This is an archive of the discontinued LLVM Phabricator instance.

Differential D150496

ASan: fix potential use-after-free in backtrace interceptor
ClosedPublic

Authored by thurston on May 12 2023, 4:27 PM.

Details

Reviewers
vitalybuka
Commits
rGbd1170d2c371: ASan: fix potential use-after-free in backtrace interceptor
Summary

Various ASan interceptors may corrupt memory if passed a
pointer to freed memory (https://github.com/google/sanitizers/issues/321).
This patch fixes the issue for the backtrace interceptor,
by calling REAL(backtrace) with a known-good scratch buffer,
and performing an addressability check on the user-provided
buffer prior to writing to it.

Diff Detail

Event Timeline

thurston created this revision.May 12 2023, 4:27 PM
Herald added a project: Restricted Project. · View Herald TranscriptMay 12 2023, 4:27 PM
Herald added a subscriber: Enna1. · View Herald Transcript
thurston requested review of this revision.May 12 2023, 4:27 PM
Herald added a project: Restricted Project. · View Herald TranscriptMay 12 2023, 4:27 PM
Herald added a subscriber: Restricted Project. · View Herald Transcript
thurston added a reviewer: vitalybuka.May 12 2023, 4:28 PM
Harbormaster completed remote builds in B231736: Diff 521836.May 12 2023, 5:26 PM
vitalybuka added inline comments.May 12 2023, 10:28 PM
compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
4408

why we can't check with COMMON_INTERCEPTOR_WRITE_RANGE before real and after?
before for asan, after for msan

4414

internal_memcpy?

thurston added inline comments.May 12 2023, 10:33 PM
compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
4408

That would be a stricter check than currently done, because it would have to performed with 'size' rather than 'res'.

For example, if the user calls backtrace with a buffer of 100 elements but a size parameter of 1000000, COMMON_INTERCEPTOR_WRITE_RANGE before REAL would complain because the buffer is not large enough.

However, if the REAL(backtrace) function only ends up returning 50 items, then the buffer is large enough in practice, and it doesn't really matter that the size parameter was too large. The current implementation only checks that the buffer was large enough for the actual number of items written by REAL(backtrace).

4414

Will do.

thurston updated this revision to Diff 521871.May 12 2023, 11:04 PM

Use internal_memcpy as suggested by Vitaly

thurston marked an inline comment as done.May 12 2023, 11:04 PM
vitalybuka accepted this revision.May 12 2023, 11:06 PM
This revision is now accepted and ready to land.May 12 2023, 11:06 PM
Harbormaster completed remote builds in B231765: Diff 521871.May 12 2023, 11:22 PM
This revision was landed with ongoing or failed builds.May 13 2023, 4:22 PM
Closed by commit rGbd1170d2c371: ASan: fix potential use-after-free in backtrace interceptor (authored by thurston). · Explain Why
This revision was automatically updated to reflect the committed changes.
thurston added a commit: rGbd1170d2c371: ASan: fix potential use-after-free in backtrace interceptor.

Revision Contents

PathSize
compiler-rt/
lib/
sanitizer_common/
16 lines
test/
asan/
TestCases/
6 lines

Diff 521836

compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 4,398 Lines▼ Show 20 Lines
#else #else
#define INIT_PTHREAD_SIGMASK #define INIT_PTHREAD_SIGMASK
#endif #endif
#if SANITIZER_INTERCEPT_BACKTRACE #if SANITIZER_INTERCEPT_BACKTRACE
INTERCEPTOR(int, backtrace, void **buffer, int size) { INTERCEPTOR(int, backtrace, void **buffer, int size) {
void *ctx; void *ctx;
COMMON_INTERCEPTOR_ENTER(ctx, backtrace, buffer, size); COMMON_INTERCEPTOR_ENTER(ctx, backtrace, buffer, size);
// FIXME: under ASan the call below may write to freed memory and corrupt // 'buffer' might be freed memory, hence it is unsafe to directly call
// its metadata. See // REAL(backtrace)(buffer, size). Instead, we use our own known-good
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

why we can't check with COMMON_INTERCEPTOR_WRITE_RANGE before real and after?
before for asan, after for msan

vitalybuka: why we can't check with COMMON_INTERCEPTOR_WRITE_RANGE before real and after? before for asan…
thurstonAuthorUnsubmitted
Done
ReplyInline Actions

That would be a stricter check than currently done, because it would have to performed with 'size' rather than 'res'.

