This is an archive of the discontinued LLVM Phabricator instance.

Differential D20084

[sanitizer] Initial implementation of a Hardened Allocator
ClosedPublic

Authored by cryptoad on May 9 2016, 3:13 PM.

Details

Reviewers
kcc
vitalybuka
glider
krasin
dvyukov
eugenis
pcc
aizatsky
Commits
rG712fc9803a4d: [sanitizer] Initial implementation of a Hardened Allocator
rCRT271968: [sanitizer] Initial implementation of a Hardened Allocator
rL271968: [sanitizer] Initial implementation of a Hardened Allocator
Summary

This is an initial implementation of a Hardened Allocator based on Sanitizer Common's CombinedAllocator.
It aims at mitigating heap based vulnerabilities by adding several features to the base allocator, while staying relatively fast.
The following were implemented:

  • additional consistency checks on the allocation function parameters and on the heap chunks;
  • use of checksum protected chunk header, to detect corruption;
  • randomness to the allocator base;
  • delayed freelist (quarantine), to mitigate use after free and overall determinism.

Additional mitigations are in the works.

Diff Detail

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
vitalybuka added inline comments.May 11 2016, 12:05 PM
projects/compiler-rt/lib/hardened_allocator/scudo_allocator.cc
53 ↗(On Diff #56926)

enum ChunkState : u8 {

ChunkAvailible  = 0,

};

80 ↗(On Diff #56926)

I see why you need 128bit for structure.
Why do you need u128 type for 2 bit members?

309 ↗(On Diff #56926)

could be removed?

406 ↗(On Diff #56926)

no Die?

543 ↗(On Diff #56926)

maybe remove temp variable?

projects/compiler-rt/lib/hardened_allocator/scudo_allocator.h
57 ↗(On Diff #56926)

QuarantineSizeMb;

70 ↗(On Diff #56926)

const uptr AllocatorSpace =

72 ↗(On Diff #56926)

static is not needed

83 ↗(On Diff #56926)

scudoMalloc(uptr Size, AllocType AllocType)

kcc added inline comments.May 11 2016, 1:51 PM
projects/compiler-rt/lib/hardened_allocator/scudo_allocator.cc
80 ↗(On Diff #56926)

I actually like it this way. The intent is more clear.

cryptoad updated this revision to Diff 56965.May 11 2016, 2:37 PM
cryptoad marked 19 inline comments as done.

Resolving the issues raised in the new batch of comments.
Started renaming the variables, functions, etc, to be compliant with the LLVM coding standards.

docs/HardenedAllocator.rst
88 ↗(On Diff #56926)

I would have to check that.

projects/compiler-rt/lib/hardened_allocator/scudo_allocator.cc
406 ↗(On Diff #56926)

Good catch!

glider added inline comments.May 12 2016, 5:30 AM
projects/compiler-rt/lib/hardened_allocator/scudo_allocator.cc
13 ↗(On Diff #56965)

Please either elaborate what other "various security improvements" are there, or remove that phrase.

115 ↗(On Diff #56965)

I would've started with a handwritten crc32 implementation and bother with hardware support only iff it's performance-critical (don't think it is)

161 ↗(On Diff #56965)

Shouldn't the success memory order be __ATOMIC_RELEASE?

175 ↗(On Diff #56965)

Please remind if Scudo is going to be used together with any of the sanitizers.
If yes, the destructor magic won't probably work as intended, because other tools also play with it.

262 ↗(On Diff #56965)

Are we going to target 32-bit systems? This is gonna overflow uptr on x86.

278 ↗(On Diff #56965)

Despite SSE 4.2 may be quite common at Google, I don't think it's a good idea to bail out if it's unsupported.
Note TestCPUFeature() doesn't work on AMD processors yet.

435 ↗(On Diff #56965)

So remove it, maybe?

projects/compiler-rt/lib/hardened_allocator/scudo_allocator.h
1 ↗(On Diff #56965)

I don't insist much, but I think either the library name should be "scudo" instead of "hardened_allocator", or the names of the files under hardened_allocator/ should start with "hardened_allocator_"

projects/compiler-rt/lib/hardened_allocator/scudo_flags.inc
29 ↗(On Diff #56965)

Feature request: filling the chunk context with a nonzero byte.

projects/compiler-rt/lib/hardened_allocator/scudo_utils.cc
1 ↗(On Diff #56965)

Do the build configs prevent this file from being built on ARM?

32 ↗(On Diff #56965)

Do you really need the subleaf parameter now?

39 ↗(On Diff #56965)

I believe requiring certain Intel CPU models in order for the allocator to work isn't a good idea.

57 ↗(On Diff #56965)

Note this is thread-unsafe. Not sure if that matters here, but still.

84 ↗(On Diff #56965)

Why not use a bool here?

86 ↗(On Diff #56965)

Usually a "k" prefix denotes a constant. If you're going to change it, that's just a regular variable named "has_rd_rand" (or something like that)

93 ↗(On Diff #56965)

Please move this call inside the loop below.

104 ↗(On Diff #56965)

Is this problem that severe that we want to abort?
Note that we don't abort if the CPU doesn't support rdrand.

109 ↗(On Diff #56965)

My gut feeling is that XORing rdtsc and the time since epoch is actually reducing the entropy, not increasing it. Any idea if that's true?
Also, do we really need a dependency on std::chrono?

projects/compiler-rt/lib/hardened_allocator/scudo_utils.h
50 ↗(On Diff #56965)

GetSeed is unused.

58 ↗(On Diff #56965)

These "a", "b", "c" comments don't help :(
Please remove them.

projects/compiler-rt/test/hardened_allocator/alignment.cc
13 ↗(On Diff #56965)

alignment is unused.

projects/compiler-rt/test/hardened_allocator/init.cc
1 ↗(On Diff #56965)

Do you really need this test?

projects/compiler-rt/test/hardened_allocator/malloc.cc
1 ↗(On Diff #56965)

Each test must have comments that describe its purpose.

projects/compiler-rt/test/hardened_allocator/mismatch.cc
2 ↗(On Diff #56965)

FYI you can use --check-prefix to write more test-specific CHECK directives.

26 ↗(On Diff #56965)

Nit: spare newline

projects/compiler-rt/test/hardened_allocator/quarantine.cc
15 ↗(On Diff #56965)

You should probably add nullptr checks to other allocations in other tests.

projects/compiler-rt/test/hardened_allocator/realloc.cc
29 ↗(On Diff #56965)

Nit: a comment on a separat line must end with a period.

projects/compiler-rt/test/hardened_allocator/sizes.cc
19 ↗(On Diff #56965)

s/fulfill/allocate?

53 ↗(On Diff #56965)

Where does this line come from? I don't see the allocator printing it anywhere.

glider edited edge metadata.May 12 2016, 5:34 AM

$0.05 regarding the cryptographic security: can someone please clarify the goal of hardening the allocator?
If the intention is to use it for e.g. ASan in production, the randomness should be at least not worse than that of regular allocators.

glider added inline comments.May 12 2016, 8:23 AM
projects/compiler-rt/lib/hardened_allocator/scudo_utils.cc
109 ↗(On Diff #56965)

As a data point, I've ran RdTSC() and std::chrono::high_resolution_clock::now().time_since_epoch().count() 200278017 times.
The number of unique values of both variables was exactly 200278017, while the number of unique XOR values was only 200205416, i.e. there were 0.036% collisions.

filcab added a subscriber: filcab.May 12 2016, 9:50 AM
filcab added inline comments.
docs/HardenedAllocator.rst
47 ↗(On Diff #56965)

I think this parenthesis should be somewhere else. The crc32 instruction is an actual requirement of the allocator right now.

