This is an archive of the discontinued LLVM Phabricator instance.

Differential D152763

[HWASAN] Implement munmap interceptor for HWASAN
ClosedPublic

Authored by kstoimenov on Jun 12 2023, 5:25 PM.

Details

Reviewers
vitalybuka
thurston
Commits
rGfba9fd1afa70: [HWASAN] Implement munmap interceptor for HWASAN

Diff Detail

Event Timeline

kstoimenov created this revision.Jun 12 2023, 5:25 PM
Herald added a project: Restricted Project. · View Herald TranscriptJun 12 2023, 5:25 PM
Herald added a subscriber: Enna1. · View Herald Transcript
kstoimenov requested review of this revision.Jun 12 2023, 5:25 PM
Herald added a project: Restricted Project. · View Herald TranscriptJun 12 2023, 5:25 PM
Herald added a subscriber: Restricted Project. · View Herald Transcript
kstoimenov updated this revision to Diff 530730.Jun 12 2023, 5:27 PM

Updated comment.

kstoimenov updated this revision to Diff 530731.Jun 12 2023, 5:28 PM

Updated order.

kstoimenov added reviewers: vitalybuka, thurston.Jun 12 2023, 5:28 PM
thurston added inline comments.Jun 12 2023, 5:34 PM
compiler-rt/lib/hwasan/hwasan_interceptors.cpp
216

HWASan's mmap interceptor does not tag memory or allow MAP_FIXED with a tagged address, so there should be no need to zero-tag memory in the munmap interceptor. (To the extent that zero-tagging fixes anything, it means there is a bug elsewhere.)

thurston added inline comments.Jun 12 2023, 5:36 PM
compiler-rt/test/hwasan/TestCases/munmap.c
26

What is the purpose of testing that this works? Tagging the pointer and memory for an mmap'ed allocation is not something that should happen in practice.

Harbormaster completed remote builds in B238358: Diff 530731.Jun 12 2023, 5:48 PM
kstoimenov added inline comments.Jun 13 2023, 9:16 AM
compiler-rt/test/hwasan/TestCases/munmap.c
26

Here is my understanding of what is going on. Feel free to double-check with vitalybuka@. While we investigated a bug we figured out that the area for the stack is mmaped. After that HWASAN tags that memory during execution from instrumented code to detect UAR. What happens after that the process uses vfork to spawn a child process where we get the tag mismatch error. The reason is that the memory is unmmaped in the child process without being untagged and then the next mmap request returns the same memory with tagged shadow memory.

thurston added inline comments.Jun 13 2023, 9:42 AM
compiler-rt/test/hwasan/TestCases/munmap.c
26

Wouldn't it be better to zero-tag the memory in the mmap interceptor, rather than the munmap interceptor? It would mean that un-mmap'ed pages would continue to be protected against illegal accesses, until such time that the memory is actually reused by mmap.

kstoimenov updated this revision to Diff 531025.Jun 13 2023, 12:10 PM

Fixed unmap.

Harbormaster completed remote builds in B238587: Diff 531025.Jun 13 2023, 1:08 PM
vitalybuka added a comment.Jun 13 2023, 1:36 PM

we need the same for Asan, in a separate patch

compiler-rt/lib/hwasan/hwasan_interceptors.cpp
208

Let's do __hwasan::TagMemoryAligned(reinterpret_cast<uptr>(addr), length, 0); here as well

compiler-rt/test/hwasan/TestCases/munmap.c
26

pages are already protected as they are not mapped, so you'll get segv
TagMemoryAligned(...0) will also release unused physical pages

I guess it will not hurt to zero tag in mmap as well.
Reason is that some user code can mmap/munmap avoiding our interceptors, so these two checkpoints to fix them up

30

as this is hwasan test, you can use __hwasan_test_shadow, it's going to be simple:

__hwasan_tag_memory
mmap(fixed)
__hwasan_test_shadow

__hwasan_tag_memory
munmap
__hwasan_test_shadow
kstoimenov updated this revision to Diff 531100.Jun 13 2023, 3:55 PM
kstoimenov marked an inline comment as done.

Updated the test.

kstoimenov marked an inline comment as done.Jun 13 2023, 3:57 PM
kstoimenov added inline comments.
compiler-rt/test/hwasan/TestCases/munmap.c
30

Also added some extra checks. PTAL.

