This is an archive of the discontinued LLVM Phabricator instance.

Differential D107577

[hwasan] Add report for wild frees.
ClosedPublic

Authored by fmayer on Aug 5 2021, 9:06 AM.

Details

Reviewers
pcc
eugenis
Commits
rGbae9527c2044: [hwasan] Add report for wild frees.

Diff Detail

Event Timeline

fmayer updated this revision to Diff 364503.Aug 5 2021, 9:06 AM
fmayer created this revision.

cosmetic change

fmayer updated this revision to Diff 364510.Aug 5 2021, 9:31 AM

rebase

fmayer published this revision for review.Aug 5 2021, 9:31 AM
fmayer added a parent revision: D107578: [hwasan] State correct PC in first error message..
fmayer added a reviewer: pcc.
Herald added a project: Restricted Project. · View Herald TranscriptAug 5 2021, 9:32 AM
Herald added a subscriber: Restricted Project. · View Herald Transcript
fmayer updated this revision to Diff 364520.Aug 5 2021, 9:46 AM

rebase

fmayer updated this revision to Diff 364531.Aug 5 2021, 10:14 AM

also cover realloc

Harbormaster completed remote builds in B118204: Diff 364531.Aug 5 2021, 10:37 AM
eugenis added a subscriber: eugenis.Aug 9 2021, 2:30 PM

From the user PoV, wild-free is not different from invalid-free, and the extra info in the invalid-free reports helps. It's useful to know that the bad free-ed pointer is actually a stack pointer, or maybe a valid heap pointer + 4 bytes, or something like that.

If the concern is with the shadow access in ReportInvalidFree overflowing, that can be checked.

fmayer updated this revision to Diff 365724.Aug 11 2021, 5:17 AM

report wild free as invalid free.

fmayer updated this revision to Diff 365725.Aug 11 2021, 5:18 AM

add test case for free() on shadow memory.

fmayer added a comment.Aug 11 2021, 5:21 AM
In D107577#2935501, @eugenis wrote:

From the user PoV, wild-free is not different from invalid-free, and the extra info in the invalid-free reports helps. It's useful to know that the bad free-ed pointer is actually a stack pointer, or maybe a valid heap pointer + 4 bytes, or something like that.

If the concern is with the shadow access in ReportInvalidFree overflowing, that can be checked.

Done.

fmayer updated this revision to Diff 365726.Aug 11 2021, 5:28 AM

simplify condition

Harbormaster completed remote builds in B119055: Diff 365726.Aug 11 2021, 5:58 AM
eugenis added a comment.Aug 11 2021, 3:10 PM

Add a test case for something like free(malloc() + 4) - it should include the original allocation info.

compiler-rt/lib/hwasan/hwasan_allocator.cpp
214

Merge this with the previous if() block.

compiler-rt/lib/hwasan/hwasan_checks.h
70 ↗(On Diff #365726)

Why? This is implied by the following check.

fmayer updated this revision to Diff 366013.Aug 12 2021, 9:03 AM
fmayer marked 2 inline comments as done.

address comments

fmayer added a comment.Aug 12 2021, 9:04 AM
In D107577#2940461, @eugenis wrote:

Add a test case for something like free(malloc() + 4) - it should include the original allocation info.

Thanks! Added test and fixed division by null triggered by this.

compiler-rt/lib/hwasan/hwasan_checks.h
70 ↗(On Diff #365726)

Ah yes of course, with sz > 0 you are correct.

This was to make sure we don't try to access memory that's not mapped (so it should not have shadow memory).

Harbormaster completed remote builds in B119272: Diff 366013.Aug 12 2021, 9:44 AM
eugenis accepted this revision.Aug 12 2021, 3:26 PM

LGTM

This revision is now accepted and ready to land.Aug 12 2021, 3:26 PM
This revision was landed with ongoing or failed builds.Aug 13 2021, 1:05 AM
Closed by commit rGbae9527c2044: [hwasan] Add report for wild frees. (authored by fmayer). · Explain Why
This revision was automatically updated to reflect the committed changes.
fmayer added a commit: rGbae9527c2044: [hwasan] Add report for wild frees..
hctim added a subscriber: hctim.Aug 18 2021, 10:33 AM
hctim added inline comments.
compiler-rt/lib/hwasan/hwasan_allocator.cpp
207

This is now an mmap -> copy of secondary metadata -> O(n) walk of the secondary on each secondary-deallocation.

