Download Raw Diff

Details

Reviewers

vitalybuka
gregstoll
mstorsjo

Commits

rG78c033b541f0: [sanitizers][windows] Correctly override functions with backward jmps

Summary

To reproduce: Download and run the latest Firefox ASAN build (https://firefox-ci-tc.services.mozilla.com/api/index/v1/task/gecko.v2.mozilla-central.latest.firefox.win64-asan-opt/artifacts/public/build/target.zip) on Windows 11 (version 10.0.22621 Build 22621); it will crash on launch. Note that this doesn't seem to crash on another Windows 11 VM I've tried, so I'm not sure how reproducible it is across machines, but it reproduces on my machine every time.

The problem seems to be that when overriding the memset function in OverrideFunctionWithRedirectJump(), the relative_offset is stored as a uptr. Per the Intel x64 instruction set reference (https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-instruction-set-reference-manual-325383.pdf - warning: large PDF), on page 646 the jmp instruction (specifically the near jump flavors that start with E9, which are the ones the OverrideFunctionWithRedirectJump() considers) treats the offset as a signed displacement. This causes an incorrect value to be stored for REAL(memset) which points to uninitialized memory, and a crash the next time that gets called.

The fix is to simply treat that offset as signed. I have also added a test case.

Bug: https://github.com/llvm/llvm-project/issues/58846

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

gregstoll created this revision.Nov 10 2022, 8:07 AM

Herald added a project: Restricted Project. · View Herald TranscriptNov 10 2022, 8:07 AM

Herald added subscribers: Enna1, dberris. · View Herald Transcript

gregstoll requested review of this revision.Nov 10 2022, 8:07 AM

Herald added a project: Restricted Project. · View Herald TranscriptNov 10 2022, 8:07 AM

Herald added a subscriber: Restricted Project. · View Herald Transcript

Harbormaster completed remote builds in B197083: Diff 474553.Nov 10 2022, 8:49 AM

Attempt to fix linting

Harbormaster completed remote builds in B197102: Diff 474575.Nov 10 2022, 11:11 AM

Another attempt to fix linting

Harbormaster completed remote builds in B197108: Diff 474586.Nov 10 2022, 12:34 PM

Another attempt at fixing linting

Harbormaster completed remote builds in B197126: Diff 474614.Nov 10 2022, 3:17 PM

gregstoll retitled this revision from [compiler-rt] [windows] Correctly override functions with backward jmps to [sanitizers] [windows] Correctly override functions with backward jmps.Nov 10 2022, 6:08 PM

gregstoll edited the summary of this revision. (Show Details)

gregstoll added a reviewer: vitalybuka.

mstorsjo added a subscriber: llvm-commits.Nov 11 2022, 12:48 AM

alvinhochun added a subscriber: alvinhochun.Nov 11 2022, 1:06 AM

Overall, the patch does look reasonable - but it doesn't seem to work as is.

compiler-rt/lib/interception/interception_win.cpp
741	There's no `i32` type defined here - there is `s32` though.
compiler-rt/lib/interception/tests/interception_win_test.cpp
447	This is a typo here, there's no `FunctionPrefixNode`, it should be `-None` right? Even with that fixed, the new test doesn't seem to pass for me. Can you verify - that the newly added test does fail before applying the functional fix, and that it passes afterwards?

In D137788#3921370, @mstorsjo wrote:

Overall, the patch does look reasonable - but it doesn't seem to work as is.

Sorry about this! I've had trouble getting LLVM building on my machine, and was hoping the Phabricator builds would verify that the test passed. I'll work more on getting a local build going so I can address these issues.

zero9178 added a subscriber: zero9178.Dec 5 2022, 9:59 AM

FWIW, after updating to Windows 11 today I started experiencing the same crashes with ASAN builds, remembered this patch and applied it to my local clang build. Works without issues now with the patch applied.

In D137788#3971968, @zero9178 wrote:

FWIW, after updating to Windows 11 today I started experiencing the same crashes with ASAN builds, remembered this patch and applied it to my local clang build. Works without issues now with the patch applied.

Thanks for the data point! Are you able to look into running and fixing the tests so that they cover this issue (so that they fail before applying the functional change and succeed afterwards)?

In D137788#3972045, @mstorsjo wrote:

In D137788#3971968, @zero9178 wrote:

FWIW, after updating to Windows 11 today I started experiencing the same crashes with ASAN builds, remembered this patch and applied it to my local clang build. Works without issues now with the patch applied.

