This is an archive of the discontinued LLVM Phabricator instance.

Differential D107938

[hwasan] Don't report short-granule shadow as overwritten.
ClosedPublic

Authored by hctim on Aug 11 2021, 5:59 PM.

Details

Reviewers
eugenis
fmayer
Commits
rGfd51ab634143: [hwasan] Don't report short-granule shadow as overwritten.
Summary

The shadow for a short granule is stored in the last byte of the
granule. Currently, if there's a tail-overwrite report (a
buffer-overflow-write in uninstrumented code), we report the shadow byte
as a mismatch against the magic.

Fix this bug by slapping the shadow into the expected value. This also
makes sure that if the uninstrumented WRITE does clobber the shadow
byte, it reports the shadow was actually clobbered as well.

Diff Detail

Event Timeline

hctim requested review of this revision.Aug 11 2021, 5:59 PM
hctim created this revision.
Herald added a project: Restricted Project. · View Herald TranscriptAug 11 2021, 5:59 PM
Herald added a subscriber: Restricted Project. · View Herald Transcript
hctim added inline comments.Aug 11 2021, 6:00 PM
compiler-rt/test/hwasan/TestCases/tail-magic.c
39

(side note, maybe we should add a __hwasan_get_tag() interface function now that it's not just "grab the top byte". this is a nice test hack for now though.)

Harbormaster completed remote builds in B119168: Diff 365884.Aug 11 2021, 6:28 PM
fmayer added a comment.Aug 13 2021, 4:38 AM

Is there any particular reason we need the last byte in the output, even though it doesn't even get compared in the caller? Otherwise it might be cleaner to just propagate the tail_size from the caller.

hctim added a comment.Aug 13 2021, 9:42 AM
In D107938#2943453, @fmayer wrote:

Is there any particular reason we need the last byte in the output, even though it doesn't even get compared in the caller? Otherwise it might be cleaner to just propagate the tail_size from the caller.

An overwrite of the last granule containing the shadow tag can also be reported.

fmayer added a comment.Aug 13 2021, 10:09 AM
In D107938#2943986, @hctim wrote:
In D107938#2943453, @fmayer wrote:

Is there any particular reason we need the last byte in the output, even though it doesn't even get compared in the caller? Otherwise it might be cleaner to just propagate the tail_size from the caller.

An overwrite of the last granule containing the shadow tag can also be reported.

Wouldn't that be reported as a tag mismatch instead?

Maybe I am missing something, but as far as I can tell the only callsite into this is

uptr tail_size = tagged_size - orig_size - 1;
CHECK_LT(tail_size, kShadowAlignment);
void *tail_beg = reinterpret_cast<void *>(
    reinterpret_cast<uptr>(aligned_ptr) + orig_size);
if (tail_size && internal_memcmp(tail_beg, tail_magic, tail_size))
  ReportTailOverwritten(stack, reinterpret_cast<uptr>(tagged_ptr),
                        orig_size, tail_magic);

This doesn't look at the last byte of the tail (actual_expected[tail_size - 1]) that contains the tag for a short granule (because of the -1 in the tail_size computation) at all.

So we only call this function if some other byte of the tail also mismatches.

eugenis accepted this revision.Aug 13 2021, 10:13 AM

LGTM

This revision is now accepted and ready to land.Aug 13 2021, 10:13 AM
eugenis added a comment.Aug 13 2021, 10:18 AM

Right so if the last byte does not match, we would crash earlier with an invalid-free error, I think. So it should match, and then there is no harm in printing it and highlighting any difference.

fmayer added a comment.Aug 13 2021, 10:47 AM
In D107938#2944051, @eugenis wrote:

Right so if the last byte does not match, we would crash earlier with an invalid-free error, I think. So it should match, and then there is no harm in printing it and highlighting any difference.

No strong opinion, I just thought it would make the code a bit simpler without leaving out any information (because by construction the two always match).

hctim added a comment.Aug 13 2021, 10:55 AM
In D107938#2944051, @eugenis wrote:

Right so if the last byte does not match, we would crash earlier with an invalid-free error, I think. So it should match, and then there is no harm in printing it and highlighting any difference.

