This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lib/
-
cfi/
-
cfi.cc
-
ubsan/
-
ubsan_handlers.h
-
ubsan_handlers.cc
-
ubsan_handlers_cxx.cc
-
test/cfi/
-
cfi/
-
cross-dso/
6
target_out_of_bounds.cpp
1/3
target_uninstrumented.cpp

Differential D16824

[cfi] Safe handling of unaddressable vtable pointers (compiler-rt).
ClosedPublic

Authored by eugenis on Feb 2 2016, 2:18 PM.

Download Raw Diff

Details

Reviewers

kcc
samsonov
pcc

Summary

Avoid crashing when printing diagnostics for vtable-related CFI
errors. In diagnostic mode, the frontend does an additional check of
the vtable pointer against the set of all known vtable addresses and
lets the runtime handler know if it is safe to inspect the vtable.

Diff Detail

Repository: rL LLVM

Event Timeline

eugenis updated this revision to Diff 46704.Feb 2 2016, 2:18 PM

eugenis retitled this revision from to [cfi] Safe handling of unaddressable vtable pointers (compiler-rt)..

eugenis updated this object.

eugenis added reviewers: pcc, kcc.

eugenis set the repository for this revision to rL LLVM.

eugenis added a subscriber: llvm-commits.

eugenis added a reviewer: samsonov.Feb 3 2016, 11:40 AM

LGTM

This revision is now accepted and ready to land.Feb 3 2016, 11:47 AM

I have comments.

This revision now requires changes to proceed.Feb 3 2016, 11:48 AM

This regresses the case where the target vtable is uninstrumented. Please add a test case showing that we at least print the name of the module in that case.

pcc added inline comments.Feb 3 2016, 11:56 AM

test/cfi/cross-dso/target_out_of_bounds.cpp
42	Why not just `memset(p, 0, sizeof(A));`?
52–56	Likewise `memset(p, 0xFE, sizeof(A));`

eugenis added inline comments.Feb 3 2016, 12:24 PM

test/cfi/cross-dso/target_out_of_bounds.cpp
42	Because that would test a different thing.
52–56	That, again, would be quite different. This code is testing an invalid TypeInfo pointer, not an invalid vptr.

pcc added inline comments.Feb 3 2016, 12:34 PM

test/cfi/cross-dso/target_out_of_bounds.cpp
42	Okay, I see. Please give the variables better names to make this code less confusing. Same for the other block. Please also change the loops to just an assignment of the vtable pointer.

added the module name to the invalid-vtable report

LGTM with nit

test/cfi/target_uninstrumented.cpp
34	Shouldn't you check specifically that the name matches the DSO name? Maybe have your test output to `%T/target-uninstrumented.so` and have this match against that?

This revision is now accepted and ready to land.Feb 3 2016, 2:05 PM

eugenis updated this revision to Diff 46837.Feb 3 2016, 2:13 PM

eugenis edited edge metadata.

eugenis added inline comments.

test/cfi/cross-dso/target_out_of_bounds.cpp
42	done
test/cfi/target_uninstrumented.cpp
34	I've made the check a bit stricter. I don't think there is any benefit in making it stricter than that, and it could make the test fragile.

pcc added inline comments.Feb 3 2016, 2:15 PM

test/cfi/target_uninstrumented.cpp
36	`%T` gives you a directory name so you can just have your test output to a subpath of that like in my example and you won't have any of the `tmp` stuff in your path name.

