This is an archive of the discontinued LLVM Phabricator instance.

Differential D139885

[GWP-ASan] Fix up bad report for in-page underflow w/ UaF
ClosedPublic

Authored by hctim on Dec 12 2022, 3:06 PM.

Details

Reviewers
vitalybuka
eugenis
Commits
rGdcf23e13615f: [GWP-ASan] Fix up bad report for in-page underflow w/ UaF
Summary

Complex scenario, but reports when there's both a use-after-free and
buffer-underflow that is in-page (i.e. doesn't touch the guard page)
ended up generating a pretty bad report:

'Use After Free at 0x7ff392e88fef (18446744073709551615 bytes into a
1-byte allocation at 0x7ff392e88ff0) by thread 3836722 here:'

(note the 2^64-bytes-into-alloc, very cool and good!)

Fix up that case, and add a diagnostic about when you have both a
use-after-free and a buffer-overflow that it's probably a bogus report
(assuming the developer didn't *really* screw up and have a uaf+overflow
bug at the same time).

Diff Detail

Event Timeline

hctim created this revision.Dec 12 2022, 3:06 PM
Herald added a project: Restricted Project. · View Herald TranscriptDec 12 2022, 3:06 PM
Herald added a subscriber: Enna1. · View Herald Transcript
hctim requested review of this revision.Dec 12 2022, 3:06 PM
Herald added a project: Restricted Project. · View Herald TranscriptDec 12 2022, 3:06 PM
Herald added a subscriber: Restricted Project. · View Herald Transcript
Harbormaster completed remote builds in B202696: Diff 482281.Dec 12 2022, 3:34 PM
hctim updated this revision to Diff 482305.Dec 12 2022, 4:21 PM

Make it so overflow+uaf reports uaf first, which is probably the more important bit of information, and makes the reporting more consistent.

Harbormaster completed remote builds in B202717: Diff 482305.Dec 12 2022, 5:06 PM
hctim added a parent revision: D139731: [GWP-ASan] Fix atfork handlers being installed multiple times in tests.Dec 15 2022, 3:28 PM
hctim added a parent revision: D140173: [GWP-ASan] Add recoverable mode..
hctim removed a parent revision: D140173: [GWP-ASan] Add recoverable mode..
hctim added a child revision: D140173: [GWP-ASan] Add recoverable mode..
hctim removed a child revision: D140173: [GWP-ASan] Add recoverable mode..
hctim added a child revision: D140173: [GWP-ASan] Add recoverable mode..
hctim updated this revision to Diff 486073.Jan 3 2023, 1:49 PM

Rebased. vitalybuka / eugenis, PTAL

Harbormaster completed remote builds in B205526: Diff 486073.Jan 3 2023, 2:25 PM
vitalybuka accepted this revision.Jan 4 2023, 11:51 AM
This revision is now accepted and ready to land.Jan 4 2023, 11:51 AM
vitalybuka added inline comments.Jan 4 2023, 12:03 PM
compiler-rt/lib/gwp_asan/crash_handler.cpp
56–58

not a fan of unnecessary local vars, can be source of bugs
e.g. use after scope

Some more reasoning: https://abseil.io/tips/161

58

{} use is inconsistent

vitalybuka added inline comments.Jan 4 2023, 12:07 PM
compiler-rt/lib/gwp_asan/crash_handler.cpp
75

here another one with the same name, reader can be confused which one is used
but this one is hard to remove.

hctim updated this revision to Diff 487876.Jan 10 2023, 10:29 AM
hctim marked 3 inline comments as done.

Touch up a local variable.

compiler-rt/lib/gwp_asan/crash_handler.cpp
56–58

yeah, especially as it shadows the same name in the scope below. thanks.

