This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
compiler-rt/lib/
-
lib/
-
lsan/
-
lsan_common_mac.cpp
-
sanitizer_common/
-
sanitizer_procmaps_mac.cpp

Differential D116240

[ASan][Darwin] Avoid crash during ASan initialization
ClosedPublic

Authored by yln on Dec 23 2021, 2:05 PM.

Download Raw Diff

Details

Reviewers

delcypher
kubamracek
aralisza

Commits

rG6f480655e69a: [ASan][Darwin] Avoid crash during ASan initialization

Summary

Always pass depth=1 to vm_region_recurse_64(). depth is a in-out
parameter and gets reset to 0 after the first call, so we incorrectly
pass depth=0 on subsequent calls.

We want to avoid the following crash:

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x0000000180000000
Exception Codes: 0x0000000000000001, 0x0000000180000000
VM Region Info: 0x180000000 is not in any region. Bytes after previous region: 277577729 Bytes before following region: 384270336
   REGION TYPE         START - END   [ VSIZE] PRT/MAX SHRMOD REGION DETAIL
   Stack          16f64c000-16f748000 [ 1008K] rw-/rwx SM=PRV thread 0
---> GAP OF 0x27730000 BYTES
   unused shlib __TEXT   196e78000-196eac000 [ 208K] r-x/r-x SM=COW ... this process
Termination Reason: SIGNAL 11 Segmentation fault: 11
Terminating Process: exc handler [767]

Crashing code:

static mach_header *get_dyld_image_header() {
 unsigned depth = 1;
 vm_size_t size = 0;
 vm_address_t address = 0;
 kern_return_t err = KERN_SUCCESS;
 mach_msg_type_number_t count = VM_REGION_SUBMAP_INFO_COUNT_64;

 while (true) {
  struct vm_region_submap_info_64 info;
  err = vm_region_recurse_64(mach_task_self(), &address, &size, &depth,
                (vm_region_info_t)&info, &count);
  if (err != KERN_SUCCESS) return nullptr;

  if (size >= sizeof(mach_header) && info.protection & kProtectionRead) {
   mach_header *hdr = (mach_header *)address;
   if ((hdr->magic == MH_MAGIC || hdr->magic == MH_MAGIC_64) &&   // << CRASH: sanitizer_procmaps_mac.cpp:176
     hdr->filetype == MH_DYLINKER) {
    return hdr;
   }
  }
  address += size;
 }
}

Radar-Id: rdar://problem/86773501

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

yln requested review of this revision.Dec 23 2021, 2:05 PM

yln created this revision.

Herald added a project: Restricted Project. · View Herald TranscriptDec 23 2021, 2:05 PM

Herald added a subscriber: Restricted Project. · View Herald Transcript

Harbormaster completed remote builds in B140552: Diff 396087.Dec 23 2021, 2:22 PM

kubamracek accepted this revision.Jan 7 2022, 12:03 PM

This revision is now accepted and ready to land.Jan 7 2022, 12:03 PM

LGTM.

This revision was landed with ongoing or failed builds.Jan 7 2022, 12:28 PM

Closed by commit rG6f480655e69a: [ASan][Darwin] Avoid crash during ASan initialization (authored by yln). · Explain Why

This revision was automatically updated to reflect the committed changes.

yln added a commit: rG6f480655e69a: [ASan][Darwin] Avoid crash during ASan initialization.

Revision Contents

Path

Size

compiler-rt/

lib/

lsan/

lsan_common_mac.cpp

6 lines

sanitizer_common/

sanitizer_procmaps_mac.cpp

12 lines

Diff 398216

compiler-rt/lib/lsan/lsan_common_mac.cpp

Show First 20 Lines • Show All 137 Lines • ▼ Show 20 Lines	for (const __sanitizer::LoadedModule::AddressRange &range :
}		}

ScanGlobalRange(range.beg, range.end, frontier);		ScanGlobalRange(range.beg, range.end, frontier);
}		}
}		}
}		}

void ProcessPlatformSpecificAllocations(Frontier *frontier) {		void ProcessPlatformSpecificAllocations(Frontier *frontier) {
unsigned depth = 1;
vm_size_t size = 0;
vm_address_t address = 0;		vm_address_t address = 0;
kern_return_t err = KERN_SUCCESS;		kern_return_t err = KERN_SUCCESS;
mach_msg_type_number_t count = VM_REGION_SUBMAP_INFO_COUNT_64;

