This is an archive of the discontinued LLVM Phabricator instance.

Differential D152942

[scudo] Validate flags in MemMap and ReservedMemory methods
AbandonedPublic

Authored by fabio-d on Jun 14 2023, 11:44 AM.

Details

Reviewers
Chia-hungDuan

Diff Detail

Event Timeline

fabio-d created this revision.Jun 14 2023, 11:44 AM
Herald added a project: Restricted Project. · View Herald TranscriptJun 14 2023, 11:44 AM
Herald added subscribers: yaneury, Chia-hungDuan, Enna1. · View Herald Transcript
fabio-d requested review of this revision.Jun 14 2023, 11:44 AM
Herald added a project: Restricted Project. · View Herald TranscriptJun 14 2023, 11:44 AM
Herald added a subscriber: Restricted Project. · View Herald Transcript
fabio-d added a reviewer: Chia-hungDuan.Jun 14 2023, 11:52 AM

I've allowlisted only the flags the the underlying methods actually accept in at least one platform.

The MAP_RESIZABLE flag is only meaningful on Fuchsia and we'll probably be able to get rid of it in the new design, but we have to keep it for now as it's used by the legacy implementation.

Chia-hungDuan added a comment.Jun 14 2023, 11:57 AM

I would suggest this kind of checks to be in the platform specific implementations

fabio-d added a comment.Jun 14 2023, 12:01 PM

Uhm, why? I think that it's super useful to add them here, so that if you want to know if you can pass a given flag when you call these methods you only have one place to look at. If these checks were in platform-specific code, you'd have to look in three different places (and hope that they don't contradict each other).

Harbormaster completed remote builds in B238895: Diff 531445.Jun 14 2023, 12:07 PM
Chia-hungDuan added a comment.Jun 14 2023, 12:25 PM
In D152942#4422214, @fabio-d wrote:

Uhm, why? I think that it's super useful to add them here, so that if you want to know if you can pass a given flag when you call these methods you only have one place to look at. If these checks were in platform-specific code, you'd have to look in three different places (and hope that they don't contradict each other).

If a flag is used or if it's valid, only can be verified on each platform. AllowedMapFlags doesn't guarantee it'll work on each platform. Like you mentioned, MAP_RESIZABLE is only meaningful on Fuchsia so far, what if it gets passed in a wrong place, when do we know that is causing problem? I think it still needs to wait until its running on Fuchsia. If a flag is not used anymore, we should just remove it. So the AllowedMapFlags is simply the flags you have defined.

I do want to clean up the map flags in common.h, for this case, I would only move those flags to mem_map_base.h

fabio-d added a comment.Jun 14 2023, 2:30 PM
In D152942#4422240, @Chia-hungDuan wrote:

If a flag is used or if it's valid, only can be verified on each platform. AllowedMapFlags doesn't guarantee it'll work on each platform.

Yes, AllowedMapFlags does not guarantee that each flag is supported on _every_ platform. Maybe we'll get there when we fully implement the new backends, but I agree that today it is not the case.

The idea in this CL is simply to validate that callers are not doing anything spectacularly wrong (e.g. passing garbage values) and, at the same time, document what flags platforms may consider implementing (today, if you wanted to implement a new platform backend, the only way to know for sure what flags you might receive is to grep all the callers).

The way I see it is that these are the flags that callers are allowed to pass. How/if they actually they are translated into syscalls depends on the platform.

Like you mentioned, MAP_RESIZABLE is only meaningful on Fuchsia so far, what if it gets passed in a wrong place, when do we know that is causing problem? I think it still needs to wait until its running on Fuchsia.

What I'm proposing in this CL is simply to assert that MAP_RESIZABLE is a valid flag to pass to map and remap. That's it. The actual implementation is still free to ignore it.

