This is an archive of the discontinued LLVM Phabricator instance.

Differential D126343

[libunwind] Use process_vm_readv to avoid potential segfaults
ClosedPublic

Authored by smeenai on May 24 2022, 4:23 PM.

Details

Reviewers
danielkiss
MaskRay
rprichard
uweigand
Group Reviewers
Restricted Project
Commits
rG0be0a53df65c: [libunwind] Use process_vm_readv to avoid potential segfaults
Summary

We've observed segfaults in libunwind when attempting to check for the
Linux aarch64 sigreturn frame, presumably because of bad unwind info
leading to an incorrect PC that we attempt to read from. Use
process_vm_readv to read the memory safely instead.

The s390x code path should likely follow suit, but I don't have the
hardware to be able to test that, so I didn't modify it here either.

Diff Detail

Event Timeline

smeenai created this revision.May 24 2022, 4:23 PM
Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptMay 24 2022, 4:23 PM
Herald added a reviewer: Restricted Project. · View Herald Transcript
Herald added subscribers: libcxx-commits, StephenFan, kristof.beyls. · View Herald Transcript
smeenai requested review of this revision.May 24 2022, 4:23 PM
Herald added a project: Restricted Project. · View Herald TranscriptMay 24 2022, 4:23 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript
smeenai added a parent revision: D126342: [libunwind] Factor out sigreturn check condition. NFC.May 24 2022, 4:23 PM
smeenai mentioned this in D123428: [libunwind] Add configuration to disable sigreturn frame check.
smeenai updated this revision to Diff 431840.May 24 2022, 4:51 PM

Use sizeof instead of raw number

Harbormaster completed remote builds in B166169: Diff 431840.May 24 2022, 6:34 PM
smeenai updated this revision to Diff 431884.May 24 2022, 10:49 PM

XFAIL with MSAN, similar to other tests

smeenai updated this revision to Diff 431887.May 24 2022, 11:00 PM

Better MSAN suppression

MaskRay accepted this revision.May 24 2022, 11:02 PM

LGTM, but hope @rprichard can verify this.

libunwind/test/bad_unwind_info.pass.cpp
56

only supported on aarch64 and x86-64.

#error does not need a quoted argument.

71

Use __attribute__((naked)) with basic asm (https://gcc.gnu.org/onlinedocs/gcc/Basic-Asm.html), then get rid of the inline assembly language at file scope.

This revision is now accepted and ready to land.May 24 2022, 11:02 PM
MaskRay added inline comments.May 24 2022, 11:05 PM
libunwind/test/bad_unwind_info.pass.cpp
24

move aarch64 before x86_64 for an alphabetical order.

smeenai added inline comments.May 24 2022, 11:07 PM
libunwind/test/bad_unwind_info.pass.cpp
71

I wanted to do this originally, but GCC doesn't support __attribute__((naked)) on aarch64: https://godbolt.org/z/15rbv6GEG. I'm not sure if we need to support gcc in the test suite, but I thought at least libc++ tried to.

smeenai added inline comments.May 24 2022, 11:23 PM
libunwind/test/bad_unwind_info.pass.cpp
71

That being said, it looks like GCC isn't performing any stack manipulation in this case anyway, just adding a nop and a ret, which should be harmless. Not sure if we can rely on that in general though.

Harbormaster completed remote builds in B166201: Diff 431887.May 25 2022, 12:46 AM
smeenai updated this revision to Diff 432100.May 25 2022, 1:09 PM
smeenai marked 3 inline comments as done.