Harbormaster completed remote builds in B238640: Diff 531100.Jun 13 2023, 4:18 PM
vitalybuka added inline comments.Jun 13 2023, 4:52 PM
compiler-rt/lib/hwasan/hwasan_interceptors.cpp
210

it need to be under
if (res != (void *)-1) {

compiler-rt/test/hwasan/TestCases/munmap.c
43

please add __hwasan_test_shadow(r) just after munmap

43

and then tag again before mmap(r, FIXED

vitalybuka added a comment.Jun 13 2023, 4:52 PM

LGTM with fixes above

vitalybuka accepted this revision.Jun 13 2023, 4:52 PM
This revision is now accepted and ready to land.Jun 13 2023, 4:52 PM
kstoimenov updated this revision to Diff 531119.Jun 13 2023, 5:10 PM
kstoimenov marked an inline comment as done.

Address comments.

kstoimenov marked 3 inline comments as done.Jun 13 2023, 5:11 PM
Harbormaster completed remote builds in B238654: Diff 531119.Jun 13 2023, 5:34 PM
vitalybuka accepted this revision.Jun 13 2023, 7:29 PM
kstoimenov updated this revision to Diff 531172.Jun 13 2023, 10:30 PM

Updated to TagMem.

This revision was landed with ongoing or failed builds.Jun 13 2023, 10:37 PM
Closed by commit rGfba9fd1afa70: [HWASAN] Implement munmap interceptor for HWASAN (authored by kstoimenov). · Explain Why
This revision was automatically updated to reflect the committed changes.
kstoimenov added a commit: rGfba9fd1afa70: [HWASAN] Implement munmap interceptor for HWASAN.
Harbormaster completed remote builds in B238695: Diff 531172.Jun 13 2023, 10:50 PM
kstoimenov reopened this revision.Jun 14 2023, 7:25 AM

Breaks the build bot. Will fix forward.

This revision is now accepted and ready to land.Jun 14 2023, 7:25 AM
kstoimenov updated this revision to Diff 531333.Jun 14 2023, 7:47 AM

Switched to unaligned.

kstoimenov closed this revision.Jun 14 2023, 7:54 AM

Will submit as separate patch.

kstoimenov mentioned this in rGceab8e3af7d8: [HWASAN] Fix bot test failure caused by D152763 by switching to.Jun 14 2023, 7:57 AM
Harbormaster completed remote builds in B238809: Diff 531333.Jun 14 2023, 8:12 AM

Revision Contents

PathSize
compiler-rt/
lib/
hwasan/
12 lines
test/
hwasan/
TestCases/
30 lines

Diff 530729

compiler-rt/lib/hwasan/hwasan_interceptors.cpp

Show First 20 LinesShow All 199 Lines▼ Show 20 Lines if (res != (void *)-1) {
void *end_res = (char *)res + (rounded_length - 1); void *end_res = (char *)res + (rounded_length - 1);
if (!MemIsApp(reinterpret_cast<uptr>(res)) || if (!MemIsApp(reinterpret_cast<uptr>(res)) ||
!MemIsApp(reinterpret_cast<uptr>(end_res))) { !MemIsApp(reinterpret_cast<uptr>(end_res))) {
// Application has attempted to map more memory than is supported by // Application has attempted to map more memory than is supported by
// HWASan. Act as if we ran out of memory. // HWASan. Act as if we ran out of memory.
internal_munmap(res, length); internal_munmap(res, length);
errno = errno_ENOMEM; errno = errno_ENOMEM;
return (void *)-1; return (void *)-1;
} }
vitalybukaUnsubmitted
Done
ReplyInline Actions

Let's do __hwasan::TagMemoryAligned(reinterpret_cast<uptr>(addr), length, 0); here as well

vitalybuka: Let's do __hwasan::TagMemoryAligned(reinterpret_cast<uptr>(addr), length, 0); here as well
} }
vitalybukaUnsubmitted
Done
ReplyInline Actions

it need to be under
if (res != (void *)-1) {

vitalybuka: it need to be under if (res != (void *)-1) {
return res; return res;
} }
template <class Munmap>
static int munmap_interceptor(Munmap real_munmap, void *addr, SIZE_T length) {
__hwasan::TagMemoryAligned(reinterpret_cast<uptr>(addr), length, 0);
thurstonUnsubmitted
Not Done
ReplyInline Actions

HWASan's mmap interceptor does not tag memory or allow MAP_FIXED with a tagged address, so there should be no need to zero-tag memory in the munmap interceptor. (To the extent that zero-tagging fixes anything, it means there is a bug elsewhere.)