Thanks for the data point! Are you able to look into running and fixing the tests so that they cover this issue (so that they fail before applying the functional change and succeed afterwards)?

Sure, I'll try to find some time for it soon.
@gregstoll would you mind if I commandeer the revision if I can fix the tests?

In D137788#3972062, @zero9178 wrote:

In D137788#3972045, @mstorsjo wrote:

In D137788#3971968, @zero9178 wrote:

FWIW, after updating to Windows 11 today I started experiencing the same crashes with ASAN builds, remembered this patch and applied it to my local clang build. Works without issues now with the patch applied.

Thanks for the data point! Are you able to look into running and fixing the tests so that they cover this issue (so that they fail before applying the functional change and succeed afterwards)?

Sure, I'll try to find some time for it soon.
@gregstoll would you mind if I commandeer the revision if I can fix the tests?

Nope, go for it! I was hoping to get back to it sometime but that probably won't happen until the new year, and I'd really just rather have it fixed 🙂

Address review comments:

Make use of s32 and sptr
Adjust test x86 code to correctly jump to the beginning of the code
Fix test to correctly override the relative jump

zero9178 added a reviewer: mstorsjo.Dec 5 2022, 3:24 PM

Harbormaster completed remote builds in B201230: Diff 480262.Dec 5 2022, 3:47 PM

Thanks a bunch!

This revision is now accepted and ready to land.Dec 5 2022, 5:33 PM

@mstorsjo do you have any further comments on the state of the tests? I'd like to land this on Monday if possible

LGTM, this seems to run fine for me in x86_64 mode - I didn't build and run the tests in 32 bit mode though, but I presume that you did.

Closed by commit rG78c033b541f0: [sanitizers][windows] Correctly override functions with backward jmps (authored by zero9178). · Explain WhyDec 12 2022, 2:45 AM

This revision was automatically updated to reflect the committed changes.

zero9178 added a commit: rG78c033b541f0: [sanitizers][windows] Correctly override functions with backward jmps.

Diff 482049

compiler-rt/lib/interception/interception_win.cpp

	Show First 20 Lines • Show All 732 Lines • ▼ Show 20 Lines

	bool OverrideFunctionWithRedirectJump(			bool OverrideFunctionWithRedirectJump(
	uptr old_func, uptr new_func, uptr *orig_old_func) {			uptr old_func, uptr new_func, uptr *orig_old_func) {
	// Check whether the first instruction is a relative jump.			// Check whether the first instruction is a relative jump.
	if ((u8)old_func != 0xE9)			if ((u8)old_func != 0xE9)
	return false;			return false;

	if (orig_old_func) {			if (orig_old_func) {
	uptr relative_offset = (u32)(old_func + 1);			sptr relative_offset = (s32 )(old_func + 1);
				mstorsjoUnsubmitted Not Done Reply Inline Actions There's no `i32` type defined here - there is `s32` though. mstorsjo: There's no `i32` type defined here - there is `s32` though.
	uptr absolute_target = old_func + relative_offset + kJumpInstructionLength;			uptr absolute_target = old_func + relative_offset + kJumpInstructionLength;
	*orig_old_func = absolute_target;			*orig_old_func = absolute_target;
	}			}

	#if SANITIZER_WINDOWS64			#if SANITIZER_WINDOWS64
	// If needed, get memory space for a trampoline jump.			// If needed, get memory space for a trampoline jump.
	uptr trampoline = AllocateMemoryForTrampoline(old_func, kDirectBranchLength);			uptr trampoline = AllocateMemoryForTrampoline(old_func, kDirectBranchLength);
	if (!trampoline)			if (!trampoline)
	▲ Show 20 Lines • Show All 322 Lines • Show Last 20 Lines

compiler-rt/lib/interception/tests/interception_win_test.cpp

Show First 20 Lines • Show All 79 Lines • ▼ Show 20 Lines
const u8 kIdentityCodeWithJump[] = {		const u8 kIdentityCodeWithJump[] = {
0xE9, 0x04, 0x00, 0x00,		0xE9, 0x04, 0x00, 0x00,
0x00, // jmp + 4		0x00, // jmp + 4
0xCC, 0xCC, 0xCC, 0xCC,		0xCC, 0xCC, 0xCC, 0xCC,
0x89, 0xC8, // mov eax, ecx		0x89, 0xC8, // mov eax, ecx
0xC3, // ret		0xC3, // ret
};		};

		const u8 kIdentityCodeWithJumpBackwards[] = {
		0x89, 0xC8, // mov eax, ecx
		0xC3, // ret
		0xE9, 0xF8, 0xFF, 0xFF,
		0xFF, // jmp - 8
		0xCC, 0xCC, 0xCC, 0xCC,
		};
		const u8 kIdentityCodeWithJumpBackwardsOffset = 3;