P.S: Alternatively, remove the "if ..." and say it's a requirement, like you do in the next paragraph.

110 ↗(On Diff #56965)

If we're making a "hardened allocator", shouldn't the default be to zero out all chunks?
(of course, performance would suffer a lot. I'm just curious if there are other reasons)

projects/compiler-rt/cmake/config-ix.cmake
196 ↗(On Diff #56965)

I know safestack, cfi, and ESan don't follow this, but we can probably put the HARDENED_ALLOCATOR stuff in alphabetical order with the other stuff above.

projects/compiler-rt/lib/CMakeLists.txt
58 ↗(On Diff #56965)

Same here.

projects/compiler-rt/lib/hardened_allocator/scudo_allocator.cc
32 ↗(On Diff #56965)

I would remove the TODO.
If we're in a debugger, Abort() might trigger the debugger and stop the program execution. exit() will simply close the program. We've added the abort in ASan, back in the day (D12332), due to this.
It's the default for ASan on OS X and on the PS4.

48 ↗(On Diff #56965)

It's very likely a smaller price to pay than to have to use atomic updates + spin on update collisions.

60 ↗(On Diff #56965)

I could do without the u128 typedef. You're only using it for the PackedHeader typedef.

93 ↗(On Diff #56965)

I'd suggest:

COMPILER_CHECK(sizeof(UnpackedHeader) == sizeof(PackedHeader));

Since it makes it explicit we want those two to be the same and that it's not a coincidence that we're expecting both to "happen to be" the same size as u128.
The sizeof(PackedHeader) isn't needed, since it's a typedef for u128 (even after my proposed change, it won't be needed).

95 ↗(On Diff #56965)

Remove the static here, since you're not adding it to other const-qualified variables when it isn't needed.

117 ↗(On Diff #56965)

No need to do this. Much better to just handle it on the CMake side (which you're already doing).

123 ↗(On Diff #56965)

"... 16 least significant bits of the header of the first 8 bytes..."

134 ↗(On Diff #56965)

Why are you not using the C++11 atomics?

242 ↗(On Diff #56965)

Why?

262 ↗(On Diff #56965)

If this ends up being ported, it's a simple matter of using the FIRST_32_SECOND_64 macro.

278 ↗(On Diff #56965)

Source files are compiled assuming that feature is available.
We'll have to add a fallback checksum (plus change build and this check) to address this comment.

I would be ok with keeping the SSE4.2 requirement until we get a non-zero amount of requests/bug reports.

P.S: http://store.steampowered.com/hwsurvey (first result for "hardware survey". It's clearly biased, but I'd guess developer CPUs are also biased to be more recent/powerful than an average computer) puts SSE4.2 adoption at ~80%.

334 ↗(On Diff #56965)

Pobably best to zero the whole thing (needed_size - ChunkHeaderSize)?

373 ↗(On Diff #56965)

Please push the negation through.

449 ↗(On Diff #56965)

I'm guessing you only need to zero the additional contents to account for possible overflows that might have happened.
Otherwise:
ZeroContents = true -> they're already zeroed
ZeroContents = false -> No need to zero.

473 ↗(On Diff #56965)

If we have the ZeroContents, no need to zero again.

474 ↗(On Diff #56965)

Should we zero the whole block, instead of just the size we were asked?
(Hardening it a tiny bit against overflows)

projects/compiler-rt/lib/hardened_allocator/scudo_allocator.h
41 ↗(On Diff #56965)

Why the empty comment trailing the while (false)?

projects/compiler-rt/lib/hardened_allocator/scudo_malloc_linux.cc
1 ↗(On Diff #56965)

scudo_interceptors.cc (.cpp in the future, but do what Vitaly suggested and change the names only after approval to ease code review)

15 ↗(On Diff #56965)

Don't add these to the whole file.
I'm ok with protecting Linux/glibc-specific functions like pvalloc, etc. Those will need it anyway if this gets ported somewhere.
No need to protect the malloc/free interceptors with SANITIZER_LINUX, though.

projects/compiler-rt/lib/hardened_allocator/scudo_rtl.cc
50 ↗(On Diff #56965)

Should this be an #error?

projects/compiler-rt/lib/hardened_allocator/scudo_utils.cc
59 ↗(On Diff #56965)
else
  UNIMPLEMENTED();

(or something similar)

89 ↗(On Diff #56965)

Does gcc actually do anything with this?
If not, then just delete it. AFAICT, clang doesn't care unless you have an asm attribute to tie it to a specific register.

98 ↗(On Diff #56965)

Nit: Why not a simple int? Closer to the "usual idiom" in C++.

projects/compiler-rt/lib/hardened_allocator/scudo_utils.h
26 ↗(On Diff #56965)

static_assert(sizeof(Dest) == sizeof(Source), "Sized are not equal!");

projects/compiler-rt/test/hardened_allocator/double-free.cc
28 ↗(On Diff #56965)

Add a posix_memalign version. We have a special case in free for it.

projects/compiler-rt/test/hardened_allocator/mismatch.cc
21 ↗(On Diff #56965)

You should add, at least, the memalign -> something_other_than_free case, since it's a special case.

projects/compiler-rt/test/hardened_allocator/quarantine.cc
15 ↗(On Diff #56965)

if (p)

glider added a comment.May 12 2016, 10:11 AM

BTW we've been discussing the issue with the random seed (and the header cookies) being reused upon fork() today.
If you've a service that forks in response to every client request, it can be exploited by brute-forcing the CRC of a single object (which remains the same upon fork())

Thus two questions arise:

  • shouldn't we increase the size of the header's crc32 to, um, 32 bits?
  • is it possible to re-initialize the seed and the cookie upon fork() (a dummy solution is to iterate over the heap and fix all headers, but maybe there's something more elegant?)
glider added inline comments.May 12 2016, 10:18 AM
projects/compiler-rt/lib/hardened_allocator/scudo_malloc_linux.cc
15 ↗(On Diff #56965)

Note that for other systems (e.g. OSX) it may be incorrect to intercept malloc/free.
Therefore it should be ok to keep those in a Linux/FreeBSD-specific file and keep SANITIZER_LINUX | SANITIZER_FREEBSD for the whole file.

75 ↗(On Diff #56965)

It's better to add comments (e.g. " // SANITIZER_LINUX" here) to #endif directives, especially when the code doesn't fit on a single screen.

dvyukov added inline comments.May 12 2016, 10:25 AM
projects/compiler-rt/lib/hardened_allocator/scudo_allocator.cc
87 ↗(On Diff #56965)

Don't we need only 20 bits here?

162 ↗(On Diff #56965)

Looks pointless.

187 ↗(On Diff #56965)

This will leak memory.
Destructors run FIFO order, so later-created user dtors can run after you. Plus pthread frees thread stack and pthread_specific regions after running pthread_specific dtors.

195 ↗(On Diff #56965)

Why initGlobal is not called from ScudoInitInternal?
If you expect that malloc can come before ScudoInitInternal, then you also need to call ScudoInitInternal from initThread. Otherwise it won't work anyway.

241 ↗(On Diff #56965)

Why is this commented out? Looks cleaner.

283 ↗(On Diff #56965)

Do we want to sanity check options.QuarantineSizeMb) << 20? What if it overflows?

