This is an archive of the discontinued LLVM Phabricator instance.

Differential D143660

[sanitizer] Support v2 and v3 capabilities
ClosedPublic

Authored by iii on Feb 9 2023, 8:25 AM.

Details

Reviewers
eugenis
vitalybuka
Commits
rG0ce057c5925d: [sanitizer] Support v2 and v3 capabilities
Summary

capget() and capset() may read or write more than one cap_user_data_t,
depending on the version field of cap_user_header_t. Currently the
code assumes it's just one, so MSan complains if an application uses
version 2 or 3, where two cap_user_data_ts are used.

Parse the header in order to determine the number of cap_user_data_ts.
Also add a test.

Diff Detail

Event Timeline

iii created this revision.Feb 9 2023, 8:25 AM
Herald added a project: Restricted Project. · View Herald TranscriptFeb 9 2023, 8:25 AM
Herald added a subscriber: Enna1. · View Herald Transcript
iii requested review of this revision.Feb 9 2023, 8:25 AM
Herald added a project: Restricted Project. · View Herald TranscriptFeb 9 2023, 8:25 AM
Herald added a subscriber: Restricted Project. · View Herald Transcript
Harbormaster completed remote builds in B212825: Diff 496144.Feb 9 2023, 8:51 AM
iii updated this revision to Diff 496237.Feb 9 2023, 2:15 PM
  • Do not define the constants, the kernel provides them since v2.6.
  • Rewrite the test in C.
iii edited the summary of this revision. (Show Details)Feb 9 2023, 2:16 PM
Harbormaster completed remote builds in B212891: Diff 496237.Feb 9 2023, 2:56 PM
iii added a comment.Feb 23 2023, 1:17 AM

Ping.

glider added a subscriber: glider.Feb 23 2023, 8:07 AM

LGTM with a nit.

compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.cpp
252

Do we want to do anything in the case of incorrect version?

compiler-rt/test/sanitizer_common/TestCases/Linux/cap.c
36

If we do, can you please add a test case for it?

iii added inline comments.Feb 23 2023, 3:17 PM
compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.cpp
252

I used 1 here in order to keep the old sanitizer behavior, but, come to think of it, it doesn't really make sense: if a buggy program passes a bad version, we don't want to unpoison the buffer. There can be new versions added in the future too, but this code would have to be updated in order to support them anyway.

So I'll change this to 0 and think of a way to test this.

iii updated this revision to Diff 500004.Feb 23 2023, 4:08 PM
iii edited the summary of this revision. (Show Details)
  • Do not touch memory if the version is incorrect.
  • Test this.
iii marked 2 inline comments as done.Feb 23 2023, 4:08 PM
Harbormaster completed remote builds in B215617: Diff 500004.Feb 23 2023, 4:42 PM
vitalybuka accepted this revision.Feb 23 2023, 10:57 PM
vitalybuka added inline comments.
compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
5762–5768
5780

same

This revision is now accepted and ready to land.Feb 23 2023, 10:57 PM
iii updated this revision to Diff 500137.Feb 24 2023, 4:06 AM
  • Compute datasz only when necessary.
Harbormaster completed remote builds in B215713: Diff 500137.Feb 24 2023, 4:44 AM
This revision was landed with ongoing or failed builds.Feb 24 2023, 5:12 AM
Closed by commit rG0ce057c5925d: [sanitizer] Support v2 and v3 capabilities (authored by iii). · Explain Why
This revision was automatically updated to reflect the committed changes.
iii added a commit: rG0ce057c5925d: [sanitizer] Support v2 and v3 capabilities.

