This is an archive of the discontinued LLVM Phabricator instance.

Differential D18915

[sanitizer] [SystemZ] Abort if the kernel might be vulnerable to CVE-2016-2143.
ClosedPublic

Authored by koriakin on Apr 8 2016, 5:00 PM.

Details

Reviewers
glider
samsonov
uweigand
eugenis
rsmith
Commits
rGc8dda336bbb7: [sanitizer] [SystemZ] Abort if the kernel might be vulnerable to CVE-2016-2143.
rCRT266297: [sanitizer] [SystemZ] Abort if the kernel might be vulnerable to CVE-2016-2143.
rL266297: [sanitizer] [SystemZ] Abort if the kernel might be vulnerable to CVE-2016-2143.
Summary

In short, CVE-2016-2143 will crash the machine if a process uses both >4TB
virtual addresses and fork(). ASan, TSan, and MSan will, by necessity, map
a sizable chunk of virtual address space, which is much larger than 4TB.
Even worse, sanitizers will always use fork() for llvm-symbolizer when a bug
is detected. Disable all three by aborting on process initialization if
the running kernel version is not known to contain a fix.

Unfortunately, there's no reliable way to detect the fix without crashing
the kernel. So, we rely on whitelisting - I've included a list of upstream
kernel versions that will work. In case someone uses a distribution kernel
or applied the fix themselves, an override switch is also included.

Diff Detail

Repository
rL LLVM

Event Timeline

koriakin updated this revision to Diff 53104.Apr 8 2016, 5:00 PM
koriakin retitled this revision from to [sanitizer] [SystemZ] Abort if the kernel might be vulnerable to CVE-2016-2143..
koriakin updated this object.
koriakin added reviewers: uweigand, eugenis, rsmith, samsonov.
koriakin set the repository for this revision to rL LLVM.
koriakin added a project: Restricted Project.
koriakin added a subscriber: llvm-commits.
glider added a subscriber: glider.Apr 12 2016, 7:09 AM

Note that 32-bit ASan process doesn't map >4Tb memory.

koriakin added a comment.Apr 12 2016, 9:04 AM
In D18915#398325, @glider wrote:

Note that 32-bit ASan process doesn't map >4Tb memory.

Yes, this is why the ifdefs are all for s390x, not for s390.

glider accepted this revision.Apr 12 2016, 10:16 AM
glider added a reviewer: glider.

The code looks good.
We may want to introduce some InitializeCommon() in sanitizer_common() to avoid putting common code in every tool, but maybe this can be done next time such a need arises.

This revision is now accepted and ready to land.Apr 12 2016, 10:16 AM
koriakin added a comment.Apr 12 2016, 10:37 AM
In D18915#398580, @glider wrote:

The code looks good.
We may want to introduce some InitializeCommon() in sanitizer_common() to avoid putting common code in every tool, but maybe this can be done next time such a need arises.

The thing is, we don't want this check for every sanitizer - only for sanitizers that reserve a good fraction of the address space (so UBSan and safestack are fine, LSan might be too - I haven't looked at it yet). Is there such a distinction somewhere already?

glider added a comment.Apr 12 2016, 10:38 AM

Nope, there isn't, and adding it will be an overkill indeed.

Closed by commit rL266297: [sanitizer] [SystemZ] Abort if the kernel might be vulnerable to CVE-2016-2143. (authored by koriakin). · Explain WhyApr 14 2016, 6:02 AM
This revision was automatically updated to reflect the committed changes.
kcc added a subscriber: kcc.Apr 15 2016, 9:42 AM

So many ifdefs are bad, please don't do this. (this applies to this patch, and others)
Instead, please have a s390-specific (or SystemZ-specific) file that will define some functions (and also define those functions for everyone else as empty)
and then call those functions.

koriakin mentioned this in D19576: [sanitizer] [SystemZ] Abort if the kernel might be vulnerable to CVE-2016-2143..Apr 26 2016, 7:08 PM

Revision Contents

PathSize
compiler-rt/
trunk/
lib/
asan/
7 lines
msan/
7 lines
sanitizer_common/
5 lines
67 lines
tsan/
rtl/
3 lines