284 ↗(On Diff #56965)

Make this tunable as well. If my program has 10000 threads, 1MB per thread is a lot.

293 ↗(On Diff #56965)

s/alignment/malloc alignment/
So that user can get at least some glue when she sees this on console.

325 ↗(On Diff #56965)

It seems to me that we don't actually need with_offset and all the associated if's.
You can just always store (chunk_beg - alloc_beg) >> MinAlignmentLog into header.offset and always subtract it from user_beg.

326 ↗(On Diff #56965)

There is a very tricky, implicit relation between MinAlignment, MaxAlignment and number of bits in offset. If there of these change in future we can get a nice attack vector due to offset overflow.

Check that MaxAlignment/MinAlignment fits into offset during init.

381 ↗(On Diff #56965)

I wonder if delete_size can be 0 and it does not mean that delete_size is not passed, it is just legally zero. What is passed in for delete of an array with 0 elements?

projects/compiler-rt/lib/hardened_allocator/scudo_flags.cc
56 ↗(On Diff #56965)

You use convoluted way to express 64 that requires remembering powers of two, and then spell 64 in comments. Why not just say "64"?

projects/compiler-rt/lib/hardened_allocator/scudo_flags.inc
18 ↗(On Diff #56965)

s/-1/64/ then the default will be visible in help as well.
User can't tune this value if she does not have a single reference point. If I know that the default is 64, then I can set it to 32 of 128. If I don't know the default, what am I supposed to do?

projects/compiler-rt/lib/hardened_allocator/scudo_utils.cc
109 ↗(On Diff #56965)

This is used to initialize global cookie. I would use /dev/random. Or there must be 16 bytes of good randomness in auxv.

projects/compiler-rt/lib/hardened_allocator/scudo_utils.h
44 ↗(On Diff #56965)

This is not used. Remove.

46 ↗(On Diff #56965)

This is not used. Remove.

50 ↗(On Diff #56965)

This is not used. Remove.

dvyukov added inline comments.May 12 2016, 10:25 AM
projects/compiler-rt/lib/hardened_allocator/scudo_allocator.cc
64 ↗(On Diff #56965)

It's better to comment right on the fields rather than duplicate them here. The comment has good chances of getting outdated. It's also harder to find the relevant part of the comment for a particular field.
E.g.:

u8  state          : 2;  // available, allocated, or quarantined

comments like 'salt' on 'salt' field are excessive, drop them.

104 ↗(On Diff #56965)

I am missing the relation between the requirement to not load header second time and making the function static.
Why not:

void *AllocBeg(UnpackedHeader *header)

?

126 ↗(On Diff #56965)

Add a bold comment to checksum filed that Checksum expects it to be low 16 bits. And maybe add some debug check here.

128 ↗(On Diff #56965)

Won't it do to initialize crc to cookie as:

u64 crc = _mm_crc32_u64(cookie, reinterpret_cast<uptr>(this));

?

135 ↗(On Diff #56965)

Why does this need to be acquire? Please comment.

153 ↗(On Diff #56965)

Why release?

161 ↗(On Diff #56965)

Why acquire?

glider added inline comments.May 12 2016, 10:50 AM
projects/compiler-rt/lib/hardened_allocator/scudo_allocator.cc
278 ↗(On Diff #56965)

Well, IIUC right now the implementation just aborts for AMD processors, which are among those ~80%.

kcc added inline comments.May 12 2016, 12:15 PM
projects/compiler-rt/lib/hardened_allocator/scudo_allocator.cc
115 ↗(On Diff #56965)

I am pretty sure it *is* performance critical.
If this gets used on older or non-x86 systems we can add other implementation later.

175 ↗(On Diff #56965)

Afiact, scudo will not be combinable with any of the sanitizers other than with ubsan

262 ↗(On Diff #56965)

no 32-bit for now (or ever?)

projects/compiler-rt/lib/hardened_allocator/scudo_allocator.h
1 ↗(On Diff #56965)

I initially proposed to name the dir hardened_allocator to make it more self-descriptive.
But if others don't mind to have dir named "scuda" let the author decide.

filcab added inline comments.May 12 2016, 12:52 PM
projects/compiler-rt/lib/hardened_allocator/scudo_allocator.cc
278 ↗(On Diff #56965)

I was just talking about the SSE4.2 part. Sorry, I was going to comment on the CPUID thing but forgot. Doing it now.

projects/compiler-rt/lib/hardened_allocator/scudo_utils.cc
64 ↗(On Diff #56965)

Same on AMD (source: https://support.amd.com/TechDocs/25481.pdf):
"
CPUID Fn0000_0001_ECX Feature Identifiers
...
20 SSE42: SSE4.2 instruction support.
"

66 ↗(On Diff #56965)

Doesn't exist on AMD.
Since SSE4.2 is required for this, you'll need to implement SSE4.2 detection for other CPU brands.
RDRAND seems to exist only on Intel CPUs and there's a fallback path, so having it only on Intel doesn't seem like a problem.

cryptoad updated this revision to Diff 57100.May 12 2016, 2:21 PM
cryptoad edited edge metadata.
cryptoad marked 44 inline comments as done.

Addressed some of the issues raised during the review.
Additional renaming done to comply with the LLVM coding standard.

projects/compiler-rt/lib/hardened_allocator/scudo_allocator.cc
87 ↗(On Diff #56965)

This is indeed the case.
I figured I would align that one to a multiple of 8 bits as we have some space in the second half of the 128-bit integer.
I am not opposed to shortening to the actual needed bit size if you feel strongly about it.

134 ↗(On Diff #56965)

Using std::atomic<unsigned __int128>?

242 ↗(On Diff #56965)

Sorry this was a remainder of a debugging session. I switched it back to the original plan which was to use the thread_local QuarantineCache.

262 ↗(On Diff #56965)

No plan to support 32-bit as of yet, but yes we will use FIRST_32_SECOND_64 if we do.

334 ↗(On Diff #56965)

I guess we have several choices here:

  • move it up and zero the whole thing prior to the header being store
  • leave it here and zero the whole thing post header, which will have to account for the offset (needed_size - (chunk_beg - alloc_beg))

I think the first option would be better.

projects/compiler-rt/lib/hardened_allocator/scudo_rtl.cc
50 ↗(On Diff #56965)

I figured the additional initialization techniques used by ASan et al. could be added later on. Hence the #error for now.

projects/compiler-rt/lib/hardened_allocator/scudo_utils.cc
32 ↗(On Diff #56965)

I figured it could be useful if a feature such as RDSEED was needed.

39 ↗(On Diff #56965)

My point of view when writing this was that I had to be as competitive as can be with other allocators, so that the benefit of additional checks would not be offseted by a dramatic decrease in performances. In the initial stages, it was determined that a BSD checksum vs the CPU backed CRC32 induced a performance gain of about 10% in pure allocation benchmarks, so I went that way.

I am not opposed to doing something purely software, but I'd rather start this way and then expend it to be more portable.

84 ↗(On Diff #56965)

I wanted to use a 3 state variable: unintialized, true, false. Hence the -1, 0, 1.

98 ↗(On Diff #56965)

I tried to be consistent using the Sanitizer types. But I see your point.