Address review comments

libunwind/test/bad_unwind_info.pass.cpp
71

I ended up just unsupporting the test on gcc, because __attribute__((naked)) makes it much cleaner. Thanks for the suggestion :)

Harbormaster completed remote builds in B166350: Diff 432100.May 25 2022, 7:10 PM
rprichard accepted this revision.May 25 2022, 8:58 PM

The fix and the test both look good to me.

smeenai updated this revision to Diff 432191.May 25 2022, 9:49 PM

Rebase

rprichard accepted this revision.May 25 2022, 10:01 PM
Harbormaster completed remote builds in B166414: Diff 432191.May 26 2022, 12:53 AM
Closed by commit rG0be0a53df65c: [libunwind] Use process_vm_readv to avoid potential segfaults (authored by smeenai). · Explain WhyMay 26 2022, 9:21 AM
This revision was automatically updated to reflect the committed changes.
smeenai added a commit: rG0be0a53df65c: [libunwind] Use process_vm_readv to avoid potential segfaults.
uweigand mentioned this in D129856: [libunwind][SystemZ] Use process_vm_readv to avoid potential segfaults.Jul 15 2022, 7:42 AM

The s390x code path should likely follow suit, but I don't have the
hardware to be able to test that, so I didn't modify it here either.

Thanks for the heads-up! It look me a while to get around to it, but I've now fixed the bug on s390x here: https://reviews.llvm.org/D129856

uweigand mentioned this in rG24ec521cd7bb: [libunwind][SystemZ] Use process_vm_readv to avoid potential segfaults.Jul 18 2022, 7:57 AM
mpdenton added a subscriber: mpdenton.Jun 26 2023, 4:12 PM

The Chrome sandbox disallows process_vm_readv() (I think most seccomp sandboxes would) so this causes crashes when trying to collect backtraces at runtime.

What would happen if I caused process_vm_read() to return EPERM here? Would the unwinder still be able to unwind past the sigreturn trampoline with heuristics?

If not, is it possible to introduce a fallback that reads from the address directly, or possibly uses mincore() to check if the address is valid (a small race is possible)?

smeenai added a comment.Jun 26 2023, 4:20 PM
In D126343#4450731, @mpdenton wrote:

The Chrome sandbox disallows process_vm_readv() (I think most seccomp sandboxes would) so this causes crashes when trying to collect backtraces at runtime.

What would happen if I caused process_vm_read() to return EPERM here? Would the unwinder still be able to unwind past the sigreturn trampoline with heuristics?

If not, is it possible to introduce a fallback that reads from the address directly, or possibly uses mincore() to check if the address is valid (a small race is possible)?

With the code as currently written, I believe we'd just fail to unwind past the sigreturn frame if process_vm_readv failed.

How would mincore work in this scenario? It tells you if a page is resident, but a non-resident page could still be accessible, right? On the flip side, ENOMEM would tell you if the page was unmapped, but an execute-only page would be mapped but still unreadable.

mpdenton added a comment.Jun 26 2023, 5:10 PM
In D126343#4450750, @smeenai wrote:

With the code as currently written, I believe we'd just fail to unwind past the sigreturn frame if process_vm_readv failed.

Ah, too bad.

How would mincore work in this scenario? It tells you if a page is resident, but a non-resident page could still be accessible, right? On the flip side, ENOMEM would tell you if the page was unmapped, but an execute-only page would be mapped but still unreadable.

I didn't realize ARM supported execute-only pages. I was thinking that if mincore returned EFAULT this would work to detect if an address was readable. It looks like a "write-to-pipe" works for checking if an address is readable: https://github.com/libunwind/libunwind/blob/0e9119698dfad47f8afb88c2a7ee3d36f9efd568/src/mi/Gaddress_validator.c#L97

