This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
compiler-rt/lib/scudo/standalone/
-
lib/
-
scudo/
-
standalone/
3/4
combined.h
-
tests/
-
combined_test.cpp

Differential D137352

[scudo] Detect double free when running with MTE.
ClosedPublic

Authored by eugenis on Nov 3 2022, 1:24 PM.

Download Raw Diff

Details

Reviewers

pcc
fmayer

Commits

rG1dd54691b20d: [scudo] Detect double free when running with MTE.

Summary

Try to trigger an MTE fault on double/invalid free by touching the first
byte of the allocation with the provided pointer.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

eugenis created this revision.Nov 3 2022, 1:24 PM

Herald added a project: Restricted Project. · View Herald TranscriptNov 3 2022, 1:24 PM

Herald added subscribers: Enna1, cryptoad. · View Herald Transcript

eugenis requested review of this revision.Nov 3 2022, 1:24 PM

Herald added a project: Restricted Project. · View Herald TranscriptNov 3 2022, 1:24 PM

Herald added a subscriber: Restricted Project. · View Herald Transcript

Harbormaster completed remote builds in B195986: Diff 473013.Nov 3 2022, 1:45 PM

pcc added inline comments.Nov 4 2022, 3:41 PM

compiler-rt/lib/scudo/standalone/combined.h
565	For zero-sized allocations I'd expect the correct allocation tag to be stored in the first byte of the granule. It may be simpler to say that we skip this for zero-sized allocations because it is not expected to succeed even for valid allocations.

eugenis added inline comments.Nov 7 2022, 11:02 AM

compiler-rt/lib/scudo/standalone/combined.h
565	Not always - ex. zero size, 32 byte aligned allocation in a 32-byte size class will end up with header at offset 16 in the block, payload at offset 32, and no space to store the tag. We could bump the allocated size a little to handle this case, but I don't know if it is worth it. It will also make the deallocation logic more costly. I've benchmarked the current change and could not see any overhead.

ping

pcc added inline comments.Nov 10 2022, 11:07 AM

compiler-rt/lib/scudo/standalone/combined.h
565	Oh right, I forgot about that case. So can we add this example to the comment?

expanded comments

eugenis marked an inline comment as done.Nov 16 2022, 3:54 PM

Harbormaster completed remote builds in B198085: Diff 475942.Nov 16 2022, 4:24 PM

ping

fmayer added a subscriber: fmayer.Nov 18 2022, 11:04 AM

fmayer added inline comments.

compiler-rt/lib/scudo/standalone/combined.h
568	nit: afaict llvm uses `const char`, so I think this should be `volatile char` for consistency.

addressed Florian's comment

eugenis marked an inline comment as done.Nov 18 2022, 12:46 PM

fmayer accepted this revision.Nov 18 2022, 12:54 PM

This revision is now accepted and ready to land.Nov 18 2022, 12:54 PM

Harbormaster completed remote builds in B198534: Diff 476573.Nov 18 2022, 1:16 PM

This revision was landed with ongoing or failed builds.Nov 18 2022, 1:18 PM

Closed by commit rG1dd54691b20d: [scudo] Detect double free when running with MTE. (authored by eugenis). · Explain Why

This revision was automatically updated to reflect the committed changes.

eugenis added a commit: rG1dd54691b20d: [scudo] Detect double free when running with MTE..

eugenis added a reverting change: rG8add770417ca: Revert "[scudo] Detect double free when running with MTE.".Nov 21 2022, 4:58 PM

Revision Contents

Path

Size

compiler-rt/

lib/

scudo/

standalone/

combined.h

6 lines

tests/

combined_test.cpp

21 lines

Diff 473013

compiler-rt/lib/scudo/standalone/combined.h

Show First 20 Lines • Show All 554 Lines • ▼ Show 20 Lines	if (Options.get(OptionBit::DeallocTypeMismatch)) {
// With the exception of memalign'd chunks, that can be still be free'd.		// With the exception of memalign'd chunks, that can be still be free'd.
if (Header.OriginOrWasZeroed != Chunk::Origin::Memalign \|\|		if (Header.OriginOrWasZeroed != Chunk::Origin::Memalign \|\|
Origin != Chunk::Origin::Malloc)		Origin != Chunk::Origin::Malloc)
reportDeallocTypeMismatch(AllocatorAction::Deallocating, Ptr,		reportDeallocTypeMismatch(AllocatorAction::Deallocating, Ptr,
Header.OriginOrWasZeroed, Origin);		Header.OriginOrWasZeroed, Origin);
}		}
}		}