109 ↗(On Diff #56965)

Is your suggestion to get rid of the epoch component?

projects/compiler-rt/test/hardened_allocator/sizes.cc
53 ↗(On Diff #56965)

This is from sanitizer_allocator.cc, that handles this condition.

dvyukov added inline comments.May 13 2016, 12:55 AM
projects/compiler-rt/lib/hardened_allocator/scudo_allocator.cc
88 ↗(On Diff #57100)

Does it improve generated code?
Leaving it as 24 is OK in that case, but it needs to be explained in comments. Width of that field has crucial implicit relation with Min/MaxAlignment. When double-checked width, I found that it's not what I would expect it to be. What means that either I missing something else important here, or there is a bug, or things get out of sync. This uncertainty is very unpleasant and takes time for anybody reading the code.

projects/compiler-rt/lib/hardened_allocator/scudo_utils.cc
110 ↗(On Diff #57100)

Yes, all that is predictable.
/dev/random is meant specifically for such cases, it uses various sources of entropy to create strongly random numbers.

On second though, just remove all rdtsc/cpuid/rdrand trickery and read from /dev/random. If rdrand is present, kernel will use it.

filcab added inline comments.May 13 2016, 7:55 AM
projects/compiler-rt/lib/hardened_allocator/scudo_allocator.cc
135 ↗(On Diff #57100)

Yeah, should be nicer. Unless it's a problem due to something I'm not thinking of, then I'd rather have more standard constructs (even though there's no guarantee of an __int128 type, let alone an std::atomic<__int128>, AFAICT libstdc++ and libc++ will have those implemented).

cryptoad updated this revision to Diff 57362.May 16 2016, 9:54 AM
cryptoad marked 26 inline comments as done.

This update addresses another batch of comments raised during the review.
Among the notable changes:

  • after discussion with dvyukov, the memory order for the atomic operation has to changed to relaxed;
  • the 'with_offset' field in the header is going away, and the offset field now always stores the distance between the backend allocation and the chunk.
projects/compiler-rt/lib/hardened_allocator/scudo_allocator.cc
188 ↗(On Diff #57100)

For this, I used the same technique that is used in ASan's PlatformTSDDtor, as it seems to be the most viable one.
I am not sure what alternative would work here.

projects/compiler-rt/lib/hardened_allocator/scudo_allocator.h
42 ↗(On Diff #57100)

This actually a straight copy from sanitizer_internal_defs.h, just replacing CheckFailed. So I left it as is.
This will go away when I redo the CHECK_IMPL logic to follow kcc@'s suggestion to implement templated failure functions.

projects/compiler-rt/lib/hardened_allocator/scudo_utils.cc
110 ↗(On Diff #57100)

I gave it a try and I have had a lot of issues with /dev/random on my system.
Between the fact that it's blocking, and that sometimes it won't return the amount of bytes requested, the tests have been failing inconsistently.
Tests with /dev/urandom worked better though.
I am going to dig further into that.

filcab added inline comments.May 16 2016, 10:13 AM
projects/compiler-rt/lib/hardened_allocator/scudo_allocator.cc
135 ↗(On Diff #57362)

Did std::atomic<unsigned __int128> not work/was too slow?

projects/compiler-rt/lib/hardened_allocator/scudo_utils.cc
111 ↗(On Diff #57362)

Using /dev/urandom should be what you need, yes.
Did you still have problems with urandom, btw?

cryptoad added inline comments.May 16 2016, 10:37 AM
projects/compiler-rt/lib/hardened_allocator/scudo_allocator.cc
135 ↗(On Diff #57362)

It's in the works :)

projects/compiler-rt/lib/hardened_allocator/scudo_utils.cc
111 ↗(On Diff #57362)

/dev/udrandom appeared to work fine.

dvyukov added inline comments.May 17 2016, 1:19 AM
projects/compiler-rt/lib/hardened_allocator/scudo_allocator.cc
189 ↗(On Diff #57362)

If a free comes after we drained local cache, asan uses a global cache. Grep for "fallback" in asan_allocator.cc. Tsan now uses the same. It sucks. But I don't see how to do better. We need to detect when a thread is actually finished, but it's tricky to do with pthread_join API.

projects/compiler-rt/lib/hardened_allocator/scudo_utils.cc
111 ↗(On Diff #57362)

/dev/urandom is not what you need. It trades security for performance. I.e. instead of blocking it will just give you predictable randomness. Which kind of defeats the whole purpose of a security allocator.
/dev/random blocks when it does not have enough entropy. But there is not much you can do if you do need the entropy.
If it returns less bytes, read again. That's how it works with all read calls.

filcab added inline comments.May 17 2016, 6:02 AM
projects/compiler-rt/lib/hardened_allocator/scudo_utils.cc
111 ↗(On Diff #57362)

People like Daniel Bernstein and Thomas Ptacek (and others) tend to disagree and say that /dev/urandom is what we need:
http://blog.cr.yp.to/20140205-entropy.html
http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/

I'm no expert in this, so I tend to rely on people who work on this kind of thing.

cryptoad updated this revision to Diff 57702.May 18 2016, 4:11 PM
cryptoad marked 24 inline comments as done.

This diff addresses another batch of comments from the review, as well as some renaming to converge towards LLVM coding standard compliance.
Among the notable changes:

  • a fallback mechanism has been added to service allocations and deallocation post thread tear-down as per dvyukov guidance;
  • the initialization has been moved around to not depend on .preinit_array; a test has been added to make sure that preinit allocations are serviced successfully;
  • std::atomic is used in place of the GCC builtins; the compiled code is identical.

There are still some comments left to address, notably regarding the source of randomness.

kubamracek added a subscriber: kubamracek.May 22 2016, 11:55 AM
cryptoad updated this revision to Diff 58659.May 26 2016, 11:37 AM

With this diff ends the renaming process, so unless I missed or misunderstood something, this should be compliant with the LLVM coding standards.
Additional, I migrated the thread local PRNG initialization to use /dev/urandom for seeding purposes. This appears to not have significantly impacted the performances.

cryptoad marked 12 inline comments as done.May 26 2016, 12:53 PM

One of the outstanding items on my list was to have a look at the CHECK logic to be able to have everything fast fail without callbacks if something went wrong.
kcc's suggestion was to change the CHECKs in the Allocator to make them call a templated failure function (or virtual) (http://reviews.llvm.org/D20084#425327).
I've realize since then that we also need that to be true for the Quarantine, and potentially any abstracted Sanitizer function (the per platform file access functions come to mind). Basically we really want CheckFailed to be ours anywhere in the project, so that when compiling the hardened allocator, none of the with-callbacks version will be compiled in.

I'd welcome some feedback as to how to do that as cleanly as possible, thanks!

kcc added a comment.May 26 2016, 1:04 PM

Yea...
So one possible way is to re-define __sanitizer::CheckFailed.
It should be relatively easy if we never going to allow mixing scudo and the sanitizers.
There is no way to mix scudo and asan/tsan/msan anyway, because they have conflicting allocators.
You may mix scudo and ubsan, since ubsan does not have an allocator, but the only sane way to have ubasan
in prod is to use it in trapping mode which does not have run-time. So we are good here too.

So, try this:

  • move __sanitizer::CheckFailed into a separate file.
  • make sure it is used by *san
  • make sure it is not used by scudo
  • defined your own __sanitizer::CheckFailed

I have not tested it, so something may go wrong, you'll need to experiment...

kcc added inline comments.May 27 2016, 3:19 PM
projects/compiler-rt/lib/hardened_allocator/scudo_allocator.h
29 ↗(On Diff #58659)

So, you should not need this any more, let's remove it now.
I'll make on more pass afterwards (Monday-ish)

dvyukov edited edge metadata.May 28 2016, 11:44 PM
In D20084#441391, @cryptoad wrote:

One of the outstanding items on my list was to have a look at the CHECK logic to be able to have everything fast fail without callbacks if something went wrong.

