Download Raw Diff

Details

Reviewers

Commits

rGdd943ebc6d2e: [hwasan] print exact mismatch offset for short granules.
rG2a60ab76a796: [hwasan] print exact mismatch offset for short granules.
rG7e3f8b8affd0: [hwasan] print exact mismatch offset for short granules.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

fmayer requested review of this revision.Jun 17 2021, 7:27 AM

fmayer created this revision.

Herald added a project: Restricted Project. · View Herald TranscriptJun 17 2021, 7:27 AM

Herald added a subscriber: Restricted Project. · View Herald Transcript

fmayer added a reviewer: eugenis.Jun 17 2021, 7:29 AM

The reason it was done this way was that what looks like a short granule might not be one - sometimes a low tag value is simply a low tag value, and the last byte of the granule is user memory that can match by chance.

On the other hand, the chance of that happening is very low and perhaps this is a good tradeoff for better report quality.

@pcc @hctim WDYT?

compiler-rt/test/hwasan/TestCases/heap-buffer-overflow-into.c
16	why offset 10 and not 5?

fmayer added inline comments.Jun 17 2021, 12:36 PM

compiler-rt/test/hwasan/TestCases/heap-buffer-overflow-into.c
16	The first 5 bytes, [5, 10) are the valid access, and the invalid one is [10, 26).

In D104463#2825430, @eugenis wrote:

The reason it was done this way was that what looks like a short granule might not be one - sometimes a low tag value is simply a low tag value, and the last byte of the granule is user memory that can match by chance.

On the other hand, the chance of that happening is very low and perhaps this is a good tradeoff for better report quality.

@pcc @hctim WDYT?

isn't the chance of this lower than a normal tag matching by accident (also producing an incorrect report)? The chance of this should be (16 / 256) * (1 / 256).

fmayer marked an inline comment as not done.Jun 17 2021, 12:41 PM

fmayer added inline comments.

compiler-rt/test/hwasan/TestCases/heap-buffer-overflow-into.c
16	Sorry, my mistake, replied too fast. Will look tomorrow.

isn't the chance of this lower than a normal tag matching by accident (also producing an incorrect report)? The chance of this should be (16 / 256) * (1 / 256).

Right, we can find an unrelated alloc/dealloc stack trace because of an accidental tag match. That happens.

Harbormaster completed remote builds in B109710: Diff 352717.Jun 17 2021, 4:58 PM

Fixed logic.

fmayer added inline comments.Jun 18 2021, 2:22 AM

compiler-rt/test/hwasan/TestCases/heap-buffer-overflow-into.c
16	Fixed. Sorry about that, added second test as well.

eugenis added inline comments.Jun 18 2021, 11:31 AM

compiler-rt/lib/hwasan/hwasan_report.cpp
710	Is this really different from ShadowToMem(tag_ptr) ? If you prefer this form, please put (untagged_addr + offset) in brackets to make operator precedence clear. But if I read __hwasan_test_shadow correctly, (untagged_addr + offset) must be granule-aligned already.

Harbormaster completed remote builds in B109883: Diff 352945.Jun 18 2021, 5:21 PM

Improve readability.

Add test for aligned (untagged_addr + offset).

fmayer added inline comments.Jun 21 2021, 4:39 AM

compiler-rt/lib/hwasan/hwasan_report.cpp
710	Is this really different from ShadowToMem(tag_ptr) ? I wrote it this way so it's easy to see I am separating the low from the high bits from this and the line below. If you prefer this form, please put (untagged_addr + offset) in brackets to make operator precedence clear. Done. But if I read __hwasan_test_shadow correctly, (untagged_addr + offset) must be granule-aligned already. There is the edge case where offset == 0, then untagged_addr + offset is not necessarily aligned. I added more test cases to cover both the aligned and non-aligned scenarios.

Harbormaster completed remote builds in B110174: Diff 353338.Jun 21 2021, 7:09 AM

eugenis added inline comments.Jun 21 2021, 3:45 PM

compiler-rt/lib/hwasan/hwasan_report.cpp
716	This line assumes that the first bad access has to be 1 byte past the end. What if ex. the short granule is 5 byte in size, and the access is for offsets [10, 12) ?

Correctly handle accesses out of range of granule.

fmayer marked 2 inline comments as done.Jun 22 2021, 7:18 AM

Harbormaster completed remote builds in B110407: Diff 353641.Jun 22 2021, 7:54 AM

Please add a test where the bad access starts after the end of the allocation.