lgtm

http://llvm.org/viewvc/llvm-project?rev=259717&view=rev

Revision Contents

Path

Size

lib/

cfi/

cfi.cc

2 lines

ubsan/

ubsan_handlers.h

4 lines

ubsan_handlers.cc

14 lines

ubsan_handlers_cxx.cc

17 lines

test/

cfi/

cross-dso/

target_out_of_bounds.cpp

58 lines

target_uninstrumented.cpp

44 lines

Diff 46833

lib/cfi/cfi.cc

Show First 20 Lines • Show All 301 Lines • ▼ Show 20 Lines	ALWAYS_INLINE void CfiSlowPathCommon(u64 CallSiteTypeId, void *Ptr,
uptr Addr = (uptr)Ptr;		uptr Addr = (uptr)Ptr;
VReport(3, "__cfi_slowpath: %llx, %p\n", CallSiteTypeId, Ptr);		VReport(3, "__cfi_slowpath: %llx, %p\n", CallSiteTypeId, Ptr);
ShadowValue sv = ShadowValue::load(Addr);		ShadowValue sv = ShadowValue::load(Addr);
if (sv.is_invalid()) {		if (sv.is_invalid()) {
VReport(1, "CFI: invalid memory region for a check target: %p\n", Ptr);		VReport(1, "CFI: invalid memory region for a check target: %p\n", Ptr);
#ifdef CFI_ENABLE_DIAG		#ifdef CFI_ENABLE_DIAG
if (DiagData) {		if (DiagData) {
__ubsan_handle_cfi_check_fail(		__ubsan_handle_cfi_check_fail(
reinterpret_cast<__ubsan::CFICheckFailData *>(DiagData), Addr);		reinterpret_cast<__ubsan::CFICheckFailData *>(DiagData), Addr, false);
return;		return;
}		}
#endif		#endif
Trap();		Trap();
}		}
if (sv.is_unchecked()) {		if (sv.is_unchecked()) {
VReport(2, "CFI: unchecked call (shadow=FFFF): %p\n", Ptr);		VReport(2, "CFI: unchecked call (shadow=FFFF): %p\n", Ptr);
return;		return;
▲ Show 20 Lines • Show All 102 Lines • Show Last 20 Lines

lib/ubsan/ubsan_handlers.h

	Show First 20 Lines • Show All 159 Lines • ▼ Show 20 Lines

	struct CFICheckFailData {			struct CFICheckFailData {
	CFITypeCheckKind CheckKind;			CFITypeCheckKind CheckKind;
	SourceLocation Loc;			SourceLocation Loc;
	const TypeDescriptor &Type;			const TypeDescriptor &Type;
	};			};

	/// \brief Handle control flow integrity failures.			/// \brief Handle control flow integrity failures.
	RECOVERABLE(cfi_check_fail, CFICheckFailData *Data, ValueHandle Function)			RECOVERABLE(cfi_check_fail, CFICheckFailData *Data, ValueHandle Function,
				uptr VtableIsValid)
	}			}

	#endif // UBSAN_HANDLERS_H			#endif // UBSAN_HANDLERS_H

lib/ubsan/ubsan_handlers.cc

Show First 20 Lines • Show All 545 Lines • ▼ Show 20 Lines	if (!FName)
FName = "(unknown)";		FName = "(unknown)";
Diag(FLoc, DL_Note, "%0 defined here") << FName;		Diag(FLoc, DL_Note, "%0 defined here") << FName;
}		}

namespace __ubsan {		namespace __ubsan {
#ifdef UBSAN_CAN_USE_CXXABI		#ifdef UBSAN_CAN_USE_CXXABI
SANITIZER_WEAK_ATTRIBUTE		SANITIZER_WEAK_ATTRIBUTE
void HandleCFIBadType(CFICheckFailData *Data, ValueHandle Vtable,		void HandleCFIBadType(CFICheckFailData *Data, ValueHandle Vtable,
ReportOptions Opts);		bool ValidVtable, ReportOptions Opts);
#else		#else
static void HandleCFIBadType(CFICheckFailData *Data, ValueHandle Vtable,		static void HandleCFIBadType(CFICheckFailData *Data, ValueHandle Vtable,
ReportOptions Opts) {		bool ValidVtable, ReportOptions Opts) {
Die();		Die();
}		}
#endif		#endif
} // namespace __ubsan		} // namespace __ubsan

void __ubsan::__ubsan_handle_cfi_check_fail(CFICheckFailData *Data,		void __ubsan::__ubsan_handle_cfi_check_fail(CFICheckFailData *Data,
ValueHandle Value) {		ValueHandle Value,
		uptr ValidVtable) {
GET_REPORT_OPTIONS(false);		GET_REPORT_OPTIONS(false);
if (Data->CheckKind == CFITCK_ICall)		if (Data->CheckKind == CFITCK_ICall)
handleCFIBadIcall(Data, Value, Opts);		handleCFIBadIcall(Data, Value, Opts);
else		else
HandleCFIBadType(Data, Value, Opts);		HandleCFIBadType(Data, Value, ValidVtable, Opts);
}		}