Why can't we just set Die as CheckFailedCallback?

dvyukov added inline comments.May 28 2016, 11:46 PM
projects/compiler-rt/lib/hardened_allocator/scudo_utils.cc
99 ↗(On Diff #58659)

urandom is not secure and can allow to guess the cookie in a local setuid binary.

cryptoad marked an inline comment as done.May 30 2016, 7:57 PM
In D20084#443276, @dvyukov wrote:
In D20084#441391, @cryptoad wrote:

One of the outstanding items on my list was to have a look at the CHECK logic to be able to have everything fast fail without callbacks if something went wrong.

Why can't we just set Die as CheckFailedCallback?

What I am trying to prevent here is the use of callbacks at all. They would be an interesting target for an attacker as they would be writable function pointers that could be triggered on demand on heap corruption.

projects/compiler-rt/lib/hardened_allocator/scudo_utils.cc
99 ↗(On Diff #58659)

So on this matter it seems that the general agreement is that urandom on modern Linux system is secure and can be used for cryptographic purposes. Even the more recent getrandom system call uses urandom by default, with the following entry in the man page: "Unless you are doing long-term key generation (and perhaps not even then), you probably shouldn't be using GRND_RANDOM. The cryptographic algorithms used for /dev/urandom are quite conservative, and so should be sufficient for all purposes."
/dev/random performs poorly in my tests, often blocking the allocator.

dvyukov added a comment.May 31 2016, 12:36 AM
In D20084#443951, @cryptoad wrote:
In D20084#443276, @dvyukov wrote:
In D20084#441391, @cryptoad wrote:

One of the outstanding items on my list was to have a look at the CHECK logic to be able to have everything fast fail without callbacks if something went wrong.

Why can't we just set Die as CheckFailedCallback?

What I am trying to prevent here is the use of callbacks at all. They would be an interesting target for an attacker as they would be writable function pointers that could be triggered on demand on heap corruption.

But that would mean that an attacker broke ASLR and can write arbitrary values at necessary memory locations. Does it still make sense to defend in such case?

projects/compiler-rt/lib/hardened_allocator/scudo_utils.cc
99 ↗(On Diff #58659)

Okay. You know better.

cryptoad added a comment.May 31 2016, 8:55 AM
In D20084#444017, @dvyukov wrote:

But that would mean that an attacker broke ASLR and can write arbitrary values at necessary memory locations. Does it still make sense to defend in such case?

That is correct. I think it is still worth it to not take the chance.
Previous work on other heaps have leveraged such features, given the same assumptions (for example the commit function pointer in the Windows Heap https://www.blackhat.com/presentations/bh-usa-09/MCDONALD/BHUSA09-McDonald-WindowsHeap-PAPER.pdf).
I think it's particularly important to make sure that the failure path fails fast and ideally without the possibility of interruption (like __fastfail http://www.alex-ionescu.com/?p=69).

cryptoad updated this revision to Diff 59082.May 31 2016, 9:26 AM
cryptoad edited edge metadata.

We now replace the Sanitizer's termination functions so that no callbacks can be called in CheckFailed and Die.

kcc added a comment.Jun 1 2016, 10:19 AM

Mostly LG.
Please address a few remaining nits and wait until tomorrow for more comments.
If no significant comments, rename the dir to scudo and I will land it.

Note: I did not review this code from security perspective in details because

  • not an expert
  • there are known security weaknesses in the backend allocator (we will need to handle them separately)
  • it'll be easier to do further security assessment once the code is committed.
docs/HardenedAllocator.rst
89 ↗(On Diff #59082)

Did you?

94 ↗(On Diff #59082)

Give an example instead of referring to "usual ASan syntax".
Scudo users don't have to be asan experts.

projects/compiler-rt/lib/hardened_allocator/scudo_allocator.cc
63 ↗(On Diff #59082)

align the comment block

109 ↗(On Diff #59082)

I suggest to replace all cases of

if (!cond) {
  Printf()
  Die()
}

With

if (!cond)
  DieWithMessage();

This is using the Printf from sanitizer_common, right?
It might be worth replacing it with your own, simpler one.
If you agree, just leave a TODO near DieWithMessage and address it later.

278 ↗(On Diff #59082)

s/late/later

projects/compiler-rt/lib/hardened_allocator/scudo_allocator.h
18 ↗(On Diff #59082)

is currently only supported?
os "supports x86_64"?

49 ↗(On Diff #59082)

Does the following block of code have to be in this header?
Why not in .cc?

cryptoad updated this revision to Diff 59581.Jun 3 2016, 10:49 AM
cryptoad marked 7 inline comments as done.

Addressing some comments raised in the review, notably:

  • new dieWithMessage function wrapping a Printf+Die functionality - still currently using Sanitizer's VSNPrintf which will be changed later;
  • updated the documentation;
docs/HardenedAllocator.rst
89 ↗(On Diff #59082)

I removed the part about the preinit_array as I do not use that anymore.
Whatever LIT is using requires the whole-archive flag, if using gcc to link the static library against a project, it doesn't.

94 ↗(On Diff #59082)

I didn't realize that I hadn't updated the options names below as well. Also added ThreadLocalQuarantineSizeKb.

projects/compiler-rt/lib/hardened_allocator/scudo_allocator.cc
109 ↗(On Diff #59082)

There is also a PrintfAndReportCallback callback that I just noticed.
I will have to address that later as well.

kcc accepted this revision.Jun 3 2016, 2:48 PM
kcc edited edge metadata.

LGTM.
I think it's as good as we can make it via code review.
Let's make it better by incremental changes.

Now, please rename the directories to lib/scudo and test/scudo, upload the updated patch and let me land it.
Probably also rename HardenedAllocator.rst to ScudoHardenedAllocator.rst or some such (up to you)

This revision is now accepted and ready to land.Jun 3 2016, 2:48 PM
cryptoad updated this revision to Diff 59638.Jun 3 2016, 4:07 PM
cryptoad edited edge metadata.

This patch renames the directories and files to fit the scheme suggested during the review, and the LLVM practices:

  • hardened_allocator is now scudo everywhere;
  • documentation is now in ScudoHardenedAllocator.rst;
  • all .cc files are now .cpp;
  • additionally scudo_malloc_linux.cc is now scudo_interceptors.cpp;
  • build files have been updated accordingly, as well as all references to the previous naming scheme (the library and checks rules are now 'scudo' and 'check-scudo').
kcc added a comment.Jun 3 2016, 5:31 PM

I am getting these when trying 'ninja check-scudo'
/usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/atomic:266: undefined reference to `__sync_val_compare_and_swap_16'
Any suggestions?

BTW, do we make sure that check-scudo is not run if the current machine does not support proper SSE?

filcab added a comment.Jun 3 2016, 10:14 PM

Most likely were missing -latomic (IIRC)
I wouldn't expect to have to link with that when using the std::atomic, but
that might be it.

Filipe

cryptoad added a comment.Jun 6 2016, 8:24 AM
In D20084#449057, @kcc wrote:

I am getting these when trying 'ninja check-scudo'
/usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/atomic:266: undefined reference to `__sync_val_compare_and_swap_16'
Any suggestions?