LGTM with that and the other comments.

compiler-rt/lib/hwasan/hwasan_report.cpp
709	call it "granule_ptr" or something like that.
713	"this is the offset of the leftmost accessed byte within the bad granule" or something more literate. I.e. it's not the bad address, it's the start of the accessed ranged clamped to the granule bounds.
718	"if the access starts after the end of the short granule, then the first bad byte is the first byte of the access; otherwise it is the first byte past the end of the short granule" or something like that in your own words. This is not really obvious from the code.
compiler-rt/test/hwasan/TestCases/heap-buffer-overflow-into.c
23	I was really confused why the size is 10 until I realized that in "%t 5 2>&1" 2 is the file descriptor and not the argument. Please make all arguments explicit in the command lines and remove the argc checks (or rather turn them into asserts).

Update comments and tests.

Thanks!

Harbormaster completed remote builds in B110591: Diff 353916.Jun 23 2021, 4:05 AM

LGTM

This revision is now accepted and ready to land.Jun 23 2021, 1:30 PM

Closed by commit rG7e3f8b8affd0: [hwasan] print exact mismatch offset for short granules. (authored by fmayer). · Explain WhyJun 24 2021, 1:58 AM

This revision was automatically updated to reflect the committed changes.

fmayer added a commit: rG7e3f8b8affd0: [hwasan] print exact mismatch offset for short granules..

Probably caused by this patch https://lab.llvm.org/buildbot/#/builders/77/builds/7379

vitalybuka added a reverting change: rGa9f3ac9e3dbb: Revert "[hwasan] print exact mismatch offset for short granules.".Jun 24 2021, 5:33 PM

vitalybuka reopened this revision.Jun 24 2021, 5:33 PM

This revision is now accepted and ready to land.Jun 24 2021, 5:33 PM

Fix test on aarch64.

Tested on Android and x86.

Harbormaster completed remote builds in B111250: Diff 354845.Jun 28 2021, 5:28 AM

Closed by commit rG2a60ab76a796: [hwasan] print exact mismatch offset for short granules. (authored by fmayer). · Explain WhyJun 28 2021, 11:01 AM

This revision was automatically updated to reflect the committed changes.

fmayer added a commit: rG2a60ab76a796: [hwasan] print exact mismatch offset for short granules..

(untested) maybe broke the x64 LAM under QEMU bot: https://lab.llvm.org/buildbot/#/builders/169/builds/1199/steps/25/logs/stdio

fmayer added a reverting change: rG400509238a0f: Revert "[hwasan] print exact mismatch offset for short granules.".Jun 29 2021, 3:57 AM

In D104463#2845289, @hctim wrote:

(untested) maybe broke the x64 LAM under QEMU bot: https://lab.llvm.org/buildbot/#/builders/169/builds/1199/steps/25/logs/stdio

Sorry about that, reverted in rG400509238a0ff71f62fbf3a5d0cb576bc163b4b8.

fmayer reopened this revision.Jun 29 2021, 4:12 AM

This revision is now accepted and ready to land.Jun 29 2021, 4:12 AM

do not check short granule if mem tag is 0.

fmayer marked an inline comment as done.Oct 27 2021, 7:21 PM

This revision was landed with ongoing or failed builds.Oct 27 2021, 7:31 PM

Closed by commit rGdd943ebc6d2e: [hwasan] print exact mismatch offset for short granules. (authored by fmayer). · Explain Why

This revision was automatically updated to reflect the committed changes.

fmayer added a commit: rGdd943ebc6d2e: [hwasan] print exact mismatch offset for short granules..

Harbormaster completed remote builds in B131105: Diff 382887.Oct 27 2021, 7:41 PM

Diff 382888

compiler-rt/lib/hwasan/hwasan_report.cpp

Show First 20 Lines • Show All 699 Lines • ▼ Show 20 Lines	void ReportTagMismatch(StackTrace *stack, uptr tagged_addr, uptr access_size,
tag_t *tag_ptr =		tag_t *tag_ptr =
reinterpret_cast<tag_t *>(MemToShadow(untagged_addr + offset));		reinterpret_cast<tag_t *>(MemToShadow(untagged_addr + offset));
tag_t mem_tag = *tag_ptr;		tag_t mem_tag = *tag_ptr;

