubmitted Done Reply Inline Actions I think it would be cleaner and faster to loop until GenerateRandomTag returns something >=kShadowAlignment - that would be just 1 unlikely branch compared to all the stuff GenerateRandomTag does on each call. Or even pass a minimum tag value as an argument - there is a loop like that inside GenerateRandomTag already. eugenis: I think it would be cleaner and faster to loop until GenerateRandomTag returns something…
				static_assert(kFallbackFreeTag >= kShadowAlignment,
				"fallback tag must not be a short granule tag.");
				tag = kFallbackFreeTag;
				}
	TagMemoryAligned(reinterpret_cast<uptr>(aligned_ptr), TaggedSize(orig_size),			TagMemoryAligned(reinterpret_cast<uptr>(aligned_ptr), TaggedSize(orig_size),
	tag);			tag);
	}			}
	if (t) {			if (t) {
	allocator.Deallocate(t->allocator_cache(), aligned_ptr);			allocator.Deallocate(t->allocator_cache(), aligned_ptr);
	if (auto *ha = t->heap_allocations())			if (auto *ha = t->heap_allocations())
	ha->push({reinterpret_cast<uptr>(tagged_ptr), alloc_context_id,			ha->push({reinterpret_cast<uptr>(tagged_ptr), alloc_context_id,
	free_context_id, static_cast<u32>(orig_size)});			free_context_id, static_cast<u32>(orig_size)});
	▲ Show 20 Lines • Show All 178 Lines • Show Last 20 Lines