Overwrite of the short granule only results in invalid free if the allocation only consists a single granule.

In D107938#2944030, @fmayer wrote:

Wouldn't that be reported as a tag mismatch instead?

Only would be caught as a tag mismatch if dereferenced by instrumented code before the free :).

Maybe I am missing something, but as far as I can tell the only callsite into this is

uptr tail_size = tagged_size - orig_size - 1;
CHECK_LT(tail_size, kShadowAlignment);
void *tail_beg = reinterpret_cast<void *>(
    reinterpret_cast<uptr>(aligned_ptr) + orig_size);
if (tail_size && internal_memcmp(tail_beg, tail_magic, tail_size))
  ReportTailOverwritten(stack, reinterpret_cast<uptr>(tagged_ptr),
                        orig_size, tail_magic);

This doesn't look at the last byte of the tail (actual_expected[tail_size - 1]) that contains the tag for a short granule (because of the -1 in the tail_size computation) at all.

So we only call this function if some other byte of the tail also mismatches.

Yeah, this was just a "free reporting" of whether the short granule tag was clobbered by uninstrumented code. In saying that, the change is actually pretty cheap to detect magic-overwrite of only the short granule tag as well.

fmayer added a comment.Aug 13 2021, 11:10 AM
In D107938#2944117, @hctim wrote:
In D107938#2944051, @eugenis wrote:

Right so if the last byte does not match, we would crash earlier with an invalid-free error, I think. So it should match, and then there is no harm in printing it and highlighting any difference.

Overwrite of the short granule only results in invalid free if the allocation only consists a single granule.

In D107938#2944030, @fmayer wrote:

Wouldn't that be reported as a tag mismatch instead?

Only would be caught as a tag mismatch if dereferenced by instrumented code before the free :).

The free does check this, look at CheckInvalidFree.

if (!allocator.PointerIsMine(untagged_ptr) ||
    !PointerAndMemoryTagsMatch(tagged_ptr)) {
  ReportInvalidFree(stack, reinterpret_cast<uptr>(tagged_ptr));
fmayer added a comment.EditedAug 13 2021, 11:13 AM

Overwrite of the short granule only results in invalid free if the allocation only consists a single granule.

Ah, sorry, of course! Then I suggest we change this to also do the correct memcmp in the caller?

So something like internal_memcmp(tail_beg, tail_magic, tail_size) || tail_beg[tail_size] != pointer_tag)

hctim updated this revision to Diff 366328.Aug 13 2021, 11:48 AM

Detect only-short-granule overwrites.

hctim added a comment.Aug 13 2021, 11:48 AM
In D107938#2944136, @fmayer wrote:

Overwrite of the short granule only results in invalid free if the allocation only consists a single granule.

Ah, sorry, of course! Then I suggest we change this to also do the correct memcmp in the caller?

So something like internal_memcmp(tail_beg, tail_magic, tail_size) || tail_beg[tail_size] != pointer_tag)

Roughly speaking, yep :).

fmayer accepted this revision.Aug 13 2021, 11:51 AM

LGTM thanks!

Harbormaster completed remote builds in B119479: Diff 366328.Aug 13 2021, 12:21 PM
Closed by commit rGfd51ab634143: [hwasan] Don't report short-granule shadow as overwritten. (authored by hctim). · Explain WhyAug 18 2021, 11:26 AM
This revision was automatically updated to reflect the committed changes.
hctim added a commit: rGfd51ab634143: [hwasan] Don't report short-granule shadow as overwritten..
zatrazz added a subscriber: zatrazz.Aug 23 2021, 1:48 PM

Hi, I am not 100% sure but it seems to trigger a regression on aarch64 bot [1]. I can reproduce with current master as well:

******************** TEST 'HWAddressSanitizer-aarch64 :: TestCases/Linux/create-thread-stress.cpp' FAILED ********************
Script:
--
: 'RUN: at line 2';      /home/adhemerval.zanella/projects/llvm/llvm-src-build-stage2/./bin/clang  --driver-mode=g++   -Wthread-safety -Wthread-safety-reference -Wthread-safety-beta   -gline-tables-only -fsanitize=hwaddress -fuse-ld=lld -mllvm -hwasan-globals -mllvm -hwasan-use-short-granules -mllvm -hwasan-instrument-landing-pads=0 -mllvm -hwasan-instrument-personality-functions -DREUSE=0 /home/adhemerval.zanella/projects/llvm/llvm-project-git/compiler-rt/test/hwasan/TestCases/Linux/create-thread-stress.cpp -pthread -O2 -o /home/adhemerval.zanella/projects/llvm/llvm-src-build-stage2/projects/compiler-rt/test/hwasan/AARCH64/TestCases/Linux/Output/create-thread-stress.cpp.tmp &&  /home/adhemerval.zanella/projects/llvm/llvm-src-build-stage2/projects/compiler-rt/test/hwasan/AARCH64/TestCases/Linux/Output/create-thread-stress.cpp.tmp 2>&1
: 'RUN: at line 3';      /home/adhemerval.zanella/projects/llvm/llvm-src-build-stage2/./bin/clang  --driver-mode=g++   -Wthread-safety -Wthread-safety-reference -Wthread-safety-beta   -gline-tables-only -fsanitize=hwaddress -fuse-ld=lld -mllvm -hwasan-globals -mllvm -hwasan-use-short-granules -mllvm -hwasan-instrument-landing-pads=0 -mllvm -hwasan-instrument-personality-functions -DREUSE=1 /home/adhemerval.zanella/projects/llvm/llvm-project-git/compiler-rt/test/hwasan/TestCases/Linux/create-thread-stress.cpp -pthread -O2 -o /home/adhemerval.zanella/projects/llvm/llvm-src-build-stage2/projects/compiler-rt/test/hwasan/AARCH64/TestCases/Linux/Output/create-thread-stress.cpp.tmp_reuse &&  /home/adhemerval.zanella/projects/llvm/llvm-src-build-stage2/projects/compiler-rt/test/hwasan/AARCH64/TestCases/Linux/Output/create-thread-stress.cpp.tmp_reuse 2>&1
--
Exit Code: 1

Command Output (stdout):
--
==2654179==ERROR: HWAddressSanitizer: allocation-tail-overwritten; heap object [0xefdeffff0300,0xefdeffff0308) of size 8

Stack of invalid access unknown. Issue detected at deallocation time.
deallocated here:
    #0 0xaaaac4855e74 in operator delete(void*) /home/adhemerval.zanella/projects/llvm/llvm-project-git/compiler-rt/lib/hwasan/hwasan_new_delete.cpp:78:3
    #1 0xaaaac4857890 in deallocate /usr/lib/gcc/aarch64-linux-gnu/10/../../../../include/c++/10/ext/new_allocator.h:133:2
    #2 0xaaaac4857890 in deallocate /usr/lib/gcc/aarch64-linux-gnu/10/../../../../include/c++/10/bits/alloc_traits.h:492:13
    #3 0xaaaac4857890 in _M_deallocate /usr/lib/gcc/aarch64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:354:4
    #4 0xaaaac4857890 in _M_realloc_insert<(lambda at /home/adhemerval.zanella/projects/llvm/llvm-project-git/compiler-rt/test/hwasan/TestCases/Linux/create-thread-stress.cpp:24:28)> /usr/lib/gcc/aarch64-linux-gnu/10/../../../../include/c++/10/bits/vector.tcc:500:7
    #5 0xaaaac4857890 in emplace_back<(lambda at /home/adhemerval.zanella/projects/llvm/llvm-project-git/compiler-rt/test/hwasan/TestCases/Linux/create-thread-stress.cpp:24:28)> /usr/lib/gcc/aarch64-linux-gnu/10/../../../../include/c++/10/bits/vector.tcc:121:4
    #6 0xaaaac4857890 in Thread() /home/adhemerval.zanella/projects/llvm/llvm-project-git/compiler-rt/test/hwasan/TestCases/Linux/create-thread-stress.cpp:24:15
    #7 0xffffa1364c28  (/lib/aarch64-linux-gnu/libstdc++.so.6+0xccc28)
    #8 0xffffa11c34f8 in start_thread /build/glibc-iW00TY/glibc-2.31/nptl/pthread_create.c:477:8
    #9 0xffffa10c9678  /build/glibc-iW00TY/glibc-2.31/misc/../sysdeps/unix/sysv/linux/aarch64/clone.S:78