If linux.cpp and trusty.cpp had assertions stating that MAP_RESIZABLE is *not* acceptable, we would have to change primary64.h:772, which I think we agree is not a wrong place to use this flag. A similar line of reasoning applies to MAP_PRECOMMIT and, until D152888 lands, to MAP_ALLOWNOMEM too.

fabio-d updated this revision to Diff 531731.Jun 15 2023, 6:54 AM

After discussing offline, I've removed the checks for map and remap and only left them for methods that only accept a subset of the flags (MemMap::setMemoryPermission and ReservedMemory::create)

Harbormaster completed remote builds in B239111: Diff 531731.Jun 15 2023, 7:18 AM
Chia-hungDuan requested changes to this revision.Sep 25 2023, 9:28 AM

I still don't think the DCHECK here is useful. As mentioned, whether a flag has a meaning depends on the platform. It doesn't bring much benefit at the abstraction layer.

This revision now requires changes to proceed.Sep 25 2023, 9:28 AM
fabio-d added a comment.Sep 26 2023, 8:54 AM

Even only the checks that I've left? e.g. what's the meaning of calling setMemoryPermission with any flag except MAP_NOACCESS?

Chia-hungDuan added a comment.Sep 26 2023, 3:11 PM
In D152942#4650944, @fabio-d wrote:

Even only the checks that I've left? e.g. what's the meaning of calling setMemoryPermission with any flag except MAP_NOACCESS?

We may think a different question first, what will happen if we call setMemoryPermission with the flags other than MAP_NOACCESS? This flags are read by bit checking and if a certain flag has no meaning on the certain platforms, it does nothing. It doesn't cause any *critical* issues. Given that the meaning of a flag is pretty platform dependent, if we do need this kind of check, it should be done at platform specific side. You may always ignore some flags on a platform. If we call setMemoryPermission with a flag that has no meaning on all platforms, then we should avoid the submission of that change at the first place.

I would suggest having this kind of checks when we have some real cases that are caused by redundant flags.