#else		# else

const u8 kIdentityCodeWithPrologue[] = {		const u8 kIdentityCodeWithPrologue[] = {
0x55, // push ebp		0x55, // push ebp
0x8B, 0xEC, // mov ebp,esp		0x8B, 0xEC, // mov ebp,esp
0x8B, 0x45, 0x08, // mov eax,dword ptr [ebp + 8]		0x8B, 0x45, 0x08, // mov eax,dword ptr [ebp + 8]
0x5D, // pop ebp		0x5D, // pop ebp
0xC3, // ret		0xC3, // ret
};		};
Show All 32 Lines
const u8 kIdentityCodeWithJump[] = {		const u8 kIdentityCodeWithJump[] = {
0xE9, 0x04, 0x00, 0x00,		0xE9, 0x04, 0x00, 0x00,
0x00, // jmp + 4		0x00, // jmp + 4
0xCC, 0xCC, 0xCC, 0xCC,		0xCC, 0xCC, 0xCC, 0xCC,
0x8B, 0x44, 0x24, 0x04, // mov eax,dword ptr [esp + 4]		0x8B, 0x44, 0x24, 0x04, // mov eax,dword ptr [esp + 4]
0xC3, // ret		0xC3, // ret
};		};

		const u8 kIdentityCodeWithJumpBackwards[] = {
		0x8B, 0x44, 0x24, 0x04, // mov eax,dword ptr [esp + 4]
		0xC3, // ret
		0xE9, 0xF6, 0xFF, 0xFF,
		0xFF, // jmp - 10
		0xCC, 0xCC, 0xCC, 0xCC,
		};
		const u8 kIdentityCodeWithJumpBackwardsOffset = 5;

#endif		# endif

const u8 kPatchableCode1[] = {		const u8 kPatchableCode1[] = {
0xB8, 0x4B, 0x00, 0x00, 0x00, // mov eax,4B		0xB8, 0x4B, 0x00, 0x00, 0x00, // mov eax,4B
0x33, 0xC9, // xor ecx,ecx		0x33, 0xC9, // xor ecx,ecx
0xC3, // ret		0xC3, // ret
};		};

const u8 kPatchableCode2[] = {		const u8 kPatchableCode2[] = {
▲ Show 20 Lines • Show All 215 Lines • ▼ Show 20 Lines	TEST(Interception, InternalGetProcAddress) {
uptr DbgPrint_adddress = InternalGetProcAddress(ntdll_handle, "DbgPrint");		uptr DbgPrint_adddress = InternalGetProcAddress(ntdll_handle, "DbgPrint");
uptr isdigit_address = InternalGetProcAddress(ntdll_handle, "isdigit");		uptr isdigit_address = InternalGetProcAddress(ntdll_handle, "isdigit");

EXPECT_EQ(DbgPrint_expected, DbgPrint_adddress);		EXPECT_EQ(DbgPrint_expected, DbgPrint_adddress);
EXPECT_EQ(isdigit_expected, isdigit_address);		EXPECT_EQ(isdigit_expected, isdigit_address);
EXPECT_NE(DbgPrint_adddress, isdigit_address);		EXPECT_NE(DbgPrint_adddress, isdigit_address);
}		}

template<class T>		template <class T>
static void TestIdentityFunctionPatching(		static void TestIdentityFunctionPatching(
const T &code,		const T &code, TestOverrideFunction override,
TestOverrideFunction override,		FunctionPrefixKind prefix_kind = FunctionPrefixNone,
FunctionPrefixKind prefix_kind = FunctionPrefixNone) {		int function_start_offset = 0) {
uptr identity_address;		uptr identity_address;
LoadActiveCode(code, &identity_address, prefix_kind);		LoadActiveCode(code, &identity_address, prefix_kind);
		identity_address += function_start_offset;
IdentityFunction identity = (IdentityFunction)identity_address;		IdentityFunction identity = (IdentityFunction)identity_address;