Revision Contents

PathSize
compiler-rt/
lib/
sanitizer_common/
6 lines
4 lines
2 lines
18 lines
test/
sanitizer_common/
TestCases/
Linux/
48 lines

Diff 500004

compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 5,753 Lines▼ Show 20 Lines
#endif #endif
#if SANITIZER_INTERCEPT_CAPGET #if SANITIZER_INTERCEPT_CAPGET
INTERCEPTOR(int, capget, void *hdrp, void *datap) { INTERCEPTOR(int, capget, void *hdrp, void *datap) {
void *ctx; void *ctx;
COMMON_INTERCEPTOR_ENTER(ctx, capget, hdrp, datap); COMMON_INTERCEPTOR_ENTER(ctx, capget, hdrp, datap);
if (hdrp) if (hdrp)
COMMON_INTERCEPTOR_READ_RANGE(ctx, hdrp, __user_cap_header_struct_sz); COMMON_INTERCEPTOR_READ_RANGE(ctx, hdrp, __user_cap_header_struct_sz);
unsigned datasz = __user_cap_data_struct_sz(hdrp);
// FIXME: under ASan the call below may write to freed memory and corrupt // FIXME: under ASan the call below may write to freed memory and corrupt
// its metadata. See // its metadata. See
// https://github.com/google/sanitizers/issues/321. // https://github.com/google/sanitizers/issues/321.
int res = REAL(capget)(hdrp, datap); int res = REAL(capget)(hdrp, datap);
if (res == 0 && datap) if (res == 0 && datap)
COMMON_INTERCEPTOR_WRITE_RANGE(ctx, datap, __user_cap_data_struct_sz); COMMON_INTERCEPTOR_WRITE_RANGE(ctx, datap, datasz);
vitalybukaUnsubmitted
Not Done
ReplyInline Actions
COMMON_INTERCEPTOR_READ_RANGE(ctx, hdrp, __user_cap_header_struct_sz);
- unsigned datasz = __user_cap_data_struct_sz(hdrp);
// FIXME: under ASan the call below may write to freed memory and corrupt
// its metadata. See
// https://github.com/google/sanitizers/issues/321.
int res = REAL(capget)(hdrp, datap);
if (res == 0 && datap)
+ unsigned datasz = __user_cap_data_struct_sz(hdrp);
COMMON_INTERCEPTOR_WRITE_RANGE(ctx, datap, datasz);
+ }
// We can also return -1 and write to hdrp->version if the version passed in
vitalybuka:
// We can also return -1 and write to hdrp->version if the version passed in // We can also return -1 and write to hdrp->version if the version passed in
// hdrp->version is unsupported. But that's not a trivial condition to check, // hdrp->version is unsupported. But that's not a trivial condition to check,
// and anyway COMMON_INTERCEPTOR_READ_RANGE protects us to some extent. // and anyway COMMON_INTERCEPTOR_READ_RANGE protects us to some extent.
return res; return res;
} }
INTERCEPTOR(int, capset, void *hdrp, const void *datap) { INTERCEPTOR(int, capset, void *hdrp, const void *datap) {
void *ctx; void *ctx;
COMMON_INTERCEPTOR_ENTER(ctx, capset, hdrp, datap); COMMON_INTERCEPTOR_ENTER(ctx, capset, hdrp, datap);
if (hdrp) if (hdrp)
COMMON_INTERCEPTOR_READ_RANGE(ctx, hdrp, __user_cap_header_struct_sz); COMMON_INTERCEPTOR_READ_RANGE(ctx, hdrp, __user_cap_header_struct_sz);
unsigned datasz = __user_cap_data_struct_sz(hdrp);
if (datap) if (datap)
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

same

vitalybuka: same
COMMON_INTERCEPTOR_READ_RANGE(ctx, datap, __user_cap_data_struct_sz); COMMON_INTERCEPTOR_READ_RANGE(ctx, datap, datasz);
return REAL(capset)(hdrp, datap); return REAL(capset)(hdrp, datap);
} }
#define INIT_CAPGET \ #define INIT_CAPGET \
COMMON_INTERCEPT_FUNCTION(capget); \ COMMON_INTERCEPT_FUNCTION(capget); \
COMMON_INTERCEPT_FUNCTION(capset); COMMON_INTERCEPT_FUNCTION(capset);
#else #else
#define INIT_CAPGET #define INIT_CAPGET
#endif #endif
▲ Show 20 LinesShow All 4,928 LinesShow Last 20 Lines