Printf("%s", d.Access());		Printf("%s", d.Access());
Printf("%s of size %zu at %p tags: %02x/%02x (ptr/mem) in thread T%zd\n",		Printf("%s of size %zu at %p tags: %02x/%02x (ptr/mem) in thread T%zd\n",
is_store ? "WRITE" : "READ", access_size, untagged_addr, ptr_tag,		is_store ? "WRITE" : "READ", access_size, untagged_addr, ptr_tag,
mem_tag, t->unique_id());		mem_tag, t->unique_id());
		if (mem_tag && mem_tag < kShadowAlignment) {
		tag_t granule_ptr = reinterpret_cast<tag_t >((untagged_addr + offset) &
		eugenisUnsubmitted Done Reply Inline Actions call it "granule_ptr" or something like that. eugenis: call it "granule_ptr" or something like that.
		~(kShadowAlignment - 1));
		eugenisUnsubmitted Done Reply Inline Actions Is this really different from ShadowToMem(tag_ptr) ? If you prefer this form, please put (untagged_addr + offset) in brackets to make operator precedence clear. But if I read __hwasan_test_shadow correctly, (untagged_addr + offset) must be granule-aligned already. eugenis: Is this really different from ShadowToMem(tag_ptr) ? If you prefer this form, please put…
		fmayerAuthorUnsubmitted Done Reply Inline Actions Is this really different from ShadowToMem(tag_ptr) ? I wrote it this way so it's easy to see I am separating the low from the high bits from this and the line below. If you prefer this form, please put (untagged_addr + offset) in brackets to make operator precedence clear. Done. But if I read __hwasan_test_shadow correctly, (untagged_addr + offset) must be granule-aligned already. There is the edge case where offset == 0, then untagged_addr + offset is not necessarily aligned. I added more test cases to cover both the aligned and non-aligned scenarios. fmayer: > Is this really different from ShadowToMem(tag_ptr) ? I wrote it this way so it's easy to see…
		// If offset is 0, (untagged_addr + offset) is not aligned to granules.
		// This is the offset of the leftmost accessed byte within the bad granule.
		u8 in_granule_offset = (untagged_addr + offset) & (kShadowAlignment - 1);
		eugenisUnsubmitted Done Reply Inline Actions "this is the offset of the leftmost accessed byte within the bad granule" or something more literate. I.e. it's not the bad address, it's the start of the accessed ranged clamped to the granule bounds. eugenis: "this is the offset of the leftmost accessed byte within the bad granule" or something more…
		// The first mismatch was a short granule that matched the ptr_tag.
		if (granule_ptr[kShadowAlignment - 1] == ptr_tag) {
		// If the access starts after the end of the short granule, then the first
		eugenisUnsubmitted Done Reply Inline Actions This line assumes that the first bad access has to be 1 byte past the end. What if ex. the short granule is 5 byte in size, and the access is for offsets [10, 12) ? eugenis: This line assumes that the first bad access has to be 1 byte past the end. What if ex. the…
		// bad byte is the first byte of the access; otherwise it is the first
		// byte past the end of the short granule
		eugenisUnsubmitted Done Reply Inline Actions "if the access starts after the end of the short granule, then the first bad byte is the first byte of the access; otherwise it is the first byte past the end of the short granule" or something like that in your own words. This is not really obvious from the code. eugenis: "if the access starts after the end of the short granule, then the first bad byte is the first…
		if (mem_tag > in_granule_offset) {
		offset += mem_tag - in_granule_offset;
		}
		}
		}
if (offset != 0)		if (offset != 0)
Printf("Invalid access starting at offset [%zu, %zu)\n", offset,		Printf("Invalid access starting at offset %zu\n", offset);
Min(access_size, static_cast<uptr>(offset) + (1 << kShadowScale)));
Printf("%s", d.Default());		Printf("%s", d.Default());

stack->Print();		stack->Print();

PrintAddressDescription(tagged_addr, access_size,		PrintAddressDescription(tagged_addr, access_size,
current_stack_allocations.get());		current_stack_allocations.get());
t->Announce();		t->Announce();

▲ Show 20 Lines • Show All 42 Lines • Show Last 20 Lines

compiler-rt/test/hwasan/TestCases/heap-buffer-overflow-into.c

	// RUN: %clang_hwasan %s -o %t			// RUN: %clang_hwasan %s -o %t
	// RUN: not %run %t 2>&1 \| FileCheck %s --check-prefix=CHECK			// RUN: not %run %t 5 10 2>&1 \| FileCheck %s --check-prefix=CHECK5
				// RUN: not %run %t 7 10 2>&1 \| FileCheck %s --check-prefix=CHECK7
				// RUN: not %run %t 8 20 2>&1 \| FileCheck %s --check-prefix=CHECK8
				// RUN: not %run %t 32 20 2>&1 \| FileCheck %s --check-prefix=CHECK32

