This is an archive of the discontinued LLVM Phabricator instance.

Differential D105032

[hwasan] Check for overflow when searching candidates.
ClosedPublic

Authored by fmayer on Jun 28 2021, 7:35 AM.

Details

Reviewers
eugenis
Commits
rGa0b1f3aac57a: [hwasan] Check for overflow when searching candidates.
Summary

If the fault address is at the boundary of memory regions, this could
cause us to segfault otherwise.

Ran test with old compiler_rt to make sure it fails.

Diff Detail

Event Timeline

fmayer requested review of this revision.Jun 28 2021, 7:35 AM
fmayer created this revision.
Herald added a project: Restricted Project. · View Herald TranscriptJun 28 2021, 7:35 AM
Herald added a subscriber: Restricted Project. · View Herald Transcript
Harbormaster completed remote builds in B111291: Diff 354898.Jun 28 2021, 8:12 AM
eugenis added inline comments.Jun 29 2021, 3:16 PM
compiler-rt/lib/hwasan/hwasan_report.cpp
299

There is MemIsApp in hwasan_linux.cpp. Rename this one to MemIsShadow, and maybe move both definitions to hwasan_mapping.h.

300

kLowShadowEnd and kHighShadowEnd are inclusive - a bit unusual but consider that on 32-bit (in other sanitizers) ex. kHighMemEnd may be 0xffffffff, and kHighMemEnd+1 is not representable in uptr.

fmayer updated this revision to Diff 355498.Jun 30 2021, 3:38 AM
fmayer marked an inline comment as done.

Rename & move IsShadow(...)

fmayer marked an inline comment as done.Jun 30 2021, 3:40 AM
fmayer added inline comments.
compiler-rt/lib/hwasan/hwasan_report.cpp
299

Left MemIsApp in the old place, as it uses a function defined in hwasan.h, which I guess is the reason it is there in the first place.

fmayer marked an inline comment as done.Jun 30 2021, 3:42 AM
Harbormaster completed remote builds in B111718: Diff 355498.Jun 30 2021, 4:05 AM
eugenis accepted this revision.Jun 30 2021, 1:16 PM

LGTM

This revision is now accepted and ready to land.Jun 30 2021, 1:16 PM
Closed by commit rGa0b1f3aac57a: [hwasan] Check for overflow when searching candidates. (authored by fmayer). · Explain WhyJul 6 2021, 3:22 AM
This revision was automatically updated to reflect the committed changes.
fmayer added a commit: rGa0b1f3aac57a: [hwasan] Check for overflow when searching candidates..

Revision Contents

PathSize
compiler-rt/
lib/
hwasan/
5 lines
6 lines
test/
hwasan/
TestCases/
30 lines

Diff 356658

compiler-rt/lib/hwasan/hwasan_mapping.h

Show First 20 LinesShow All 59 Lines▼ Show 20 Linesinline uptr ShadowToMem(uptr shadow_addr) {
return (shadow_addr - GetShadowOffset()) << kShadowScale; return (shadow_addr - GetShadowOffset()) << kShadowScale;
} }
inline uptr MemToShadowSize(uptr size) { inline uptr MemToShadowSize(uptr size) {
return size >> kShadowScale; return size >> kShadowScale;
} }
bool MemIsApp(uptr p); bool MemIsApp(uptr p);
inline bool MemIsShadow(uptr p) {
return (kLowShadowStart <= p && p <= kLowShadowEnd) ||
(kHighShadowStart <= p && p <= kHighShadowEnd);
}
} // namespace __hwasan } // namespace __hwasan
#endif // HWASAN_MAPPING_H #endif // HWASAN_MAPPING_H

compiler-rt/lib/hwasan/hwasan_report.cpp

Show First 20 LinesShow All 290 Lines▼ Show 20 Linesstatic uptr GetGlobalSizeFromDescriptor(uptr ptr) {
for (const hwasan_global &global : for (const hwasan_global &global :
HwasanGlobalsFor(load_bias, phdr_begin, ehdr->e_phnum)) HwasanGlobalsFor(load_bias, phdr_begin, ehdr->e_phnum))
if (global.addr() <= ptr && ptr < global.addr() + global.size()) if (global.addr() <= ptr && ptr < global.addr() + global.size())
return global.size(); return global.size();
return 0; return 0;
} }
static void ShowCandidate(uptr untagged_addr, tag_t *candidate, tag_t *left, static void ShowCandidate(uptr untagged_addr, tag_t *candidate, tag_t *left,
eugenisUnsubmitted
Done
ReplyInline Actions