Revision Contents

PathSize
libunwind/
src/
33 lines
test/
66 lines

Diff 432311

libunwind/src/UnwindCursor.hpp

Show All 26 Lines
#ifdef _AIX #ifdef _AIX
#include <dlfcn.h> #include <dlfcn.h>
#include <sys/debug.h> #include <sys/debug.h>
#include <sys/pseg.h> #include <sys/pseg.h>
#endif #endif
#if defined(_LIBUNWIND_TARGET_LINUX) && \ #if defined(_LIBUNWIND_TARGET_LINUX) && \
(defined(_LIBUNWIND_TARGET_AARCH64) || defined(_LIBUNWIND_TARGET_S390X)) (defined(_LIBUNWIND_TARGET_AARCH64) || defined(_LIBUNWIND_TARGET_S390X))
#include <sys/syscall.h>
#include <sys/uio.h>
#include <unistd.h>
#define _LIBUNWIND_CHECK_LINUX_SIGRETURN 1 #define _LIBUNWIND_CHECK_LINUX_SIGRETURN 1
#endif #endif
#if defined(_LIBUNWIND_SUPPORT_SEH_UNWIND) #if defined(_LIBUNWIND_SUPPORT_SEH_UNWIND)
// Provide a definition for the DISPATCHER_CONTEXT struct for old (Win7 and // Provide a definition for the DISPATCHER_CONTEXT struct for old (Win7 and
// earlier) SDKs. // earlier) SDKs.
// MinGW-w64 has always provided this struct. // MinGW-w64 has always provided this struct.
#if defined(_WIN32) && defined(_LIBUNWIND_TARGET_X86_64) && \ #if defined(_WIN32) && defined(_LIBUNWIND_TARGET_X86_64) && \
▲ Show 20 LinesShow All 2,572 Lines▼ Show 20 Linesbool UnwindCursor<A, R>::setInfoForSigReturn(Registers_arm64 &) {
// constant for the PC needs to be defined before DWARF can handle a signal // constant for the PC needs to be defined before DWARF can handle a signal
// trampoline. This code may segfault if the target PC is unreadable, e.g.: // trampoline. This code may segfault if the target PC is unreadable, e.g.:
// - The PC points at a function compiled without unwind info, and which is // - The PC points at a function compiled without unwind info, and which is
// part of an execute-only mapping (e.g. using -Wl,--execute-only). // part of an execute-only mapping (e.g. using -Wl,--execute-only).
// - The PC is invalid and happens to point to unreadable or unmapped memory. // - The PC is invalid and happens to point to unreadable or unmapped memory.
// //
// [1] https://github.com/torvalds/linux/blob/master/arch/arm64/kernel/vdso/sigreturn.S // [1] https://github.com/torvalds/linux/blob/master/arch/arm64/kernel/vdso/sigreturn.S
const pint_t pc = static_cast<pint_t>(this->getReg(UNW_REG_IP)); const pint_t pc = static_cast<pint_t>(this->getReg(UNW_REG_IP));
// The PC might contain an invalid address if the unwind info is bad, so
// directly accessing it could cause a segfault. Use process_vm_readv to read
// the memory safely instead. process_vm_readv was added in Linux 3.2, and
// AArch64 supported was added in Linux 3.7, so the syscall is guaranteed to
// be present. Unfortunately, there are Linux AArch64 environments where the
// libc wrapper for the syscall might not be present (e.g. Android 5), so call
// the syscall directly instead.
uint32_t instructions[2];
struct iovec local_iov = {&instructions, sizeof instructions};
struct iovec remote_iov = {reinterpret_cast<void *>(pc), sizeof instructions};
long bytesRead =
syscall(SYS_process_vm_readv, getpid(), &local_iov, 1, &remote_iov, 1, 0);
// Look for instructions: mov x8, #0x8b; svc #0x0 // Look for instructions: mov x8, #0x8b; svc #0x0
if (_addressSpace.get32(pc) == 0xd2801168 && if (bytesRead != sizeof instructions || instructions[0] != 0xd2801168 ||
_addressSpace.get32(pc + 4) == 0xd4000001) { instructions[1] != 0xd4000001)
return false;
_info = {}; _info = {};
_info.start_ip = pc; _info.start_ip = pc;
_info.end_ip = pc + 4; _info.end_ip = pc + 4;
_isSigReturn = true; _isSigReturn = true;
return true; return true;
} }
return false;
}
template <typename A, typename R> template <typename A, typename R>
int UnwindCursor<A, R>::stepThroughSigReturn(Registers_arm64 &) { int UnwindCursor<A, R>::stepThroughSigReturn(Registers_arm64 &) {
// In the signal trampoline frame, sp points to an rt_sigframe[1], which is: // In the signal trampoline frame, sp points to an rt_sigframe[1], which is:
// - 128-byte siginfo struct // - 128-byte siginfo struct
// - ucontext struct: // - ucontext struct:
// - 8-byte long (uc_flags) // - 8-byte long (uc_flags)
// - 8-byte pointer (uc_link) // - 8-byte pointer (uc_link)
▲ Show 20 LinesShow All 193 LinesShow Last 20 Lines