For performance reasons, I think we should only do this for the primary (guard with allocator.FromPrimary(..)). Secondary invalid-free is possible, but requires some changes to the secondary allocator itself.

Revision Contents

PathSize
compiler-rt/
lib/
hwasan/
9 lines
2 lines
14 lines
test/
hwasan/
TestCases/
15 lines

Diff 364520

compiler-rt/lib/hwasan/hwasan_allocator.cpp

Show First 20 LinesShow All 198 Lines▼ Show 20 Linesstatic bool PointerAndMemoryTagsMatch(void *tagged_ptr) {
tag_t mem_tag = *reinterpret_cast<tag_t *>( tag_t mem_tag = *reinterpret_cast<tag_t *>(
MemToShadow(reinterpret_cast<uptr>(UntagPtr(tagged_ptr)))); MemToShadow(reinterpret_cast<uptr>(UntagPtr(tagged_ptr))));
return PossiblyShortTagMatches(mem_tag, tagged_uptr, 1); return PossiblyShortTagMatches(mem_tag, tagged_uptr, 1);
} }
static void HwasanDeallocate(StackTrace *stack, void *tagged_ptr) { static void HwasanDeallocate(StackTrace *stack, void *tagged_ptr) {
CHECK(tagged_ptr); CHECK(tagged_ptr);
HWASAN_FREE_HOOK(tagged_ptr); HWASAN_FREE_HOOK(tagged_ptr);
void *untagged_ptr = InTaggableRegion(reinterpret_cast<uptr>(tagged_ptr))
hctimUnsubmitted
Not Done
ReplyInline Actions

This is now an mmap -> copy of secondary metadata -> O(n) walk of the secondary on each secondary-deallocation.

For performance reasons, I think we should only do this for the primary (guard with allocator.FromPrimary(..)). Secondary invalid-free is possible, but requires some changes to the secondary allocator itself.

hctim: This is now an mmap -> copy of secondary metadata -> O(n) walk of the secondary on each…
? UntagPtr(tagged_ptr)
: tagged_ptr;
if (!allocator.PointerIsMine(untagged_ptr))
ReportWildFree(stack,
reinterpret_cast<uptr>(untagged_ptr)); // does not return.
if (!PointerAndMemoryTagsMatch(tagged_ptr)) if (!PointerAndMemoryTagsMatch(tagged_ptr))
eugenisUnsubmitted
Done
ReplyInline Actions

Merge this with the previous if() block.

eugenis: Merge this with the previous if() block.
ReportInvalidFree(stack, reinterpret_cast<uptr>(tagged_ptr)); ReportInvalidFree(stack, reinterpret_cast<uptr>(tagged_ptr));
void *untagged_ptr = InTaggableRegion(reinterpret_cast<uptr>(tagged_ptr))
? UntagPtr(tagged_ptr)
: tagged_ptr;
void *aligned_ptr = reinterpret_cast<void *>( void *aligned_ptr = reinterpret_cast<void *>(
RoundDownTo(reinterpret_cast<uptr>(untagged_ptr), kShadowAlignment)); RoundDownTo(reinterpret_cast<uptr>(untagged_ptr), kShadowAlignment));
tag_t pointer_tag = GetTagFromPointer(reinterpret_cast<uptr>(tagged_ptr)); tag_t pointer_tag = GetTagFromPointer(reinterpret_cast<uptr>(tagged_ptr));
Metadata *meta = Metadata *meta =
reinterpret_cast<Metadata *>(allocator.GetMetaData(aligned_ptr)); reinterpret_cast<Metadata *>(allocator.GetMetaData(aligned_ptr));
uptr orig_size = meta->get_requested_size(); uptr orig_size = meta->get_requested_size();
u32 free_context_id = StackDepotPut(*stack); u32 free_context_id = StackDepotPut(*stack);
u32 alloc_context_id = meta->alloc_context_id; u32 alloc_context_id = meta->alloc_context_id;
▲ Show 20 LinesShow All 228 LinesShow Last 20 Lines