This revision was landed with ongoing or failed builds.Jan 10 2023, 10:30 AM
Closed by commit rGdcf23e13615f: [GWP-ASan] Fix up bad report for in-page underflow w/ UaF (authored by hctim). · Explain Why
This revision was automatically updated to reflect the committed changes.
hctim added a commit: rGdcf23e13615f: [GWP-ASan] Fix up bad report for in-page underflow w/ UaF.
Harbormaster completed remote builds in B206845: Diff 487876.Jan 10 2023, 12:18 PM

Revision Contents

PathSize
compiler-rt/
lib/
gwp_asan/
19 lines
optional/
32 lines
test/
gwp_asan/
26 lines
26 lines
3 lines
3 lines

Diff 482305

compiler-rt/lib/gwp_asan/crash_handler.cpp

Show First 20 LinesShow All 46 Lines▼ Show 20 Lines__gwp_asan_diagnose_error(const gwp_asan::AllocatorState *State,
const gwp_asan::AllocationMetadata *Metadata, const gwp_asan::AllocationMetadata *Metadata,
uintptr_t ErrorPtr) { uintptr_t ErrorPtr) {
if (!__gwp_asan_error_is_mine(State, ErrorPtr)) if (!__gwp_asan_error_is_mine(State, ErrorPtr))
return Error::UNKNOWN; return Error::UNKNOWN;
if (State->FailureType != Error::UNKNOWN) if (State->FailureType != Error::UNKNOWN)
return State->FailureType; return State->FailureType;
// Let's try and figure out what the source of this error is. // Check for use-after-free.
const AllocationMetadata *SlotMeta =
addrToMetadata(State, Metadata, ErrorPtr);
if (SlotMeta->IsDeallocated) {
vitalybukaUnsubmitted
Done
ReplyInline Actions

{} use is inconsistent

vitalybuka: {} use is inconsistent
vitalybukaUnsubmitted
Done
ReplyInline Actions
// Check for use-after-free.
- const AllocationMetadata *SlotMeta =
- addrToMetadata(State, Metadata, ErrorPtr);
- if (SlotMeta->IsDeallocated) {
+ if (addrToMetadata(State, Metadata, ErrorPtr)->IsDeallocated) {
return Error::USE_AFTER_FREE;

not a fan of unnecessary local vars, can be source of bugs
e.g. use after scope

Some more reasoning: https://abseil.io/tips/161

vitalybuka: not a fan of unnecessary local vars, can be source of bugs e.g. use after scope Some more…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

yeah, especially as it shadows the same name in the scope below. thanks.

hctim: yeah, especially as it shadows the same name in the scope below. thanks.
return Error::USE_AFTER_FREE;
}
// Check for buffer-overflow. Because of allocation alignment or left/right
// page placement, we can have buffer-overflows that don't touch a guarded
// page, but these are not possible to detect unless it's also a
// use-after-free, which is handled above.
if (State->isGuardPage(ErrorPtr)) { if (State->isGuardPage(ErrorPtr)) {
size_t Slot = State->getNearestSlot(ErrorPtr); size_t Slot = State->getNearestSlot(ErrorPtr);
const AllocationMetadata *SlotMeta = const AllocationMetadata *SlotMeta =
addrToMetadata(State, Metadata, State->slotToAddr(Slot)); addrToMetadata(State, Metadata, State->slotToAddr(Slot));
// Ensure that this slot was allocated once upon a time. // Ensure that this slot was allocated once upon a time.
if (!SlotMeta->Addr) if (!SlotMeta->Addr)
return Error::UNKNOWN; return Error::UNKNOWN;
if (SlotMeta->Addr < ErrorPtr) if (SlotMeta->Addr < ErrorPtr)
vitalybukaUnsubmitted
Done
ReplyInline Actions

here another one with the same name, reader can be confused which one is used
but this one is hard to remove.