allocated here:
    #0 0xaaaac4855bc4 in operator new(unsigned long) /home/adhemerval.zanella/projects/llvm/llvm-project-git/compiler-rt/lib/hwasan/hwasan_new_delete.cpp:64:35
    #1 0xaaaac48576ec in allocate /usr/lib/gcc/aarch64-linux-gnu/10/../../../../include/c++/10/ext/new_allocator.h:115:27
    #2 0xaaaac48576ec in allocate /usr/lib/gcc/aarch64-linux-gnu/10/../../../../include/c++/10/bits/alloc_traits.h:460:20
    #3 0xaaaac48576ec in _M_allocate /usr/lib/gcc/aarch64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:346:20
    #4 0xaaaac48576ec in _M_realloc_insert<(lambda at /home/adhemerval.zanella/projects/llvm/llvm-project-git/compiler-rt/test/hwasan/TestCases/Linux/create-thread-stress.cpp:24:28)> /usr/lib/gcc/aarch64-linux-gnu/10/../../../../include/c++/10/bits/vector.tcc:440:33
    #5 0xaaaac48576ec in emplace_back<(lambda at /home/adhemerval.zanella/projects/llvm/llvm-project-git/compiler-rt/test/hwasan/TestCases/Linux/create-thread-stress.cpp:24:28)> /usr/lib/gcc/aarch64-linux-gnu/10/../../../../include/c++/10/bits/vector.tcc:121:4
    #6 0xaaaac48576ec in Thread() /home/adhemerval.zanella/projects/llvm/llvm-project-git/compiler-rt/test/hwasan/TestCases/Linux/create-thread-stress.cpp:24:15
    #7 0xffffa1364c28  (/lib/aarch64-linux-gnu/libstdc++.so.6+0xccc28)
    #8 0xffffa11c34f8 in start_thread /build/glibc-iW00TY/glibc-2.31/nptl/pthread_create.c:477:8
    #9 0xffffa10c9678  /build/glibc-iW00TY/glibc-2.31/misc/../sysdeps/unix/sysv/linux/aarch64/clone.S:78
                                                            ^^ 
This error occurs when a buffer overflow overwrites memory
to the right of a heap object, but within the 16-byte granule, e.g.
   char *x = new char[20];
   x[25] = 42;
HWAddressSanitizer does not detect such bugs in uninstrumented code at the time of write,
but can detect them at the time of free/delete.
To disable this feature set HWASAN_OPTIONS=free_checks_tail_magic=0
Thread: T1 0xeffe00006000 stack: [0xffff9dfb3000,0xffff9e7b21a0) sz: 8384928 tls: [0xffff9e7b21a0,0xffff9e7b3000)
Memory tags around the buggy address (one tag corresponds to 16 bytes):
  0xfefcefffefb0: 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00 
  0xfefcefffefc0: 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00 
  0xfefcefffefd0: 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00 
  0xfefcefffefe0: 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00 
  0xfefcefffeff0: 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00 
  0xfefceffff000: 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00 
  0xfefceffff010: 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00 
  0xfefceffff020: 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00 
=>0xfefceffff030:[00] 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00 
  0xfefceffff040: 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00 
  0xfefceffff050: 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00 
  0xfefceffff060: 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00 
  0xfefceffff070: 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00 
  0xfefceffff080: 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00 
  0xfefceffff090: 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00 
  0xfefceffff0a0: 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00 
  0xfefceffff0b0: 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00 
Tags for short granules around the buggy address (one tag corresponds to 16 bytes):
  0xfefceffff020: ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  .. 
=>0xfefceffff030:[..] ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  .. 
  0xfefceffff040: ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  .. 
See https://clang.llvm.org/docs/HardwareAssistedAddressSanitizerDesign.html#short-granules for a description of short granule tags
SUMMARY: HWAddressSanitizer: allocation-tail-overwritten /home/adhemerval.zanella/projects/llvm/llvm-project-git/compiler-rt/lib/hwasan/hwasan_new_delete.cpp:78:3 in operator delete(void*)
failed at iteration 0 / 20

However I can't reliable reproduce it by issuing the tests command directly, only with 'check-all' with some system load. Any ideas? This test is being triggering the regression for a couple of days.

