This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
compiler-rt/
-
lib/asan/
-
asan/
9/11
asan_interceptors.cpp
-
asan_internal.h
3/7
asan_linux.cpp
-
test/asan/TestCases/Linux/
-
asan/
-
TestCases/
-
Linux/
2/5
swapcontext_test.cpp

Differential D137654

[runtimes][asan] Fix swapcontext interception
ClosedPublic

Authored by itrofimow on Nov 8 2022, 9:43 AM.

Download Raw Diff

Details

Reviewers

vitalybuka
eugenis

Commits

rGb380e8b68951: [runtimes][asan] Fix swapcontext interception

Summary

Resetting oucp's stack to zero in swapcontext interception is incorrect,
since it breaks ucp cleanup after swapcontext returns in some cases:

Say we have two contexts, A and B, and we swapcontext from A to B, do
some work on Bs stack and then swapcontext back from B to A. At this
point shadow memory of Bs stack is in arbitrary state, but since we
can't know whether B will ever swapcontext-ed to again we clean up it's
shadow memory, because otherwise it remains poisoned and blows in
completely unrelated places when heap-allocated memory of Bs context
gets reused later (see https://github.com/llvm/llvm-project/issues/58633
for example). swapcontext prototype is swapcontext(ucontext* oucp,
ucontext* ucp), so in this example A is oucp and B is ucp, and i refer
to the process of cleaning up Bs shadow memory as ucp cleanup.

About how it breaks:
Take the same example with A and B: when we swapcontext back from B to A
the oucp parameter of swapcontext is actually B, and current trunk
resets its stack in a way that it becomes "uncleanupable" later. It
works fine if we do A->B->A, but if we do A->B->A->B->A no cleanup is
performed for Bs stack after B "returns" to A second time. That's
exactly what happens in the test i provided, and it's actually a pretty
common real world scenario.

Instead of resetting oucp's we make use of uc_stack.ss_flags to mark
context as "cleanup-able" by storing stack specific hash. It should be
safe since this field is not used in [get|make|swap]context functions
and is hopefully never meaningfully used in real-world scenarios (and i
haven't seen any).

Fixes https://github.com/llvm/llvm-project/issues/58633

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

itrofimow created this revision.Nov 8 2022, 9:43 AM

Herald added a project: Restricted Project. · View Herald TranscriptNov 8 2022, 9:43 AM

Herald added a subscriber: Enna1. · View Herald Transcript

itrofimow requested review of this revision.Nov 8 2022, 9:43 AM

Herald added a project: Restricted Project. · View Herald TranscriptNov 8 2022, 9:43 AM

Herald added a subscriber: Restricted Project. · View Herald Transcript

Harbormaster completed remote builds in B196736: Diff 474033.Nov 8 2022, 10:03 AM

Hi! Could you please have a look at this?

This patch is an attempt to fix bugs introduced by https://reviews.llvm.org/D129219 and https://reviews.llvm.org/D130218,
and the test added is failing with current clang++-15 with -fsanitize-address-use-after-return=never.

Actually about that -fsanitize-address-use-after-return, which default value was changed to
runtime in clang-15 - doesn't that render all that cleanup machinery useless, since fake stack is used instead of the stack specified in ucontext_t?

In D137654#3919620, @itrofimow wrote:

Hi! Could you please have a look at this?

This patch is an attempt to fix bugs introduced by https://reviews.llvm.org/D129219 and https://reviews.llvm.org/D130218,
and the test added is failing with current clang++-15 with -fsanitize-address-use-after-return=never.

Actually about that -fsanitize-address-use-after-return, which default value was changed to
runtime in clang-15 - doesn't that render all that cleanup machinery useless, since fake stack is used instead of the stack specified in ucontext_t?

Yes, it's less important. UAR moves most variables to the fake, stack, but not all.
Also if UAR allocator overflows it falls back to non-UAR stack.

compiler-rt/lib/asan/asan_interceptors.cpp
259–260	so if we do: getcontext update fields, including flags makecontext we will not be able to tell a difference?
306	if you change ReadContextStack, please make it return bool: true - need cleanaup, false does not then hide kAsanContextStackFlagsMagic into ReadContextStack and you don't need return flags after that
319	I still think that intercepting makecontext is the better solution. INTERCEPTOR( ... makecontext { ... ucp->uc_stack.ss_size -= sizeof(u64); (ucp->uc_stack.ss_sp + ucp->uc_stack.ss_size) = kMagic. return REAL(makecontext) ... } Then we need only to check: (ucp->uc_stack.ss_sp + ucp->uc_stack.ss_size) == magic to decide
compiler-rt/lib/asan/asan_linux.cpp
230	It looks "ss_flags == kAsanContextStackFlagsMagic" only if "ss_sp == nullptr"

itrofimow added inline comments.Nov 10 2022, 11:51 AM

compiler-rt/lib/asan/asan_interceptors.cpp
259–260	Yes, but that's the point of using `ss_flags` for this: nobody uses them for anything meaningful, this field is either set to 0 or left unchanged after `getcontext` call. I mean, some people might use `ss_flags`, but for them we at least would break in a realistically debuggable way, not just some random use-after-scope in a completely unrelated places.
319	I see a couple of problems with intercepting `makecontext`: first, `makecontext` takes ellipsis (`...`) args, and i'm not sure how to pass that to real makecontext without too much hassle second, saving magic to users stack is unreliable, and the exact approach you provided might break boost.context for instance (https://github.com/boostorg/context/blob/develop/include/boost/context/continuation_ucontext.hpp#L279)
compiler-rt/lib/asan/asan_linux.cpp
230	Not necessary: `ss_sp\|ss_size` could be changed by user after `getcontext` call The idea is that there are 3 major cases: context is initialized with `getcontext` for later usage with `makecontext`. Since nobody uses `ss_flags` (see my other comment for explanation) we can reliably tell that we should cleanup its stack context is some global variable that is just set to zeroes (that's what happens in tests, for example) - we can't distinguish this case from 1. but can assume that `ss_sp` is either implicitly zeroed or set by user, who also explicitly set `ss_flags` to zero context is uninitialized and used as `oucp` for `swapcontext` - then its flags would never be equal to magic, so we won't try to clean it up

itrofimow added inline comments.Nov 10 2022, 11:55 AM

compiler-rt/lib/asan/asan_interceptors.cpp
259–260	You are right, setting `ss_flags` in `makecontext` would be better, but idk how to do that

cr fixes

Harbormaster completed remote builds in B197310: Diff 474864.Nov 11 2022, 3:23 PM

Hi @vitalybuka!
Did you have a chance to make yourself familiar with my reasoning?