vitalybuka: here another one with the same name, reader can be confused which one is used but this one is…
return Error::BUFFER_OVERFLOW; return Error::BUFFER_OVERFLOW;
return Error::BUFFER_UNDERFLOW; return Error::BUFFER_UNDERFLOW;
} }
// Access wasn't a guard page, check for use-after-free.
const AllocationMetadata *SlotMeta =
addrToMetadata(State, Metadata, ErrorPtr);
if (SlotMeta->IsDeallocated) {
return Error::USE_AFTER_FREE;
}
// If we have reached here, the error is still unknown. // If we have reached here, the error is still unknown.
return Error::UNKNOWN; return Error::UNKNOWN;
} }
const gwp_asan::AllocationMetadata * const gwp_asan::AllocationMetadata *
__gwp_asan_get_metadata(const gwp_asan::AllocatorState *State, __gwp_asan_get_metadata(const gwp_asan::AllocatorState *State,
const gwp_asan::AllocationMetadata *Metadata, const gwp_asan::AllocationMetadata *Metadata,
uintptr_t ErrorPtr) { uintptr_t ErrorPtr) {
▲ Show 20 LinesShow All 70 LinesShow Last 20 Lines

compiler-rt/lib/gwp_asan/optional/segv_handler_posix.cpp

Show First 20 LinesShow All 41 Lines▼ Show 20 Lines
void printHeader(Error E, uintptr_t AccessPtr, void printHeader(Error E, uintptr_t AccessPtr,
const gwp_asan::AllocationMetadata *Metadata, const gwp_asan::AllocationMetadata *Metadata,
Printf_t Printf) { Printf_t Printf) {
// Print using intermediate strings. Platforms like Android don't like when // Print using intermediate strings. Platforms like Android don't like when
// you print multiple times to the same line, as there may be a newline // you print multiple times to the same line, as there may be a newline
// appended to a log file automatically per Printf() call. // appended to a log file automatically per Printf() call.
constexpr size_t kDescriptionBufferLen = 128; constexpr size_t kDescriptionBufferLen = 128;
char DescriptionBuffer[kDescriptionBufferLen] = ""; char DescriptionBuffer[kDescriptionBufferLen] = "";
bool AccessWasInBounds = false;
if (E != Error::UNKNOWN && Metadata != nullptr) { if (E != Error::UNKNOWN && Metadata != nullptr) {
uintptr_t Address = __gwp_asan_get_allocation_address(Metadata); uintptr_t Address = __gwp_asan_get_allocation_address(Metadata);
size_t Size = __gwp_asan_get_allocation_size(Metadata); size_t Size = __gwp_asan_get_allocation_size(Metadata);
if (E == Error::USE_AFTER_FREE) { if (AccessPtr < Address) {
snprintf(DescriptionBuffer, kDescriptionBufferLen,
"(%zu byte%s into a %zu-byte allocation at 0x%zx) ",
AccessPtr - Address, (AccessPtr - Address == 1) ? "" : "s", Size,
Address);
} else if (AccessPtr < Address) {
snprintf(DescriptionBuffer, kDescriptionBufferLen, snprintf(DescriptionBuffer, kDescriptionBufferLen,
"(%zu byte%s to the left of a %zu-byte allocation at 0x%zx) ", "(%zu byte%s to the left of a %zu-byte allocation at 0x%zx) ",
Address - AccessPtr, (Address - AccessPtr == 1) ? "" : "s", Size, Address - AccessPtr, (Address - AccessPtr == 1) ? "" : "s", Size,
Address); Address);
} else if (AccessPtr > Address) { } else if (AccessPtr > Address) {
snprintf(DescriptionBuffer, kDescriptionBufferLen, snprintf(DescriptionBuffer, kDescriptionBufferLen,
"(%zu byte%s to the right of a %zu-byte allocation at 0x%zx) ", "(%zu byte%s to the right of a %zu-byte allocation at 0x%zx) ",
AccessPtr - Address, (AccessPtr - Address == 1) ? "" : "s", Size, AccessPtr - Address, (AccessPtr - Address == 1) ? "" : "s", Size,
Address); Address);
} else { } else if (E == Error::DOUBLE_FREE) {
