This is an archive of the discontinued LLVM Phabricator instance.

Differential D114022

[scudo] Fix MTE crash in storeEndMarker.
ClosedPublic

Authored by eugenis on Nov 16 2021, 12:18 PM.

Details

Reviewers
pcc
hctim
fmayer
Commits
rG913d78c40c37: [scudo] Regression test for the MTE crash in storeEndMarker.
Summary

The bounds check in storeEndMarker incorrectly compares tagged against
untagged address in the in-place realloc case. This can cause the tag
store to go into an unmapped page to the right of the region mapping.

Diff Detail

Event Timeline

eugenis created this revision.Nov 16 2021, 12:18 PM
Herald added a subscriber: cryptoad. · View Herald TranscriptNov 16 2021, 12:18 PM
eugenis requested review of this revision.Nov 16 2021, 12:18 PM
Herald added a project: Restricted Project. · View Herald TranscriptNov 16 2021, 12:18 PM
Herald added a subscriber: Restricted Project. · View Herald Transcript
hctim added inline comments.Nov 16 2021, 12:25 PM
compiler-rt/lib/scudo/standalone/combined.h
1167 ↗(On Diff #387732)

this invariant no longer relevant?

pcc added inline comments.Nov 16 2021, 12:29 PM
compiler-rt/lib/scudo/standalone/combined.h
1169 ↗(On Diff #387732)

Can we fix the caller to untag BlockEnd instead?

pcc added inline comments.Nov 16 2021, 12:35 PM
compiler-rt/lib/scudo/standalone/combined.h
1169 ↗(On Diff #387732)

...which we already did in D105261. I reckon we'll need to cherry-pick that everywhere.

eugenis updated this revision to Diff 387735.Nov 16 2021, 12:45 PM

Remove the fix, keep the test.

compiler-rt/lib/scudo/standalone/combined.h
1169 ↗(On Diff #387732)

Oh right. I hacked this on an older version of the code :(

pcc accepted this revision.Nov 16 2021, 12:48 PM

LGTM

This revision is now accepted and ready to land.Nov 16 2021, 12:48 PM
Harbormaster completed remote builds in B134592: Diff 387735.Nov 16 2021, 1:23 PM
Closed by commit rG913d78c40c37: [scudo] Regression test for the MTE crash in storeEndMarker. (authored by eugenis). · Explain WhyNov 16 2021, 1:43 PM
This revision was automatically updated to reflect the committed changes.
eugenis added a commit: rG913d78c40c37: [scudo] Regression test for the MTE crash in storeEndMarker..

Revision Contents

PathSize
compiler-rt/
lib/
scudo/
standalone/
tests/
20 lines

Diff 387735

compiler-rt/lib/scudo/standalone/tests/combined_test.cpp

Show First 20 LinesShow All 673 Lines▼ Show 20 Lines for (unsigned I = 0; I != Ptrs.size(); ++I) {
Ptrs[I] = Allocator->allocate(Size, Origin, 1U << MinAlignLog, true); Ptrs[I] = Allocator->allocate(Size, Origin, 1U << MinAlignLog, true);
for (scudo::uptr J = 0; J < Size; ++J) for (scudo::uptr J = 0; J < Size; ++J)
ASSERT_EQ((reinterpret_cast<char *>(Ptrs[I]))[J], 0); ASSERT_EQ((reinterpret_cast<char *>(Ptrs[I]))[J], 0);
} }
} }
Allocator->setOption(scudo::Option::ThreadDisableMemInit, 0); Allocator->setOption(scudo::Option::ThreadDisableMemInit, 0);
} }
SCUDO_TYPED_TEST(ScudoCombinedTest, ReallocateInPlaceStress) {
auto *Allocator = this->Allocator.get();
// Regression test: make realloc-in-place happen at the very right end of a
// mapped region.
constexpr int nPtrs = 10000;
for (int i = 1; i < 32; ++i) {
scudo::uptr Size = 16 * i - 1;
std::vector<void *> Ptrs;
for (int i = 0; i < nPtrs; ++i) {
void *P = Allocator->allocate(Size, Origin);
P = Allocator->reallocate(P, Size + 1);
Ptrs.push_back(P);
}
for (int i = 0; i < nPtrs; ++i)
Allocator->deallocate(Ptrs[i], Origin);
}
}