Download Raw Diff

Details

Reviewers

vitalybuka
thurston

Commits

rGfba9fd1afa70: [HWASAN] Implement munmap interceptor for HWASAN

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

kstoimenov created this revision.Jun 12 2023, 5:25 PM

Herald added a project: Restricted Project. · View Herald TranscriptJun 12 2023, 5:25 PM

Herald added a subscriber: Enna1. · View Herald Transcript

kstoimenov requested review of this revision.Jun 12 2023, 5:25 PM

Herald added a project: Restricted Project. · View Herald TranscriptJun 12 2023, 5:25 PM

Herald added a subscriber: Restricted Project. · View Herald Transcript

Updated comment.

Updated order.

kstoimenov added reviewers: vitalybuka, thurston.Jun 12 2023, 5:28 PM

thurston added inline comments.Jun 12 2023, 5:34 PM

compiler-rt/lib/hwasan/hwasan_interceptors.cpp
216	HWASan's mmap interceptor does not tag memory or allow MAP_FIXED with a tagged address, so there should be no need to zero-tag memory in the munmap interceptor. (To the extent that zero-tagging fixes anything, it means there is a bug elsewhere.)

thurston added inline comments.Jun 12 2023, 5:36 PM

compiler-rt/test/hwasan/TestCases/munmap.c
25	What is the purpose of testing that this works? Tagging the pointer and memory for an mmap'ed allocation is not something that should happen in practice.

Harbormaster completed remote builds in B238358: Diff 530731.Jun 12 2023, 5:48 PM

kstoimenov added inline comments.Jun 13 2023, 9:16 AM

compiler-rt/test/hwasan/TestCases/munmap.c
25	Here is my understanding of what is going on. Feel free to double-check with vitalybuka@. While we investigated a bug we figured out that the area for the stack is mmaped. After that HWASAN tags that memory during execution from instrumented code to detect UAR. What happens after that the process uses vfork to spawn a child process where we get the tag mismatch error. The reason is that the memory is unmmaped in the child process without being untagged and then the next mmap request returns the same memory with tagged shadow memory.

thurston added inline comments.Jun 13 2023, 9:42 AM

compiler-rt/test/hwasan/TestCases/munmap.c
25	Wouldn't it be better to zero-tag the memory in the mmap interceptor, rather than the munmap interceptor? It would mean that un-mmap'ed pages would continue to be protected against illegal accesses, until such time that the memory is actually reused by mmap.

Fixed unmap.

Harbormaster completed remote builds in B238587: Diff 531025.Jun 13 2023, 1:08 PM

we need the same for Asan, in a separate patch

compiler-rt/lib/hwasan/hwasan_interceptors.cpp
208	Let's do __hwasan::TagMemoryAligned(reinterpret_cast<uptr>(addr), length, 0); here as well
compiler-rt/test/hwasan/TestCases/munmap.c
25	pages are already protected as they are not mapped, so you'll get segv TagMemoryAligned(...0) will also release unused physical pages I guess it will not hurt to zero tag in mmap as well. Reason is that some user code can mmap/munmap avoiding our interceptors, so these two checkpoints to fix them up
30	as this is hwasan test, you can use __hwasan_test_shadow, it's going to be simple: __hwasan_tag_memory mmap(fixed) __hwasan_test_shadow __hwasan_tag_memory munmap __hwasan_test_shadow

Updated the test.

kstoimenov marked an inline comment as done.Jun 13 2023, 3:57 PM

kstoimenov added inline comments.

compiler-rt/test/hwasan/TestCases/munmap.c
30	Also added some extra checks. PTAL.

Harbormaster completed remote builds in B238640: Diff 531100.Jun 13 2023, 4:18 PM

vitalybuka added inline comments.Jun 13 2023, 4:52 PM

compiler-rt/lib/hwasan/hwasan_interceptors.cpp
210	it need to be under if (res != (void *)-1) {
compiler-rt/test/hwasan/TestCases/munmap.c
43	please add __hwasan_test_shadow(r) just after munmap
43	and then tag again before mmap(r, FIXED

LGTM with fixes above

vitalybuka accepted this revision.Jun 13 2023, 4:52 PM

This revision is now accepted and ready to land.Jun 13 2023, 4:52 PM

Address comments.

kstoimenov marked 3 inline comments as done.Jun 13 2023, 5:11 PM

Harbormaster completed remote builds in B238654: Diff 531119.Jun 13 2023, 5:34 PM

vitalybuka accepted this revision.Jun 13 2023, 7:29 PM

Updated to TagMem.