[1] https://lab.llvm.org/buildbot/#/builders/185/builds/359

hctim added a comment.Aug 23 2021, 2:37 PM

Thanks for the pointer. Not immediately obvious what could cause that breakage. Digging into it now.

hctim added a comment.Aug 23 2021, 4:14 PM

Found the bug:

  1. Allocator tagging is disabled.
  2. void* p = malloc(16); memset(p, 16, 16); free(p); - Allocate and use the full memory. Magic string is still written when allocator tagging is disabled. Magic string does NOT write the last granule tag when allocator tagging is disabled.
  3. void* p = malloc(8); free(p); - Re-use the allocation from #2, but with a short granule. Because allocator tagging is disabled, magic string short granule is the 16 leftover from the previous allocation, which causes magic mismatch.

I'll send a fix ASAP. Might end up being tomorrow morning though.

hctim added a comment.Aug 24 2021, 11:24 AM

Fix sent for review: https://reviews.llvm.org/D108650

Revision Contents

PathSize
compiler-rt/
lib/
hwasan/
17 lines
14 lines
test/
hwasan/
TestCases/
28 lines

Diff 367280

compiler-rt/lib/hwasan/hwasan_allocator.cpp

Show First 20 LinesShow All 213 Lines▼ Show 20 Lines if (!allocator.PointerIsMine(untagged_ptr) ||
return true; return true;
} }
return false; return false;
} }
static void HwasanDeallocate(StackTrace *stack, void *tagged_ptr) { static void HwasanDeallocate(StackTrace *stack, void *tagged_ptr) {
CHECK(tagged_ptr); CHECK(tagged_ptr);
HWASAN_FREE_HOOK(tagged_ptr); HWASAN_FREE_HOOK(tagged_ptr);
void *untagged_ptr = InTaggableRegion(reinterpret_cast<uptr>(tagged_ptr))
? UntagPtr(tagged_ptr) bool in_taggable_region =
: tagged_ptr; InTaggableRegion(reinterpret_cast<uptr>(tagged_ptr));
void *untagged_ptr = in_taggable_region ? UntagPtr(tagged_ptr) : tagged_ptr;
if (CheckInvalidFree(stack, untagged_ptr, tagged_ptr)) if (CheckInvalidFree(stack, untagged_ptr, tagged_ptr))
return; return;
void *aligned_ptr = reinterpret_cast<void *>( void *aligned_ptr = reinterpret_cast<void *>(
RoundDownTo(reinterpret_cast<uptr>(untagged_ptr), kShadowAlignment)); RoundDownTo(reinterpret_cast<uptr>(untagged_ptr), kShadowAlignment));
tag_t pointer_tag = GetTagFromPointer(reinterpret_cast<uptr>(tagged_ptr)); tag_t pointer_tag = GetTagFromPointer(reinterpret_cast<uptr>(tagged_ptr));
Metadata *meta = Metadata *meta =
reinterpret_cast<Metadata *>(allocator.GetMetaData(aligned_ptr)); reinterpret_cast<Metadata *>(allocator.GetMetaData(aligned_ptr));
if (!meta) { if (!meta) {
ReportInvalidFree(stack, reinterpret_cast<uptr>(tagged_ptr)); ReportInvalidFree(stack, reinterpret_cast<uptr>(tagged_ptr));
return; return;
} }
uptr orig_size = meta->get_requested_size(); uptr orig_size = meta->get_requested_size();
u32 free_context_id = StackDepotPut(*stack); u32 free_context_id = StackDepotPut(*stack);