		// Try to detect deallocation with a wrong MTE tag by touching the first
		// byte with a correctly tagged pointer. Skip zero-sized allocations that do
		// not always store the correct tag value anywhere.
		pccUnsubmitted Not Done Reply Inline Actions For zero-sized allocations I'd expect the correct allocation tag to be stored in the first byte of the granule. It may be simpler to say that we skip this for zero-sized allocations because it is not expected to succeed even for valid allocations. pcc: For zero-sized allocations I'd expect the correct allocation tag to be stored in the first byte…
		eugenisAuthorUnsubmitted Done Reply Inline Actions Not always - ex. zero size, 32 byte aligned allocation in a 32-byte size class will end up with header at offset 16 in the block, payload at offset 32, and no space to store the tag. We could bump the allocated size a little to handle this case, but I don't know if it is worth it. It will also make the deallocation logic more costly. I've benchmarked the current change and could not see any overhead. eugenis: Not always - ex. zero size, 32 byte aligned allocation in a 32-byte size class will end up with…
		pccUnsubmitted Done Reply Inline Actions Oh right, I forgot about that case. So can we add this example to the comment? pcc: Oh right, I forgot about that case. So can we add this example to the comment?
const uptr Size = getSize(Ptr, &Header);		const uptr Size = getSize(Ptr, &Header);
		if (useMemoryTagging<Params>(Options) && Size != 0)
		(char volatile )TaggedPtr;
		fmayerUnsubmitted Done Reply Inline Actions nit: afaict llvm uses `const char`, so I think this should be `volatile char` for consistency. fmayer: nit: afaict llvm uses `const char`, so I think this should be `volatile char` for consistency.

if (DeleteSize && Options.get(OptionBit::DeleteSizeMismatch)) {		if (DeleteSize && Options.get(OptionBit::DeleteSizeMismatch)) {
if (UNLIKELY(DeleteSize != Size))		if (UNLIKELY(DeleteSize != Size))
reportDeleteSizeMismatch(Ptr, DeleteSize, Size);		reportDeleteSizeMismatch(Ptr, DeleteSize, Size);
}		}

quarantineOrDeallocateChunk(Options, TaggedPtr, &Header, Size);		quarantineOrDeallocateChunk(Options, TaggedPtr, &Header, Size);
}		}

▲ Show 20 Lines • Show All 869 Lines • Show Last 20 Lines

compiler-rt/lib/scudo/standalone/tests/combined_test.cpp

Show First 20 Lines • Show All 389 Lines • ▼ Show 20 Lines	EXPECT_DEATH(
void *P = Allocator->allocate(Size, Origin);		void *P = Allocator->allocate(Size, Origin);
Allocator->deallocate(P, Origin);		Allocator->deallocate(P, Origin);
reinterpret_cast<char *>(P)[Size - 1] = 0xaa;		reinterpret_cast<char *>(P)[Size - 1] = 0xaa;
},		},
"");		"");
}		}
}		}

		SCUDO_TYPED_TEST(ScudoCombinedDeathTest, FreeWithTagMismatch) {
		auto *Allocator = this->Allocator.get();

		if (!Allocator->useMemoryTaggingTestOnly())
		return;

		// Check that double free is detected.
		for (scudo::uptr SizeLog = 0U; SizeLog <= 20U; SizeLog++) {
		const scudo::uptr Size = 1U << SizeLog;
		EXPECT_DEATH(
		{
		disableDebuggerdMaybe();
		void *P = Allocator->allocate(Size, Origin);
		scudo::uptr NewTag = (scudo::extractTag(reinterpret_cast<scudo::uptr>(P)) + 1) % 16;
		void *Q = scudo::addFixedTag(scudo::untagPointer(P), NewTag);
		Allocator->deallocate(Q, Origin);
		},
		"");
		}
		}

SCUDO_TYPED_TEST(ScudoCombinedDeathTest, DisableMemoryTagging) {		SCUDO_TYPED_TEST(ScudoCombinedDeathTest, DisableMemoryTagging) {
auto *Allocator = this->Allocator.get();		auto *Allocator = this->Allocator.get();

if (Allocator->useMemoryTaggingTestOnly()) {		if (Allocator->useMemoryTaggingTestOnly()) {
// Check that disabling memory tagging works correctly.		// Check that disabling memory tagging works correctly.
void *P = Allocator->allocate(2048, Origin);		void *P = Allocator->allocate(2048, Origin);
EXPECT_DEATH(reinterpret_cast<char *>(P)[2048] = 0xaa, "");		EXPECT_DEATH(reinterpret_cast<char *>(P)[2048] = 0xaa, "");
scudo::ScopedDisableMemoryTagChecks NoTagChecks;		scudo::ScopedDisableMemoryTagChecks NoTagChecks;
▲ Show 20 Lines • Show All 328 Lines • Show Last 20 Lines