This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
libunwind/
-
src/
1/2
UnwindCursor.hpp
-
test/
-
bad_unwind_info.pass.cpp

Differential D129856

[libunwind][SystemZ] Use process_vm_readv to avoid potential segfaults
ClosedPublic

Authored by uweigand on Jul 15 2022, 7:42 AM.

Download Raw Diff

Details

Reviewers

smeenai
MaskRay
rprichard

Group Reviewers

Restricted Project

Commits

rG24ec521cd7bb: [libunwind][SystemZ] Use process_vm_readv to avoid potential segfaults

Summary

Fix potential crashes during unwind when checking for signal frames and the current PC is invalid.

The same bug was fixed for aarch64 in https://reviews.llvm.org/D126343.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

uweigand created this revision.Jul 15 2022, 7:42 AM

Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptJul 15 2022, 7:42 AM

Herald added 1 blocking reviewer(s): Restricted Project. · View Herald Transcript

Herald added subscribers: libcxx-commits, StephenFan, kristof.beyls. · View Herald Transcript

uweigand requested review of this revision.Jul 15 2022, 7:42 AM

Herald added a project: Restricted Project. · View Herald TranscriptJul 15 2022, 7:42 AM

Herald added a subscriber: llvm-commits. · View Herald Transcript

uweigand mentioned this in D126343: [libunwind] Use process_vm_readv to avoid potential segfaults.Jul 15 2022, 7:43 AM

Harbormaster completed remote builds in B175638: Diff 444980.Jul 15 2022, 9:11 AM

MaskRay accepted this revision.Jul 16 2022, 12:06 AM

This revision is now accepted and ready to land.Jul 16 2022, 12:06 AM

process_vm_readv was introduced in Linux 3.2; is it okay to use it unconditionally for you? (aarch64 support was only added in Linux 3.7, so we were guaranteed to have the syscall available for it.)

libunwind/src/UnwindCursor.hpp
2705	For aarch64, I went through `syscall` instead of the libc `process_vm_readv` wrapper because the latter wasn't guaranteed to be present even when the kernel supported the syscall (e.g. on Android 5). If you don't have that constraint, it'd be cleaner to just use the libc wrapper (assuming it's available on SystemZ).

This revision was landed with ongoing or failed builds.Jul 18 2022, 7:57 AM

Closed by commit rG24ec521cd7bb: [libunwind][SystemZ] Use process_vm_readv to avoid potential segfaults (authored by uweigand). · Explain Why

This revision was automatically updated to reflect the committed changes.

uweigand added a commit: rG24ec521cd7bb: [libunwind][SystemZ] Use process_vm_readv to avoid potential segfaults.

In D129856#3657718, @smeenai wrote:

process_vm_readv was introduced in Linux 3.2; is it okay to use it unconditionally for you? (aarch64 support was only added in Linux 3.7, so we were guaranteed to have the syscall available for it.)

Well, while s390x Linux support long precedes Linux 3.2, it's still over 10 years old and all Linux distributions currently in support have a more recent kernel. So I think it's fine to rely on in unconditionally.

libunwind/src/UnwindCursor.hpp
2705	Good point. All supported SystemZ Linux distributions have a recent enough glibc, so I've switched to the glibc wrapper.

Revision Contents

Path

Size

libunwind/

src/

UnwindCursor.hpp

10 lines

test/

bad_unwind_info.pass.cpp

18 lines

Diff 445504

libunwind/src/UnwindCursor.hpp

	Show First 20 Lines • Show All 2,689 Lines • ▼ Show 20 Lines
	template <typename A, typename R>			template <typename A, typename R>
	bool UnwindCursor<A, R>::setInfoForSigReturn(Registers_s390x &) {			bool UnwindCursor<A, R>::setInfoForSigReturn(Registers_s390x &) {
	// Look for the sigreturn trampoline. The trampoline's body is a			// Look for the sigreturn trampoline. The trampoline's body is a
	// specific instruction (see below). Typically the trampoline comes from the			// specific instruction (see below). Typically the trampoline comes from the
	// vDSO (i.e. the __kernel_[rt_]sigreturn function). A libc might provide its			// vDSO (i.e. the __kernel_[rt_]sigreturn function). A libc might provide its
	// own restorer function, though, or user-mode QEMU might write a trampoline			// own restorer function, though, or user-mode QEMU might write a trampoline
	// onto the stack.			// onto the stack.
	const pint_t pc = static_cast<pint_t>(this->getReg(UNW_REG_IP));			const pint_t pc = static_cast<pint_t>(this->getReg(UNW_REG_IP));
	const uint16_t inst = _addressSpace.get16(pc);			// The PC might contain an invalid address if the unwind info is bad, so
	if (inst == 0x0a77 \|\| inst == 0x0aad) {			// directly accessing it could cause a segfault. Use process_vm_readv to
				// read the memory safely instead.
				uint16_t inst;
				struct iovec local_iov = {&inst, sizeof inst};
				struct iovec remote_iov = {reinterpret_cast<void *>(pc), sizeof inst};
				long bytesRead = process_vm_readv(getpid(), &local_iov, 1, &remote_iov, 1, 0);
				if (bytesRead == sizeof inst && (inst == 0x0a77 \|\| inst == 0x0aad)) {
				smeenaiUnsubmitted Not Done Reply Inline Actions For aarch64, I went through `syscall` instead of the libc `process_vm_readv` wrapper because the latter wasn't guaranteed to be present even when the kernel supported the syscall (e.g. on Android 5). If you don't have that constraint, it'd be cleaner to just use the libc wrapper (assuming it's available on SystemZ). smeenai: For aarch64, I went through `syscall` instead of the libc `process_vm_readv` wrapper because…
				uweigandAuthorUnsubmitted Done Reply Inline Actions Good point. All supported SystemZ Linux distributions have a recent enough glibc, so I've switched to the glibc wrapper. uweigand: Good point. All supported SystemZ Linux distributions have a recent enough glibc, so I've…
	_info = {};			_info = {};
	_info.start_ip = pc;			_info.start_ip = pc;
	_info.end_ip = pc + 2;			_info.end_ip = pc + 2;
	_isSigReturn = true;			_isSigReturn = true;
	return true;			return true;
	}			}
	return false;			return false;
	}			}
	▲ Show 20 Lines • Show All 146 Lines • Show Last 20 Lines