snprintf(DescriptionBuffer, kDescriptionBufferLen, snprintf(DescriptionBuffer, kDescriptionBufferLen,
"(a %zu-byte allocation) ", Size); "(a %zu-byte allocation) ", Size);
} else {
AccessWasInBounds = true;
snprintf(DescriptionBuffer, kDescriptionBufferLen,
"(%zu byte%s into a %zu-byte allocation at 0x%zx) ",
AccessPtr - Address, (AccessPtr - Address == 1) ? "" : "s", Size,
Address);
} }
} }
// Possible number of digits of a 64-bit number: ceil(log10(2^64)) == 20. Add // Possible number of digits of a 64-bit number: ceil(log10(2^64)) == 20. Add
// a null terminator, and round to the nearest 8-byte boundary. // a null terminator, and round to the nearest 8-byte boundary.
uint64_t ThreadID = gwp_asan::getThreadID(); uint64_t ThreadID = gwp_asan::getThreadID();
constexpr size_t kThreadBufferLen = 24; constexpr size_t kThreadBufferLen = 24;
char ThreadBuffer[kThreadBufferLen]; char ThreadBuffer[kThreadBufferLen];
if (ThreadID == gwp_asan::kInvalidThreadID) if (ThreadID == gwp_asan::kInvalidThreadID)
snprintf(ThreadBuffer, kThreadBufferLen, "<unknown>"); snprintf(ThreadBuffer, kThreadBufferLen, "<unknown>");
else else
snprintf(ThreadBuffer, kThreadBufferLen, "%" PRIu64, ThreadID); snprintf(ThreadBuffer, kThreadBufferLen, "%" PRIu64, ThreadID);
Printf("%s at 0x%zx %sby thread %s here:\n", gwp_asan::ErrorToString(E), const char *OutOfBoundsAndUseAfterFreeWarning = "";
AccessPtr, DescriptionBuffer, ThreadBuffer); if (E == Error::USE_AFTER_FREE && !AccessWasInBounds) {
OutOfBoundsAndUseAfterFreeWarning =
" (warning: buffer overflow/underflow detected on a free()'d "
"allocation. This either means you have a buffer-overflow and a "
"use-after-free at the same time, or you have a long-lived "
"use-after-free bug where the allocation/deallocation metadata below "
"has already been overwritten and is likely bogus)";
}
Printf("%s%s at 0x%zx %sby thread %s here:\n", gwp_asan::ErrorToString(E),
OutOfBoundsAndUseAfterFreeWarning, AccessPtr, DescriptionBuffer,
ThreadBuffer);
} }
void dumpReport(uintptr_t ErrorPtr, const gwp_asan::AllocatorState *State, void dumpReport(uintptr_t ErrorPtr, const gwp_asan::AllocatorState *State,
const gwp_asan::AllocationMetadata *Metadata, const gwp_asan::AllocationMetadata *Metadata,
SegvBacktrace_t SegvBacktrace, Printf_t Printf, SegvBacktrace_t SegvBacktrace, Printf_t Printf,
PrintBacktrace_t PrintBacktrace, void *Context) { PrintBacktrace_t PrintBacktrace, void *Context) {
assert(State && "dumpReport missing Allocator State."); assert(State && "dumpReport missing Allocator State.");
assert(Metadata && "dumpReport missing Metadata."); assert(Metadata && "dumpReport missing Metadata.");
▲ Show 20 LinesShow All 132 LinesShow Last 20 Lines

compiler-rt/test/gwp_asan/free_then_overflow.cpp

  • This file was added.
// REQUIRES: gwp_asan
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: %expect_crash %run %t 2>&1 | FileCheck %s
// RUN: %clangxx_gwp_asan %s -o %t -DTOUCH_GUARD_PAGE
// RUN: %expect_crash %run %t 2>&1 | FileCheck %s
// CHECK: GWP-ASan detected a memory error
// CHECK: Use After Free
// CHECK-SAME: warning: buffer overflow/underflow detected on a free()'d allocation
// CHECK-SAME: at 0x{{[a-f0-9]+}} ({{[0-9]+}} byte{{s?}} to the right
#include <cstdlib>
#include "page_size.h"
int main() {
unsigned malloc_size = 1;
#ifdef TOUCH_GUARD_PAGE
malloc_size = pageSize();
#endif // TOUCH_GUARD_PAGE
char *Ptr = reinterpret_cast<char *>(malloc(malloc_size));
free(Ptr);
volatile char x = *(Ptr + malloc_size);
return 0;
}