Using flags is to easy to find example when it fails.

With makecontext the only issues is ... handling, I can look into this a little bit later.
Also with makecontext we can handle uc_link, we need to clean the stack before moving to the next.

compiler-rt/lib/asan/asan_interceptors.cpp
319	I see a couple of problems with intercepting `makecontext`: first, `makecontext` takes ellipsis (`...`) args, and i'm not sure how to pass that to real makecontext without too much hassle Can be tricky, but we do something like this for printf interceptors second, saving magic to users stack is unreliable, and the exact approach you provided might break boost.context for instance (https://github.com/boostorg/context/blob/develop/include/boost/context/continuation_ucontext.hpp#L279) It should not be a problem, makecontext implementation already cut off a piece of buffer for own data.
compiler-rt/lib/asan/asan_linux.cpp
214–215	can you make it more "random", I suspect probability of this constant in unrelated place is above average.
compiler-rt/test/asan/TestCases/Linux/swapcontext_test.cpp
28	is this clang format? if so please move out reformating into a separate CL, or just revert here
95	I can imagine someone clears poll_context.uc_stack before setting ss_sp and ss_size

In D137654#3925990, @vitalybuka wrote:

Using flags is to easy to find example when it fails.

Maybe i'm having a brain lag here, but what would that example be?
One has to explicitly set this field to non-zero after getcontext (or makecontext if i manage to intercept it somehow and move the assignment of flags there),
and it seems to me like literally nobody does that - it's either left unchanged or zeroed.

ss_flags is either set to Magic by me or set to 0 by user (and maybe i should add checks for SS_DISABLE/SS_ONSTACK as well),
and as long as it's set to something meaningful we can almost reliably identify this context as cleanup-able,
because having meaningful values implies it was set up by user manually, and the context isn't used just as oucp for swapcontext without prior setup.
What am i missing here?

P.S. I do understand that this is still an heuristic and can fail in some cases, but i would argue that those cases are uncommon to say the least

compiler-rt/lib/asan/asan_interceptors.cpp
319	Can be tricky, but we do something like this for printf interceptors I might be mistaken, but it seems to me that for printf/scanf functions Asan just proxies to their analogues in libc taking va_list (vprintf/vscanf and the likes of). However there is no such thing for `makecontext`, sadly. It should not be a problem, makecontext implementation already cut off a piece of buffer for own data. You are right, in this exact case it would work, but the idea of manipulating user input in such ways makes me uneasy: people might rely on their layout/sizes, and we can unintentionally bring them all kinds of not-that-easy-to-debug UBs.
compiler-rt/lib/asan/asan_linux.cpp
214–215	I hope it is) I was thinking about scenarios where manipulating `ss_flags` breaks someones logic, and they start to debug what's going on and why are there mismatches in this value. For me this screams "i am not random garbage" and should give a hint that this is intentional. Would be better to have this set in makecontext, that's true.
compiler-rt/test/asan/TestCases/Linux/swapcontext_test.cpp
28	Yes, it's clang-format. Will revert
95	Not sure if i understood this, could you please elaborate?

more exhaustive check for flags

Harbormaster completed remote builds in B198002: Diff 475823.Nov 16 2022, 8:15 AM

@vitalybuka gently pinging you on this. Can you see this ever landing or am i going the wrong direction with the idea of using ss_flags?

In D137654#3963774, @itrofimow wrote:

@vitalybuka gently pinging you on this. Can you see this ever landing or am i going the wrong direction with the idea of using ss_flags?

@dvyukov @eugenis

Sorry I wanted to try makecontext interceptor and it works fine, but I hit other issues I have no idea how to solve.
I think we can't have reasonable context switch support and rather recommend to remove existing "INTERCEPTOR(int, swapcontext" and make poisoning users responsibility.

Or simplify interceptors to:

INTERCEPTOR(int, swapcontext, struct ucontext_t *oucp,
            struct ucontext_t *ucp) {
  static bool reported_warning = false;
  if (!reported_warning) {
    Report("WARNING: ASan doesn't fully support makecontext/swapcontext "
           "functions and may produce false positives in some cases!\n");
    reported_warning = true;
  }
  ___asan_handle_no_return();
  int res = real_swapcontext(oucp, ucp);
  __asan_handle_no_return();
  return res;
}

and make users to use existing sanitizer_start_switch_fiber/sanitizer_finish_switch_fiber to make sure __asan_handle_no_return does the job.

don't use flags

switch back to flags

vitalybuka accepted this revision.Dec 8 2022, 3:03 PM

This revision is now accepted and ready to land.Dec 8 2022, 3:03 PM

Harbormaster completed remote builds in B202092: Diff 481456.Dec 8 2022, 3:22 PM

since it breaks ucp cleanup after swapcontext returns in some cases.

Can you elaborate a bit what is "ucp cleanup" and how it breaks?

compiler-rt/lib/asan/asan_linux.cpp
231	`^` has lower precedence than `==`. This may not work as intended.

In D137654#4030513, @MaskRay wrote:

since it breaks ucp cleanup after swapcontext returns in some cases.

Can you elaborate a bit what is "ucp cleanup" and how it breaks?

Sure.
Say we have two contexts, A and B, and we swapcontext from A to B, do some work on Bs stack and then swapcontext back from B to A.
At this point shadow memory of Bs stack is in arbitrary state, but since we can't know whether B will ever swapcontext-ed to again we clean up it's shadow memory,
because otherwise it remains poisoned and blows in completely unrelated places when heap-allocated memory of Bs context gets reused later (see https://github.com/llvm/llvm-project/issues/58633 for example).
swapcontext prototype is swapcontext(ucontext* oucp, ucontext* ucp), so in this example A is oucp and B is ucp, and i refer to the process of cleaning up Bs shadow memory as ucp cleanup.