void __ubsan::__ubsan_handle_cfi_check_fail_abort(CFICheckFailData *Data,		void __ubsan::__ubsan_handle_cfi_check_fail_abort(CFICheckFailData *Data,
ValueHandle Value) {		ValueHandle Value,
		uptr ValidVtable) {
GET_REPORT_OPTIONS(true);		GET_REPORT_OPTIONS(true);
if (Data->CheckKind == CFITCK_ICall)		if (Data->CheckKind == CFITCK_ICall)
handleCFIBadIcall(Data, Value, Opts);		handleCFIBadIcall(Data, Value, Opts);
else		else
HandleCFIBadType(Data, Value, Opts);		HandleCFIBadType(Data, Value, ValidVtable, Opts);
Die();		Die();
}		}

#endif // CAN_SANITIZE_UB		#endif // CAN_SANITIZE_UB

lib/ubsan/ubsan_handlers_cxx.cc

Show First 20 Lines • Show All 84 Lines • ▼ Show 20 Lines	void __ubsan::__ubsan_handle_dynamic_type_cache_miss_abort(
// Note: -fsanitize=vptr is always recoverable.		// Note: -fsanitize=vptr is always recoverable.
GET_REPORT_OPTIONS(false);		GET_REPORT_OPTIONS(false);
if (HandleDynamicTypeCacheMiss(Data, Pointer, Hash, Opts))		if (HandleDynamicTypeCacheMiss(Data, Pointer, Hash, Opts))
Die();		Die();
}		}

namespace __ubsan {		namespace __ubsan {
void HandleCFIBadType(CFICheckFailData *Data, ValueHandle Vtable,		void HandleCFIBadType(CFICheckFailData *Data, ValueHandle Vtable,
ReportOptions Opts) {		bool ValidVtable, ReportOptions Opts) {
SourceLocation Loc = Data->Loc.acquire();		SourceLocation Loc = Data->Loc.acquire();
ErrorType ET = ErrorType::CFIBadType;		ErrorType ET = ErrorType::CFIBadType;

if (ignoreReport(Loc, Opts, ET))		if (ignoreReport(Loc, Opts, ET))
return;		return;

ScopedReport R(Opts, Loc, ET);		ScopedReport R(Opts, Loc, ET);
DynamicTypeInfo DTI = getDynamicTypeInfoFromVtable((void *)Vtable);		DynamicTypeInfo DTI = ValidVtable
		? getDynamicTypeInfoFromVtable((void *)Vtable)
		: DynamicTypeInfo(0, 0, 0);

const char *CheckKindStr;		const char *CheckKindStr;
switch (Data->CheckKind) {		switch (Data->CheckKind) {
case CFITCK_VCall:		case CFITCK_VCall:
CheckKindStr = "virtual call";		CheckKindStr = "virtual call";
break;		break;
case CFITCK_NVCall:		case CFITCK_NVCall:
CheckKindStr = "non-virtual call";		CheckKindStr = "non-virtual call";
break;		break;
case CFITCK_DerivedCast:		case CFITCK_DerivedCast:
CheckKindStr = "base-to-derived cast";		CheckKindStr = "base-to-derived cast";
break;		break;
case CFITCK_UnrelatedCast:		case CFITCK_UnrelatedCast:
CheckKindStr = "cast to unrelated type";		CheckKindStr = "cast to unrelated type";
break;		break;
case CFITCK_ICall:		case CFITCK_ICall:
Die();		Die();
}		}

Diag(Loc, DL_Error, "control flow integrity check for type %0 failed during "		Diag(Loc, DL_Error, "control flow integrity check for type %0 failed during "
"%1 (vtable address %2)")		"%1 (vtable address %2)")
<< Data->Type << CheckKindStr << (void *)Vtable;		<< Data->Type << CheckKindStr << (void *)Vtable;