This revision was landed with ongoing or failed builds.Jun 13 2023, 10:37 PM

Closed by commit rGfba9fd1afa70: [HWASAN] Implement munmap interceptor for HWASAN (authored by kstoimenov). · Explain Why

This revision was automatically updated to reflect the committed changes.

kstoimenov added a commit: rGfba9fd1afa70: [HWASAN] Implement munmap interceptor for HWASAN.

Harbormaster completed remote builds in B238695: Diff 531172.Jun 13 2023, 10:50 PM

Breaks the build bot. Will fix forward.

This revision is now accepted and ready to land.Jun 14 2023, 7:25 AM

Switched to unaligned.

Will submit as separate patch.

kstoimenov mentioned this in rGceab8e3af7d8: [HWASAN] Fix bot test failure caused by D152763 by switching to.Jun 14 2023, 7:57 AM

Harbormaster completed remote builds in B238809: Diff 531333.Jun 14 2023, 8:12 AM

Diff 530731

compiler-rt/lib/hwasan/hwasan_interceptors.cpp

Show First 20 Lines • Show All 199 Lines • ▼ Show 20 Lines	if (res != (void *)-1) {
void end_res = (char )res + (rounded_length - 1);		void end_res = (char )res + (rounded_length - 1);
if (!MemIsApp(reinterpret_cast<uptr>(res)) \|\|		if (!MemIsApp(reinterpret_cast<uptr>(res)) \|\|
!MemIsApp(reinterpret_cast<uptr>(end_res))) {		!MemIsApp(reinterpret_cast<uptr>(end_res))) {
// Application has attempted to map more memory than is supported by		// Application has attempted to map more memory than is supported by
// HWASan. Act as if we ran out of memory.		// HWASan. Act as if we ran out of memory.
internal_munmap(res, length);		internal_munmap(res, length);
errno = errno_ENOMEM;		errno = errno_ENOMEM;
return (void *)-1;		return (void *)-1;
}		}
		vitalybukaUnsubmitted Done Reply Inline Actions Let's do __hwasan::TagMemoryAligned(reinterpret_cast<uptr>(addr), length, 0); here as well vitalybuka: Let's do __hwasan::TagMemoryAligned(reinterpret_cast<uptr>(addr), length, 0); here as well
}		}

		vitalybukaUnsubmitted Done Reply Inline Actions it need to be under if (res != (void )-1) { vitalybuka:* it need to be under if (res != (void *)-1) {
return res;		return res;
}		}

		template <class Munmap>
		static int munmap_interceptor(Munmap real_munmap, void *addr, SIZE_T length) {
		__hwasan::TagMemoryAligned(reinterpret_cast<uptr>(addr), length, 0);
		thurstonUnsubmitted Not Done Reply Inline Actions HWASan's mmap interceptor does not tag memory or allow MAP_FIXED with a tagged address, so there should be no need to zero-tag memory in the munmap interceptor. (To the extent that zero-tagging fixes anything, it means there is a bug elsewhere.) thurston: HWASan's mmap interceptor does not tag memory or allow MAP_FIXED with a tagged address, so…
		return real_munmap(addr, length);
		}

# define COMMON_INTERCEPTOR_MMAP_IMPL(ctx, mmap, addr, length, prot, flags, \		# define COMMON_INTERCEPTOR_MMAP_IMPL(ctx, mmap, addr, length, prot, flags, \
fd, offset) \		fd, offset) \
do { \		do { \
(void)(ctx); \		(void)(ctx); \
return mmap_interceptor(REAL(mmap), addr, sz, prot, flags, fd, off); \		return mmap_interceptor(REAL(mmap), addr, sz, prot, flags, fd, off); \
} while (false)		} while (false)

		# define COMMON_INTERCEPTOR_MUNMAP_IMPL(ctx, mmap, addr, length) \
		do { \
		(void)(ctx); \
		return munmap_interceptor(REAL(mmap), addr, sz); \
		} while (false)

# include "sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc"		# include "sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc"
# include "sanitizer_common/sanitizer_common_interceptors.inc"		# include "sanitizer_common/sanitizer_common_interceptors.inc"

struct ThreadStartArg {		struct ThreadStartArg {
__sanitizer_sigset_t starting_sigset_;		__sanitizer_sigset_t starting_sigset_;
};		};

static void HwasanThreadStartFunc(void arg) {		static void HwasanThreadStartFunc(void arg) {
▲ Show 20 Lines • Show All 296 Lines • Show Last 20 Lines

compiler-rt/test/hwasan/TestCases/munmap.c

This file was added.