About how it breaks:
Take the same example with A and B: when we swapcontext back from B to A the oucp parameter of swapcontext is actually B, and current trunk resets its stack in a way that it becomes "uncleanupable" later.
It works fine if we do A->B->A, but if we do A->B->A->B->A no cleanup is performed for Bs stack after after B "returns" to A second time.
That's exactly what happens in the test i provided, and it's actually a pretty common real world scenario.

Hope this clarifies things at least a bit.

In D137654#4031095, @itrofimow wrote:

In D137654#4030513, @MaskRay wrote:

since it breaks ucp cleanup after swapcontext returns in some cases.

Can you elaborate a bit what is "ucp cleanup" and how it breaks?

Sure.
Say we have two contexts, A and B, and we swapcontext from A to B, do some work on Bs stack and then swapcontext back from B to A.
At this point shadow memory of Bs stack is in arbitrary state, but since we can't know whether B will ever swapcontext-ed to again we clean up it's shadow memory,
because otherwise it remains poisoned and blows in completely unrelated places when heap-allocated memory of Bs context gets reused later (see https://github.com/llvm/llvm-project/issues/58633 for example).
swapcontext prototype is swapcontext(ucontext* oucp, ucontext* ucp), so in this example A is oucp and B is ucp, and i refer to the process of cleaning up Bs shadow memory as ucp cleanup.

About how it breaks:
Take the same example with A and B: when we swapcontext back from B to A the oucp parameter of swapcontext is actually B, and current trunk resets its stack in a way that it becomes "uncleanupable" later.
It works fine if we do A->B->A, but if we do A->B->A->B->A no cleanup is performed for Bs stack after after B "returns" to A second time.
That's exactly what happens in the test i provided, and it's actually a pretty common real world scenario.

Hope this clarifies things at least a bit.

Thanks! You may fold the description into the commit message/Differential summary and perhaps add a brief comment (including A->B->A->B->A) to the test function Poll.

itrofimow edited the summary of this revision. (Show Details)Jan 7 2023, 7:06 PM

In D137654#4032187, @MaskRay wrote:

In D137654#4031095, @itrofimow wrote:

In D137654#4030513, @MaskRay wrote:

since it breaks ucp cleanup after swapcontext returns in some cases.

Can you elaborate a bit what is "ucp cleanup" and how it breaks?

Sure.
Say we have two contexts, A and B, and we swapcontext from A to B, do some work on Bs stack and then swapcontext back from B to A.
At this point shadow memory of Bs stack is in arbitrary state, but since we can't know whether B will ever swapcontext-ed to again we clean up it's shadow memory,
because otherwise it remains poisoned and blows in completely unrelated places when heap-allocated memory of Bs context gets reused later (see https://github.com/llvm/llvm-project/issues/58633 for example).
swapcontext prototype is swapcontext(ucontext* oucp, ucontext* ucp), so in this example A is oucp and B is ucp, and i refer to the process of cleaning up Bs shadow memory as ucp cleanup.

About how it breaks:
Take the same example with A and B: when we swapcontext back from B to A the oucp parameter of swapcontext is actually B, and current trunk resets its stack in a way that it becomes "uncleanupable" later.
It works fine if we do A->B->A, but if we do A->B->A->B->A no cleanup is performed for Bs stack after after B "returns" to A second time.
That's exactly what happens in the test i provided, and it's actually a pretty common real world scenario.

Hope this clarifies things at least a bit.

Thanks! You may fold the description into the commit message/Differential summary and perhaps add a brief comment (including A->B->A->B->A) to the test function Poll.

Updated the summary with the more detailed explanation of the problem and a brief of proposed changes.

Actually, what's the state of this patch? It feels to me that there are 3 competing possibilities of what to do with the swapcontext issue:

Land this, see how it goes and what/where it breaks, if any
Completely abandon all cleanup machinery and make it users responsibility, as @vitalybuka suggested
Revert https://reviews.llvm.org/D129219 together with https://reviews.llvm.org/D130218

I could try to ping folks from github issue to try this patch out before merging, to check if it's actually working

Hi!
Is there anything i can do to help resolving the issue (https://github.com/llvm/llvm-project/issues/58633), be that this patch or reverting some other patches?
Right now i'm a bit confused as what to do with this and how to advance any further.

@MaskRay @vitalybuka

In D137654#4094514, @itrofimow wrote:

Hi!
Is there anything i can do to help resolving the issue (https://github.com/llvm/llvm-project/issues/58633), be that this patch or reverting some other patches?
Right now i'm a bit confused as what to do with this and how to advance any further.

@MaskRay @vitalybuka

Sorry, the problem totally slipped my mind.
I will review it in the first half of the weak, can't do today.
Feel free to ping me any other day, If I stop replying.

compiler-rt/test/asan/TestCases/Linux/swapcontext_test.cpp
104	I suspect with higher O levels it will be converted into stack buffer

Actually, what's the state of this patch? It feels to me that there are 3 competing possibilities of what to do with the swapcontext issue:

Land this, see how it goes and what/where it breaks, if any

Completely abandon all cleanup machinery and make it users responsibility, as @vitalybuka suggested

Revert https://reviews.llvm.org/D129219 together with https://reviews.llvm.org/D130218

So I would prefer no.1, likely some cases would need some user side workaround like no.2
Do you see issues with the current state of the patch? If not, I can land it.
Would you prefer if I submit the patch into your name, as it was started by you? If you don't want to accept the blame for this version, I can land with my name.