// Validate behavior before dynamic patching.		// Validate behavior before dynamic patching.
InterceptorFunctionCalled = 0;		InterceptorFunctionCalled = 0;
EXPECT_EQ(0, identity(0));		EXPECT_EQ(0, identity(0));
EXPECT_EQ(42, identity(42));		EXPECT_EQ(42, identity(42));
EXPECT_EQ(0, InterceptorFunctionCalled);		EXPECT_EQ(0, InterceptorFunctionCalled);

Show All 21 Lines	static void TestIdentityFunctionPatching(
InterceptorFunctionCalled = 0;		InterceptorFunctionCalled = 0;
EXPECT_EQ(0, real_identity(0));		EXPECT_EQ(0, real_identity(0));
EXPECT_EQ(42, real_identity(42));		EXPECT_EQ(42, real_identity(42));
EXPECT_EQ(0, InterceptorFunctionCalled);		EXPECT_EQ(0, InterceptorFunctionCalled);

TestOnlyReleaseTrampolineRegions();		TestOnlyReleaseTrampolineRegions();
}		}

#if !SANITIZER_WINDOWS64		# if !SANITIZER_WINDOWS64
TEST(Interception, OverrideFunctionWithDetour) {		TEST(Interception, OverrideFunctionWithDetour) {
TestOverrideFunction override = OverrideFunctionWithDetour;		TestOverrideFunction override = OverrideFunctionWithDetour;
FunctionPrefixKind prefix = FunctionPrefixDetour;		FunctionPrefixKind prefix = FunctionPrefixDetour;
TestIdentityFunctionPatching(kIdentityCodeWithPrologue, override, prefix);		TestIdentityFunctionPatching(kIdentityCodeWithPrologue, override, prefix);
TestIdentityFunctionPatching(kIdentityCodeWithPushPop, override, prefix);		TestIdentityFunctionPatching(kIdentityCodeWithPushPop, override, prefix);
TestIdentityFunctionPatching(kIdentityCodeWithMov, override, prefix);		TestIdentityFunctionPatching(kIdentityCodeWithMov, override, prefix);
TestIdentityFunctionPatching(kIdentityCodeWithJump, override, prefix);		TestIdentityFunctionPatching(kIdentityCodeWithJump, override, prefix);
}		}
#endif // !SANITIZER_WINDOWS64		#endif // !SANITIZER_WINDOWS64

TEST(Interception, OverrideFunctionWithRedirectJump) {		TEST(Interception, OverrideFunctionWithRedirectJump) {
TestOverrideFunction override = OverrideFunctionWithRedirectJump;		TestOverrideFunction override = OverrideFunctionWithRedirectJump;
TestIdentityFunctionPatching(kIdentityCodeWithJump, override);		TestIdentityFunctionPatching(kIdentityCodeWithJump, override);
		TestIdentityFunctionPatching(kIdentityCodeWithJumpBackwards, override,
		FunctionPrefixNone,
		mstorsjoUnsubmitted Not Done Reply Inline Actions This is a typo here, there's no `FunctionPrefixNode`, it should be `-None` right? Even with that fixed, the new test doesn't seem to pass for me. Can you verify - that the newly added test does fail before applying the functional fix, and that it passes afterwards? mstorsjo: This is a typo here, there's no `FunctionPrefixNode`, it should be `-None` right? Even with…
		kIdentityCodeWithJumpBackwardsOffset);
}		}

TEST(Interception, OverrideFunctionWithHotPatch) {		TEST(Interception, OverrideFunctionWithHotPatch) {
TestOverrideFunction override = OverrideFunctionWithHotPatch;		TestOverrideFunction override = OverrideFunctionWithHotPatch;
FunctionPrefixKind prefix = FunctionPrefixHotPatch;		FunctionPrefixKind prefix = FunctionPrefixHotPatch;
TestIdentityFunctionPatching(kIdentityCodeWithMov, override, prefix);		TestIdentityFunctionPatching(kIdentityCodeWithMov, override, prefix);
}		}

▲ Show 20 Lines • Show All 268 Lines • Show Last 20 Lines

This is an archive of the discontinued LLVM Phabricator instance.

[sanitizers] [windows] Correctly override functions with backward jmps
ClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 482049

compiler-rt/lib/interception/interception_win.cpp

compiler-rt/lib/interception/tests/interception_win_test.cpp

This is an archive of the discontinued LLVM Phabricator instance.

[sanitizers] [windows] Correctly override functions with backward jmpsClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 482049

compiler-rt/lib/interception/interception_win.cpp

compiler-rt/lib/interception/tests/interception_win_test.cpp

[sanitizers] [windows] Correctly override functions with backward jmps
ClosedPublic