Diff 53699

compiler-rt/trunk/lib/asan/asan_rtl.cc

Show All 21 Lines
#include "asan_report.h" #include "asan_report.h"
#include "asan_stack.h" #include "asan_stack.h"
#include "asan_stats.h" #include "asan_stats.h"
#include "asan_suppressions.h" #include "asan_suppressions.h"
#include "asan_thread.h" #include "asan_thread.h"
#include "sanitizer_common/sanitizer_atomic.h" #include "sanitizer_common/sanitizer_atomic.h"
#include "sanitizer_common/sanitizer_flags.h" #include "sanitizer_common/sanitizer_flags.h"
#include "sanitizer_common/sanitizer_libc.h" #include "sanitizer_common/sanitizer_libc.h"
#if defined(__s390x__) && defined(__linux__)
// For AvoidCVE_2016_2143.
#include "sanitizer_common/sanitizer_linux.h"
#endif
#include "sanitizer_common/sanitizer_symbolizer.h" #include "sanitizer_common/sanitizer_symbolizer.h"
#include "lsan/lsan_common.h" #include "lsan/lsan_common.h"
#include "ubsan/ubsan_init.h" #include "ubsan/ubsan_init.h"
#include "ubsan/ubsan_platform.h" #include "ubsan/ubsan_platform.h"
int __asan_option_detect_stack_use_after_return; // Global interface symbol. int __asan_option_detect_stack_use_after_return; // Global interface symbol.
uptr *__asan_test_only_reported_buggy_pointer; // Used only for testing asan. uptr *__asan_test_only_reported_buggy_pointer; // Used only for testing asan.
▲ Show 20 LinesShow All 372 Lines▼ Show 20 Linesstatic void AsanInitInternal() {
CacheBinaryName(); CacheBinaryName();
// Initialize flags. This must be done early, because most of the // Initialize flags. This must be done early, because most of the
// initialization steps look at flags(). // initialization steps look at flags().
InitializeFlags(); InitializeFlags();
AsanCheckIncompatibleRT(); AsanCheckIncompatibleRT();
AsanCheckDynamicRTPrereqs(); AsanCheckDynamicRTPrereqs();
#if defined(__s390x__) && defined(__linux__)
AvoidCVE_2016_2143();
#endif
SetCanPoisonMemory(flags()->poison_heap); SetCanPoisonMemory(flags()->poison_heap);
SetMallocContextSize(common_flags()->malloc_context_size); SetMallocContextSize(common_flags()->malloc_context_size);
InitializeHighMemEnd(); InitializeHighMemEnd();
// Make sure we are not statically linked. // Make sure we are not statically linked.
AsanDoesNotSupportStaticLinkage(); AsanDoesNotSupportStaticLinkage();
▲ Show 20 LinesShow All 205 LinesShow Last 20 Lines

