This is an archive of the discontinued LLVM Phabricator instance.

[hwasan] Add report for wild frees.
ClosedPublic

Authored by fmayer on Aug 5 2021, 9:06 AM.

Diff Detail

Event Timeline

fmayer updated this revision to Diff 364503.Aug 5 2021, 9:06 AM
fmayer created this revision.

cosmetic change

fmayer published this revision for review.Aug 5 2021, 9:31 AM
fmayer added a reviewer: pcc.
Herald added a project: Restricted Project. · View Herald TranscriptAug 5 2021, 9:32 AM
Herald added a subscriber: Restricted Project. · View Herald Transcript
fmayer updated this revision to Diff 364531.Aug 5 2021, 10:14 AM

also cover realloc

eugenis added a subscriber: eugenis.Aug 9 2021, 2:30 PM

From the user PoV, wild-free is not different from invalid-free, and the extra info in the invalid-free reports helps. It's useful to know that the bad free-ed pointer is actually a stack pointer, or maybe a valid heap pointer + 4 bytes, or something like that.

If the concern is with the shadow access in ReportInvalidFree overflowing, that can be checked.

fmayer updated this revision to Diff 365724.Aug 11 2021, 5:17 AM

report wild free as invalid free.

fmayer updated this revision to Diff 365725.Aug 11 2021, 5:18 AM

add test case for free() on shadow memory.

From the user PoV, wild-free is not different from invalid-free, and the extra info in the invalid-free reports helps. It's useful to know that the bad free-ed pointer is actually a stack pointer, or maybe a valid heap pointer + 4 bytes, or something like that.

If the concern is with the shadow access in ReportInvalidFree overflowing, that can be checked.

Done.

fmayer updated this revision to Diff 365726.Aug 11 2021, 5:28 AM

simplify condition

Add a test case for something like free(malloc() + 4) - it should include the original allocation info.

compiler-rt/lib/hwasan/hwasan_allocator.cpp
212

Merge this with the previous if() block.

compiler-rt/lib/hwasan/hwasan_checks.h
70

Why? This is implied by the following check.

fmayer updated this revision to Diff 366013.Aug 12 2021, 9:03 AM
fmayer marked 2 inline comments as done.

address comments

Add a test case for something like free(malloc() + 4) - it should include the original allocation info.

Thanks! Added test and fixed division by null triggered by this.

compiler-rt/lib/hwasan/hwasan_checks.h
70

Ah yes of course, with sz > 0 you are correct.

This was to make sure we don't try to access memory that's not mapped (so it should not have shadow memory).

eugenis accepted this revision.Aug 12 2021, 3:26 PM

LGTM

This revision is now accepted and ready to land.Aug 12 2021, 3:26 PM
This revision was landed with ongoing or failed builds.Aug 13 2021, 1:05 AM
This revision was automatically updated to reflect the committed changes.
hctim added a subscriber: hctim.Aug 18 2021, 10:33 AM
hctim added inline comments.
compiler-rt/lib/hwasan/hwasan_allocator.cpp
207

This is now an mmap -> copy of secondary metadata -> O(n) walk of the secondary on each secondary-deallocation.

For performance reasons, I think we should only do this for the primary (guard with allocator.FromPrimary(..)). Secondary invalid-free is possible, but requires some changes to the secondary allocator itself.