This is an archive of the discontinued LLVM Phabricator instance.

sanitizer_common: fix crashes in parsing of memory profiles
ClosedPublic

Authored by dvyukov on Oct 29 2021, 2:48 AM.

Download Raw Diff

Details

Reviewers

vitalybuka
melver

Commits

rGe8861fa6c3fd: sanitizer_common: fix crashes in parsing of memory profiles

Summary

ParseUnixMemoryProfile assumes well-formed input with \n at the end, etc.
It can over-read the input and crash on basically every line
in the case of malformed input.
ReadFileToBuffer has cap the max file size (64MB) and returns
truncated contents if the file is larger. Thus even if kernel behaves,
ParseUnixMemoryProfile crashes on too large /proc/self/smaps.
Fix input over-reading in ParseUnixMemoryProfile.

Depends on D112792.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

dvyukov requested review of this revision.Oct 29 2021, 2:48 AM

dvyukov created this revision.

Herald added a project: Restricted Project. · View Herald TranscriptOct 29 2021, 2:48 AM

Herald added a subscriber: Restricted Project. · View Herald Transcript

dvyukov added a child revision: D112794: sanitizer_common: bump default file max size to 256MB.Oct 29 2021, 2:48 AM

Harbormaster completed remote builds in B131373: Diff 383276.Oct 29 2021, 3:10 AM

melver accepted this revision.Oct 29 2021, 3:34 AM

melver added inline comments.

compiler-rt/lib/sanitizer_common/sanitizer_procmaps_common.cpp
163–174	why is the (char) cast needed? smaps is already a char.
171	s/well-format/well-formed/ ?
compiler-rt/lib/sanitizer_common/tests/sanitizer_procmaps_test.cpp
124	Just normal lambda function instead

This revision is now accepted and ready to land.Oct 29 2021, 3:34 AM

adderessed comments

This revision was landed with ongoing or failed builds.Oct 29 2021, 5:03 AM

Closed by commit rGe8861fa6c3fd: sanitizer_common: fix crashes in parsing of memory profiles (authored by dvyukov). · Explain Why

This revision was automatically updated to reflect the committed changes.

dvyukov added a commit: rGe8861fa6c3fd: sanitizer_common: fix crashes in parsing of memory profiles.

Harbormaster completed remote builds in B131399: Diff 383314.Oct 29 2021, 5:14 AM

I suspect this broke the Mac build bot: https://green.lab.llvm.org/green/job/clang-stage1-RA/25101/console

Can you please take a look and revert if the fix would take a while?

Hi Jan,

I am looking into this. Thanks for the report.

I've sent https://reviews.llvm.org/D112815

Revision Contents

Path

Size

compiler-rt/

lib/

sanitizer_common/

sanitizer_common.h

2 lines

sanitizer_procmaps_common.cpp

17 lines

tests/

sanitizer_procmaps_test.cpp

40 lines

Diff 383318

compiler-rt/lib/sanitizer_common/sanitizer_common.h

	Show First 20 Lines • Show All 191 Lines • ▼ Show 20 Lines
	};			};

	typedef void (*fill_profile_f)(uptr start, uptr rss, bool file,			typedef void (*fill_profile_f)(uptr start, uptr rss, bool file,
	/out/ uptr *stats);			/out/ uptr *stats);

	// Parse the contents of /proc/self/smaps and generate a memory profile.			// Parse the contents of /proc/self/smaps and generate a memory profile.
	// \|cb\| is a tool-specific callback that fills the \|stats\| array.			// \|cb\| is a tool-specific callback that fills the \|stats\| array.
	void GetMemoryProfile(fill_profile_f cb, uptr *stats);			void GetMemoryProfile(fill_profile_f cb, uptr *stats);
	void ParseUnixMemoryProfile(fill_profile_f cb, uptr stats, const char smaps,			void ParseUnixMemoryProfile(fill_profile_f cb, uptr stats, char smaps,
	uptr smaps_len);			uptr smaps_len);