In D137654#4101055, @vitalybuka wrote:

Actually, what's the state of this patch? It feels to me that there are 3 competing possibilities of what to do with the swapcontext issue:

Land this, see how it goes and what/where it breaks, if any

Completely abandon all cleanup machinery and make it users responsibility, as @vitalybuka suggested

Revert https://reviews.llvm.org/D129219 together with https://reviews.llvm.org/D130218

So I would prefer no.1, likely some cases would need some user side workaround like no.2
Do you see issues with the current state of the patch? If not, I can land it.
Would you prefer if I submit the patch into your name, as it was started by you? If you don't want to accept the blame for this version, I can land with my name.

Left some inline comments, please have a look.

I'm fine with taking the blame for this. In github it should be shown as co-authored by us anyway, so people would be able to reach out if something goes wrong.

compiler-rt/lib/asan/asan_interceptors.cpp
262	My (limited) knowledge of C tells me, that there is no portable way to forward an invocation of variadic function (https://c-faq.com/varargs/handoff.html). Are you sure that this indeed does what it's supposed to do?
compiler-rt/lib/asan/asan_linux.cpp
231	Nice catch

I will look into makecontext issue

compiler-rt/lib/asan/asan_interceptors.cpp
262	somehow it works on test, but replacing ... with va_list does not look right

This revision now requires changes to proceed.Feb 7 2023, 12:59 PM

Hi @vitalybuka! Did you have a chance to look into makecontext issue?

compiler-rt/lib/asan/asan_interceptors.cpp
262	I'm almost sure that it breaks as soon as there are more than 6 (on x86 that is) parameters, or more than sizeof(va_list) / sizeof(int64). Might be worth to add a test for that

Hi @vitalybuka ! Pinging you about this

fix makecontext interceptor

up to 64 args

This works for me

rebase

Harbormaster completed remote builds in B225196: Diff 512990.Apr 12 2023, 4:07 PM

Hi @vitalybuka! Thank you for getting back to this.

I really like your idea of marking flags in makecontext instead of getcontext, and i'm glad you've found a solution to ellipsis args forwarding - neat!
I can confirm that this fixes all the standalone repros i had, and i'm working on testing some larger projects with this patch applied to clang.

There seems to be one last issue with operator precedence in ReadContextStack left, and i guess we are done after that?

fix ^, == precedence

I can confirm that this patch (with parentheses added around comparison in ReadContextStack)
applied atop of clang-15.0.7 fixes https://github.com/userver-framework/userver/issues/170

Use existing hash function

vitalybuka added inline comments.Apr 13 2023, 11:28 AM

compiler-rt/lib/asan/asan_linux.cpp
231	Done.

Thanks for verifying. I am going to merge this.

This revision is now accepted and ready to land.Apr 13 2023, 11:38 AM

vitalybuka edited the summary of this revision. (Show Details)Apr 13 2023, 11:45 AM

This revision was landed with ongoing or failed builds.Apr 13 2023, 11:47 AM

Closed by commit rGb380e8b68951: [runtimes][asan] Fix swapcontext interception (authored by itrofimow, committed by vitalybuka). · Explain Why

This revision was automatically updated to reflect the committed changes.

vitalybuka added a commit: rGb380e8b68951: [runtimes][asan] Fix swapcontext interception.

Harbormaster completed remote builds in B225407: Diff 513314.Apr 13 2023, 12:31 PM

Revision Contents

Path

Size

compiler-rt/

lib/

asan/

asan_interceptors.cpp

47 lines

asan_internal.h

2 lines

asan_linux.cpp

30 lines

test/

asan/

TestCases/

Linux/

swapcontext_test.cpp

72 lines

Diff 513323

compiler-rt/lib/asan/asan_interceptors.cpp

Show First 20 Lines • Show All 250 Lines • ▼ Show 20 Lines	static void ClearShadowMemoryForContextStack(uptr stack, uptr ssize) {
uptr PageSize = GetPageSizeCached();		uptr PageSize = GetPageSizeCached();
uptr bottom = RoundDownTo(stack, PageSize);		uptr bottom = RoundDownTo(stack, PageSize);
if (!AddrIsInMem(bottom))		if (!AddrIsInMem(bottom))
return;		return;
ssize += stack - bottom;		ssize += stack - bottom;
ssize = RoundUpTo(ssize, PageSize);		ssize = RoundUpTo(ssize, PageSize);
PoisonShadow(bottom, ssize, 0);		PoisonShadow(bottom, ssize, 0);
}		}

INTERCEPTOR(int, getcontext, struct ucontext_t *ucp) {		INTERCEPTOR(void, makecontext, struct ucontext_t ucp, void (func)(), int argc,
		vitalybukaUnsubmitted Done Reply Inline Actions so if we do: getcontext update fields, including flags makecontext we will not be able to tell a difference? vitalybuka: so if we do: getcontext update fields, including flags makecontext we will not be able to tell…
		itrofimowAuthorUnsubmitted Done Reply Inline Actions Yes, but that's the point of using `ss_flags` for this: nobody uses them for anything meaningful, this field is either set to 0 or left unchanged after `getcontext` call. I mean, some people might use `ss_flags`, but for them we at least would break in a realistically debuggable way, not just some random use-after-scope in a completely unrelated places. itrofimow: Yes, but that's the point of using `ss_flags` for this: nobody uses them for anything…
		itrofimowAuthorUnsubmitted Done Reply Inline Actions You are right, setting `ss_flags` in `makecontext` would be better, but idk how to do that itrofimow: You are right, setting `ss_flags` in `makecontext` would be better, but idk how to do that
// API does not requires to have ucp clean, and sets only part of fields. We		...) {
// use ucp->uc_stack to unpoison new stack. We prefer to have zeroes then		va_list ap;
		itrofimowAuthorUnsubmitted Done Reply Inline Actions My (limited) knowledge of C tells me, that there is no portable way to forward an invocation of variadic function (https://c-faq.com/varargs/handoff.html). Are you sure that this indeed does what it's supposed to do? itrofimow: My (limited) knowledge of C tells me, that there is no portable way to forward an invocation of…
		vitalybukaUnsubmitted Not Done Reply Inline Actions somehow it works on test, but replacing ... with va_list does not look right vitalybuka: somehow it works on test, but replacing ... with va_list does not look right
		itrofimowAuthorUnsubmitted Done Reply Inline Actions I'm almost sure that it breaks as soon as there are more than 6 (on x86 that is) parameters, or more than sizeof(va_list) / sizeof(int64). Might be worth to add a test for that itrofimow: I'm almost sure that it breaks as soon as there are more than 6 (on x86 that is) parameters, or…
// uninitialized bytes.		uptr args[64];
ResetContextStack(ucp);		// We don't know a better way to forward ... into REAL function. We can
return REAL(getcontext)(ucp);		// increase args size if neccecary.
		CHECK_LE(argc, ARRAY_SIZE(args));
		internal_memset(args, 0, sizeof(args));
		va_start(ap, argc);
		for (int i = 0; i < argc; ++i) args[i] = va_arg(ap, uptr);
		va_end(ap);