// If possible, say what type it actually points to.		// If possible, say what type it actually points to.
if (!DTI.isValid())		if (!DTI.isValid()) {
Diag(Vtable, DL_Note, "invalid vtable");		const char *module = Symbolizer::GetOrInit()->GetModuleNameForPc(Vtable);
		if (module)
		Diag(Vtable, DL_Note, "invalid vtable in module %0") << module;
else		else
		Diag(Vtable, DL_Note, "invalid vtable");
		} else {
Diag(Vtable, DL_Note, "vtable is of type %0")		Diag(Vtable, DL_Note, "vtable is of type %0")
<< TypeName(DTI.getMostDerivedTypeName());		<< TypeName(DTI.getMostDerivedTypeName());
}		}
		}
} // namespace __ubsan		} // namespace __ubsan

#endif // CAN_SANITIZE_UB		#endif // CAN_SANITIZE_UB

test/cfi/cross-dso/target_out_of_bounds.cpp

	// RUN: %clangxx_cfi_dso_diag %s -o %t			// RUN: %clangxx_cfi_dso_diag -std=c++11 %s -o %t
	// RUN: %expect_crash %t 2>&1 \| FileCheck %s			// RUN: %t zero 2>&1 \| FileCheck --check-prefix=CHECK-ZERO %s
				// RUN: %t unaddressable 2>&1 \| FileCheck --check-prefix=CHECK-UNADDR %s
				// RUN: %t 2>&1 \| FileCheck --check-prefix=CHECK-TYPEINFO %s

				// RUN: %clangxx_cfi_diag -std=c++11 %s -o %t2
				// RUN: %t2 zero 2>&1 \| FileCheck --check-prefix=CHECK-ZERO %s
				// RUN: %t2 unaddressable 2>&1 \| FileCheck --check-prefix=CHECK-UNADDR %s
				// RUN: %t2 2>&1 \| FileCheck --check-prefix=CHECK-TYPEINFO %s

	// REQUIRES: cxxabi			// REQUIRES: cxxabi

	#include <stdio.h>			#include <stdio.h>
	#include <stdint.h>			#include <stdint.h>
	#include <stdlib.h>			#include <stdlib.h>
	#include <string.h>			#include <string.h>
				#include <sys/mman.h>

	struct A {			struct A {
	virtual void f();			virtual void f();
	};			};

	void A::f() {}			void A::f() {}

	int main(int argc, char *argv[]) {			int main(int argc, char *argv[]) {
	// Create an object with a vtable outside of any known DSO, but still in an
	// addressable area. Current implementation of handlers in UBSan is not robust
	// enough to handle unaddressable vtables. TODO: fix this.
	void *empty = calloc(1, 128);
	uintptr_t v = (uintptr_t)empty + 64;
	char volatile p = reinterpret_cast<char >(new A());			char volatile p = reinterpret_cast<char >(new A());
	for (uintptr_t q = (uintptr_t )p; q < (uintptr_t *)(p + sizeof(A)); ++q)			if (argc > 1 && strcmp(argv[1], "unaddressable") == 0) {
	*q = v;			void *vtable = mmap(nullptr, 4096, PROT_NONE, MAP_PRIVATE \| MAP_ANONYMOUS, 0, 0);
				// Create an object with a vtable in an unaddressable memory region.
				(uintptr_t )p = (uintptr_t)vtable + 64;
				// CHECK-UNADDR: runtime error: control flow integrity check for type 'A' failed during cast
				// CHECK-UNADDR: note: invalid vtable
				// CHECK-UNADDR: <memory cannot be printed>
				// CHECK-UNADDR: runtime error: control flow integrity check for type 'A' failed during cast
				// CHECK-UNADDR: note: invalid vtable
				// CHECK-UNADDR: <memory cannot be printed>
				} else if (argc > 1 && strcmp(argv[1], "zero") == 0) {
				// Create an object with a vtable outside of any known DSO, but still in an
				// addressable area.
				void *vtable = calloc(1, 128);
				(uintptr_t )p = (uintptr_t)vtable + 64;
				// CHECK-ZERO: runtime error: control flow integrity check for type 'A' failed during cast
				pccUnsubmitted Not Done Reply Inline Actions Why not just `memset(p, 0, sizeof(A));`? pcc: Why not just `memset(p, 0, sizeof(A));`?
				eugenisAuthorUnsubmitted Not Done Reply Inline Actions Because that would test a different thing. eugenis: Because that would test a different thing.
				pccUnsubmitted Not Done Reply Inline Actions Okay, I see. Please give the variables better names to make this code less confusing. Same for the other block. Please also change the loops to just an assignment of the vtable pointer. pcc: Okay, I see. Please give the variables better names to make this code less confusing. Same for…
				eugenisAuthorUnsubmitted Not Done Reply Inline Actions done eugenis: done
				// CHECK-ZERO: note: invalid vtable
				// CHECK-ZERO: 00 00 00 00 00 00 00 00
				// CHECK-ZERO: runtime error: control flow integrity check for type 'A' failed during cast
				// CHECK-ZERO: note: invalid vtable
				// CHECK-ZERO: 00 00 00 00 00 00 00 00
				} else {
				// Create an object with a seemingly fine vtable, but with an unaddressable
				// typeinfo pointer.
				void *vtable = calloc(1, 128);
				memset(vtable, 0xFE, 128);
				(uintptr_t )p = (uintptr_t)vtable + 64;
				// CHECK-TYPEINFO: runtime error: control flow integrity check for type 'A' failed during cast
				// CHECK-TYPEINFO: note: invalid vtable
				// CHECK-TYPEINFO: fe fe fe fe fe fe fe fe
				pccUnsubmitted Not Done Reply Inline Actions Likewise `memset(p, 0xFE, sizeof(A));` pcc: Likewise `memset(p, 0xFE, sizeof(A));`
				eugenisAuthorUnsubmitted Not Done Reply Inline Actions That, again, would be quite different. This code is testing an invalid TypeInfo pointer, not an invalid vptr. eugenis: That, again, would be quite different. This code is testing an invalid TypeInfo pointer, not an…
				// CHECK-TYPEINFO: runtime error: control flow integrity check for type 'A' failed during cast
				// CHECK-TYPEINFO: note: invalid vtable
				// CHECK-TYPEINFO: fe fe fe fe fe fe fe fe
				}