	// Simple low-level (mmap-based) allocator for internal use. Doesn't have			// Simple low-level (mmap-based) allocator for internal use. Doesn't have
	// constructor, so all instances of LowLevelAllocator should be			// constructor, so all instances of LowLevelAllocator should be
	// linker initialized.			// linker initialized.
	class LowLevelAllocator {			class LowLevelAllocator {
	public:			public:
	// Requires an external lock.			// Requires an external lock.
	▲ Show 20 Lines • Show All 867 Lines • Show Last 20 Lines

compiler-rt/lib/sanitizer_common/sanitizer_procmaps_common.cpp

Show First 20 Lines • Show All 149 Lines • ▼ Show 20 Lines	void GetMemoryProfile(fill_profile_f cb, uptr *stats) {
uptr smaps_cap = 0;		uptr smaps_cap = 0;
uptr smaps_len = 0;		uptr smaps_len = 0;
if (!ReadFileToBuffer("/proc/self/smaps", &smaps, &smaps_cap, &smaps_len))		if (!ReadFileToBuffer("/proc/self/smaps", &smaps, &smaps_cap, &smaps_len))
return;		return;
ParseUnixMemoryProfile(cb, stats, smaps, smaps_len);		ParseUnixMemoryProfile(cb, stats, smaps, smaps_len);
UnmapOrDie(smaps, smaps_cap);		UnmapOrDie(smaps, smaps_cap);
}		}

void ParseUnixMemoryProfile(fill_profile_f cb, uptr stats, const char smaps,		void ParseUnixMemoryProfile(fill_profile_f cb, uptr stats, char smaps,
uptr smaps_len) {		uptr smaps_len) {
uptr start = 0;		uptr start = 0;
bool file = false;		bool file = false;
const char *pos = smaps;		const char *pos = smaps;
while (pos < smaps + smaps_len) {		char *end = smaps + smaps_len;
		if (smaps_len < 2)
		return;
		// The following parsing can crash on almost every line
		// in the case of malformed/truncated input.
		// Fixing that is hard b/c e.g. ParseDecimal does not
		// even accept end of the buffer and assumes well-formed input.
		// So instead we patch end of the input a bit,
		// it does not affect well-formed complete inputs.
		melverUnsubmitted Done Reply Inline Actions s/well-format/well-formed/ ? melver: s/well-format/well-formed/ ?
		*--end = 0;
		*--end = '\n';
		while (pos < end) {
		melverUnsubmitted Done Reply Inline Actions why is the (char) cast needed? smaps is already a char. melver: why is the (char) cast needed? smaps is already a char.
if (IsHex(pos[0])) {		if (IsHex(pos[0])) {
start = ParseHex(&pos);		start = ParseHex(&pos);
for (; pos != '/' && pos > '\n'; pos++) {}		for (; pos != '/' && pos > '\n'; pos++) {}
file = *pos == '/';		file = *pos == '/';
} else if (internal_strncmp(pos, "Rss:", 4) == 0) {		} else if (internal_strncmp(pos, "Rss:", 4) == 0) {
while (!IsDecimal(*pos)) pos++;		while (pos < end && !IsDecimal(*pos)) pos++;
uptr rss = ParseDecimal(&pos) * 1024;		uptr rss = ParseDecimal(&pos) * 1024;
cb(start, rss, file, stats);		cb(start, rss, file, stats);
}		}
while (*pos++ != '\n') {}		while (*pos++ != '\n') {}
}		}
}		}

} // namespace __sanitizer		} // namespace __sanitizer

#endif		#endif

compiler-rt/lib/sanitizer_common/tests/sanitizer_procmaps_test.cpp

Show First 20 Lines • Show All 72 Lines • ▼ Show 20 Lines	for (uptr i = 0; i < modules.size(); ++i) {
}		}
const u8 *uuid = modules[i].uuid();		const u8 *uuid = modules[i].uuid();
u8 null_uuid[kModuleUUIDSize] = {0};		u8 null_uuid[kModuleUUIDSize] = {0};
EXPECT_NE(memcmp(null_uuid, uuid, kModuleUUIDSize), 0);		EXPECT_NE(memcmp(null_uuid, uuid, kModuleUUIDSize), 0);
}		}
}		}
}		}

