This is an archive of the discontinued LLVM Phabricator instance.

Differential D159518

[lsan][fuchsia] Add extra check for allocator cache to avoid overflow
ClosedPublic

Authored by leonardchan on Sep 14 2023, 3:19 PM.

Details

Reviewers
phosek
mcgrathr
Commits
rG4db6803dc799: [lsan][fuchsia] Add extra check for allocator cache to avoid overflow
Summary

Prior to this, we would check if the end of the allocator cache was located before the end of the chunk passed to the tls check. However, if the actual allocator cache comes after the end of the chunk, then the sub in the end - params->allocator_caches[i] bit overflows. Since the resulting type is an unsigned uptr, this is not UB, but if the signed result would be a negative value (ie. end < params->allocator_caches[i]) then this will actually result in a very large unsigned value much bigger than the compared sizeof(AllocatorCache) which will almost always be true. This can cause ScanRangeForPointers to accept incorrect values: a begin pointing to some address, and params->allocator_caches[i] pointing to some much larger address way past the end of the chunk which can result in a page fault/stack overflow.

Diff Detail

Event Timeline

leonardchan created this revision.Sep 14 2023, 3:19 PM
Herald added a project: Restricted Project. · View Herald TranscriptSep 14 2023, 3:19 PM
Herald added subscribers: Enna1, abrachet. · View Herald Transcript
leonardchan requested review of this revision.Sep 14 2023, 3:19 PM
Harbormaster completed remote builds in B257251: Diff 556816.Sep 14 2023, 3:49 PM
phosek accepted this revision.Sep 14 2023, 4:02 PM

LGTM

This revision is now accepted and ready to land.Sep 14 2023, 4:02 PM
Closed by commit rG4db6803dc799: [lsan][fuchsia] Add extra check for allocator cache to avoid overflow (authored by leonardchan). · Explain WhySep 14 2023, 4:05 PM
This revision was automatically updated to reflect the committed changes.
leonardchan added a commit: rG4db6803dc799: [lsan][fuchsia] Add extra check for allocator cache to avoid overflow.

Revision Contents

PathSize
compiler-rt/
lib/
lsan/
1 line

Diff 556818

compiler-rt/lib/lsan/lsan_common_fuchsia.cpp

Show First 20 LinesShow All 113 Lines▼ Show 20 Linesvoid LockStuffAndStopTheWorld(StopTheWorldCallback callback,
// variables as well as C11 tss_set and POSIX pthread_setspecific. // variables as well as C11 tss_set and POSIX pthread_setspecific.
auto tls = +[](void *chunk, size_t size, void *data) { auto tls = +[](void *chunk, size_t size, void *data) {
auto params = static_cast<const Params *>(data); auto params = static_cast<const Params *>(data);
uptr begin = reinterpret_cast<uptr>(chunk); uptr begin = reinterpret_cast<uptr>(chunk);
uptr end = begin + size; uptr end = begin + size;
auto i = __sanitizer::InternalLowerBound(params->allocator_caches, begin); auto i = __sanitizer::InternalLowerBound(params->allocator_caches, begin);
if (i < params->allocator_caches.size() && if (i < params->allocator_caches.size() &&
params->allocator_caches[i] >= begin && params->allocator_caches[i] >= begin &&
params->allocator_caches[i] <= end &&
end - params->allocator_caches[i] >= sizeof(AllocatorCache)) { end - params->allocator_caches[i] >= sizeof(AllocatorCache)) {
// Split the range in two and omit the allocator cache within. // Split the range in two and omit the allocator cache within.
ScanRangeForPointers(begin, params->allocator_caches[i], ScanRangeForPointers(begin, params->allocator_caches[i],
&params->argument->frontier, "TLS", kReachable); &params->argument->frontier, "TLS", kReachable);
uptr begin2 = params->allocator_caches[i] + sizeof(AllocatorCache); uptr begin2 = params->allocator_caches[i] + sizeof(AllocatorCache);
ScanRangeForPointers(begin2, end, &params->argument->frontier, "TLS", ScanRangeForPointers(begin2, end, &params->argument->frontier, "TLS",
kReachable); kReachable);
} else { } else {
Show All 38 Lines