compiler-rt/lib/hwasan/hwasan_report.h

Show All 22 Lines
void ReportStats(); void ReportStats();
void ReportTagMismatch(StackTrace *stack, uptr addr, uptr access_size, void ReportTagMismatch(StackTrace *stack, uptr addr, uptr access_size,
bool is_store, bool fatal, uptr *registers_frame); bool is_store, bool fatal, uptr *registers_frame);
void ReportInvalidFree(StackTrace *stack, uptr addr); void ReportInvalidFree(StackTrace *stack, uptr addr);
void ReportTailOverwritten(StackTrace *stack, uptr addr, uptr orig_size, void ReportTailOverwritten(StackTrace *stack, uptr addr, uptr orig_size,
const u8 *expected); const u8 *expected);
void ReportRegisters(uptr *registers_frame, uptr pc); void ReportRegisters(uptr *registers_frame, uptr pc);
void ReportAtExitStatistics(); void ReportAtExitStatistics();
void ReportWildFree(StackTrace *stack, uptr addr);
} // namespace __hwasan } // namespace __hwasan
#endif // HWASAN_REPORT_H #endif // HWASAN_REPORT_H

compiler-rt/lib/hwasan/hwasan_report.cpp

Show First 20 LinesShow All 722 Lines▼ Show 20 Linesvoid ReportRegisters(uptr *frame, uptr pc) {
Printf(" x24 %016llx x25 %016llx x26 %016llx x27 %016llx\n", Printf(" x24 %016llx x25 %016llx x26 %016llx x27 %016llx\n",
frame[24], frame[25], frame[26], frame[27]); frame[24], frame[25], frame[26], frame[27]);
// hwasan_check* reduces the stack pointer by 256, then __hwasan_tag_mismatch // hwasan_check* reduces the stack pointer by 256, then __hwasan_tag_mismatch
// passes it to this function. // passes it to this function.
Printf(" x28 %016llx x29 %016llx x30 %016llx sp %016llx\n", frame[28], Printf(" x28 %016llx x29 %016llx x30 %016llx sp %016llx\n", frame[28],
frame[29], frame[30], reinterpret_cast<u8 *>(frame) + 256); frame[29], frame[30], reinterpret_cast<u8 *>(frame) + 256);
} }
void ReportWildFree(StackTrace *stack, uptr untagged_addr) {
ScopedReport report(/*fatal=*/true);
uptr pc = GetTopPc(stack);
const Thread *thread = GetCurrentThread();
if (thread) {
Report("ERROR: %s: wild-free on address %p at pc %p on thread T%zd\n",
SanitizerToolName, untagged_addr, pc, thread->unique_id());
} else {
Report("ERROR: %s: wild-free on address %p at pc %p on unknown thread\n",
SanitizerToolName, untagged_addr, pc);
}
stack->Print();
}
} // namespace __hwasan } // namespace __hwasan
void __hwasan_set_error_report_callback(void (*callback)(const char *)) { void __hwasan_set_error_report_callback(void (*callback)(const char *)) {
__hwasan::ScopedReport::SetErrorReportCallback(callback); __hwasan::ScopedReport::SetErrorReportCallback(callback);
} }

compiler-rt/test/hwasan/TestCases/wild-free.c

  • This file was added.
// RUN: %clang_hwasan %s -o %t && not %run %t 2>&1 | FileCheck %s
// REQUIRES: stable-runtime
#include <stdlib.h>
int main() {
char *p = (char *)malloc(1);
free(p + 0x10000000000);
// CHECK: ERROR: HWAddressSanitizer: wild-free on address {{.*}} at pc {{[0x]+}}[[PC:.*]] on thread T{{[0-9]+}}
// CHECK: #0 {{[0x]+}}{{.*}}[[PC]] in free
// CHECK: #1 {{.*}} in main {{.*}}wild-free.c:[[@LINE-3]]
// CHECK-NOT: Segmentation fault
// CHECK-NOT: SIGSEGV
return 0;
}