Regarding @filcab's comment, -latomic is in the cflags in the lit.cfg, not sure why this is not working for you.

BTW, do we make sure that check-scudo is not run if the current machine does not support proper SSE?

We do check for SSE 4.2 in the init of the Allocator via CHECK(testCPUFeature(SSE4_2))

cryptoad added a comment.Jun 6 2016, 9:05 AM
In D20084#449057, @kcc wrote:

I am getting these when trying 'ninja check-scudo'
/usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/atomic:266: undefined reference to `__sync_val_compare_and_swap_16'
Any suggestions?

I also use -mcx16 in g3 BUILD, that might be it.

kcc added a comment.Jun 6 2016, 9:29 AM

We do check for SSE 4.2 in the init of the Allocator via CHECK(testCPUFeature(SSE4_2))

That's not enough.
This is a run-time check and so if someone runs "check-all" on a machine that does not support SSE4_2
thye *will* run check-scudo and get a test failure.
Instead, we need to ensure that check-scudo is not executed as part of check-all when there is no proper HW support

And of course, fix check-scudo on my machine [ :) ] so that I can test it before committing.

cryptoad updated this revision to Diff 59744.Jun 6 2016, 10:07 AM

Updated Scudo LIT CMakeLists.txt to only add check-scudo on Linux x64 machines with SSE4.2.

Closed by commit rL271968: [sanitizer] Initial implementation of a Hardened Allocator (authored by kcc). · Explain WhyJun 6 2016, 6:27 PM
This revision was automatically updated to reflect the committed changes.
kcc added a comment.Jun 6 2016, 6:28 PM

Thanks again for contributing this code, let's now make the allocator even more hardened!

Revision Contents

PathSize
cmake/
14 lines
lib/
4 lines
hardened_allocator/
32 lines
97 lines
596 lines
36 lines
61 lines
30 lines
75 lines
69 lines
51 lines
69 lines
120 lines
test/
3 lines
hardened_allocator/
21 lines
25 lines
32 lines
7 lines
39 lines
7 lines
25 lines
40 lines
26 lines
33 lines
40 lines
63 lines
36 lines
54 lines

Diff 56923

cmake/config-ix.cmake

Show First 20 LinesShow All 187 Lines▼ Show 20 Lines
set(ALL_PROFILE_SUPPORTED_ARCH ${X86} ${X86_64} ${ARM32} ${ARM64} ${PPC64} set(ALL_PROFILE_SUPPORTED_ARCH ${X86} ${X86_64} ${ARM32} ${ARM64} ${PPC64}
${MIPS32} ${MIPS64}) ${MIPS32} ${MIPS64})
set(ALL_TSAN_SUPPORTED_ARCH ${X86_64} ${MIPS64} ${ARM64} ${PPC64}) set(ALL_TSAN_SUPPORTED_ARCH ${X86_64} ${MIPS64} ${ARM64} ${PPC64})
set(ALL_UBSAN_SUPPORTED_ARCH ${X86} ${X86_64} ${ARM32} ${ARM64} set(ALL_UBSAN_SUPPORTED_ARCH ${X86} ${X86_64} ${ARM32} ${ARM64}
${MIPS32} ${MIPS64} ${PPC64} ${S390X}) ${MIPS32} ${MIPS64} ${PPC64} ${S390X})
set(ALL_SAFESTACK_SUPPORTED_ARCH ${X86} ${X86_64} ${ARM64} ${MIPS32} ${MIPS64}) set(ALL_SAFESTACK_SUPPORTED_ARCH ${X86} ${X86_64} ${ARM64} ${MIPS32} ${MIPS64})
set(ALL_CFI_SUPPORTED_ARCH ${X86} ${X86_64} ${MIPS64}) set(ALL_CFI_SUPPORTED_ARCH ${X86} ${X86_64} ${MIPS64})
set(ALL_ESAN_SUPPORTED_ARCH ${X86_64}) set(ALL_ESAN_SUPPORTED_ARCH ${X86_64})
set(ALL_HARDENED_ALLOCATOR_SUPPORTED_ARCH ${X86_64})
if(APPLE) if(APPLE)
include(CompilerRTDarwinUtils) include(CompilerRTDarwinUtils)
find_darwin_sdk_dir(DARWIN_osx_SYSROOT macosx) find_darwin_sdk_dir(DARWIN_osx_SYSROOT macosx)
find_darwin_sdk_dir(DARWIN_iossim_SYSROOT iphonesimulator) find_darwin_sdk_dir(DARWIN_iossim_SYSROOT iphonesimulator)
find_darwin_sdk_dir(DARWIN_ios_SYSROOT iphoneos) find_darwin_sdk_dir(DARWIN_ios_SYSROOT iphoneos)
find_darwin_sdk_dir(DARWIN_watchossim_SYSROOT watchsimulator) find_darwin_sdk_dir(DARWIN_watchossim_SYSROOT watchsimulator)
▲ Show 20 LinesShow All 170 Lines▼ Show 20 Lines list_intersect(SAFESTACK_SUPPORTED_ARCH
ALL_SAFESTACK_SUPPORTED_ARCH ALL_SAFESTACK_SUPPORTED_ARCH
SANITIZER_COMMON_SUPPORTED_ARCH) SANITIZER_COMMON_SUPPORTED_ARCH)
list_intersect(CFI_SUPPORTED_ARCH list_intersect(CFI_SUPPORTED_ARCH
ALL_CFI_SUPPORTED_ARCH ALL_CFI_SUPPORTED_ARCH
SANITIZER_COMMON_SUPPORTED_ARCH) SANITIZER_COMMON_SUPPORTED_ARCH)
list_intersect(ESAN_SUPPORTED_ARCH list_intersect(ESAN_SUPPORTED_ARCH
ALL_ESAN_SUPPORTED_ARCH ALL_ESAN_SUPPORTED_ARCH
SANITIZER_COMMON_SUPPORTED_ARCH) SANITIZER_COMMON_SUPPORTED_ARCH)
list_intersect(HARDENED_ALLOCATOR_SUPPORTED_ARCH
ALL_HARDENED_ALLOCATOR_SUPPORTED_ARCH
SANITIZER_COMMON_SUPPORTED_ARCH)
else() else()
# Architectures supported by compiler-rt libraries. # Architectures supported by compiler-rt libraries.
filter_available_targets(SANITIZER_COMMON_SUPPORTED_ARCH filter_available_targets(SANITIZER_COMMON_SUPPORTED_ARCH
${ALL_SANITIZER_COMMON_SUPPORTED_ARCH}) ${ALL_SANITIZER_COMMON_SUPPORTED_ARCH})
# LSan and UBSan common files should be available on all architectures # LSan and UBSan common files should be available on all architectures
# supported by other sanitizers (even if they build into dummy object files). # supported by other sanitizers (even if they build into dummy object files).
filter_available_targets(LSAN_COMMON_SUPPORTED_ARCH filter_available_targets(LSAN_COMMON_SUPPORTED_ARCH
${SANITIZER_COMMON_SUPPORTED_ARCH}) ${SANITIZER_COMMON_SUPPORTED_ARCH})
filter_available_targets(UBSAN_COMMON_SUPPORTED_ARCH filter_available_targets(UBSAN_COMMON_SUPPORTED_ARCH
${SANITIZER_COMMON_SUPPORTED_ARCH}) ${SANITIZER_COMMON_SUPPORTED_ARCH})
filter_available_targets(ASAN_SUPPORTED_ARCH ${ALL_ASAN_SUPPORTED_ARCH}) filter_available_targets(ASAN_SUPPORTED_ARCH ${ALL_ASAN_SUPPORTED_ARCH})
filter_available_targets(DFSAN_SUPPORTED_ARCH ${ALL_DFSAN_SUPPORTED_ARCH}) filter_available_targets(DFSAN_SUPPORTED_ARCH ${ALL_DFSAN_SUPPORTED_ARCH})
filter_available_targets(LSAN_SUPPORTED_ARCH ${ALL_LSAN_SUPPORTED_ARCH}) filter_available_targets(LSAN_SUPPORTED_ARCH ${ALL_LSAN_SUPPORTED_ARCH})
filter_available_targets(MSAN_SUPPORTED_ARCH ${ALL_MSAN_SUPPORTED_ARCH}) filter_available_targets(MSAN_SUPPORTED_ARCH ${ALL_MSAN_SUPPORTED_ARCH})
filter_available_targets(PROFILE_SUPPORTED_ARCH ${ALL_PROFILE_SUPPORTED_ARCH}) filter_available_targets(PROFILE_SUPPORTED_ARCH ${ALL_PROFILE_SUPPORTED_ARCH})
filter_available_targets(TSAN_SUPPORTED_ARCH ${ALL_TSAN_SUPPORTED_ARCH}) filter_available_targets(TSAN_SUPPORTED_ARCH ${ALL_TSAN_SUPPORTED_ARCH})
filter_available_targets(UBSAN_SUPPORTED_ARCH ${ALL_UBSAN_SUPPORTED_ARCH}) filter_available_targets(UBSAN_SUPPORTED_ARCH ${ALL_UBSAN_SUPPORTED_ARCH})
filter_available_targets(SAFESTACK_SUPPORTED_ARCH filter_available_targets(SAFESTACK_SUPPORTED_ARCH
${ALL_SAFESTACK_SUPPORTED_ARCH}) ${ALL_SAFESTACK_SUPPORTED_ARCH})
filter_available_targets(CFI_SUPPORTED_ARCH ${ALL_CFI_SUPPORTED_ARCH}) filter_available_targets(CFI_SUPPORTED_ARCH ${ALL_CFI_SUPPORTED_ARCH})
filter_available_targets(ESAN_SUPPORTED_ARCH ${ALL_ESAN_SUPPORTED_ARCH}) filter_available_targets(ESAN_SUPPORTED_ARCH ${ALL_ESAN_SUPPORTED_ARCH})
filter_available_targets(HARDENED_ALLOCATOR_SUPPORTED_ARCH
${ALL_HARDENED_ALLOCATOR_SUPPORTED_ARCH})
endif() endif()
if (MSVC) if (MSVC)
# See if the DIA SDK is available and usable. # See if the DIA SDK is available and usable.
set(MSVC_DIA_SDK_DIR "$ENV{VSINSTALLDIR}DIA SDK") set(MSVC_DIA_SDK_DIR "$ENV{VSINSTALLDIR}DIA SDK")
if (IS_DIRECTORY ${MSVC_DIA_SDK_DIR}) if (IS_DIRECTORY ${MSVC_DIA_SDK_DIR})
set(CAN_SYMBOLIZE 1) set(CAN_SYMBOLIZE 1)
else() else()
▲ Show 20 LinesShow All 98 Lines▼ Show 20 Lines
endif() endif()
if (COMPILER_RT_HAS_SANITIZER_COMMON AND ESAN_SUPPORTED_ARCH AND if (COMPILER_RT_HAS_SANITIZER_COMMON AND ESAN_SUPPORTED_ARCH AND
OS_NAME MATCHES "Linux") OS_NAME MATCHES "Linux")
set(COMPILER_RT_HAS_ESAN TRUE) set(COMPILER_RT_HAS_ESAN TRUE)
else() else()
set(COMPILER_RT_HAS_ESAN FALSE) set(COMPILER_RT_HAS_ESAN FALSE)
endif() endif()
if (COMPILER_RT_HAS_SANITIZER_COMMON AND HARDENED_ALLOCATOR_SUPPORTED_ARCH AND
OS_NAME MATCHES "Linux")
set(COMPILER_RT_HAS_HARDENED_ALLOCATOR TRUE)
else()
set(COMPILER_RT_HAS_HARDENED_ALLOCATOR FALSE)
endif()

