This is an archive of the discontinued LLVM Phabricator instance.

Differential D152893

[hwasan] Fixup mmap tagging regions
ClosedPublic

Authored by vitalybuka on Jun 14 2023, 1:11 AM.

Details

Reviewers
thurston
kstoimenov
Commits
rGad1dd7879326: [hwasan] Fixup mmap tagging regions

Diff Detail

Event Timeline

vitalybuka created this revision.Jun 14 2023, 1:11 AM
Herald added a project: Restricted Project. · View Herald TranscriptJun 14 2023, 1:11 AM
Herald added a subscriber: Enna1. · View Herald Transcript
vitalybuka requested review of this revision.Jun 14 2023, 1:11 AM
Herald added a project: Restricted Project. · View Herald TranscriptJun 14 2023, 1:11 AM
Herald added a subscriber: Restricted Project. · View Herald Transcript
vitalybuka updated this revision to Diff 531227.Jun 14 2023, 1:18 AM

update

vitalybuka added reviewers: thurston, kstoimenov.Jun 14 2023, 1:19 AM
Harbormaster completed remote builds in B238726: Diff 531227.Jun 14 2023, 1:51 AM
thurston added inline comments.Jun 14 2023, 9:12 AM
compiler-rt/lib/hwasan/hwasan_interceptors.cpp
233–236
if (IsAligned(beg, GetPageSize()))
  __hwasan::TagMemoryAligned(beg, RoundUpTo(length, GetPageSize()), 0);
int res = real_munmap(addr, length);
CHECK(IsAligned(beg, GetPageSize()) || (res != 0));

Why not CHECK(IsAligned) at the beginning, to avoid duplicating the check?

CHECK(IsAligned(beg, GetPageSize());
__hwasan::TagMemoryAligned(beg, RoundUpTo(length, GetPageSize()), 0);
int res = real_munmap(addr, length);
CHECK(res != 0);
thurston accepted this revision.Jun 14 2023, 9:18 AM
thurston added inline comments.
compiler-rt/lib/hwasan/hwasan_interceptors.cpp
233–236

Ignore my comment, just noticed it was 'CHECK(IsAligned(beg, GetPageSize()) || (res != 0));' not '&&'

This revision is now accepted and ready to land.Jun 14 2023, 9:18 AM
kstoimenov added inline comments.Jun 14 2023, 11:06 AM
compiler-rt/lib/hwasan/hwasan_interceptors.cpp
233

So if the pointer is not aligned we will not untag? Could you pease explain the logic?

vitalybuka added inline comments.Jun 14 2023, 11:26 AM
compiler-rt/lib/hwasan/hwasan_interceptors.cpp
233

So if the pointer is not aligned we will not untag? Could you pease explain the logic?

This part is confusing.

So if pointer misaligned, real_munmap should fail. So if we untag the shadow, memory will still be there.
Ideally for this issue it would be nice to tag after real_munmap, but it will cause a data race with other threads.

Maybe it's fine just round the region and and untag always.
WDYT?

kstoimenov added inline comments.Jun 14 2023, 2:56 PM
compiler-rt/lib/hwasan/hwasan_interceptors.cpp
233

We should verify that real_munmap fails when the pointer is miss

233

I've read the description of munmap and I think you you did makes sense. You should probably also add a check for valid memory similar to mmap. So the logic will be:

bool untagged = false;
if (Aligned(...) && MemIsApp(...) && length > 0) {
  Untag();
  untagged = true;
}

res = munmap(...)