u32 alloc_context_id = meta->alloc_context_id; u32 alloc_context_id = meta->alloc_context_id;
// Check tail magic. // Check tail magic.
uptr tagged_size = TaggedSize(orig_size); uptr tagged_size = TaggedSize(orig_size);
if (flags()->free_checks_tail_magic && orig_size && if (flags()->free_checks_tail_magic && orig_size &&
tagged_size != orig_size) { tagged_size != orig_size) {
uptr tail_size = tagged_size - orig_size - 1; uptr tail_size = tagged_size - orig_size - 1;
CHECK_LT(tail_size, kShadowAlignment); CHECK_LT(tail_size, kShadowAlignment);
void *tail_beg = reinterpret_cast<void *>( void *tail_beg = reinterpret_cast<void *>(
reinterpret_cast<uptr>(aligned_ptr) + orig_size); reinterpret_cast<uptr>(aligned_ptr) + orig_size);
if (tail_size && internal_memcmp(tail_beg, tail_magic, tail_size)) tag_t short_granule_memtag = *(reinterpret_cast<tag_t *>(
reinterpret_cast<uptr>(tail_beg) + tail_size));
if (tail_size &&
(internal_memcmp(tail_beg, tail_magic, tail_size) ||
(in_taggable_region && pointer_tag != short_granule_memtag)))
ReportTailOverwritten(stack, reinterpret_cast<uptr>(tagged_ptr), ReportTailOverwritten(stack, reinterpret_cast<uptr>(tagged_ptr),
orig_size, tail_magic); orig_size, tail_magic);
} }
meta->set_requested_size(0); meta->set_requested_size(0);
meta->alloc_context_id = 0; meta->alloc_context_id = 0;
// This memory will not be reused by anyone else, so we are free to keep it // This memory will not be reused by anyone else, so we are free to keep it
// poisoned. // poisoned.
Thread *t = GetCurrentThread(); Thread *t = GetCurrentThread();
if (flags()->max_free_fill_size > 0) { if (flags()->max_free_fill_size > 0) {
uptr fill_size = uptr fill_size =
Min(TaggedSize(orig_size), (uptr)flags()->max_free_fill_size); Min(TaggedSize(orig_size), (uptr)flags()->max_free_fill_size);
internal_memset(aligned_ptr, flags()->free_fill_byte, fill_size); internal_memset(aligned_ptr, flags()->free_fill_byte, fill_size);
} }
if (InTaggableRegion(reinterpret_cast<uptr>(tagged_ptr)) && if (in_taggable_region && flags()->tag_in_free && malloc_bisect(stack, 0) &&
flags()->tag_in_free && malloc_bisect(stack, 0) &&
atomic_load_relaxed(&hwasan_allocator_tagging_enabled)) { atomic_load_relaxed(&hwasan_allocator_tagging_enabled)) {
// Always store full 8-bit tags on free to maximize UAF detection. // Always store full 8-bit tags on free to maximize UAF detection.
tag_t tag; tag_t tag;
if (t) { if (t) {
// Make sure we are not using a short granule tag as a poison tag. This // Make sure we are not using a short granule tag as a poison tag. This
// would make us attempt to read the memory on a UaF. // would make us attempt to read the memory on a UaF.
// The tag can be zero if tagging is disabled on this thread. // The tag can be zero if tagging is disabled on this thread.
do { do {
▲ Show 20 LinesShow All 198 LinesShow Last 20 Lines