	// REQUIRES: stable-runtime			// REQUIRES: stable-runtime

	#include <sanitizer/hwasan_interface.h>			#include <sanitizer/hwasan_interface.h>
	#include <stdio.h>			#include <stdio.h>
	#include <stdlib.h>			#include <stdlib.h>
	#include <string.h>			#include <string.h>

	int main(int argc, char **argv) {			int main(int argc, char **argv) {
	__hwasan_enable_allocator_tagging();			__hwasan_enable_allocator_tagging();
	char volatile x = (char )malloc(10);			if (argc < 2) {
				eugenisUnsubmitted Done Reply Inline Actions why offset 10 and not 5? eugenis: why offset 10 and not 5?
				fmayerAuthorUnsubmitted Done Reply Inline Actions The first 5 bytes, [5, 10) are the valid access, and the invalid one is [10, 26). fmayer: The first 5 bytes, [5, 10) are the valid access, and the invalid one is [10, 26).
				fmayerAuthorUnsubmitted Done Reply Inline Actions Sorry, my mistake, replied too fast. Will look tomorrow. fmayer: Sorry, my mistake, replied too fast. Will look tomorrow.
				fmayerAuthorUnsubmitted Done Reply Inline Actions Fixed. Sorry about that, added second test as well. fmayer: Fixed. Sorry about that, added second test as well.
	memset(x + 5, 0, 26);			fprintf(stderr, "Invalid number of arguments.");
	// CHECK: is located 5 bytes inside 10-byte region			abort();
				}
				int read_offset = argc < 2 ? 5 : atoi(argv[1]);
				int size = argc < 3 ? 10 : atoi(argv[2]);
				char volatile x = (char )malloc(size);
				memset(x + read_offset, 0, 26);
				eugenisUnsubmitted Done Reply Inline Actions I was really confused why the size is 10 until I realized that in "%t 5 2>&1" 2 is the file descriptor and not the argument. Please make all arguments explicit in the command lines and remove the argc checks (or rather turn them into asserts). eugenis: I was really confused why the size is 10 until I realized that in "%t 5 2>&1" 2 is the file…
				// CHECK5: Invalid access starting at offset 5
				// CHECK5: is located 5 bytes inside 10-byte region
				// CHECK7: Invalid access starting at offset 3
				// CHECK7: is located 7 bytes inside 10-byte region
				// CHECK8: Invalid access starting at offset 12
				// CHECK8: is located 8 bytes inside 20-byte region
				// CHECK32: is located 12 bytes to the right of 20-byte region
	free(x);			free(x);
	}			}

compiler-rt/test/hwasan/TestCases/heap-buffer-overflow.c

	Show First 20 Lines • Show All 52 Lines • ▼ Show 20 Lines
	// CHECKMm30: Cause: heap-buffer-overflow			// CHECKMm30: Cause: heap-buffer-overflow
	// CHECKMm30: is located 30 bytes to the left of 1000000-byte region			// CHECKMm30: is located 30 bytes to the left of 1000000-byte region
	//			//
	// CHECKM: is a large allocated heap chunk; size: 1003520 offset: 1000000			// CHECKM: is a large allocated heap chunk; size: 1003520 offset: 1000000
	// CHECKM: Cause: heap-buffer-overflow			// CHECKM: Cause: heap-buffer-overflow
	// CHECKM: is located 0 bytes to the right of 1000000-byte region			// CHECKM: is located 0 bytes to the right of 1000000-byte region
	//			//
	// CHECK31: tags: [[TAG:..]]/0e (ptr/mem)			// CHECK31: tags: [[TAG:..]]/0e (ptr/mem)
				// CHECK31-NOT: Invalid access starting at offset
	// CHECK31: Cause: heap-buffer-overflow			// CHECK31: Cause: heap-buffer-overflow
	// CHECK31: is located 1 bytes to the right of 30-byte region			// CHECK31: is located 1 bytes to the right of 30-byte region
	// CHECK31: Memory tags around the buggy address			// CHECK31: Memory tags around the buggy address
	// CHECK31: [0e]			// CHECK31: [0e]
	// CHECK31: Tags for short granules around the buggy address			// CHECK31: Tags for short granules around the buggy address
	// CHECK31: {{\[}}[[TAG]]]			// CHECK31: {{\[}}[[TAG]]]
	//			//
				// CHECK20-NOT: Invalid access starting at offset
	// CHECK20: Cause: heap-buffer-overflow			// CHECK20: Cause: heap-buffer-overflow
	// CHECK20: is located 10 bytes to the right of 20-byte region [0x{{.}}0,0x{{.}}4)			// CHECK20: is located 10 bytes to the right of 20-byte region [0x{{.}}0,0x{{.}}4)
	free(x);			free(x);
	}			}