// This might trigger under legitimate situation. For example the 
// address is owned by the app, aligned and length > 0, but it points 
// to memory which is not mapped. Should we fail at this point? 
if (untagged) CHECK(res == 0);
vitalybuka updated this revision to Diff 531542.Jun 14 2023, 3:23 PM

update

vitalybuka updated this revision to Diff 531551.Jun 14 2023, 3:29 PM

check length

vitalybuka updated this revision to Diff 531552.Jun 14 2023, 3:31 PM

format

This revision was landed with ongoing or failed builds.Jun 14 2023, 3:32 PM
Closed by commit rGad1dd7879326: [hwasan] Fixup mmap tagging regions (authored by vitalybuka). · Explain Why
This revision was automatically updated to reflect the committed changes.
vitalybuka added a commit: rGad1dd7879326: [hwasan] Fixup mmap tagging regions.
Harbormaster completed remote builds in B238982: Diff 531552.Jun 14 2023, 4:30 PM

Revision Contents

PathSize
compiler-rt/
lib/
hwasan/
28 lines
test/
hwasan/
TestCases/
27 lines

Diff 531554

compiler-rt/lib/hwasan/hwasan_interceptors.cpp

Show First 20 LinesShow All 178 Lines▼ Show 20 Linesstatic void *mmap_interceptor(Mmap real_mmap, void *addr, SIZE_T length,
int prot, int flags, int fd, OFF64_T offset) { int prot, int flags, int fd, OFF64_T offset) {
if (addr) { if (addr) {
if (flags & map_fixed) CHECK_EQ(addr, UntagPtr(addr)); if (flags & map_fixed) CHECK_EQ(addr, UntagPtr(addr));
addr = UntagPtr(addr); addr = UntagPtr(addr);
} }
SIZE_T rounded_length = RoundUpTo(length, GetPageSize()); SIZE_T rounded_length = RoundUpTo(length, GetPageSize());
void *end_addr = (char *)addr + (rounded_length - 1); void *end_addr = (char *)addr + (rounded_length - 1);
if (addr && (!MemIsApp(reinterpret_cast<uptr>(addr)) || if (addr && length &&
(!MemIsApp(reinterpret_cast<uptr>(addr)) ||
!MemIsApp(reinterpret_cast<uptr>(end_addr)))) { !MemIsApp(reinterpret_cast<uptr>(end_addr)))) {
// User requested an address that is incompatible with HWASan's // User requested an address that is incompatible with HWASan's
// memory layout. Use a different address if allowed, else fail. // memory layout. Use a different address if allowed, else fail.
if (flags & map_fixed) { if (flags & map_fixed) {
errno = errno_EINVAL; errno = errno_EINVAL;
return (void *)-1; return (void *)-1;
} else { } else {
addr = nullptr; addr = nullptr;
} }
} }
void *res = real_mmap(addr, length, prot, flags, fd, offset); void *res = real_mmap(addr, length, prot, flags, fd, offset);
if (res != (void *)-1) { if (length && res != (void *)-1) {
void *end_res = (char *)res + (rounded_length - 1); uptr beg = reinterpret_cast<uptr>(res);
if (!MemIsApp(reinterpret_cast<uptr>(res)) || DCHECK(IsAligned(beg, GetPageSize()));
!MemIsApp(reinterpret_cast<uptr>(end_res))) { if (!MemIsApp(beg) || !MemIsApp(beg + rounded_length - 1)) {
// Application has attempted to map more memory than is supported by // Application has attempted to map more memory than is supported by
// HWASan. Act as if we ran out of memory. // HWASan. Act as if we ran out of memory.
internal_munmap(res, length); internal_munmap(res, length);
errno = errno_ENOMEM; errno = errno_ENOMEM;
return (void *)-1; return (void *)-1;
} }
__hwasan::TagMemory(reinterpret_cast<uptr>(addr), length, 0); __hwasan::TagMemoryAligned(beg, rounded_length, 0);
} }
return res; return res;
} }
template <class Munmap> template <class Munmap>
static int munmap_interceptor(Munmap real_munmap, void *addr, SIZE_T length) { static int munmap_interceptor(Munmap real_munmap, void *addr, SIZE_T length) {
__hwasan::TagMemory(reinterpret_cast<uptr>(addr), length, 0); // We should not tag if munmap fail, but it's to late to tag after
// real_munmap, as the pages could be mmaped by another thread.
uptr beg = reinterpret_cast<uptr>(addr);
if (length && IsAligned(beg, GetPageSize())) {
SIZE_T rounded_length = RoundUpTo(length, GetPageSize());
// Protect from unmapping the shadow.
if (!MemIsApp(beg) || !MemIsApp(beg + rounded_length - 1)) {
errno = errno_EINVAL;
return -1;
}
__hwasan::TagMemoryAligned(beg, rounded_length, 0);
}
return real_munmap(addr, length); return real_munmap(addr, length);
} }
# define COMMON_INTERCEPTOR_MMAP_IMPL(ctx, mmap, addr, length, prot, flags, \ # define COMMON_INTERCEPTOR_MMAP_IMPL(ctx, mmap, addr, length, prot, flags, \
kstoimenovUnsubmitted
Not Done
ReplyInline Actions