		# define ENUMERATE_ARRAY_4(start) \
		args[start], args[start + 1], args[start + 2], args[start + 3]
		# define ENUMERATE_ARRAY_16(start) \
		ENUMERATE_ARRAY_4(start), ENUMERATE_ARRAY_4(start + 4), \
		ENUMERATE_ARRAY_4(start + 8), ENUMERATE_ARRAY_4(start + 12)
		# define ENUMERATE_ARRAY_64() \
		ENUMERATE_ARRAY_16(0), ENUMERATE_ARRAY_16(16), ENUMERATE_ARRAY_16(32), \
		ENUMERATE_ARRAY_16(48)

		REAL(makecontext)
		((struct ucontext_t *)ucp, func, argc, ENUMERATE_ARRAY_64());

		# undef ENUMERATE_ARRAY_4
		# undef ENUMERATE_ARRAY_16
		# undef ENUMERATE_ARRAY_64

		// Sign the stack so we can identify it for unpoisoning.
		SignContextStack(ucp);
}		}

INTERCEPTOR(int, swapcontext, struct ucontext_t *oucp,		INTERCEPTOR(int, swapcontext, struct ucontext_t *oucp,
struct ucontext_t *ucp) {		struct ucontext_t *ucp) {
static bool reported_warning = false;		static bool reported_warning = false;
if (!reported_warning) {		if (!reported_warning) {
Report("WARNING: ASan doesn't fully support makecontext/swapcontext "		Report("WARNING: ASan doesn't fully support makecontext/swapcontext "
"functions and may produce false positives in some cases!\n");		"functions and may produce false positives in some cases!\n");
reported_warning = true;		reported_warning = true;
}		}
// Clear shadow memory for new context (it may share stack		// Clear shadow memory for new context (it may share stack
// with current context).		// with current context).
uptr stack, ssize;		uptr stack, ssize;
ReadContextStack(ucp, &stack, &ssize);		ReadContextStack(ucp, &stack, &ssize);
ClearShadowMemoryForContextStack(stack, ssize);		ClearShadowMemoryForContextStack(stack, ssize);

// See getcontext interceptor.
ResetContextStack(oucp);

# if __has_attribute(__indirect_return__) && \		# if __has_attribute(__indirect_return__) && \
		vitalybukaUnsubmitted Done Reply Inline Actions if you change ReadContextStack, please make it return bool: true - need cleanaup, false does not then hide kAsanContextStackFlagsMagic into ReadContextStack and you don't need return flags after that vitalybuka: if you change ReadContextStack, please make it return bool: true - need cleanaup, false does…
(defined(__x86_64__) \|\| defined(__i386__))		(defined(__x86_64__) \|\| defined(__i386__))
int (real_swapcontext)(struct ucontext_t , struct ucontext_t *)		int (real_swapcontext)(struct ucontext_t , struct ucontext_t *)
__attribute__((__indirect_return__)) = REAL(swapcontext);		__attribute__((__indirect_return__)) = REAL(swapcontext);
int res = real_swapcontext(oucp, ucp);		int res = real_swapcontext(oucp, ucp);
# else		# else
int res = REAL(swapcontext)(oucp, ucp);		int res = REAL(swapcontext)(oucp, ucp);
# endif		# endif
// swapcontext technically does not return, but program may swap context to		// swapcontext technically does not return, but program may swap context to
// "oucp" later, that would look as if swapcontext() returned 0.		// "oucp" later, that would look as if swapcontext() returned 0.
// We need to clear shadow for ucp once again, as it may be in arbitrary		// We need to clear shadow for ucp once again, as it may be in arbitrary
// state.		// state.
ClearShadowMemoryForContextStack(stack, ssize);		ClearShadowMemoryForContextStack(stack, ssize);
return res;		return res;
		vitalybukaUnsubmitted Done Reply Inline Actions I still think that intercepting makecontext is the better solution. INTERCEPTOR( ... makecontext { ... ucp->uc_stack.ss_size -= sizeof(u64); (ucp->uc_stack.ss_sp + ucp->uc_stack.ss_size) = kMagic. return REAL(makecontext) ... } Then we need only to check: (ucp->uc_stack.ss_sp + ucp->uc_stack.ss_size) == magic to decide vitalybuka: I still think that intercepting makecontext is the better solution. INTERCEPTOR( ...
		itrofimowAuthorUnsubmitted Done Reply Inline Actions I see a couple of problems with intercepting `makecontext`: first, `makecontext` takes ellipsis (`...`) args, and i'm not sure how to pass that to real makecontext without too much hassle second, saving magic to users stack is unreliable, and the exact approach you provided might break boost.context for instance (https://github.com/boostorg/context/blob/develop/include/boost/context/continuation_ucontext.hpp#L279) itrofimow: I see a couple of problems with intercepting `makecontext`: first, `makecontext` takes…
		vitalybukaUnsubmitted Not Done Reply Inline Actions I see a couple of problems with intercepting `makecontext`: first, `makecontext` takes ellipsis (`...`) args, and i'm not sure how to pass that to real makecontext without too much hassle Can be tricky, but we do something like this for printf interceptors second, saving magic to users stack is unreliable, and the exact approach you provided might break boost.context for instance (https://github.com/boostorg/context/blob/develop/include/boost/context/continuation_ucontext.hpp#L279) It should not be a problem, makecontext implementation already cut off a piece of buffer for own data. vitalybuka: > I see a couple of problems with intercepting `makecontext`: > > first, `makecontext` takes…
		itrofimowAuthorUnsubmitted Done Reply Inline Actions Can be tricky, but we do something like this for printf interceptors I might be mistaken, but it seems to me that for printf/scanf functions Asan just proxies to their analogues in libc taking va_list (vprintf/vscanf and the likes of). However there is no such thing for `makecontext`, sadly. It should not be a problem, makecontext implementation already cut off a piece of buffer for own data. You are right, in this exact case it would work, but the idea of manipulating user input in such ways makes me uneasy: people might rely on their layout/sizes, and we can unintentionally bring them all kinds of not-that-easy-to-debug UBs. itrofimow: > Can be tricky, but we do something like this for printf interceptors I might be mistaken…
}		}
#endif // ASAN_INTERCEPT_SWAPCONTEXT		#endif // ASAN_INTERCEPT_SWAPCONTEXT