				// RUN: %clang_hwasan %s -o %t
				// RUN: %run %t 2>&1

				// REQUIRES: aarch64-target-arch

				#include <sanitizer/hwasan_interface.h>
				#include <stdio.h>
				#include <stdlib.h>
				#include <sys/mman.h>

				int main(int argc, char **argv) {
				int size = 4096;
				int tag = 74;
				int val = 42;
				void *r = mmap(NULL, size, PROT_READ \| PROT_WRITE, MAP_ANON \| MAP_PRIVATE,
				-1, 0);
				if (r == MAP_FAILED) {
				fprintf(stderr, "Failed to mmap\n");
				abort();
				}
				int *p1 = __hwasan_tag_pointer(r, tag);
				__hwasan_tag_memory(r, tag, size);
				*p1 = 42;
				munmap(r, size);
				// Remap the same address and make sure we can access it with a tagged pointer.
				thurstonUnsubmitted Not Done Reply Inline Actions What is the purpose of testing that this works? Tagging the pointer and memory for an mmap'ed allocation is not something that should happen in practice. thurston: What is the purpose of testing that this works? Tagging the pointer and memory for an mmap'ed…
				kstoimenovAuthorUnsubmitted Done Reply Inline Actions Here is my understanding of what is going on. Feel free to double-check with vitalybuka@. While we investigated a bug we figured out that the area for the stack is mmaped. After that HWASAN tags that memory during execution from instrumented code to detect UAR. What happens after that the process uses vfork to spawn a child process where we get the tag mismatch error. The reason is that the memory is unmmaped in the child process without being untagged and then the next mmap request returns the same memory with tagged shadow memory. kstoimenov: Here is my understanding of what is going on. Feel free to double-check with vitalybuka@. While…
				thurstonUnsubmitted Not Done Reply Inline Actions Wouldn't it be better to zero-tag the memory in the mmap interceptor, rather than the munmap interceptor? It would mean that un-mmap'ed pages would continue to be protected against illegal accesses, until such time that the memory is actually reused by mmap. thurston: Wouldn't it be better to zero-tag the memory in the mmap interceptor, rather than the munmap…
				vitalybukaUnsubmitted Not Done Reply Inline Actions pages are already protected as they are not mapped, so you'll get segv TagMemoryAligned(...0) will also release unused physical pages I guess it will not hurt to zero tag in mmap as well. Reason is that some user code can mmap/munmap avoiding our interceptors, so these two checkpoints to fix them up vitalybuka: pages are already protected as they are not mapped, so you'll get segv TagMemoryAligned(...0)…
				int p2 = (int) mmap(r, size, PROT_READ \| PROT_WRITE, MAP_ANON \| MAP_PRIVATE,
				-1, 0);
				*p2 = 42;
				return 0;
				}
				vitalybukaUnsubmitted Done Reply Inline Actions as this is hwasan test, you can use __hwasan_test_shadow, it's going to be simple: __hwasan_tag_memory mmap(fixed) __hwasan_test_shadow __hwasan_tag_memory munmap __hwasan_test_shadow vitalybuka: as this is hwasan test, you can use __hwasan_test_shadow, it's going to be simple: ```…
				kstoimenovAuthorUnsubmitted Done Reply Inline Actions Also added some extra checks. PTAL. kstoimenov: Also added some extra checks. PTAL.
				No newline at end of file
				vitalybukaUnsubmitted Done Reply Inline Actions please add __hwasan_test_shadow(r) just after munmap vitalybuka: please add __hwasan_test_shadow(r) just after munmap
				vitalybukaUnsubmitted Done Reply Inline Actions and then tag again before mmap(r, FIXED vitalybuka: and then tag again before mmap(r, FIXED

This is an archive of the discontinued LLVM Phabricator instance.

[HWASAN] Implement munmap interceptor for HWASAN
ClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 530731

compiler-rt/lib/hwasan/hwasan_interceptors.cpp

compiler-rt/test/hwasan/TestCases/munmap.c

This is an archive of the discontinued LLVM Phabricator instance.

[HWASAN] Implement munmap interceptor for HWASANClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 530731

compiler-rt/lib/hwasan/hwasan_interceptors.cpp

compiler-rt/test/hwasan/TestCases/munmap.c

[HWASAN] Implement munmap interceptor for HWASAN
ClosedPublic