compiler-rt/test/hwasan/TestCases/mem-intrinsics.c

	Show All 17 Lines
	#elif TEST_NO == 2			#elif TEST_NO == 2
	memmove(Q, Q + 16, 16);			memmove(Q, Q + 16, 16);
	#elif TEST_NO == 3			#elif TEST_NO == 3
	memcpy(Q, P, 32);			memcpy(Q, P, 32);
	#endif			#endif
	write(STDOUT_FILENO, "recovered\n", 10);			write(STDOUT_FILENO, "recovered\n", 10);
	// WRITE: ERROR: HWAddressSanitizer: tag-mismatch on address			// WRITE: ERROR: HWAddressSanitizer: tag-mismatch on address
	// WRITE: WRITE of size 32 at {{.*}} tags: [[PTR_TAG:..]]/[[MEM_TAG:..]] (ptr/mem)			// WRITE: WRITE of size 32 at {{.*}} tags: [[PTR_TAG:..]]/[[MEM_TAG:..]] (ptr/mem)
	// WRITE: Invalid access starting at offset [16, 32)			// WRITE: Invalid access starting at offset 16
	// WRITE: Memory tags around the buggy address (one tag corresponds to 16 bytes):			// WRITE: Memory tags around the buggy address (one tag corresponds to 16 bytes):
	// WRITE: =>{{.*}}[[PTR_TAG]]{{[[:space:]]\[}}[[MEM_TAG]]			// WRITE: =>{{.*}}[[PTR_TAG]]{{[[:space:]]\[}}[[MEM_TAG]]
	// WRITE-NOT: recovered			// WRITE-NOT: recovered

	// READ: ERROR: HWAddressSanitizer: tag-mismatch on address			// READ: ERROR: HWAddressSanitizer: tag-mismatch on address
	// READ-NOT: Invalid access starting at offset			// READ-NOT: Invalid access starting at offset
	// READ: READ {{.*}} tags: [[PTR_TAG:..]]/[[MEM_TAG:..]] (ptr/mem)			// READ: READ {{.*}} tags: [[PTR_TAG:..]]/[[MEM_TAG:..]] (ptr/mem)
	// READ: Memory tags around the buggy address (one tag corresponds to 16 bytes):			// READ: Memory tags around the buggy address (one tag corresponds to 16 bytes):
	// READ: =>{{.*}}[[PTR_TAG]]{{[[:space:]]\[}}[[MEM_TAG]]			// READ: =>{{.*}}[[PTR_TAG]]{{[[:space:]]\[}}[[MEM_TAG]]
	// READ-NOT: recovered			// READ-NOT: recovered

	// RECOVER: recovered			// RECOVER: recovered
	return 0;			return 0;
	}			}

This is an archive of the discontinued LLVM Phabricator instance.

[hwasan] print exact mismatch offset for short granules.
ClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 382888

compiler-rt/lib/hwasan/hwasan_report.cpp

compiler-rt/test/hwasan/TestCases/heap-buffer-overflow-into.c

compiler-rt/test/hwasan/TestCases/heap-buffer-overflow.c

compiler-rt/test/hwasan/TestCases/mem-intrinsics.c

This is an archive of the discontinued LLVM Phabricator instance.

[hwasan] print exact mismatch offset for short granules.ClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 382888

compiler-rt/lib/hwasan/hwasan_report.cpp

compiler-rt/test/hwasan/TestCases/heap-buffer-overflow-into.c

compiler-rt/test/hwasan/TestCases/heap-buffer-overflow.c

compiler-rt/test/hwasan/TestCases/mem-intrinsics.c

[hwasan] print exact mismatch offset for short granules.
ClosedPublic