libunwind/test/bad_unwind_info.pass.cpp

// -- C++ --		// -- C++ --
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
//		//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.		// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.		// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception		// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//		//
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//

// Ensure that libunwind doesn't crash on invalid info; the Linux aarch64		// Ensure that libunwind doesn't crash on invalid info; the Linux aarch64
// sigreturn frame check would previously attempt to access invalid memory in		// sigreturn frame check would previously attempt to access invalid memory in
// this scenario.		// this scenario.
// REQUIRES: linux && (target={{aarch64-.+}} \|\| target={{x86_64-.+}})		// REQUIRES: linux && (target={{aarch64-.+}} \|\| target={{s390x-.+}} \|\| target={{x86_64-.+}})

// GCC doesn't support __attribute__((naked)) on AArch64.		// GCC doesn't support __attribute__((naked)) on AArch64.
// UNSUPPORTED: gcc		// UNSUPPORTED: gcc

// Inline assembly is incompatible with MSAN.		// Inline assembly is incompatible with MSAN.
// UNSUPPORTED: msan		// UNSUPPORTED: msan

#undef NDEBUG		#undef NDEBUG
Show All 9 Lines	__asm__("// not using 0 because unwinder was already resilient to that\n"
".cfi_def_cfa_offset 16\n"		".cfi_def_cfa_offset 16\n"
"// purposely use incorrect offset for x30\n"		"// purposely use incorrect offset for x30\n"
".cfi_offset x30, -8\n"		".cfi_offset x30, -8\n"
"bl stepper\n"		"bl stepper\n"
"ldr x30, [sp], #16\n"		"ldr x30, [sp], #16\n"
".cfi_def_cfa_offset 0\n"		".cfi_def_cfa_offset 0\n"
".cfi_restore x30\n"		".cfi_restore x30\n"
"ret\n");		"ret\n");
		#elif defined(__s390x__)
		__asm__("stmg %r14,%r15,112(%r15)\n"
		"mvghi 104(%r15),4\n"
		"# purposely use incorrect offset for %r14\n"
		".cfi_offset 14, -56\n"
		".cfi_offset 15, -40\n"
		"lay %r15,-160(%r15)\n"
		".cfi_def_cfa_offset 320\n"
		"brasl %r14,stepper\n"
		"lmg %r14,%r15,272(%r15)\n"
		".cfi_restore 15\n"
		".cfi_restore 14\n"
		".cfi_def_cfa_offset 160\n"
		"br %r14\n");
#elif defined(__x86_64__)		#elif defined(__x86_64__)
__asm__("pushq %rbx\n"		__asm__("pushq %rbx\n"
".cfi_def_cfa_offset 16\n"		".cfi_def_cfa_offset 16\n"
"movq 8(%rsp), %rbx\n"		"movq 8(%rsp), %rbx\n"
"# purposely corrupt return value on stack\n"		"# purposely corrupt return value on stack\n"
"movq $4, 8(%rsp)\n"		"movq $4, 8(%rsp)\n"
"callq stepper\n"		"callq stepper\n"
"movq %rbx, 8(%rsp)\n"		"movq %rbx, 8(%rsp)\n"
"popq %rbx\n"		"popq %rbx\n"
".cfi_def_cfa_offset 8\n"		".cfi_def_cfa_offset 8\n"
"ret\n");		"ret\n");
#else		#else
#error This test is only supported on aarch64 or x86-64		#error This test is only supported on aarch64, s390x, or x86-64
#endif		#endif
}		}

extern "C" void stepper() {		extern "C" void stepper() {
unw_cursor_t cursor;		unw_cursor_t cursor;
unw_context_t uc;		unw_context_t uc;
unw_getcontext(&uc);		unw_getcontext(&uc);
unw_init_local(&cursor, &uc);		unw_init_local(&cursor, &uc);
// stepping to bad_unwind_info should succeed		// stepping to bad_unwind_info should succeed
assert(unw_step(&cursor) > 0);		assert(unw_step(&cursor) > 0);
// stepping past bad_unwind_info should fail but not crash		// stepping past bad_unwind_info should fail but not crash
assert(unw_step(&cursor) <= 0);		assert(unw_step(&cursor) <= 0);
}		}

int main() { bad_unwind_info(); }		int main() { bad_unwind_info(); }