thurston: HWASan's mmap interceptor does not tag memory or allow MAP_FIXED with a tagged address, so…
return real_munmap(addr, length);
}
# define COMMON_INTERCEPTOR_MMAP_IMPL(ctx, mmap, addr, length, prot, flags, \ # define COMMON_INTERCEPTOR_MMAP_IMPL(ctx, mmap, addr, length, prot, flags, \
fd, offset) \ fd, offset) \
do { \ do { \
(void)(ctx); \ (void)(ctx); \
return mmap_interceptor(REAL(mmap), addr, sz, prot, flags, fd, off); \ return mmap_interceptor(REAL(mmap), addr, sz, prot, flags, fd, off); \
} while (false) } while (false)
# define COMMON_INTERCEPTOR_MUNMAP_IMPL(ctx, mmap, addr, length) \
do { \
(void)(ctx); \
return munmap_interceptor(REAL(mmap), addr, sz); \
} while (false)
# include "sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc" # include "sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc"
# include "sanitizer_common/sanitizer_common_interceptors.inc" # include "sanitizer_common/sanitizer_common_interceptors.inc"
struct ThreadStartArg { struct ThreadStartArg {
__sanitizer_sigset_t starting_sigset_; __sanitizer_sigset_t starting_sigset_;
}; };
static void *HwasanThreadStartFunc(void *arg) { static void *HwasanThreadStartFunc(void *arg) {
▲ Show 20 LinesShow All 296 LinesShow Last 20 Lines

compiler-rt/test/hwasan/TestCases/munmap.c

  • This file was added.
// RUN: %clang_hwasan %s -o %t
// RUN: %run %t 2>&1
// REQUIRES: aarch64-target-arch
#include <sanitizer/hwasan_interface.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
int main(int argc, char **argv) {
int size = 4096;
int tag = 74;
int val = 42;
void *r = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE,
-1, 0);
int *p1 = __hwasan_tag_pointer(r, tag);
if (r == MAP_FAILED) {
fprintf(stderr, "Failed to mmap\n");
abort();
}
__hwasan_tag_memory(r, tag, size);
*p1 = 42;
munmap(r, size);
// Remap the same address and make sure we can access it with an untagged pointer.
int *p2 = (int*) mmap(r, size, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE,
thurstonUnsubmitted
Not Done
ReplyInline Actions

What is the purpose of testing that this works? Tagging the pointer and memory for an mmap'ed allocation is not something that should happen in practice.

thurston: What is the purpose of testing that this works? Tagging the pointer and memory for an mmap'ed…
kstoimenovAuthorUnsubmitted
Done
ReplyInline Actions

Here is my understanding of what is going on. Feel free to double-check with vitalybuka@. While we investigated a bug we figured out that the area for the stack is mmaped. After that HWASAN tags that memory during execution from instrumented code to detect UAR. What happens after that the process uses vfork to spawn a child process where we get the tag mismatch error. The reason is that the memory is unmmaped in the child process without being untagged and then the next mmap request returns the same memory with tagged shadow memory.

kstoimenov: Here is my understanding of what is going on. Feel free to double-check with vitalybuka@. While…
thurstonUnsubmitted
Not Done
ReplyInline Actions

Wouldn't it be better to zero-tag the memory in the mmap interceptor, rather than the munmap interceptor? It would mean that un-mmap'ed pages would continue to be protected against illegal accesses, until such time that the memory is actually reused by mmap.

thurston: Wouldn't it be better to zero-tag the memory in the mmap interceptor, rather than the munmap…
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

pages are already protected as they are not mapped, so you'll get segv
TagMemoryAligned(...0) will also release unused physical pages

I guess it will not hurt to zero tag in mmap as well.
Reason is that some user code can mmap/munmap avoiding our interceptors, so these two checkpoints to fix them up

vitalybuka: pages are already protected as they are not mapped, so you'll get segv TagMemoryAligned(...0)…
-1, 0);
*p2 = 42;
return 0;
}
vitalybukaUnsubmitted
Done
ReplyInline Actions

as this is hwasan test, you can use __hwasan_test_shadow, it's going to be simple:

__hwasan_tag_memory
mmap(fixed)
__hwasan_test_shadow

__hwasan_tag_memory
munmap
__hwasan_test_shadow
vitalybuka: as this is hwasan test, you can use __hwasan_test_shadow, it's going to be simple: ```…
kstoimenovAuthorUnsubmitted
Done
ReplyInline Actions

Also added some extra checks. PTAL.

kstoimenov: Also added some extra checks. PTAL.
No newline at end of file
vitalybukaUnsubmitted
Done
ReplyInline Actions

please add __hwasan_test_shadow(r) just after munmap

vitalybuka: please add __hwasan_test_shadow(r) just after munmap
vitalybukaUnsubmitted
Done
ReplyInline Actions

and then tag again before mmap(r, FIXED

vitalybuka: and then tag again before mmap(r, FIXED