compiler-rt/lib/sanitizer_common/sanitizer_common_syscalls.inc

Show First 20 LinesShow All 411 Lines▼ Show 20 Lines
PRE_SYSCALL(capget)(void *header, void *dataptr) { PRE_SYSCALL(capget)(void *header, void *dataptr) {
if (header) if (header)
PRE_READ(header, __user_cap_header_struct_sz); PRE_READ(header, __user_cap_header_struct_sz);
} }
POST_SYSCALL(capget)(long res, void *header, void *dataptr) { POST_SYSCALL(capget)(long res, void *header, void *dataptr) {
if (res >= 0) if (res >= 0)
if (dataptr) if (dataptr)
POST_WRITE(dataptr, __user_cap_data_struct_sz); POST_WRITE(dataptr, __user_cap_data_struct_sz(header));
} }
PRE_SYSCALL(capset)(void *header, const void *data) { PRE_SYSCALL(capset)(void *header, const void *data) {
if (header) if (header)
PRE_READ(header, __user_cap_header_struct_sz); PRE_READ(header, __user_cap_header_struct_sz);
if (data) if (data)
PRE_READ(data, __user_cap_data_struct_sz); PRE_READ(data, __user_cap_data_struct_sz(header));
} }
POST_SYSCALL(capset)(long res, void *header, const void *data) {} POST_SYSCALL(capset)(long res, void *header, const void *data) {}
PRE_SYSCALL(personality)(long personality) {} PRE_SYSCALL(personality)(long personality) {}
POST_SYSCALL(personality)(long res, long personality) {} POST_SYSCALL(personality)(long res, long personality) {}
▲ Show 20 LinesShow All 2,745 LinesShow Last 20 Lines

compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.h

Show First 20 LinesShow All 129 Lines▼ Show 20 Linesstruct __sanitizer_perf_event_attr {
unsigned type; unsigned type;
unsigned size; unsigned size;
// More fields that vary with the kernel version. // More fields that vary with the kernel version.
}; };
extern unsigned struct_epoll_event_sz; extern unsigned struct_epoll_event_sz;
extern unsigned struct_sysinfo_sz; extern unsigned struct_sysinfo_sz;
extern unsigned __user_cap_header_struct_sz; extern unsigned __user_cap_header_struct_sz;
extern unsigned __user_cap_data_struct_sz; extern unsigned __user_cap_data_struct_sz(void *hdrp);
extern unsigned struct_new_utsname_sz; extern unsigned struct_new_utsname_sz;
extern unsigned struct_old_utsname_sz; extern unsigned struct_old_utsname_sz;
extern unsigned struct_oldold_utsname_sz; extern unsigned struct_oldold_utsname_sz;
const unsigned struct_kexec_segment_sz = 4 * sizeof(unsigned long); const unsigned struct_kexec_segment_sz = 4 * sizeof(unsigned long);
#endif // SANITIZER_LINUX #endif // SANITIZER_LINUX
#if SANITIZER_LINUX #if SANITIZER_LINUX
▲ Show 20 LinesShow All 1,363 LinesShow Last 20 Lines

compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.cpp

Show First 20 LinesShow All 242 Lines▼ Show 20 Lines# endif
} }
# endif // !SANITIZER_ANDROID # endif // !SANITIZER_ANDROID
# if SANITIZER_LINUX # if SANITIZER_LINUX
unsigned struct_epoll_event_sz = sizeof(struct epoll_event); unsigned struct_epoll_event_sz = sizeof(struct epoll_event);
unsigned struct_sysinfo_sz = sizeof(struct sysinfo); unsigned struct_sysinfo_sz = sizeof(struct sysinfo);
unsigned __user_cap_header_struct_sz = unsigned __user_cap_header_struct_sz =
sizeof(struct __user_cap_header_struct); sizeof(struct __user_cap_header_struct);
unsigned __user_cap_data_struct_sz = sizeof(struct __user_cap_data_struct); unsigned __user_cap_data_struct_sz(void *hdrp) {
int u32s = 0;
gliderUnsubmitted
Done
ReplyInline Actions

Do we want to do anything in the case of incorrect version?

glider: Do we want to do anything in the case of incorrect version?
iiiAuthorUnsubmitted
Done
ReplyInline Actions

I used 1 here in order to keep the old sanitizer behavior, but, come to think of it, it doesn't really make sense: if a buggy program passes a bad version, we don't want to unpoison the buffer. There can be new versions added in the future too, but this code would have to be updated in order to support them anyway.