#if SANITIZER_NETBSD		#if SANITIZER_NETBSD
#define longjmp __longjmp14		#define longjmp __longjmp14
#define siglongjmp __siglongjmp14		#define siglongjmp __siglongjmp14
#endif		#endif

▲ Show 20 Lines • Show All 350 Lines • ▼ Show 20 Lines
#if ASAN_INTERCEPT_ATOLL_AND_STRTOLL		#if ASAN_INTERCEPT_ATOLL_AND_STRTOLL
ASAN_INTERCEPT_FUNC(atoll);		ASAN_INTERCEPT_FUNC(atoll);
ASAN_INTERCEPT_FUNC(strtoll);		ASAN_INTERCEPT_FUNC(strtoll);
#endif		#endif

// Intecept jump-related functions.		// Intecept jump-related functions.
ASAN_INTERCEPT_FUNC(longjmp);		ASAN_INTERCEPT_FUNC(longjmp);

#if ASAN_INTERCEPT_SWAPCONTEXT		# if ASAN_INTERCEPT_SWAPCONTEXT
ASAN_INTERCEPT_FUNC(getcontext);
ASAN_INTERCEPT_FUNC(swapcontext);		ASAN_INTERCEPT_FUNC(swapcontext);
		ASAN_INTERCEPT_FUNC(makecontext);
#endif		# endif
#if ASAN_INTERCEPT__LONGJMP		# if ASAN_INTERCEPT__LONGJMP
ASAN_INTERCEPT_FUNC(_longjmp);		ASAN_INTERCEPT_FUNC(_longjmp);
#endif		#endif
#if ASAN_INTERCEPT___LONGJMP_CHK		#if ASAN_INTERCEPT___LONGJMP_CHK
ASAN_INTERCEPT_FUNC(__longjmp_chk);		ASAN_INTERCEPT_FUNC(__longjmp_chk);
#endif		#endif
#if ASAN_INTERCEPT_SIGLONGJMP		#if ASAN_INTERCEPT_SIGLONGJMP
ASAN_INTERCEPT_FUNC(siglongjmp);		ASAN_INTERCEPT_FUNC(siglongjmp);
#endif		#endif
▲ Show 20 Lines • Show All 53 Lines • Show Last 20 Lines

compiler-rt/lib/asan/asan_internal.h

	Show First 20 Lines • Show All 99 Lines • ▼ Show 20 Lines
	// loaded image containing `needle' and then enumerates all global metadata			// loaded image containing `needle' and then enumerates all global metadata
	// structures declared in that image, applying `op' (e.g.,			// structures declared in that image, applying `op' (e.g.,
	// __asan_(un)register_globals) to them.			// __asan_(un)register_globals) to them.
	typedef void (globals_op_fptr)(__asan_global , uptr);			typedef void (globals_op_fptr)(__asan_global , uptr);
	void AsanApplyToGlobals(globals_op_fptr op, const void *needle);			void AsanApplyToGlobals(globals_op_fptr op, const void *needle);

	void AsanOnDeadlySignal(int, void siginfo, void context);			void AsanOnDeadlySignal(int, void siginfo, void context);

				void SignContextStack(void *context);
	void ReadContextStack(void context, uptr stack, uptr *ssize);			void ReadContextStack(void context, uptr stack, uptr *ssize);
	void ResetContextStack(void *context);
	void StopInitOrderChecking();			void StopInitOrderChecking();

	// Wrapper for TLS/TSD.			// Wrapper for TLS/TSD.
	void AsanTSDInit(void (destructor)(void tsd));			void AsanTSDInit(void (destructor)(void tsd));
	void *AsanTSDGet();			void *AsanTSDGet();
	void AsanTSDSet(void *tsd);			void AsanTSDSet(void *tsd);
	void PlatformTSDDtor(void *tsd);			void PlatformTSDDtor(void *tsd);

	▲ Show 20 Lines • Show All 45 Lines • Show Last 20 Lines

compiler-rt/lib/asan/asan_linux.cpp

Show All 28 Lines
# include <unwind.h>		# include <unwind.h>

# include "asan_interceptors.h"		# include "asan_interceptors.h"
# include "asan_internal.h"		# include "asan_internal.h"
# include "asan_premap_shadow.h"		# include "asan_premap_shadow.h"
# include "asan_thread.h"		# include "asan_thread.h"
# include "sanitizer_common/sanitizer_flags.h"		# include "sanitizer_common/sanitizer_flags.h"
# include "sanitizer_common/sanitizer_freebsd.h"		# include "sanitizer_common/sanitizer_freebsd.h"
		# include "sanitizer_common/sanitizer_hash.h"
# include "sanitizer_common/sanitizer_libc.h"		# include "sanitizer_common/sanitizer_libc.h"
# include "sanitizer_common/sanitizer_procmaps.h"		# include "sanitizer_common/sanitizer_procmaps.h"