InternalMmapVectorNoCtor<RootRegion> const *root_regions = GetRootRegions();		InternalMmapVectorNoCtor<RootRegion> const *root_regions = GetRootRegions();

while (err == KERN_SUCCESS) {		while (err == KERN_SUCCESS) {
		vm_size_t size = 0;
		unsigned depth = 1;
struct vm_region_submap_info_64 info;		struct vm_region_submap_info_64 info;
		mach_msg_type_number_t count = VM_REGION_SUBMAP_INFO_COUNT_64;
err = vm_region_recurse_64(mach_task_self(), &address, &size, &depth,		err = vm_region_recurse_64(mach_task_self(), &address, &size, &depth,
(vm_region_info_t)&info, &count);		(vm_region_info_t)&info, &count);

uptr end_address = address + size;		uptr end_address = address + size;

// libxpc stashes some pointers in the Kernel Alloc Once page,		// libxpc stashes some pointers in the Kernel Alloc Once page,
// make sure not to report those as leaks.		// make sure not to report those as leaks.
if (info.user_tag == kSanitizerVmMemoryOsAllocOnce) {		if (info.user_tag == kSanitizerVmMemoryOsAllocOnce) {
▲ Show 20 Lines • Show All 41 Lines • Show Last 20 Lines

compiler-rt/lib/sanitizer_common/sanitizer_procmaps_mac.cpp

	Show First 20 Lines • Show All 137 Lines • ▼ Show 20 Lines

	// _dyld_get_image_header() and related APIs don't report dyld itself.			// _dyld_get_image_header() and related APIs don't report dyld itself.
	// We work around this by manually recursing through the memory map			// We work around this by manually recursing through the memory map
	// until we hit a Mach header matching dyld instead. These recurse			// until we hit a Mach header matching dyld instead. These recurse
	// calls are expensive, but the first memory map generation occurs			// calls are expensive, but the first memory map generation occurs
	// early in the process, when dyld is one of the only images loaded,			// early in the process, when dyld is one of the only images loaded,
	// so it will be hit after only a few iterations.			// so it will be hit after only a few iterations.
	static mach_header *get_dyld_image_header() {			static mach_header *get_dyld_image_header() {
	unsigned depth = 1;
	vm_size_t size = 0;
	vm_address_t address = 0;			vm_address_t address = 0;
	kern_return_t err = KERN_SUCCESS;
	mach_msg_type_number_t count = VM_REGION_SUBMAP_INFO_COUNT_64;

	while (true) {			while (true) {
				vm_size_t size = 0;
				unsigned depth = 1;
	struct vm_region_submap_info_64 info;			struct vm_region_submap_info_64 info;
	err = vm_region_recurse_64(mach_task_self(), &address, &size, &depth,			mach_msg_type_number_t count = VM_REGION_SUBMAP_INFO_COUNT_64;
				kern_return_t err =
				vm_region_recurse_64(mach_task_self(), &address, &size, &depth,
	(vm_region_info_t)&info, &count);			(vm_region_info_t)&info, &count);
	if (err != KERN_SUCCESS) return nullptr;			if (err != KERN_SUCCESS) return nullptr;

	if (size >= sizeof(mach_header) && info.protection & kProtectionRead) {			if (size >= sizeof(mach_header) && info.protection & kProtectionRead) {
	mach_header hdr = (mach_header )address;			mach_header hdr = (mach_header )address;
	if ((hdr->magic == MH_MAGIC \|\| hdr->magic == MH_MAGIC_64) &&			if ((hdr->magic == MH_MAGIC \|\| hdr->magic == MH_MAGIC_64) &&
	hdr->filetype == MH_DYLINKER) {			hdr->filetype == MH_DYLINKER) {
	return hdr;			return hdr;
	}			}
	▲ Show 20 Lines • Show All 216 Lines • Show Last 20 Lines