lib/CMakeLists.txt

Show First 20 LinesShow All 46 Lines▼ Show 20 Linesif(COMPILER_RT_BUILD_SANITIZERS)
if(COMPILER_RT_HAS_CFI) if(COMPILER_RT_HAS_CFI)
add_subdirectory(cfi) add_subdirectory(cfi)
endif() endif()
if(COMPILER_RT_HAS_ESAN) if(COMPILER_RT_HAS_ESAN)
add_subdirectory(esan) add_subdirectory(esan)
endif() endif()
if(COMPILER_RT_HAS_HARDENED_ALLOCATOR)
add_subdirectory(hardened_allocator)
endif()
endif() endif()

lib/hardened_allocator/CMakeLists.txt

add_custom_target(hardened_allocator)
include_directories(..)
set(HARDENED_ALLOCATOR_CFLAGS ${SANITIZER_COMMON_CFLAGS})
append_rtti_flag(OFF HARDENED_ALLOCATOR_CFLAGS)
list(APPEND HARDENED_ALLOCATOR_CFLAGS -msse4.2)
set(HARDENED_ALLOCATOR_SOURCES
scudo_allocator.cc
scudo_flags.cc
scudo_malloc_linux.cc
scudo_new_delete.cc
scudo_rtl.cc
scudo_utils.cc)
if(COMPILER_RT_HAS_HARDENED_ALLOCATOR)
foreach(arch ${HARDENED_ALLOCATOR_SUPPORTED_ARCH})
add_compiler_rt_runtime(clang_rt.hardened_allocator
STATIC
ARCHS ${arch}
SOURCES ${HARDENED_ALLOCATOR_SOURCES}
$<TARGET_OBJECTS:RTInterception.${arch}>
$<TARGET_OBJECTS:RTSanitizerCommon.${arch}>
$<TARGET_OBJECTS:RTSanitizerCommonLibc.${arch}>
CFLAGS ${HARDENED_ALLOCATOR_CFLAGS}
PARENT_TARGET hardened_allocator)
endforeach()
endif()
add_dependencies(compiler-rt hardened_allocator)

lib/hardened_allocator/scudo_allocator.h

//===-- scudo_allocator.h ---------------------------------------*- C++ -*-===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
///
/// Header for scudo_allocator.cc.
///
//===----------------------------------------------------------------------===//
#ifndef SCUDO_ALLOCATOR_H_
#define SCUDO_ALLOCATOR_H_
#ifndef __x86_64__
kccUnsubmitted
Done
ReplyInline Actions

Do we expect this code to work on 32-bit? I guess not.
We should probably add a guard like
#if 32-bit
#error bark

kcc: Do we expect this code to work on 32-bit? I guess not. We should probably add a guard like…
# error "The Scudo hardened allocator currently only supports on x86_64."
#endif
#include "scudo_flags.h"
#include "sanitizer_common/sanitizer_allocator.h"
namespace __scudo {
kccUnsubmitted
Not Done
ReplyInline Actions