So I'll change this to 0 and think of a way to test this.

iii: I used 1 here in order to keep the old sanitizer behavior, but, come to think of it, it doesn't…
if (hdrp) {
switch (((struct __user_cap_header_struct *)hdrp)->version) {
case _LINUX_CAPABILITY_VERSION_1:
u32s = _LINUX_CAPABILITY_U32S_1;
break;
case _LINUX_CAPABILITY_VERSION_2:
u32s = _LINUX_CAPABILITY_U32S_2;
break;
case _LINUX_CAPABILITY_VERSION_3:
u32s = _LINUX_CAPABILITY_U32S_3;
break;
}
}
return sizeof(struct __user_cap_data_struct) * u32s;
}
unsigned struct_new_utsname_sz = sizeof(struct new_utsname); unsigned struct_new_utsname_sz = sizeof(struct new_utsname);
unsigned struct_old_utsname_sz = sizeof(struct old_utsname); unsigned struct_old_utsname_sz = sizeof(struct old_utsname);
unsigned struct_oldold_utsname_sz = sizeof(struct oldold_utsname); unsigned struct_oldold_utsname_sz = sizeof(struct oldold_utsname);
#endif // SANITIZER_LINUX #endif // SANITIZER_LINUX
#if SANITIZER_LINUX #if SANITIZER_LINUX
unsigned struct_rlimit_sz = sizeof(struct rlimit); unsigned struct_rlimit_sz = sizeof(struct rlimit);
unsigned struct_timespec_sz = sizeof(struct timespec); unsigned struct_timespec_sz = sizeof(struct timespec);
▲ Show 20 LinesShow All 1,087 LinesShow Last 20 Lines

compiler-rt/test/sanitizer_common/TestCases/Linux/cap.c

  • This file was added.
// RUN: %clang %s -o %t && %run %t
// capget() and capset() are not intercepted on Android.
// UNSUPPORTED: android
#include <assert.h>
#include <errno.h>
#include <linux/capability.h>
#include <stdio.h>
#include <stdlib.h>
#include "sanitizer_common/sanitizer_specific.h"
/* Use capget() and capset() from glibc. */
int capget(cap_user_header_t header, cap_user_data_t data);
int capset(cap_user_header_t header, const cap_user_data_t data);
static void test(int version, int u32s) {
struct __user_cap_header_struct hdr = {
.version = version,
.pid = 0,
};
struct __user_cap_data_struct data[u32s];
if (capget(&hdr, data)) {
assert(errno == EINVAL);
/* Check that memory is not touched. */
#if __has_feature(memory_sanitizer)
assert(__msan_test_shadow(data, sizeof(data)) == 0);
#endif
hdr.version = version;
int err = capset(&hdr, data);
assert(errno == EINVAL);
} else {
for (int i = 0; i < u32s; i++)
printf("%x %x %x\n", data[i].effective, data[i].permitted,
data[i].inheritable);
int err = capset(&hdr, data);
gliderUnsubmitted
Done
ReplyInline Actions

If we do, can you please add a test case for it?

glider: If we do, can you please add a test case for it?
assert(!err);
}
}
int main() {
test(0, 1); /* Test an incorrect version. */
test(_LINUX_CAPABILITY_VERSION_1, _LINUX_CAPABILITY_U32S_1);
test(_LINUX_CAPABILITY_VERSION_2, _LINUX_CAPABILITY_U32S_2);
test(_LINUX_CAPABILITY_VERSION_3, _LINUX_CAPABILITY_U32S_3);
return EXIT_SUCCESS;
}