This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lib/sanitizer_common/
-
sanitizer_common/
2
sanitizer_allocator.h

Differential D15008

[sanitizer] Fix a crash in SizeClassAllocator32 with an out-of-range pointer
ClosedPublic

Authored by kubamracek on Nov 26 2015, 1:52 AM.

Download Raw Diff

Details

Reviewers

kcc
glider
dvyukov
samsonov

Commits

rGa90528bb8991: [sanitizer] Fix a crash in SizeClassAllocator32 with an out-of-range pointer
rCRT268243: [sanitizer] Fix a crash in SizeClassAllocator32 with an out-of-range pointer
rL268243: [sanitizer] Fix a crash in SizeClassAllocator32 with an out-of-range pointer

Summary

This only happens on a 64-bit platform that uses SizeClassAllocator32 (e.g. ASan on AArch64). When querying a large invalid pointer about its size, e.g. with:

__sanitizer_get_allocated_size(0xdeadbeefdeadbeef);

...an assertion will fail:

AddressSanitizer CHECK failed: .../sanitizer_allocator.h "((res)) < ((kNumPossibleRegions))"

This patch changes PointerIsMine to return false if the pointer is outside of [kSpaceBeg, kSpaceBeg + kSpaceSize).

Diff Detail

Event Timeline

kubamracek updated this revision to Diff 41217.Nov 26 2015, 1:52 AM

kubamracek retitled this revision from to [sanitizer] Fix a crash in SizeClassAllocator32 with an out-of-range pointer.

kubamracek updated this object.

kubamracek added reviewers: samsonov, glider, kcc, dvyukov.

kubamracek added subscribers: llvm-commits, zaks.anna.

Herald added a subscriber: aemerson. · View Herald TranscriptNov 26 2015, 1:52 AM

dvyukov added inline comments.Nov 30 2015, 6:14 AM

lib/sanitizer_common/sanitizer_allocator.h
753	The condition in GetSizeClass->ComputeRegionId is different. It effectively checks that mem < kSpaceSize. At least ComputeRegionId assumes that kSpaceBeg==0. We seem to be missing some tests. Kostya?

kubamracek added inline comments.Dec 7 2015, 3:28 AM

lib/sanitizer_common/sanitizer_allocator.h
753	How should this be fixed? All uses of SizeClassAllocator32 currently use "0" as kSpaceBeg, so we could just assume that as a requirement.

I will ask Kostya.

Where is "__sanitizer_get_allocated_size(0xdeadbeefdeadbeef);" called?
I'd say this is a misuse of the function, you should not pass a pointer outside of the AS there.

Kostya, I think we should remove kSpaceBeg and replace it with zero. What do you think?

In D15008#304630, @dvyukov wrote:

Kostya, I think we should remove kSpaceBeg and replace it with zero. What do you think?

You mean, only SizeClassAllocator32::kSpaceBeg, right?
Why?

Theoretically, we may gain something by making kSpaceBeg non-zero.
Before we actually do it, SizeClassAllocator32::kSpaceBeg is kind of useless, but it also doesn't harm much.

It is broken. We never used it. We don't have tests for it.
See previous comments.

No strong opinion here. If you think we should remove it -- ok, let's do it.
We can reinstate it back if needed.

Ping. Adding a test case.

Herald added a subscriber: kubamracek. · View Herald TranscriptMay 2 2016, 8:06 AM

dvyukov accepted this revision.May 2 2016, 8:10 AM

dvyukov edited edge metadata.

This revision is now accepted and ready to land.May 2 2016, 8:10 AM

Closed by commit rL268243: [sanitizer] Fix a crash in SizeClassAllocator32 with an out-of-range pointer (authored by kuba.brecka). · Explain WhyMay 2 2016, 8:28 AM

This revision was automatically updated to reflect the committed changes.

yln mentioned this in D115947: [TSan][Darwin] Make malloc_size interceptor more robust.Dec 17 2021, 9:32 AM

yln mentioned this in rG4399f3b6b0df: [TSan][Darwin] Make malloc_size interceptor more robust.Dec 17 2021, 3:38 PM

Revision Contents

Path

Size

lib/

sanitizer_common/

sanitizer_allocator.h

3 lines

Diff 41217

lib/sanitizer_common/sanitizer_allocator.h

Show First 20 Lines • Show All 743 Lines • ▼ Show 20 Lines	NOINLINE void DeallocateBatch(AllocatorStats stat, uptr class_id, Batch b) {
CHECK_LT(class_id, kNumClasses);		CHECK_LT(class_id, kNumClasses);
SizeClassInfo *sci = GetSizeClassInfo(class_id);		SizeClassInfo *sci = GetSizeClassInfo(class_id);
SpinMutexLock l(&sci->mutex);		SpinMutexLock l(&sci->mutex);
CHECK_GT(b->count, 0);		CHECK_GT(b->count, 0);
sci->free_list.push_front(b);		sci->free_list.push_front(b);
}		}

bool PointerIsMine(const void *p) {		bool PointerIsMine(const void *p) {
		uptr mem = reinterpret_cast<uptr>(p);
		if (mem < kSpaceBeg \|\| mem >= kSpaceBeg + kSpaceSize)
		dvyukovUnsubmitted Not Done Reply Inline Actions The condition in GetSizeClass->ComputeRegionId is different. It effectively checks that mem < kSpaceSize. At least ComputeRegionId assumes that kSpaceBeg==0. We seem to be missing some tests. Kostya? dvyukov: The condition in GetSizeClass->ComputeRegionId is different. It effectively checks that mem <…
		kubamracekAuthorUnsubmitted Not Done Reply Inline Actions How should this be fixed? All uses of SizeClassAllocator32 currently use "0" as kSpaceBeg, so we could just assume that as a requirement. kubamracek: How should this be fixed? All uses of SizeClassAllocator32 currently use "0" as kSpaceBeg, so…
		return false;
return GetSizeClass(p) != 0;		return GetSizeClass(p) != 0;
}		}

uptr GetSizeClass(const void *p) {		uptr GetSizeClass(const void *p) {
return possible_regions[ComputeRegionId(reinterpret_cast<uptr>(p))];		return possible_regions[ComputeRegionId(reinterpret_cast<uptr>(p))];
}		}

void GetBlockBegin(const void p) {		void GetBlockBegin(const void p) {
▲ Show 20 Lines • Show All 696 Lines • Show Last 20 Lines