compiler-rt/test/gwp_asan/free_then_underflow.cpp

  • This file was added.
// REQUIRES: gwp_asan
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: %expect_crash %run %t 2>&1 | FileCheck %s
// RUN: %clangxx_gwp_asan %s -o %t -DTOUCH_GUARD_PAGE
// RUN: %expect_crash %run %t 2>&1 | FileCheck %s
// CHECK: GWP-ASan detected a memory error
// CHECK: Use After Free
// CHECK-SAME: warning: buffer overflow/underflow detected on a free()'d allocation
// CHECK-SAME: at 0x{{[a-f0-9]+}} (1 byte to the left
#include <cstdlib>
#include "page_size.h"
int main() {
unsigned malloc_size = 1;
#ifdef TOUCH_GUARD_PAGE
malloc_size = pageSize();
#endif // TOUCH_GUARD_PAGE
char *Ptr = reinterpret_cast<char *>(malloc(malloc_size));
free(Ptr);
volatile char x = *(Ptr - 1);
return 0;
}

compiler-rt/test/gwp_asan/heap_buffer_overflow.cpp

// REQUIRES: gwp_asan // REQUIRES: gwp_asan
// RUN: %clangxx_gwp_asan %s -o %t // RUN: %clangxx_gwp_asan %s -o %t
// RUN: %expect_crash %run %t 2>&1 | FileCheck %s // RUN: %expect_crash %run %t 2>&1 | FileCheck %s
// CHECK: GWP-ASan detected a memory error // CHECK: GWP-ASan detected a memory error
// CHECK: Buffer Overflow at 0x{{[a-f0-9]+}} ({{[1-9][0-9]*}} bytes to the right // CHECK: Buffer Overflow at 0x{{[a-f0-9]+}} ({{[1-9][0-9]*}} bytes to the right
// CHECK-SAME: of a {{[1-9][0-9]*}}-byte allocation // CHECK-SAME: of a {{[1-9][0-9]*}}-byte allocation
#include <cstdlib> #include <cstdlib>
#include "page_size.h" #include "page_size.h"
int main() { int main() {
char *Ptr = char *Ptr = reinterpret_cast<char *>(malloc(pageSize()));
reinterpret_cast<char *>(malloc(pageSize()));
volatile char x = *(Ptr + pageSize()); volatile char x = *(Ptr + pageSize());
return 0; return 0;
} }

compiler-rt/test/gwp_asan/heap_buffer_underflow.cpp

// REQUIRES: gwp_asan // REQUIRES: gwp_asan
// RUN: %clangxx_gwp_asan %s -o %t // RUN: %clangxx_gwp_asan %s -o %t
// RUN: %expect_crash %run %t 2>&1 | FileCheck %s // RUN: %expect_crash %run %t 2>&1 | FileCheck %s
// CHECK: GWP-ASan detected a memory error // CHECK: GWP-ASan detected a memory error
// CHECK: Buffer Underflow at 0x{{[a-f0-9]+}} (1 byte to the left // CHECK: Buffer Underflow at 0x{{[a-f0-9]+}} (1 byte to the left
// CHECK-SAME: of a {{[1-9][0-9]*}}-byte allocation // CHECK-SAME: of a {{[1-9][0-9]*}}-byte allocation
#include <cstdlib> #include <cstdlib>
#include "page_size.h" #include "page_size.h"
int main() { int main() {
char *Ptr = char *Ptr = reinterpret_cast<char *>(malloc(pageSize()));
reinterpret_cast<char *>(malloc(pageSize()));
volatile char x = *(Ptr - 1); volatile char x = *(Ptr - 1);
return 0; return 0;
} }