compiler-rt/trunk/lib/msan/msan.cc

Show All 16 Lines
#include "msan_origin.h" #include "msan_origin.h"
#include "msan_thread.h" #include "msan_thread.h"
#include "msan_poisoning.h" #include "msan_poisoning.h"
#include "sanitizer_common/sanitizer_atomic.h" #include "sanitizer_common/sanitizer_atomic.h"
#include "sanitizer_common/sanitizer_common.h" #include "sanitizer_common/sanitizer_common.h"
#include "sanitizer_common/sanitizer_flags.h" #include "sanitizer_common/sanitizer_flags.h"
#include "sanitizer_common/sanitizer_flag_parser.h" #include "sanitizer_common/sanitizer_flag_parser.h"
#include "sanitizer_common/sanitizer_libc.h" #include "sanitizer_common/sanitizer_libc.h"
#if defined(__s390x__) && defined(__linux__)
// For AvoidCVE_2016_2143.
#include "sanitizer_common/sanitizer_linux.h"
#endif
#include "sanitizer_common/sanitizer_procmaps.h" #include "sanitizer_common/sanitizer_procmaps.h"
#include "sanitizer_common/sanitizer_stacktrace.h" #include "sanitizer_common/sanitizer_stacktrace.h"
#include "sanitizer_common/sanitizer_symbolizer.h" #include "sanitizer_common/sanitizer_symbolizer.h"
#include "sanitizer_common/sanitizer_stackdepot.h" #include "sanitizer_common/sanitizer_stackdepot.h"
#include "ubsan/ubsan_flags.h" #include "ubsan/ubsan_flags.h"
#include "ubsan/ubsan_init.h" #include "ubsan/ubsan_init.h"
// ACHTUNG! No system header includes in this file. // ACHTUNG! No system header includes in this file.
▲ Show 20 LinesShow All 337 Lines▼ Show 20 Lines
} }
void __msan_init() { void __msan_init() {
CHECK(!msan_init_is_running); CHECK(!msan_init_is_running);
if (msan_inited) return; if (msan_inited) return;
msan_init_is_running = 1; msan_init_is_running = 1;
SanitizerToolName = "MemorySanitizer"; SanitizerToolName = "MemorySanitizer";
#if defined(__s390x__) && defined(__linux__)
AvoidCVE_2016_2143();
#endif
InitTlsSize(); InitTlsSize();
CacheBinaryName(); CacheBinaryName();
InitializeFlags(); InitializeFlags();
__sanitizer_set_report_path(common_flags()->log_path); __sanitizer_set_report_path(common_flags()->log_path);
InitializeInterceptors(); InitializeInterceptors();
▲ Show 20 LinesShow All 252 LinesShow Last 20 Lines

compiler-rt/trunk/lib/sanitizer_common/sanitizer_linux.h

Show First 20 LinesShow All 77 Lines▼ Show 20 Lines
uptr ThreadSelfOffset(); uptr ThreadSelfOffset();
// Matches a library's file name against a base name (stripping path and version // Matches a library's file name against a base name (stripping path and version
// information). // information).
bool LibraryNameIs(const char *full_name, const char *base_name); bool LibraryNameIs(const char *full_name, const char *base_name);
// Call cb for each region mapped by map. // Call cb for each region mapped by map.
void ForEachMappedRegion(link_map *map, void (*cb)(const void *, uptr)); void ForEachMappedRegion(link_map *map, void (*cb)(const void *, uptr));
#ifdef __s390x__
// Aborts the process if running on a kernel without a fix for CVE-2016-2143.
void AvoidCVE_2016_2143();
#endif
} // namespace __sanitizer } // namespace __sanitizer
#endif // SANITIZER_FREEBSD || SANITIZER_LINUX #endif // SANITIZER_FREEBSD || SANITIZER_LINUX
#endif // SANITIZER_LINUX_H #endif // SANITIZER_LINUX_H

