This is an archive of the discontinued LLVM Phabricator instance.

Differential D150496

ASan: fix potential use-after-free in backtrace interceptor
ClosedPublic

Authored by thurston on May 12 2023, 4:27 PM.

Download Raw Diff

Details

Reviewers

vitalybuka

Commits

rGbd1170d2c371: ASan: fix potential use-after-free in backtrace interceptor

Summary

Various ASan interceptors may corrupt memory if passed a
pointer to freed memory (https://github.com/google/sanitizers/issues/321).
This patch fixes the issue for the backtrace interceptor,
by calling REAL(backtrace) with a known-good scratch buffer,
and performing an addressability check on the user-provided
buffer prior to writing to it.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

thurston created this revision.May 12 2023, 4:27 PM

Herald added a project: Restricted Project. · View Herald TranscriptMay 12 2023, 4:27 PM

Herald added a subscriber: Enna1. · View Herald Transcript

thurston requested review of this revision.May 12 2023, 4:27 PM

Herald added a project: Restricted Project. · View Herald TranscriptMay 12 2023, 4:27 PM

Herald added a subscriber: Restricted Project. · View Herald Transcript

thurston added a reviewer: vitalybuka.May 12 2023, 4:28 PM

Harbormaster completed remote builds in B231736: Diff 521836.May 12 2023, 5:26 PM

vitalybuka added inline comments.May 12 2023, 10:28 PM

compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
4408	why we can't check with COMMON_INTERCEPTOR_WRITE_RANGE before real and after? before for asan, after for msan
4414	internal_memcpy?

thurston added inline comments.May 12 2023, 10:33 PM

compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
4408	That would be a stricter check than currently done, because it would have to performed with 'size' rather than 'res'. For example, if the user calls backtrace with a buffer of 100 elements but a size parameter of 1000000, COMMON_INTERCEPTOR_WRITE_RANGE before REAL would complain because the buffer is not large enough. However, if the REAL(backtrace) function only ends up returning 50 items, then the buffer is large enough in practice, and it doesn't really matter that the size parameter was too large. The current implementation only checks that the buffer was large enough for the actual number of items written by REAL(backtrace).
4414	Will do.

Use internal_memcpy as suggested by Vitaly

thurston marked an inline comment as done.May 12 2023, 11:04 PM

vitalybuka accepted this revision.May 12 2023, 11:06 PM

This revision is now accepted and ready to land.May 12 2023, 11:06 PM

Harbormaster completed remote builds in B231765: Diff 521871.May 12 2023, 11:22 PM

This revision was landed with ongoing or failed builds.May 13 2023, 4:22 PM

Closed by commit rGbd1170d2c371: ASan: fix potential use-after-free in backtrace interceptor (authored by thurston). · Explain Why

This revision was automatically updated to reflect the committed changes.

thurston added a commit: rGbd1170d2c371: ASan: fix potential use-after-free in backtrace interceptor.

Revision Contents

Path

Size

compiler-rt/

lib/

sanitizer_common/

sanitizer_common_interceptors.inc

14 lines

test/

asan/

TestCases/

backtrace_interceptor.cpp

6 lines

Diff 521954

compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc

This file is larger than 256 KB, so syntax highlighting is disabled by default.

	Show First 20 Lines • Show All 4,398 Lines • ▼ Show 20 Lines
	#else			#else
	#define INIT_PTHREAD_SIGMASK			#define INIT_PTHREAD_SIGMASK
	#endif			#endif