compiler-rt/lib/hwasan/hwasan_report.cpp

Show First 20 LinesShow All 598 Lines▼ Show 20 Lines if (tag_ptr)
PrintTagsAroundAddr(tag_ptr); PrintTagsAroundAddr(tag_ptr);
ReportErrorSummary(bug_type, stack); ReportErrorSummary(bug_type, stack);
} }
void ReportTailOverwritten(StackTrace *stack, uptr tagged_addr, uptr orig_size, void ReportTailOverwritten(StackTrace *stack, uptr tagged_addr, uptr orig_size,
const u8 *expected) { const u8 *expected) {
uptr tail_size = kShadowAlignment - (orig_size % kShadowAlignment); uptr tail_size = kShadowAlignment - (orig_size % kShadowAlignment);
u8 actual_expected[kShadowAlignment];
internal_memcpy(actual_expected, expected, tail_size);
tag_t ptr_tag = GetTagFromPointer(tagged_addr);
// Short granule is stashed in the last byte of the magic string. To avoid
// confusion, make the expected magic string contain the short granule tag.
if (orig_size % kShadowAlignment != 0) {
actual_expected[tail_size - 1] = ptr_tag;
}
ScopedReport R(flags()->halt_on_error); ScopedReport R(flags()->halt_on_error);
Decorator d; Decorator d;
uptr untagged_addr = UntagAddr(tagged_addr); uptr untagged_addr = UntagAddr(tagged_addr);
Printf("%s", d.Error()); Printf("%s", d.Error());
const char *bug_type = "allocation-tail-overwritten"; const char *bug_type = "allocation-tail-overwritten";
Report("ERROR: %s: %s; heap object [%p,%p) of size %zd\n", SanitizerToolName, Report("ERROR: %s: %s; heap object [%p,%p) of size %zd\n", SanitizerToolName,
bug_type, untagged_addr, untagged_addr + orig_size, orig_size); bug_type, untagged_addr, untagged_addr + orig_size, orig_size);
Printf("\n%s", d.Default()); Printf("\n%s", d.Default());
Show All 20 Linesvoid ReportTailOverwritten(StackTrace *stack, uptr tagged_addr, uptr orig_size,
for (uptr i = 0; i < kShadowAlignment - tail_size; i++) for (uptr i = 0; i < kShadowAlignment - tail_size; i++)
s.append(".. "); s.append(".. ");
for (uptr i = 0; i < tail_size; i++) for (uptr i = 0; i < tail_size; i++)
s.append("%02x ", tail[i]); s.append("%02x ", tail[i]);
s.append("\n"); s.append("\n");
s.append("Expected: "); s.append("Expected: ");
for (uptr i = 0; i < kShadowAlignment - tail_size; i++) for (uptr i = 0; i < kShadowAlignment - tail_size; i++)
s.append(".. "); s.append(".. ");
for (uptr i = 0; i < tail_size; i++) for (uptr i = 0; i < tail_size; i++) s.append("%02x ", actual_expected[i]);
s.append("%02x ", expected[i]);
s.append("\n"); s.append("\n");
s.append(" "); s.append(" ");
for (uptr i = 0; i < kShadowAlignment - tail_size; i++) for (uptr i = 0; i < kShadowAlignment - tail_size; i++)
s.append(" "); s.append(" ");
for (uptr i = 0; i < tail_size; i++) for (uptr i = 0; i < tail_size; i++)
s.append("%s ", expected[i] != tail[i] ? "^^" : " "); s.append("%s ", actual_expected[i] != tail[i] ? "^^" : " ");
s.append("\nThis error occurs when a buffer overflow overwrites memory\n" s.append("\nThis error occurs when a buffer overflow overwrites memory\n"
"to the right of a heap object, but within the %zd-byte granule, e.g.\n" "to the right of a heap object, but within the %zd-byte granule, e.g.\n"
" char *x = new char[20];\n" " char *x = new char[20];\n"
" x[25] = 42;\n" " x[25] = 42;\n"
"%s does not detect such bugs in uninstrumented code at the time of write," "%s does not detect such bugs in uninstrumented code at the time of write,"
"\nbut can detect them at the time of free/delete.\n" "\nbut can detect them at the time of free/delete.\n"
"To disable this feature set HWASAN_OPTIONS=free_checks_tail_magic=0\n", "To disable this feature set HWASAN_OPTIONS=free_checks_tail_magic=0\n",
▲ Show 20 LinesShow All 92 LinesShow Last 20 Lines