There is MemIsApp in hwasan_linux.cpp. Rename this one to MemIsShadow, and maybe move both definitions to hwasan_mapping.h.

eugenis: There is MemIsApp in hwasan_linux.cpp. Rename this one to MemIsShadow, and maybe move both…
fmayerAuthorUnsubmitted
Done
ReplyInline Actions

Left MemIsApp in the old place, as it uses a function defined in hwasan.h, which I guess is the reason it is there in the first place.

fmayer: Left MemIsApp in the old place, as it uses a function defined in hwasan.h, which I guess is the…
tag_t *right) { tag_t *right) {
eugenisUnsubmitted
Done
ReplyInline Actions

kLowShadowEnd and kHighShadowEnd are inclusive - a bit unusual but consider that on 32-bit (in other sanitizers) ex. kHighMemEnd may be 0xffffffff, and kHighMemEnd+1 is not representable in uptr.

eugenis: kLowShadowEnd and kHighShadowEnd are inclusive - a bit unusual but consider that on 32-bit (in…
Decorator d; Decorator d;
uptr mem = ShadowToMem(reinterpret_cast<uptr>(candidate)); uptr mem = ShadowToMem(reinterpret_cast<uptr>(candidate));
HwasanChunkView chunk = FindHeapChunkByAddress(mem); HwasanChunkView chunk = FindHeapChunkByAddress(mem);
if (chunk.IsAllocated()) { if (chunk.IsAllocated()) {
uptr offset; uptr offset;
const char *whence; const char *whence;
if (untagged_addr < chunk.End() && untagged_addr >= chunk.Beg()) { if (untagged_addr < chunk.End() && untagged_addr >= chunk.Beg()) {
offset = untagged_addr - chunk.Beg(); offset = untagged_addr - chunk.Beg();
▲ Show 20 LinesShow All 81 Lines▼ Show 20 Linesvoid PrintAddressDescription(
// the shadow left and right and looking for the first adjacent // the shadow left and right and looking for the first adjacent
// object with a different memory tag. If that tag matches addr_tag, // object with a different memory tag. If that tag matches addr_tag,
// check the allocator if it has a live chunk there. // check the allocator if it has a live chunk there.
tag_t addr_tag = GetTagFromPointer(tagged_addr); tag_t addr_tag = GetTagFromPointer(tagged_addr);
tag_t *tag_ptr = reinterpret_cast<tag_t*>(MemToShadow(untagged_addr)); tag_t *tag_ptr = reinterpret_cast<tag_t*>(MemToShadow(untagged_addr));
tag_t *candidate = nullptr, *left = tag_ptr, *right = tag_ptr; tag_t *candidate = nullptr, *left = tag_ptr, *right = tag_ptr;
uptr candidate_distance = 0; uptr candidate_distance = 0;
for (; candidate_distance < 1000; candidate_distance++) { for (; candidate_distance < 1000; candidate_distance++) {
if (TagsEqual(addr_tag, left)) { if (MemIsShadow(reinterpret_cast<uptr>(left)) &&
TagsEqual(addr_tag, left)) {
candidate = left; candidate = left;
break; break;
} }
--left; --left;
if (TagsEqual(addr_tag, right)) { if (MemIsShadow(reinterpret_cast<uptr>(right)) &&
TagsEqual(addr_tag, right)) {
candidate = right; candidate = right;
break; break;
} }
++right; ++right;
} }
constexpr auto kCloseCandidateDistance = 1; constexpr auto kCloseCandidateDistance = 1;
▲ Show 20 LinesShow All 306 LinesShow Last 20 Lines

compiler-rt/test/hwasan/TestCases/tag-mismatch-border-address.c

  • This file was added.
// Make sure we do not segfault when checking an address close to kLowMemEnd.
// RUN: %clang_hwasan %s -o %t
// RUN: not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK
// REQUIRES: stable-runtime
// REQUIRES: aarch64-target-arch
#include <sanitizer/hwasan_interface.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
static volatile char sink;
extern void *__hwasan_shadow_memory_dynamic_address;
int main(int argc, char **argv) {
void *high_addr = (char *)__hwasan_shadow_memory_dynamic_address - 0x1000;
void *r = mmap(high_addr, 4096, PROT_READ, MAP_FIXED | MAP_ANON | MAP_PRIVATE,
-1, 0);
if (r == MAP_FAILED) {
fprintf(stderr, "Failed to mmap\n");
abort();
}
volatile char *x = (char *)__hwasan_tag_pointer(r, 4);
sink = *x;
}
// CHECK-NOT: Failed to mmap
// CHECK-NOT: Segmentation fault
// CHECK-NOT: SEGV