So if the pointer is not aligned we will not untag? Could you pease explain the logic?

kstoimenov: So if the pointer is not aligned we will not untag? Could you pease explain the logic?
vitalybukaAuthorUnsubmitted
Done
ReplyInline Actions

So if the pointer is not aligned we will not untag? Could you pease explain the logic?

This part is confusing.

So if pointer misaligned, real_munmap should fail. So if we untag the shadow, memory will still be there.
Ideally for this issue it would be nice to tag after real_munmap, but it will cause a data race with other threads.

Maybe it's fine just round the region and and untag always.
WDYT?

vitalybuka: > So if the pointer is not aligned we will not untag? Could you pease explain the logic? This…
kstoimenovUnsubmitted
Not Done
ReplyInline Actions

We should verify that real_munmap fails when the pointer is miss

kstoimenov: We should verify that real_munmap fails when the pointer is miss
kstoimenovUnsubmitted
Not Done
ReplyInline Actions

I've read the description of munmap and I think you you did makes sense. You should probably also add a check for valid memory similar to mmap. So the logic will be:

bool untagged = false;
if (Aligned(...) && MemIsApp(...) && length > 0) {
  Untag();
  untagged = true;
}

res = munmap(...)

// This might trigger under legitimate situation. For example the 
// address is owned by the app, aligned and length > 0, but it points 
// to memory which is not mapped. Should we fail at this point? 
if (untagged) CHECK(res == 0);
kstoimenov: I've read the description of munmap and I think you you did makes sense. You should probably…
fd, offset) \ fd, offset) \
do { \ do { \
(void)(ctx); \ (void)(ctx); \
thurstonUnsubmitted
Not Done
ReplyInline Actions
if (IsAligned(beg, GetPageSize()))
  __hwasan::TagMemoryAligned(beg, RoundUpTo(length, GetPageSize()), 0);
int res = real_munmap(addr, length);
CHECK(IsAligned(beg, GetPageSize()) || (res != 0));

Why not CHECK(IsAligned) at the beginning, to avoid duplicating the check?

CHECK(IsAligned(beg, GetPageSize());
__hwasan::TagMemoryAligned(beg, RoundUpTo(length, GetPageSize()), 0);
int res = real_munmap(addr, length);
CHECK(res != 0);
thurston: ``` if (IsAligned(beg, GetPageSize())) __hwasan::TagMemoryAligned(beg, RoundUpTo(length…
thurstonUnsubmitted
Not Done
ReplyInline Actions

Ignore my comment, just noticed it was 'CHECK(IsAligned(beg, GetPageSize()) || (res != 0));' not '&&'

thurston: Ignore my comment, just noticed it was 'CHECK(IsAligned(beg, GetPageSize()) || (res != 0));'…
return mmap_interceptor(REAL(mmap), addr, sz, prot, flags, fd, off); \ return mmap_interceptor(REAL(mmap), addr, sz, prot, flags, fd, off); \
} while (false) } while (false)
# define COMMON_INTERCEPTOR_MUNMAP_IMPL(ctx, munmap, addr, length) \ # define COMMON_INTERCEPTOR_MUNMAP_IMPL(ctx, munmap, addr, length) \
do { \ do { \
(void)(ctx); \ (void)(ctx); \
return munmap_interceptor(REAL(munmap), addr, sz); \ return munmap_interceptor(REAL(munmap), addr, sz); \
} while (false) } while (false)
▲ Show 20 LinesShow All 305 LinesShow Last 20 Lines