compiler-rt/trunk/lib/sanitizer_common/sanitizer_linux.cc

Show First 20 LinesShow All 50 Lines▼ Show 20 Lines
#include <sched.h> #include <sched.h>
#include <sys/mman.h> #include <sys/mman.h>
#include <sys/ptrace.h> #include <sys/ptrace.h>
#include <sys/resource.h> #include <sys/resource.h>
#include <sys/stat.h> #include <sys/stat.h>
#include <sys/syscall.h> #include <sys/syscall.h>
#include <sys/time.h> #include <sys/time.h>
#include <sys/types.h> #include <sys/types.h>
#include <sys/utsname.h>
#include <ucontext.h> #include <ucontext.h>
#include <unistd.h> #include <unistd.h>
#if SANITIZER_FREEBSD #if SANITIZER_FREEBSD
#include <sys/exec.h> #include <sys/exec.h>
#include <sys/sysctl.h> #include <sys/sysctl.h>
#include <vm/vm_param.h> #include <vm/vm_param.h>
#include <vm/pmap.h> #include <vm/pmap.h>
▲ Show 20 LinesShow All 1,274 Lines▼ Show 20 Lines
# error "Unsupported arch" # error "Unsupported arch"
#endif #endif
} }
void MaybeReexec() { void MaybeReexec() {
// No need to re-exec on Linux. // No need to re-exec on Linux.
} }
#ifdef __s390x__
static bool FixedCVE_2016_2143() {
// Try to determine if the running kernel has a fix for CVE-2016-2143,
// return false if in doubt (better safe than sorry). Distros may want to
// adjust this for their own kernels.
struct utsname buf;
unsigned int major, minor, patch = 0;
// This should never fail, but just in case...
if (uname(&buf))
return false;
char *ptr = buf.release;
major = internal_simple_strtoll(ptr, &ptr, 10);
// At least first 2 should be matched.
if (ptr[0] != '.')
return false;
minor = internal_simple_strtoll(ptr+1, &ptr, 10);
// Third is optional.
if (ptr[0] == '.')
patch = internal_simple_strtoll(ptr+1, &ptr, 10);
if (major < 3) {
// <3.0 is bad.
return false;
} else if (major == 3) {
// 3.2.79+ is OK.
if (minor == 2 && patch >= 79)
return true;
// Otherwise, bad.
return false;
} else if (major == 4) {
// 4.1.21+ is OK.
if (minor == 1 && patch >= 21)
return true;
// 4.4.6+ is OK.
if (minor == 4 && patch >= 6)
return true;
// Otherwise, OK if 4.5+.
return minor >= 5;
} else {
// Linux 5 and up are fine.
return true;
}
}
void AvoidCVE_2016_2143() {
// Older kernels are affected by CVE-2016-2143 - they will crash hard
// if someone uses 4-level page tables (ie. virtual addresses >= 4TB)
// and fork() in the same process. Unfortunately, sanitizers tend to
// require such addresses. Since this is very likely to crash the whole
// machine (sanitizers themselves use fork() for llvm-symbolizer, for one),
// abort the process at initialization instead.
if (FixedCVE_2016_2143())
return;
if (GetEnv("SANITIZER_IGNORE_CVE_2016_2143"))
return;
Report(
"ERROR: Your kernel seems to be vulnerable to CVE-2016-2143. Using ASan,\n"
"MSan or TSan with such kernel can and will crash your machine, or worse.\n"
"\n"
"If you are certain your kernel is not vulnerable (you have compiled it\n"
"yourself, are are using an unrecognized distribution kernel), you can\n"
"override this safety check by exporting SANITIZER_IGNORE_CVE_2016_2143\n"
"with any value.\n");
Die();
}
#endif
} // namespace __sanitizer } // namespace __sanitizer
#endif // SANITIZER_FREEBSD || SANITIZER_LINUX #endif // SANITIZER_FREEBSD || SANITIZER_LINUX

compiler-rt/trunk/lib/tsan/rtl/tsan_platform_linux.cc

Show First 20 LinesShow All 241 Lines▼ Show 20 Lines#endif
CHECK_LT(g_data_start, g_data_end); CHECK_LT(g_data_start, g_data_end);
CHECK_GE((uptr)&g_data_start, g_data_start); CHECK_GE((uptr)&g_data_start, g_data_start);
CHECK_LT((uptr)&g_data_start, g_data_end); CHECK_LT((uptr)&g_data_start, g_data_end);
} }
#endif // #ifndef SANITIZER_GO #endif // #ifndef SANITIZER_GO
void InitializePlatformEarly() { void InitializePlatformEarly() {
#ifdef __s390x__
AvoidCVE_2016_2143();
#endif
#ifdef TSAN_RUNTIME_VMA #ifdef TSAN_RUNTIME_VMA
vmaSize = vmaSize =
(MostSignificantSetBitIndex(GET_CURRENT_FRAME()) + 1); (MostSignificantSetBitIndex(GET_CURRENT_FRAME()) + 1);
#if defined(__aarch64__) #if defined(__aarch64__)
if (vmaSize != 39 && vmaSize != 42) { if (vmaSize != 39 && vmaSize != 42) {
Printf("FATAL: ThreadSanitizer: unsupported VMA range\n"); Printf("FATAL: ThreadSanitizer: unsupported VMA range\n");
Printf("FATAL: Found %d - Supported 39 and 42\n", vmaSize); Printf("FATAL: Found %d - Supported 39 and 42\n", vmaSize);
Die(); Die();
▲ Show 20 LinesShow All 191 LinesShow Last 20 Lines