compiler-rt/test/hwasan/TestCases/tail-magic.c

// Tests free_checks_tail_magic=1. // Tests free_checks_tail_magic=1.
// RUN: %clang_hwasan %s -o %t // RUN: %clang_hwasan %s -o %t
// RUN: %env_hwasan_opts=free_checks_tail_magic=0 %run %t // RUN: %env_hwasan_opts=free_checks_tail_magic=0 %run %t
// RUN: %env_hwasan_opts=free_checks_tail_magic=1 not %run %t 2>&1 | FileCheck %s // RUN: %env_hwasan_opts=free_checks_tail_magic=1 not %run %t 2>&1 | \
// RUN: not %run %t 2>&1 | FileCheck %s // RUN: FileCheck --check-prefixes=CHECK,CHECK-NONLASTGRANULE --strict-whitespace %s
// RUN: not %run %t 2>&1 | \
// RUN: FileCheck --check-prefixes=CHECK,CHECK-NONLASTGRANULE --strict-whitespace %s
// RUN: %clang_hwasan -DLAST_GRANULE %s -o %t
// RUN: not %run %t 2>&1 | \
// RUN: FileCheck --check-prefixes=CHECK,CHECK-LASTGRANULE --strict-whitespace %s
// REQUIRES: stable-runtime // REQUIRES: stable-runtime
#include <stdlib.h> #include <stdlib.h>
#include <stdio.h> #include <stdio.h>
#include <sanitizer/hwasan_interface.h> #include <sanitizer/hwasan_interface.h>
static volatile char *sink; static volatile char *sink;
// Overwrite the tail in a non-hwasan function so that we don't detect the // Overwrite the tail in a non-hwasan function so that we don't detect the
// stores as OOB. // stores as OOB.
__attribute__((no_sanitize("hwaddress"))) void overwrite_tail() { __attribute__((no_sanitize("hwaddress"))) void overwrite_tail() {
#ifdef LAST_GRANULE
sink[31] = 0x71;
#else // LAST_GRANULE
sink[20] = 0x42; sink[20] = 0x42;
sink[24] = 0x66; sink[24] = 0x66;
#endif // LAST_GRANULE
} }
int main(int argc, char **argv) { int main(int argc, char **argv) {
__hwasan_enable_allocator_tagging(); __hwasan_enable_allocator_tagging();
char *p = (char*)malloc(20); char *p = (char*)malloc(20);
__hwasan_print_shadow(p, 1);
sink = p; sink = p;
overwrite_tail(); overwrite_tail();
free(p); free(p);
// CHECK: HWASan shadow map for {{.*}} (pointer tag [[TAG:[a-f0-9]+]])
hctimAuthorUnsubmitted
Done
ReplyInline Actions

(side note, maybe we should add a __hwasan_get_tag() interface function now that it's not just "grab the top byte". this is a nice test hack for now though.)

hctim: (side note, maybe we should add a `__hwasan_get_tag()` interface function now that it's not…
// CHECK: ERROR: HWAddressSanitizer: allocation-tail-overwritten; heap object [{{.*}}) of size 20 // CHECK: ERROR: HWAddressSanitizer: allocation-tail-overwritten; heap object [{{.*}}) of size 20
// CHECK: Stack of invalid access unknown. Issue detected at deallocation time. // CHECK: Stack of invalid access unknown. Issue detected at deallocation time.
// CHECK: deallocated here: // CHECK: deallocated here:
// CHECK: in main {{.*}}tail-magic.c:[[@LINE-4]] // CHECK: in main {{.*}}tail-magic.c:[[@LINE-5]]
// CHECK: allocated here: // CHECK: allocated here:
// CHECK: in main {{.*}}tail-magic.c:[[@LINE-9]] // CHECK: in main {{.*}}tail-magic.c:[[@LINE-11]]
// CHECK: Tail contains: .. .. .. .. 42 {{.. .. ..}} 66 // CHECK-NONLASTGRANULE: Tail contains: .. .. .. .. 42 {{(([a-f0-9]{2} ){3})}}66
// CHECK-LASTGRANULE: Tail contains: .. .. .. .. {{(([a-f0-9]{2} ?)+)}}71{{ *$}}
// CHECK-NEXT: Expected: {{ +}} .. .. .. .. {{([a-f0-9]{2} )+0?}}[[TAG]]{{ *$}}
// CHECK-NONLASTGRANULE-NEXT: {{ +}}^^{{ +}}^^{{ *$}}
// CHECK-LASTGRANULE-NEXT: {{ +}}^^{{ *$}}
return 0;
} }