	// CHECK: runtime error: control flow integrity check for type 'A' failed during cast
	A volatile pa = reinterpret_cast<A >(p);			A volatile pa = reinterpret_cast<A >(p);
				pa = reinterpret_cast<A *>(p);
	// CHECK: untime error: control flow integrity check for type 'A' failed during virtual call
	pa->f();
	}			}

test/cfi/target_uninstrumented.cpp

This file was added.

				// RUN: %clangxx -g -DSHARED_LIB %s -fPIC -shared -o %t-so.so
				// RUN: %clangxx_cfi_diag -g %s -o %t %t-so.so
				// RUN: %t 2>&1 \| FileCheck %s

				// REQUIRES: cxxabi

				#include <stdio.h>
				#include <string.h>

				struct A {
				virtual void f();
				};

				void *create_B();

				#ifdef SHARED_LIB

				struct B {
				virtual void f();
				};
				void B::f() {}

				void *create_B() {
				return (void *)(new B());
				}

				#else

				void A::f() {}

				int main(int argc, char *argv[]) {
				void *p = create_B();
				// CHECK: runtime error: control flow integrity check for type 'A' failed during cast to unrelated type
				// CHECK: invalid vtable in module {{.*}}target_uninstrumented
				pccUnsubmitted Not Done Reply Inline Actions Shouldn't you check specifically that the name matches the DSO name? Maybe have your test output to `%T/target-uninstrumented.so` and have this match against that? pcc: Shouldn't you check specifically that the name matches the DSO name? Maybe have your test…
				eugenisAuthorUnsubmitted Not Done Reply Inline Actions I've made the check a bit stricter. I don't think there is any benefit in making it stricter than that, and it could make the test fragile. eugenis: I've made the check a bit stricter. I don't think there is any benefit in making it stricter…
				A a = (A )p;
				memset(p, 0, sizeof(A));
				pccUnsubmitted Done Reply Inline Actions `%T` gives you a directory name so you can just have your test output to a subpath of that like in my example and you won't have any of the `tmp` stuff in your path name. pcc: `%T` gives you a directory name so you can just have your test output to a subpath of that like…
				// CHECK: runtime error: control flow integrity check for type 'A' failed during cast to unrelated type
				// CHECK-NOT: invalid vtable in module
				// CHECK: invalid vtable
				a = (A *)p;
				// CHECK: done
				fprintf(stderr, "done %p\n", a);
				}
				#endif