	#if SANITIZER_INTERCEPT_BACKTRACE			#if SANITIZER_INTERCEPT_BACKTRACE
	INTERCEPTOR(int, backtrace, void **buffer, int size) {			INTERCEPTOR(int, backtrace, void **buffer, int size) {
	void *ctx;			void *ctx;
	COMMON_INTERCEPTOR_ENTER(ctx, backtrace, buffer, size);			COMMON_INTERCEPTOR_ENTER(ctx, backtrace, buffer, size);
	// FIXME: under ASan the call below may write to freed memory and corrupt			// 'buffer' might be freed memory, hence it is unsafe to directly call
	// its metadata. See			// REAL(backtrace)(buffer, size). Instead, we use our own known-good
				vitalybukaUnsubmitted Not Done Reply Inline Actions why we can't check with COMMON_INTERCEPTOR_WRITE_RANGE before real and after? before for asan, after for msan vitalybuka: why we can't check with COMMON_INTERCEPTOR_WRITE_RANGE before real and after? before for asan…
				thurstonAuthorUnsubmitted Done Reply Inline Actions That would be a stricter check than currently done, because it would have to performed with 'size' rather than 'res'. For example, if the user calls backtrace with a buffer of 100 elements but a size parameter of 1000000, COMMON_INTERCEPTOR_WRITE_RANGE before REAL would complain because the buffer is not large enough. However, if the REAL(backtrace) function only ends up returning 50 items, then the buffer is large enough in practice, and it doesn't really matter that the size parameter was too large. The current implementation only checks that the buffer was large enough for the actual number of items written by REAL(backtrace). thurston: That would be a stricter check than currently done, because it would have to performed with…
	// https://github.com/google/sanitizers/issues/321.			// scratch buffer.
	int res = REAL(backtrace)(buffer, size);			void scratch = (void)InternalAlloc(sizeof(void) size);
	if (res && buffer)			int res = REAL(backtrace)(scratch, size);
				if (res && buffer) {
	COMMON_INTERCEPTOR_WRITE_RANGE(ctx, buffer, res * sizeof(*buffer));			COMMON_INTERCEPTOR_WRITE_RANGE(ctx, buffer, res * sizeof(*buffer));
				internal_memcpy(buffer, scratch, res * sizeof(*buffer));
				vitalybukaUnsubmitted Done Reply Inline Actions internal_memcpy? vitalybuka: internal_memcpy?
				thurstonAuthorUnsubmitted Done Reply Inline Actions Will do. thurston: Will do.
				}
				InternalFree(scratch);
	return res;			return res;
	}			}

	INTERCEPTOR(char , backtrace_symbols, void buffer, int size) {			INTERCEPTOR(char , backtrace_symbols, void buffer, int size) {
	void *ctx;			void *ctx;
	COMMON_INTERCEPTOR_ENTER(ctx, backtrace_symbols, buffer, size);			COMMON_INTERCEPTOR_ENTER(ctx, backtrace_symbols, buffer, size);
	if (buffer && size)			if (buffer && size)
	COMMON_INTERCEPTOR_READ_RANGE(ctx, buffer, size * sizeof(*buffer));			COMMON_INTERCEPTOR_READ_RANGE(ctx, buffer, size * sizeof(*buffer));
	▲ Show 20 Lines • Show All 6,257 Lines • Show Last 20 Lines

compiler-rt/test/asan/TestCases/backtrace_interceptor.cpp

	// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 \| FileCheck %s			// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 \| FileCheck %s

	// Windows does not have execinfo.h. For now, be conservative and			// Windows does not have execinfo.h. For now, be conservative and
	// restrict the test to glibc.			// restrict the test to glibc.
	// REQUIRES: glibc-2.27			// REQUIRES: glibc-2.27

	// Interceptor can cause use-after-free
	// (https://github.com/google/sanitizers/issues/321)
	// XFAIL: *

	// Test the backtrace() interceptor.			// Test the backtrace() interceptor.

	#include <assert.h>			#include <assert.h>
	#include <execinfo.h>			#include <execinfo.h>
	#include <math.h>			#include <math.h>
	#include <stdio.h>			#include <stdio.h>
	#include <stdlib.h>			#include <stdlib.h>

	#define MAX_BT 100			#define MAX_BT 100

	int main() {			int main() {
	void buffer = (void )malloc(sizeof(void ) MAX_BT);			void buffer = (void )malloc(sizeof(void ) MAX_BT);
	assert(buffer != NULL);			assert(buffer != NULL);
	free(buffer);			free(buffer);

				// Deliberate use-after-free of 'buffer'. We expect ASan to
				// catch this, without triggering internal sanitizer errors.
	int numEntries = backtrace(buffer, MAX_BT);			int numEntries = backtrace(buffer, MAX_BT);
	printf("backtrace returned %d entries\n", numEntries);			printf("backtrace returned %d entries\n", numEntries);

	// CHECK: use-after-free			// CHECK: use-after-free
	// CHECK: SUMMARY			// CHECK: SUMMARY
	return 0;			return 0;
	}			}