For example, if the user calls backtrace with a buffer of 100 elements but a size parameter of 1000000, COMMON_INTERCEPTOR_WRITE_RANGE before REAL would complain because the buffer is not large enough.

However, if the REAL(backtrace) function only ends up returning 50 items, then the buffer is large enough in practice, and it doesn't really matter that the size parameter was too large. The current implementation only checks that the buffer was large enough for the actual number of items written by REAL(backtrace).

thurston: That would be a stricter check than currently done, because it would have to performed with…
// https://github.com/google/sanitizers/issues/321. // scratch buffer.
int res = REAL(backtrace)(buffer, size); void **scratch = (void**)InternalAlloc(sizeof(void*) * size);
if (res && buffer) int res = REAL(backtrace)(scratch, size);
if (res && buffer) {
COMMON_INTERCEPTOR_WRITE_RANGE(ctx, buffer, res * sizeof(*buffer)); COMMON_INTERCEPTOR_WRITE_RANGE(ctx, buffer, res * sizeof(*buffer));
for (int i = 0; i < res; i++) {
vitalybukaUnsubmitted
Done
ReplyInline Actions

internal_memcpy?

vitalybuka: internal_memcpy?
thurstonAuthorUnsubmitted
Done
ReplyInline Actions

Will do.

thurston: Will do.
buffer[i] = scratch[i];
}
}
InternalFree(scratch);
return res; return res;
} }
INTERCEPTOR(char **, backtrace_symbols, void **buffer, int size) { INTERCEPTOR(char **, backtrace_symbols, void **buffer, int size) {
void *ctx; void *ctx;
COMMON_INTERCEPTOR_ENTER(ctx, backtrace_symbols, buffer, size); COMMON_INTERCEPTOR_ENTER(ctx, backtrace_symbols, buffer, size);
if (buffer && size) if (buffer && size)
COMMON_INTERCEPTOR_READ_RANGE(ctx, buffer, size * sizeof(*buffer)); COMMON_INTERCEPTOR_READ_RANGE(ctx, buffer, size * sizeof(*buffer));
▲ Show 20 LinesShow All 6,258 LinesShow Last 20 Lines

compiler-rt/test/asan/TestCases/backtrace_interceptor.cpp

// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s // RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
// Interceptor can cause use-after-free
// (https://github.com/google/sanitizers/issues/321)
// XFAIL: *
// Test the backtrace() interceptor. // Test the backtrace() interceptor.
#include <assert.h> #include <assert.h>
#include <execinfo.h> #include <execinfo.h>
#include <math.h> #include <math.h>
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#define MAX_BT 100 #define MAX_BT 100
int main() { int main() {
void **buffer = (void **)malloc(sizeof(void *) * MAX_BT); void **buffer = (void **)malloc(sizeof(void *) * MAX_BT);
assert(buffer != NULL); assert(buffer != NULL);
free(buffer); free(buffer);
// Deliberate use-after-free of 'buffer'. We expect ASan to
// catch this, without triggering internal sanitizer errors.
int numEntries = backtrace(buffer, MAX_BT); int numEntries = backtrace(buffer, MAX_BT);
printf("backtrace returned %d entries\n", numEntries); printf("backtrace returned %d entries\n", numEntries);
// CHECK: use-after-free // CHECK: use-after-free
// CHECK: SUMMARY // CHECK: SUMMARY
return 0; return 0;
} }