TEST(MemoryMapping, ParseUnixMemoryProfile) {		const char *const parse_unix_input = R"(
struct entry {
uptr p;
uptr rss;
bool file;
};
typedef std::vector<entry> entries_t;
const char *input = R"(
7fb9862f1000-7fb9862f3000 rw-p 00000000 00:00 0		7fb9862f1000-7fb9862f3000 rw-p 00000000 00:00 0
Size: 8 kB		Size: 8 kB
Rss: 4 kB		Rss: 4 kB
7fb9864ae000-7fb9864b1000 r--p 001ba000 fd:01 22413919 /lib/x86_64-linux-gnu/libc-2.32.so		7fb9864ae000-7fb9864b1000 r--p 001ba000 fd:01 22413919 /lib/x86_64-linux-gnu/libc-2.32.so
Size: 12 kB		Size: 12 kB
Rss: 12 kB		Rss: 12 kB
)";		)";

		TEST(MemoryMapping, ParseUnixMemoryProfile) {
		struct entry {
		uptr p;
		uptr rss;
		bool file;
		};
		typedef std::vector<entry> entries_t;
entries_t entries;		entries_t entries;
		std::vector<char> input(parse_unix_input,
		parse_unix_input + strlen(parse_unix_input));
ParseUnixMemoryProfile(		ParseUnixMemoryProfile(
[](uptr p, uptr rss, bool file, uptr *mem) {		[](uptr p, uptr rss, bool file, uptr *mem) {
reinterpret_cast<entries_t *>(mem)->push_back({p, rss, file});		reinterpret_cast<entries_t *>(mem)->push_back({p, rss, file});
},		},
reinterpret_cast<uptr *>(&entries), input, strlen(input));		reinterpret_cast<uptr *>(&entries), &input[0], input.size());
EXPECT_EQ(entries.size(), 2ul);		EXPECT_EQ(entries.size(), 2ul);
EXPECT_EQ(entries[0].p, 0x7fb9862f1000ul);		EXPECT_EQ(entries[0].p, 0x7fb9862f1000ul);
EXPECT_EQ(entries[0].rss, 4ul << 10);		EXPECT_EQ(entries[0].rss, 4ul << 10);
EXPECT_EQ(entries[0].file, false);		EXPECT_EQ(entries[0].file, false);
EXPECT_EQ(entries[1].p, 0x7fb9864ae000ul);		EXPECT_EQ(entries[1].p, 0x7fb9864ae000ul);
EXPECT_EQ(entries[1].rss, 12ul << 10);		EXPECT_EQ(entries[1].rss, 12ul << 10);
EXPECT_EQ(entries[1].file, true);		EXPECT_EQ(entries[1].file, true);
}		}

		TEST(MemoryMapping, ParseUnixMemoryProfileTruncated) {
		// ParseUnixMemoryProfile used to crash on truncated inputs.
		// This test allocates 2 pages, protects the second one
		// and places the input at the very end of the first page
		// to test for over-reads.
		uptr page = GetPageSizeCached();
		char mem = static_cast<char >(
		MmapOrDie(2 * page, "ParseUnixMemoryProfileTruncated"));
		EXPECT_TRUE(MprotectNoAccess(reinterpret_cast<uptr>(mem + page), page));
		const uptr len = strlen(parse_unix_input);
		for (uptr i = 0; i < len; i++) {
		melverUnsubmitted Done Reply Inline Actions Just normal lambda function instead melver: Just normal lambda function instead
		char *smaps = mem + page - len + i;
		memcpy(smaps, parse_unix_input, len - i);
		ParseUnixMemoryProfile([](uptr p, uptr rss, bool file, uptr *mem) {},
		nullptr, smaps, len - i);
		}
		UnmapOrDie(mem, 2 * page);
		}

} // namespace __sanitizer		} // namespace __sanitizer
#endif // !defined(_WIN32)		#endif // !defined(_WIN32)