This is an archive of the discontinued LLVM Phabricator instance.

[scudo] Fix MTE crash in storeEndMarker.
ClosedPublic

Authored by eugenis on Nov 16 2021, 12:18 PM.

Download Raw Diff

Details

Reviewers

pcc
hctim
fmayer

Commits

rG913d78c40c37: [scudo] Regression test for the MTE crash in storeEndMarker.

Summary

The bounds check in storeEndMarker incorrectly compares tagged against
untagged address in the in-place realloc case. This can cause the tag
store to go into an unmapped page to the right of the region mapping.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

eugenis created this revision.Nov 16 2021, 12:18 PM

Herald added a subscriber: cryptoad. · View Herald TranscriptNov 16 2021, 12:18 PM

eugenis requested review of this revision.Nov 16 2021, 12:18 PM

Herald added a project: Restricted Project. · View Herald TranscriptNov 16 2021, 12:18 PM

Herald added a subscriber: Restricted Project. · View Herald Transcript

hctim added inline comments.Nov 16 2021, 12:25 PM

compiler-rt/lib/scudo/standalone/combined.h
1167	this invariant no longer relevant?

pcc added inline comments.Nov 16 2021, 12:29 PM

compiler-rt/lib/scudo/standalone/combined.h
1169	Can we fix the caller to untag BlockEnd instead?

pcc added inline comments.Nov 16 2021, 12:35 PM

compiler-rt/lib/scudo/standalone/combined.h
1169	...which we already did in D105261. I reckon we'll need to cherry-pick that everywhere.

Remove the fix, keep the test.

compiler-rt/lib/scudo/standalone/combined.h
1169	Oh right. I hacked this on an older version of the code :(

LGTM

This revision is now accepted and ready to land.Nov 16 2021, 12:48 PM

Harbormaster completed remote builds in B134592: Diff 387735.Nov 16 2021, 1:23 PM

Closed by commit rG913d78c40c37: [scudo] Regression test for the MTE crash in storeEndMarker. (authored by eugenis). · Explain WhyNov 16 2021, 1:43 PM

This revision was automatically updated to reflect the committed changes.

eugenis added a commit: rG913d78c40c37: [scudo] Regression test for the MTE crash in storeEndMarker..

Revision Contents

Path

Size

compiler-rt/

lib/

scudo/

standalone/

combined.h

3 lines

tests/

combined_test.cpp

20 lines

Diff 387732

compiler-rt/lib/scudo/standalone/combined.h

Show First 20 Lines • Show All 1,158 Lines • ▼ Show 20 Lines	#endif
// header granule will be set to 0, so it will serve the purpose of catching		// header granule will be set to 0, so it will serve the purpose of catching
// linear overflows in this case.		// linear overflows in this case.
//		//
// For allocations of size 0 we do not end up storing the address tag to the		// For allocations of size 0 we do not end up storing the address tag to the
// memory tag space, which getInlineErrorInfo() normally relies on to match		// memory tag space, which getInlineErrorInfo() normally relies on to match
// address tags against chunks. To allow matching in this case we store the		// address tags against chunks. To allow matching in this case we store the
// address tag in the first byte of the chunk.		// address tag in the first byte of the chunk.
void storeEndMarker(uptr End, uptr Size, uptr BlockEnd) {		void storeEndMarker(uptr End, uptr Size, uptr BlockEnd) {
DCHECK_EQ(BlockEnd, untagPointer(BlockEnd));		DCHECK_EQ(BlockEnd, untagPointer(BlockEnd));
		hctimUnsubmitted Not Done Reply Inline Actions this invariant no longer relevant? hctim: this invariant no longer relevant?
uptr UntaggedEnd = untagPointer(End);		uptr UntaggedEnd = untagPointer(End);
if (UntaggedEnd != BlockEnd) {		uptr UntaggedBlockEnd = untagPointer(BlockEnd);
		pccUnsubmitted Not Done Reply Inline Actions Can we fix the caller to untag BlockEnd instead? pcc: Can we fix the caller to untag BlockEnd instead?
		pccUnsubmitted Not Done Reply Inline Actions ...which we already did in D105261. I reckon we'll need to cherry-pick that everywhere. pcc: ...which we already did in D105261. I reckon we'll need to cherry-pick that everywhere.
		eugenisAuthorUnsubmitted Done Reply Inline Actions Oh right. I hacked this on an older version of the code :( eugenis: Oh right. I hacked this on an older version of the code :(
		if (UntaggedEnd != UntaggedBlockEnd) {
storeTag(UntaggedEnd);		storeTag(UntaggedEnd);
if (Size == 0)		if (Size == 0)
reinterpret_cast<u8 >(UntaggedEnd) = extractTag(End);		reinterpret_cast<u8 >(UntaggedEnd) = extractTag(End);
}		}
}		}

void prepareTaggedChunk(void Ptr, uptr Size, uptr ExcludeMask,		void prepareTaggedChunk(void Ptr, uptr Size, uptr ExcludeMask,
uptr BlockEnd) {		uptr BlockEnd) {
▲ Show 20 Lines • Show All 263 Lines • Show Last 20 Lines

compiler-rt/lib/scudo/standalone/tests/combined_test.cpp

Show First 20 Lines • Show All 673 Lines • ▼ Show 20 Lines	for (unsigned I = 0; I != Ptrs.size(); ++I) {
Ptrs[I] = Allocator->allocate(Size, Origin, 1U << MinAlignLog, true);		Ptrs[I] = Allocator->allocate(Size, Origin, 1U << MinAlignLog, true);
for (scudo::uptr J = 0; J < Size; ++J)		for (scudo::uptr J = 0; J < Size; ++J)
ASSERT_EQ((reinterpret_cast<char *>(Ptrs[I]))[J], 0);		ASSERT_EQ((reinterpret_cast<char *>(Ptrs[I]))[J], 0);
}		}
}		}

Allocator->setOption(scudo::Option::ThreadDisableMemInit, 0);		Allocator->setOption(scudo::Option::ThreadDisableMemInit, 0);
}		}

		SCUDO_TYPED_TEST(ScudoCombinedTest, ReallocateInPlaceStress) {
		auto *Allocator = this->Allocator.get();

		// Regression test: make realloc-in-place happen at the very right end of a
		// mapped region.
		constexpr int nPtrs = 10000;
		for (int i = 1; i < 32; ++i) {
		scudo::uptr Size = 16 * i - 1;
		std::vector<void *> Ptrs;
		for (int i = 0; i < nPtrs; ++i) {
		void *P = Allocator->allocate(Size, Origin);
		P = Allocator->reallocate(P, Size + 1);
		Ptrs.push_back(P);
		}

		for (int i = 0; i < nPtrs; ++i)
		Allocator->deallocate(Ptrs[i], Origin);
		}
		}