compiler-rt/test/hwasan/TestCases/munmap.c

// RUN: %clang_hwasan %s -o %t // RUN: %clang_hwasan %s -o %t
// RUN: %run %t 2>&1 // RUN: %run %t 1 2>&1
// RUN: %run %t 2 2>&1
// REQUIRES: pointer-tagging // REQUIRES: pointer-tagging
#include <sanitizer/hwasan_interface.h> #include <sanitizer/hwasan_interface.h>
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <sys/mman.h> #include <sys/mman.h>
#include <unistd.h>
int main(int argc, char **argv) { int main(int argc, char **argv) {
const int kSize = 4096; const size_t kPS = sysconf(_SC_PAGESIZE);
const int kSize = kPS / atoi(argv[1]);
const int kTag = 47; const int kTag = 47;
// Get any mmaped pointer. // Get any mmaped pointer.
void *r = void *r =
mmap(0, kSize, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0); mmap(0, kSize, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0);
if (r == MAP_FAILED) { if (r == MAP_FAILED) {
perror("Failed to mmap: "); perror("Failed to mmap: ");
abort(); abort();
} }
// Check that the pointer is untagged. // Check that the pointer is untagged.
if (r != __hwasan_tag_pointer(r, 0)) { if (r != __hwasan_tag_pointer(r, 0)) {
fprintf(stderr, "Pointer returned by mmap should be untagged.\n"); fprintf(stderr, "Pointer returned by mmap should be untagged.\n");
abort(); abort();
} }
// Manually tag the pointer and the memory. // Manually tag the pointer and the memory.
__hwasan_tag_memory(r, kTag, kSize); __hwasan_tag_memory(r, kTag, kPS);
int *p1 = __hwasan_tag_pointer(r, kTag); int *p1 = __hwasan_tag_pointer(r, kTag);
// Check that the pointer and the tag match. // Check that the pointer and the tag match.
if (__hwasan_test_shadow(p1, kSize) != -1) { if (__hwasan_test_shadow(p1, kPS) != -1) {
fprintf(stderr, "Failed to tag.\n"); fprintf(stderr, "Failed to tag.\n");
abort(); abort();
} }
if (munmap((char *)r + 1, kSize) == 0) {
perror("munmap should fail: ");
abort();
}
if (__hwasan_test_shadow(p1, kPS) != -1) {
fprintf(stderr, "Still must be tagged.\n");
abort();
}
// First munmmap and then mmap the same pointer using MAP_FIXED. // First munmmap and then mmap the same pointer using MAP_FIXED.
if (munmap((char *)r, kSize) != 0) { if (munmap((char *)r, kSize) != 0) {
perror("Failed to unmap: "); perror("Failed to unmap: ");
abort(); abort();
} }
if (__hwasan_test_shadow(r, kSize) != -1) { if (__hwasan_test_shadow(r, kPS) != -1) {
fprintf(stderr, "Shadow memory was not cleaned by munmap.\n"); fprintf(stderr, "Shadow memory was not cleaned by munmap.\n");
abort(); abort();
} }
__hwasan_tag_memory(r, kTag, kSize); __hwasan_tag_memory(r, kTag, kPS);
int *p2 = (int *)mmap(r, kSize, PROT_READ | PROT_WRITE, int *p2 = (int *)mmap(r, kSize, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0); MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
// Check that the pointer has no tag in it. // Check that the pointer has no tag in it.
if (p2 != r) { if (p2 != r) {
fprintf(stderr, "The mmap pointer has a non-zero tag in it.\n"); fprintf(stderr, "The mmap pointer has a non-zero tag in it.\n");
abort(); abort();
} }
// Make sure we can access the shadow with an untagged pointer. // Make sure we can access the shadow with an untagged pointer.
if (__hwasan_test_shadow(p2, kSize) != -1) { if (__hwasan_test_shadow(p2, kPS) != -1) {
fprintf(stderr, "Shadow memory was not cleaned by mmap.\n"); fprintf(stderr, "Shadow memory was not cleaned by mmap.\n");
abort(); abort();
} }
return 0; return 0;
} }