This is an archive of the discontinued LLVM Phabricator instance.

[Sanitizers][Darwin] Fix invalid gap found by FindAvailableMemoryRange
ClosedPublic

Authored by wrotki on Sep 28 2022, 3:38 PM.

Download Raw Diff

Details

Reviewers

thetruestblue
rsundahl
yln
delcypher

Commits

rG7850df3de01f: [Sanitizers][Darwin] Fix invalid gap found by FindAvailableMemoryRange

Summary

An application running with ASAN can fail during shadow memory allocation, with an error
indicating a failure to map shadow memory region due to negative size parameter passed to mmap.

It turns out that the mach_vm_region_recurse() call can return an address of a module
which is beyond the range of the VM address space available to the iOS process,
i.e. greater than the value returned by GetMaxVirtualAddress(). It leads the FindAvailableMemoryRange function
to the an incorrect conclusion that it has found a suitable gap where the shadow memory can fit in,
while the shadow memory cannot be really allocated in this case.

The fix just takes the maximum VM address into account, causing the function to return 0,
meaning that the VM gap to fit the requested size could not be found.

rdar://66530705

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

wrotki created this revision.Sep 28 2022, 3:38 PM

Herald added a project: Restricted Project. · View Herald TranscriptSep 28 2022, 3:38 PM

Herald added a subscriber: Enna1. · View Herald Transcript

wrotki requested review of this revision.Sep 28 2022, 3:38 PM

Herald added a project: Restricted Project. · View Herald TranscriptSep 28 2022, 3:38 PM

Herald added a subscriber: Restricted Project. · View Herald Transcript

There are no changes in strncat-verlap.cpp test, correcting.

Harbormaster completed remote builds in B189268: Diff 463692.Sep 28 2022, 4:04 PM

LGTM, thanks for seeing this through @wrotki!

This revision is now accepted and ready to land.Oct 4 2022, 11:27 AM

Closed by commit rG7850df3de01f: [Sanitizers][Darwin] Fix invalid gap found by FindAvailableMemoryRange (authored by wrotki). · Explain WhyOct 6 2022, 12:06 PM

This revision was automatically updated to reflect the committed changes.

wrotki added a commit: rG7850df3de01f: [Sanitizers][Darwin] Fix invalid gap found by FindAvailableMemoryRange.

Revision Contents

Path

Size

compiler-rt/

lib/

sanitizer_common/

sanitizer_mac.cpp

5 lines

Diff 465821

compiler-rt/lib/sanitizer_common/sanitizer_mac.cpp

Show First 20 Lines • Show All 1,245 Lines • ▼ Show 20 Lines	uptr FindAvailableMemoryRange(uptr size, uptr alignment, uptr left_padding,
uptr *max_occupied_addr) {		uptr *max_occupied_addr) {
typedef vm_region_submap_short_info_data_64_t RegionInfo;		typedef vm_region_submap_short_info_data_64_t RegionInfo;
enum { kRegionInfoSize = VM_REGION_SUBMAP_SHORT_INFO_COUNT_64 };		enum { kRegionInfoSize = VM_REGION_SUBMAP_SHORT_INFO_COUNT_64 };
// Start searching for available memory region past PAGEZERO, which is		// Start searching for available memory region past PAGEZERO, which is
// 4KB on 32-bit and 4GB on 64-bit.		// 4KB on 32-bit and 4GB on 64-bit.
mach_vm_address_t start_address =		mach_vm_address_t start_address =
(SANITIZER_WORDSIZE == 32) ? 0x000000001000 : 0x000100000000;		(SANITIZER_WORDSIZE == 32) ? 0x000000001000 : 0x000100000000;

		const mach_vm_address_t max_vm_address = GetMaxVirtualAddress() + 1;
mach_vm_address_t address = start_address;		mach_vm_address_t address = start_address;
mach_vm_address_t free_begin = start_address;		mach_vm_address_t free_begin = start_address;
kern_return_t kr = KERN_SUCCESS;		kern_return_t kr = KERN_SUCCESS;
if (largest_gap_found) *largest_gap_found = 0;		if (largest_gap_found) *largest_gap_found = 0;
if (max_occupied_addr) *max_occupied_addr = 0;		if (max_occupied_addr) *max_occupied_addr = 0;
while (kr == KERN_SUCCESS) {		while (kr == KERN_SUCCESS) {
mach_vm_size_t vmsize = 0;		mach_vm_size_t vmsize = 0;
natural_t depth = 0;		natural_t depth = 0;
RegionInfo vminfo;		RegionInfo vminfo;
mach_msg_type_number_t count = kRegionInfoSize;		mach_msg_type_number_t count = kRegionInfoSize;
kr = mach_vm_region_recurse(mach_task_self(), &address, &vmsize, &depth,		kr = mach_vm_region_recurse(mach_task_self(), &address, &vmsize, &depth,
(vm_region_info_t)&vminfo, &count);		(vm_region_info_t)&vminfo, &count);
if (kr == KERN_INVALID_ADDRESS) {		if (kr == KERN_INVALID_ADDRESS) {
// No more regions beyond "address", consider the gap at the end of VM.		// No more regions beyond "address", consider the gap at the end of VM.
address = GetMaxVirtualAddress() + 1;		address = max_vm_address;
vmsize = 0;		vmsize = 0;
} else {		} else {
if (max_occupied_addr) *max_occupied_addr = address + vmsize;		if (max_occupied_addr) *max_occupied_addr = address + vmsize;
}		}
if (free_begin != address) {		if (free_begin != address) {
// We found a free region [free_begin..address-1].		// We found a free region [free_begin..address-1].
uptr gap_start = RoundUpTo((uptr)free_begin + left_padding, alignment);		uptr gap_start = RoundUpTo((uptr)free_begin + left_padding, alignment);
uptr gap_end = RoundDownTo((uptr)address, alignment);		uptr gap_end = RoundDownTo((uptr)Min(address, max_vm_address), alignment);
uptr gap_size = gap_end > gap_start ? gap_end - gap_start : 0;		uptr gap_size = gap_end > gap_start ? gap_end - gap_start : 0;
if (size < gap_size) {		if (size < gap_size) {
return gap_start;		return gap_start;
}		}

if (largest_gap_found && *largest_gap_found < gap_size) {		if (largest_gap_found && *largest_gap_found < gap_size) {
*largest_gap_found = gap_size;		*largest_gap_found = gap_size;
}		}
▲ Show 20 Lines • Show All 172 Lines • Show Last 20 Lines