libunwind/test/bad_unwind_info.pass.cpp

  • This file was added.
// -*- C++ -*-
//===----------------------------------------------------------------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
// Ensure that libunwind doesn't crash on invalid info; the Linux aarch64
// sigreturn frame check would previously attempt to access invalid memory in
// this scenario.
// REQUIRES: linux && (target={{aarch64-.+}} || target={{x86_64-.+}})
// GCC doesn't support __attribute__((naked)) on AArch64.
// UNSUPPORTED: gcc
// Inline assembly is incompatible with MSAN.
// UNSUPPORTED: msan
#undef NDEBUG
#include <assert.h>
#include <libunwind.h>
#include <stdio.h>
MaskRayUnsubmitted
Done
ReplyInline Actions

move aarch64 before x86_64 for an alphabetical order.

MaskRay: move aarch64 before x86_64 for an alphabetical order.
__attribute__((naked)) void bad_unwind_info() {
#if defined(__aarch64__)
__asm__("// not using 0 because unwinder was already resilient to that\n"
"mov x8, #4\n"
"stp x30, x8, [sp, #-16]!\n"
".cfi_def_cfa_offset 16\n"
"// purposely use incorrect offset for x30\n"
".cfi_offset x30, -8\n"
"bl stepper\n"
"ldr x30, [sp], #16\n"
".cfi_def_cfa_offset 0\n"
".cfi_restore x30\n"
"ret\n");
#elif defined(__x86_64__)
__asm__("pushq %rbx\n"
".cfi_def_cfa_offset 16\n"
"movq 8(%rsp), %rbx\n"
"# purposely corrupt return value on stack\n"
"movq $4, 8(%rsp)\n"
"callq stepper\n"
"movq %rbx, 8(%rsp)\n"
"popq %rbx\n"
".cfi_def_cfa_offset 8\n"
"ret\n");
#else
#error This test is only supported on aarch64 or x86-64
#endif
}
extern "C" void stepper() {
unw_cursor_t cursor;
MaskRayUnsubmitted
Done
ReplyInline Actions

only supported on aarch64 and x86-64.

#error does not need a quoted argument.

MaskRay: only supported on aarch64 and x86-64. `#error` does not need a quoted argument.
unw_context_t uc;
unw_getcontext(&uc);
unw_init_local(&cursor, &uc);
// stepping to bad_unwind_info should succeed
assert(unw_step(&cursor) > 0);
// stepping past bad_unwind_info should fail but not crash
assert(unw_step(&cursor) <= 0);
}
int main() { bad_unwind_info(); }
MaskRayUnsubmitted
Done
ReplyInline Actions

Use __attribute__((naked)) with basic asm (https://gcc.gnu.org/onlinedocs/gcc/Basic-Asm.html), then get rid of the inline assembly language at file scope.

MaskRay: Use `__attribute__((naked))` with basic asm (https://gcc.gnu.org/onlinedocs/gcc/Basic-Asm.html)…
smeenaiAuthorUnsubmitted
Done
ReplyInline Actions

I wanted to do this originally, but GCC doesn't support __attribute__((naked)) on aarch64: https://godbolt.org/z/15rbv6GEG. I'm not sure if we need to support gcc in the test suite, but I thought at least libc++ tried to.

smeenai: I wanted to do this originally, but GCC doesn't support `__attribute__((naked))` on aarch64…
smeenaiAuthorUnsubmitted
Done
ReplyInline Actions

That being said, it looks like GCC isn't performing any stack manipulation in this case anyway, just adding a nop and a ret, which should be harmless. Not sure if we can rely on that in general though.

smeenai: That being said, it looks like GCC isn't performing any stack manipulation in this case anyway…
smeenaiAuthorUnsubmitted
Done
ReplyInline Actions

I ended up just unsupporting the test on gcc, because __attribute__((naked)) makes it much cleaner. Thanks for the suggestion :)

smeenai: I ended up just unsupporting the test on gcc, because `__attribute__((naked))` makes it much…