# if SANITIZER_FREEBSD		# if SANITIZER_FREEBSD
# include <sys/link_elf.h>		# include <sys/link_elf.h>
# endif		# endif

# if SANITIZER_SOLARIS		# if SANITIZER_SOLARIS
▲ Show 20 Lines • Show All 160 Lines • ▼ Show 20 Lines	if (__asan_rt_version == ASAN_RT_VERSION_UNDEFINED) {
__asan_rt_version = ASAN_RT_VERSION_STATIC;		__asan_rt_version = ASAN_RT_VERSION_STATIC;
} else if (__asan_rt_version != ASAN_RT_VERSION_STATIC) {		} else if (__asan_rt_version != ASAN_RT_VERSION_STATIC) {
ReportIncompatibleRT();		ReportIncompatibleRT();
}		}
}		}
}		}
# endif // SANITIZER_ANDROID		# endif // SANITIZER_ANDROID

# if ASAN_INTERCEPT_SWAPCONTEXT		# if ASAN_INTERCEPT_SWAPCONTEXT
		constexpr u32 kAsanContextStackFlagsMagic = 0x51260eea;
		vitalybukaUnsubmitted Not Done Reply Inline Actions can you make it more "random", I suspect probability of this constant in unrelated place is above average. vitalybuka: can you make it more "random", I suspect probability of this constant in unrelated place is…
		itrofimowAuthorUnsubmitted Done Reply Inline Actions I hope it is) I was thinking about scenarios where manipulating `ss_flags` breaks someones logic, and they start to debug what's going on and why are there mismatches in this value. For me this screams "i am not random garbage" and should give a hint that this is intentional. Would be better to have this set in makecontext, that's true. itrofimow: I hope it is) I was thinking about scenarios where manipulating `ss_flags` breaks someones…

		static int HashContextStack(const ucontext_t &ucp) {
		MurMur2Hash64Builder hash(kAsanContextStackFlagsMagic);
		hash.add(reinterpret_cast<uptr>(ucp.uc_stack.ss_sp));
		hash.add(ucp.uc_stack.ss_size);
		return static_cast<int>(hash.get());
		}

		void SignContextStack(void *context) {
		ucontext_t ucp = reinterpret_cast<ucontext_t >(context);
		ucp->uc_stack.ss_flags = HashContextStack(*ucp);
		}

void ReadContextStack(void context, uptr stack, uptr *ssize) {		void ReadContextStack(void context, uptr stack, uptr *ssize) {
ucontext_t ucp = (ucontext_t )context;		const ucontext_t ucp = reinterpret_cast<const ucontext_t >(context);
		vitalybukaUnsubmitted Not Done Reply Inline Actions It looks "ss_flags == kAsanContextStackFlagsMagic" only if "ss_sp == nullptr" vitalybuka: It looks "ss_flags == kAsanContextStackFlagsMagic" only if "ss_sp == nullptr"
		itrofimowAuthorUnsubmitted Done Reply Inline Actions Not necessary: `ss_sp\|ss_size` could be changed by user after `getcontext` call The idea is that there are 3 major cases: context is initialized with `getcontext` for later usage with `makecontext`. Since nobody uses `ss_flags` (see my other comment for explanation) we can reliably tell that we should cleanup its stack context is some global variable that is just set to zeroes (that's what happens in tests, for example) - we can't distinguish this case from 1. but can assume that `ss_sp` is either implicitly zeroed or set by user, who also explicitly set `ss_flags` to zero context is uninitialized and used as `oucp` for `swapcontext` - then its flags would never be equal to magic, so we won't try to clean it up itrofimow: Not necessary: `ss_sp\|ss_size` could be changed by user after `getcontext` call The idea is…
*stack = (uptr)ucp->uc_stack.ss_sp;		if (HashContextStack(*ucp) == ucp->uc_stack.ss_flags) {
		MaskRayUnsubmitted Not Done Reply Inline Actions `^` has lower precedence than `==`. This may not work as intended. MaskRay: `^` has lower precedence than `==`. This may not work as intended.
		itrofimowAuthorUnsubmitted Done Reply Inline Actions Nice catch itrofimow: Nice catch
		vitalybukaUnsubmitted Not Done Reply Inline Actions Done. vitalybuka: Done.
		*stack = reinterpret_cast<uptr>(ucp->uc_stack.ss_sp);
*ssize = ucp->uc_stack.ss_size;		*ssize = ucp->uc_stack.ss_size;
		return;
}		}
		*stack = 0;
void ResetContextStack(void *context) {		*ssize = 0;
ucontext_t ucp = (ucontext_t )context;
ucp->uc_stack.ss_sp = nullptr;
ucp->uc_stack.ss_size = 0;
}		}
# endif // ASAN_INTERCEPT_SWAPCONTEXT		# endif // ASAN_INTERCEPT_SWAPCONTEXT

void AsanDlSymNext(const char sym) { return dlsym(RTLD_NEXT, sym); }		void AsanDlSymNext(const char sym) { return dlsym(RTLD_NEXT, sym); }

bool HandleDlopenInit() {		bool HandleDlopenInit() {
// Not supported on this platform.		// Not supported on this platform.
static_assert(!SANITIZER_SUPPORTS_INIT_FOR_DLOPEN,		static_assert(!SANITIZER_SUPPORTS_INIT_FOR_DLOPEN,
"Expected SANITIZER_SUPPORTS_INIT_FOR_DLOPEN to be false");		"Expected SANITIZER_SUPPORTS_INIT_FOR_DLOPEN to be false");
return false;		return false;
}		}

} // namespace __asan		} // namespace __asan

#endif // SANITIZER_FREEBSD \|\| SANITIZER_LINUX \|\| SANITIZER_NETBSD \|\|		#endif // SANITIZER_FREEBSD \|\| SANITIZER_LINUX \|\| SANITIZER_NETBSD \|\|
// SANITIZER_SOLARIS		// SANITIZER_SOLARIS

compiler-rt/test/asan/TestCases/Linux/swapcontext_test.cpp

	Show All 14 Lines
	#include <ucontext.h>			#include <ucontext.h>
	#include <unistd.h>			#include <unistd.h>

	ucontext_t orig_context;			ucontext_t orig_context;
	ucontext_t child_context;			ucontext_t child_context;

	const int kStackSize = 1 << 20;			const int kStackSize = 1 << 20;