fabio-d abandoned this revision.Oct 3 2023, 8:25 AM

Revision Contents

PathSize
compiler-rt/
lib/
scudo/
standalone/
9 lines

Diff 531445

compiler-rt/lib/scudo/standalone/mem_map_base.h

Show All 19 Lines
template <class Derived> class MemMapBase { template <class Derived> class MemMapBase {
public: public:
constexpr MemMapBase() = default; constexpr MemMapBase() = default;
// This is used to map a new set of contiguous pages. Note that the `Addr` is // This is used to map a new set of contiguous pages. Note that the `Addr` is
// only a suggestion to the system. // only a suggestion to the system.
bool map(uptr Addr, uptr Size, const char *Name, uptr Flags = 0) { bool map(uptr Addr, uptr Size, const char *Name, uptr Flags = 0) {
DCHECK(!isAllocated()); DCHECK(!isAllocated());
DCHECK_EQ(Flags & ~AllowedMapFlags, 0);
return invokeImpl(&Derived::mapImpl, Addr, Size, Name, Flags); return invokeImpl(&Derived::mapImpl, Addr, Size, Name, Flags);
} }
// This is used to unmap partial/full pages from the beginning or the end. // This is used to unmap partial/full pages from the beginning or the end.
// I.e., the result pages are expected to be still contiguous. // I.e., the result pages are expected to be still contiguous.
void unmap(uptr Addr, uptr Size) { void unmap(uptr Addr, uptr Size) {
DCHECK(isAllocated()); DCHECK(isAllocated());
DCHECK((Addr == getBase()) || (Addr + Size == getBase() + getCapacity())); DCHECK((Addr == getBase()) || (Addr + Size == getBase() + getCapacity()));
invokeImpl(&Derived::unmapImpl, Addr, Size); invokeImpl(&Derived::unmapImpl, Addr, Size);
} }
// This is used to remap a mapped range (either from map() or dispatched from // This is used to remap a mapped range (either from map() or dispatched from
// ReservedMemory). For example, we have reserved several pages and then we // ReservedMemory). For example, we have reserved several pages and then we
// want to remap them with different accessibility. // want to remap them with different accessibility.
bool remap(uptr Addr, uptr Size, const char *Name, uptr Flags = 0) { bool remap(uptr Addr, uptr Size, const char *Name, uptr Flags = 0) {
DCHECK(isAllocated()); DCHECK(isAllocated());
DCHECK((Addr >= getBase()) && (Addr + Size <= getBase() + getCapacity())); DCHECK((Addr >= getBase()) && (Addr + Size <= getBase() + getCapacity()));
DCHECK_EQ(Flags & ~AllowedMapFlags, 0);
return invokeImpl(&Derived::remapImpl, Addr, Size, Name, Flags); return invokeImpl(&Derived::remapImpl, Addr, Size, Name, Flags);
} }
// This is used to update the pages' access permission. For example, mark // This is used to update the pages' access permission. For example, mark
// pages as no read/write permission. // pages as no read/write permission.
void setMemoryPermission(uptr Addr, uptr Size, uptr Flags) { void setMemoryPermission(uptr Addr, uptr Size, uptr Flags) {
DCHECK(isAllocated()); DCHECK(isAllocated());
DCHECK((Addr >= getBase()) && (Addr + Size <= getBase() + getCapacity())); DCHECK((Addr >= getBase()) && (Addr + Size <= getBase() + getCapacity()));
DCHECK_EQ(Flags & ~MAP_NOACCESS, 0);
return static_cast<Derived *>(this)->setMemoryPermissionImpl(Addr, Size, return static_cast<Derived *>(this)->setMemoryPermissionImpl(Addr, Size,
Flags); Flags);
} }
// Suggest releasing a set of contiguous physical pages back to the OS. Note // Suggest releasing a set of contiguous physical pages back to the OS. Note
// that only physical pages are supposed to be released. Any release of // that only physical pages are supposed to be released. Any release of
// virtual pages may lead to undefined behavior. // virtual pages may lead to undefined behavior.
void releasePagesToOS(uptr From, uptr Size) { void releasePagesToOS(uptr From, uptr Size) {
Show All 14 Linespublic:
bool isAllocated() { return getBase() != 0U; } bool isAllocated() { return getBase() != 0U; }
protected: protected:
template <typename R, typename... Args> template <typename R, typename... Args>
R invokeImpl(R (Derived::*MemFn)(Args...), Args... args) { R invokeImpl(R (Derived::*MemFn)(Args...), Args... args) {
return (static_cast<Derived *>(this)->*MemFn)(args...); return (static_cast<Derived *>(this)->*MemFn)(args...);
} }
private:
static const uptr AllowedMapFlags = MAP_ALLOWNOMEM | MAP_NOACCESS |
MAP_MEMTAG | MAP_PRECOMMIT |
MAP_RESIZABLE;
}; };
// `ReservedMemory` is a special memory handle which can be viewed as a page // `ReservedMemory` is a special memory handle which can be viewed as a page
// allocator. `ReservedMemory` will reserve a contiguous pages and the later // allocator. `ReservedMemory` will reserve a contiguous pages and the later
// page request can be fulfilled at the designated address. This is used when // page request can be fulfilled at the designated address. This is used when
// we want to ensure the virtual address of the MemMap will be in a known range. // we want to ensure the virtual address of the MemMap will be in a known range.
// This is implemented in CRTP, so for each // This is implemented in CRTP, so for each
// implementation, it has to implement all of the 'Impl' named functions. // implementation, it has to implement all of the 'Impl' named functions.
template <class Derived, typename MemMapTy> class ReservedMemory { template <class Derived, typename MemMapTy> class ReservedMemory {
public: public:
using MemMapT = MemMapTy; using MemMapT = MemMapTy;
constexpr ReservedMemory() = default; constexpr ReservedMemory() = default;
// Reserve a chunk of memory at a suggested address. // Reserve a chunk of memory at a suggested address.
bool create(uptr Addr, uptr Size, const char *Name, uptr Flags = 0) { bool create(uptr Addr, uptr Size, const char *Name, uptr Flags = 0) {
DCHECK(!isCreated()); DCHECK(!isCreated());
DCHECK_EQ(Flags & ~MAP_ALLOWNOMEM, 0);
return invokeImpl(&Derived::createImpl, Addr, Size, Name, Flags); return invokeImpl(&Derived::createImpl, Addr, Size, Name, Flags);
} }
// Release the entire reserved memory. // Release the entire reserved memory.
void release() { void release() {
DCHECK(isCreated()); DCHECK(isCreated());
invokeImpl(&Derived::releaseImpl); invokeImpl(&Derived::releaseImpl);
} }
Show All 24 Lines