	__attribute__((noinline))			__attribute__((noinline)) void Throw() { throw 1; }
	void Throw() {
	throw 1;
	}

	__attribute__((noinline))			__attribute__((noinline)) void ThrowAndCatch() {
	void ThrowAndCatch() {
	try {			try {
	Throw();			Throw();
	} catch(int a) {			} catch (int a) {
				vitalybukaUnsubmitted Not Done Reply Inline Actions is this clang format? if so please move out reformating into a separate CL, or just revert here vitalybuka: is this clang format? if so please move out reformating into a separate CL, or just revert here
				itrofimowAuthorUnsubmitted Done Reply Inline Actions Yes, it's clang-format. Will revert itrofimow: Yes, it's clang-format. Will revert
	printf("ThrowAndCatch: %d\n", a);			printf("ThrowAndCatch: %d\n", a);
	}			}
	}			}

	void Child(int mode) {			void Child(int mode, int a, int b, int c) {
	assert(orig_context.uc_stack.ss_size == 0);
	char x[32] = {0}; // Stack gets poisoned.			char x[32] = {0}; // Stack gets poisoned.
	printf("Child: %p\n", x);			printf("Child: %d\n", x);
				assert(a == 'a');
				assert(b == 'b');
				assert(c == 'c');
	ThrowAndCatch(); // Simulate __asan_handle_no_return().			ThrowAndCatch(); // Simulate __asan_handle_no_return().
	// (a) Do nothing, just return to parent function.			// (a) Do nothing, just return to parent function.
	// (b) Jump into the original function. Stack remains poisoned unless we do			// (b) Jump into the original function. Stack remains poisoned unless we do
	// something.			// something.
	if (mode == 1) {			if (mode == 1) {
	if (swapcontext(&child_context, &orig_context) < 0) {			if (swapcontext(&child_context, &orig_context) < 0) {
	perror("swapcontext");			perror("swapcontext");
	_exit(0);			_exit(0);
	}			}
	}			}
	}			}

	int Run(int arg, int mode, char *child_stack) {			int Run(int arg, int mode, char *child_stack) {
	printf("Child stack: %p\n", child_stack);			printf("Child stack: %p\n", child_stack);
	// Setup child context.			// Setup child context.
	memset(&child_context, 0xff, sizeof(child_context));
	getcontext(&child_context);			getcontext(&child_context);
	assert(child_context.uc_stack.ss_size == 0);
	child_context.uc_stack.ss_sp = child_stack;			child_context.uc_stack.ss_sp = child_stack;
	child_context.uc_stack.ss_size = kStackSize / 2;			child_context.uc_stack.ss_size = kStackSize / 2;
	if (mode == 0) {			if (mode == 0) {
	child_context.uc_link = &orig_context;			child_context.uc_link = &orig_context;
	}			}
	makecontext(&child_context, (void (*)())Child, 1, mode);			makecontext(&child_context, (void (*)())Child, 4, mode, 'a', 'b', 'c');
	memset(&orig_context, 0xff, sizeof(orig_context));
	if (swapcontext(&orig_context, &child_context) < 0) {			if (swapcontext(&orig_context, &child_context) < 0) {
	perror("swapcontext");			perror("swapcontext");
	return 0;			return 0;
	}			}
	// Touch childs's stack to make sure it's unpoisoned.			// Touch childs's stack to make sure it's unpoisoned.
	for (int i = 0; i < kStackSize; i++) {			for (int i = 0; i < kStackSize; i++) {
	child_stack[i] = i;			child_stack[i] = i;
	}			}
	return child_stack[arg];			return child_stack[arg];
	}			}

				ucontext_t poll_context;
				ucontext_t poller_context;

				void Poll() {
				swapcontext(&poll_context, &poller_context);

				{
				char x = 0;
				printf("POLL: %p\n", &x);
				}

				swapcontext(&poll_context, &poller_context);
				}

				void DoRunPoll(char *poll_stack) {
				getcontext(&poll_context);
				poll_context.uc_stack.ss_sp = poll_stack;
				poll_context.uc_stack.ss_size = kStackSize / 2;
				makecontext(&poll_context, Poll, 0);

				getcontext(&poller_context);

				swapcontext(&poller_context, &poll_context);
				swapcontext(&poller_context, &poll_context);
				vitalybukaUnsubmitted Not Done Reply Inline Actions I can imagine someone clears poll_context.uc_stack before setting ss_sp and ss_size vitalybuka: I can imagine someone clears poll_context.uc_stack before setting ss_sp and ss_size
				itrofimowAuthorUnsubmitted Done Reply Inline Actions Not sure if i understood this, could you please elaborate? itrofimow: Not sure if i understood this, could you please elaborate?

				// Touch poll's stack to make sure it's unpoisoned.
				for (int i = 0; i < kStackSize; i++) {
				poll_stack[i] = i;
				}
				}

				void RunPoll() {
				char *poll_stack = new char[kStackSize];
				vitalybukaUnsubmitted Not Done Reply Inline Actions I suspect with higher O levels it will be converted into stack buffer vitalybuka: I suspect with higher O levels it will be converted into stack buffer

				for (size_t i = 0; i < 2; ++i) {
				DoRunPoll(poll_stack);
				}

				delete[] poll_stack;
				}

	int main(int argc, char **argv) {			int main(int argc, char **argv) {
	char stack[kStackSize + 1];			char stack[kStackSize + 1];
	int ret = 0;			int ret = 0;
	ret += Run(argc - 1, 0, stack);			ret += Run(argc - 1, 0, stack);
	ret += Run(argc - 1, 1, stack);			ret += Run(argc - 1, 1, stack);
	char *heap = new char[kStackSize + 1];			char *heap = new char[kStackSize + 1];
	ret += Run(argc - 1, 0, heap);			ret += Run(argc - 1, 0, heap);
	ret += Run(argc - 1, 1, heap);			ret += Run(argc - 1, 1, heap);

				RunPoll();
	delete [] heap;			delete[] heap;
	return ret;			return ret;
	}			}