We shouldn't be doing this.
Instead, please send a separate change to replace all CHECK_* inside the allocator code
with something like ALLOCATOR_CHECK that will invoke a method that you can redefine using C++ mechanisms (template parameters or virtual functions).
Since this is not a hot code, virtual functions will work, but given that we don't use them anywhere else in the allocator, template parameter is preferred.

kcc: We shouldn't be doing this. Instead, please send a separate change to replace all CHECK_*…
cryptoadAuthorUnsubmitted
Not Done
ReplyInline Actions

Will do.

cryptoad: Will do.
// We have to redefine CHECK_IMPL, as the __sanitizer one involves calling a
// CheckFailedCallback function, which could be abused by a potential attacker.
#ifdef CHECK_IMPL
#undef CHECK_IMPL
#endif
#define CHECK_IMPL(c1, op, c2) \
do { \
__sanitizer::u64 v1 = (u64)(c1); \
__sanitizer::u64 v2 = (u64)(c2); \
if (UNLIKELY(!(v1 op v2))) \
__scudo::CheckFailed(__FILE__, __LINE__, \
"(" #c1 ") " #op " (" #c2 ")", v1, v2); \
} while (false) \
/**/
// We will also use our own CheckFailed and Die functions, once again to avoid
// the __sanitizer ones that have callbacks.
void NORETURN
CheckFailed(const char *file, int line, const char *cond, u64 v1, u64 v2);
kccUnsubmitted
Done
ReplyInline Actions

Please no such declarations of globals in the header, if possible.
I also don't see where you use it here.

kcc: Please no such declarations of globals in the header, if possible. I also don't see where you…
void NORETURN Die();
enum AllocType : u8 {
FROM_MALLOC = 0, // Memory block came from malloc, realloc, calloc, etc.
FROM_NEW = 1, // Memory block came from operator new.
FROM_NEWARRAY = 2, // Memory block came from operator new [].
FROM_MEMALIGN = 3, // Memory block came from memalign, posix_memalign, etc.
};
struct AllocatorOptions {
u32 quarantine_size_mb;
bool may_return_null;
bool alloc_dealloc_mismatch;
bool new_delete_size_mismatch;
bool zero_chunk_contents;
void SetFrom(const Flags *f, const CommonFlags *cf);
aizatskyUnsubmitted
Done
ReplyInline Actions

const function?

aizatsky: const function?
void CopyTo(Flags *f, CommonFlags *cf) const;
};
void InitializeAllocator(const AllocatorOptions &options);
void DrainQuarantine();
aizatskyUnsubmitted
Done
ReplyInline Actions

static?

aizatsky: static?
dvyukovUnsubmitted
Done
ReplyInline Actions

constant variables are static by default.

dvyukov: constant variables are static by default.
aizatskyUnsubmitted
Done
ReplyInline Actions

Yes, but next two are static. I'm asking for consistency.

aizatsky: Yes, but next two are static. I'm asking for consistency.
const uptr kAllocatorSpace = ~0ULL;
const uptr kAllocatorSize = 0x10000000000ULL;
static const uptr kMinAlignmentLog = 4; // 16 bytes for x64
static const uptr kMaxAlignmentLog = 24;
typedef DefaultSizeClassMap SizeClassMap;
typedef SizeClassAllocator64<kAllocatorSpace, kAllocatorSize, 0,
SizeClassMap> PrimaryAllocator;
typedef SizeClassAllocatorLocalCache<PrimaryAllocator> AllocatorCache;
typedef LargeMmapAllocator<> SecondaryAllocator;
typedef CombinedAllocator<PrimaryAllocator, AllocatorCache,
SecondaryAllocator> ScudoAllocator;
void *scudo_malloc(uptr size, AllocType alloc_type);
void scudo_free(void *ptr, AllocType alloc_type);
void scudo_sized_free(void *ptr, uptr size, AllocType alloc_type);
void *scudo_realloc(void *ptr, uptr size);
void *scudo_calloc(uptr nmemb, uptr size);
void *scudo_memalign(uptr alignment, uptr size);
void *scudo_valloc(uptr size);
void *scudo_pvalloc(uptr size);
int scudo_posix_memalign(void **memptr, uptr alignment, uptr size);
void *scudo_aligned_alloc(uptr alignment, uptr size);
uptr scudo_malloc_usable_size(void *ptr);
} // namespace __scudo
#endif // SCUDO_ALLOCATOR_H_

lib/hardened_allocator/scudo_allocator.cc

//===-- scudo_allocator.cc --------------------------------------*- C++ -*-===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
///
/// Scudo Hardened Allocator implementation.
/// It uses the sanitizer_common allocator as a base and aims at mitigating
/// heap corruption vulnerabilities. It provides a checksum-guarded chunk
/// header, a delayed free list, and various other security improvements.
///
//===----------------------------------------------------------------------===//
#include "scudo_allocator.h"
#include "scudo_utils.h"
#include "sanitizer_common/sanitizer_allocator_interface.h"
#include "sanitizer_common/sanitizer_quarantine.h"
#include <limits.h>
#include <pthread.h>
#include <smmintrin.h>
#include <cstring>
namespace __scudo {
void NORETURN Die() {
// TODO(kostyak): do we want to be able to abort?
if (common_flags()->abort_on_error)
Abort();
internal__exit(common_flags()->exitcode);
}
void NORETURN CheckFailed(const char *file, int line, const char *cond,
u64 v1, u64 v2) {
// FIXME: currently using sanitizer's Printf. We might want to use
// something less complex to avoid potential issues.
kccUnsubmitted
Done
ReplyInline Actions

Are you using Printf from the sanitizer_common?
Fine for now, but add a FIXIME comment to replace it with something of your own,
because sanitizer_common's Printf is pretty complex and you may not want this complexity in a hardened malloc.

kcc: Are you using Printf from the sanitizer_common? Fine for now, but add a FIXIME comment to…
Printf("CHECK failed: %s:%d %s (%lld, %lld)\n", file, line, cond, v1, v2);
Die();
}
static ScudoAllocator &get_allocator();
// TODO(kostyak): currently we have one prng per thread, is it necessary?
static thread_local Xorshift128Plus prng;
// Global cookie
static u64 cookie;
enum ChunkState : u8 {
CHUNK_AVAILABLE = 0,
CHUNK_ALLOCATED = 1,
CHUNK_QUARANTINE = 2
};
typedef unsigned __int128 u128;
typedef u128 PackedHeader;
// Our header requires 128-bit of storage on x64 (the only platform supported
// as of now), which fits nicely with the alignment requirements. It's storing:
// - a 16-bit checksum
kccUnsubmitted
Done
ReplyInline Actions

May I ask you to reformat this as a bullet list, or move the comments closer to the fields?
Just for better visual effect of the comment.

kcc: May I ask you to reformat this as a bullet list, or move the comments closer to the fields?
// - the user requested size for that chunk (needed for reallocation purposes)
// - its state (available, allocated, or quarantined),
// - the allocation type (malloc, new, new[], or memalign)
// - if that chunk if 'offseted' (ie: if the chunk beginning is different than
// the backend allocation beginning)
// - the related offset field
// - and a salt
// Having the offset saves us from using functions such as GetBlockBegin, that
// is fairly costly. Our first implementation used the MetaData as well, which
// offers the advantage of being stored away from the chunk itself, but
// accessing it was costly as well.
// The header will be atomically loaded and stored using the 16-byte primitives
// offered by the platform (likely requires cmpxchg16b support).
struct UnpackedHeader {
// 1st 8 bytes
u128 checksum : 16;
u128 requested_size : 40;
u128 state : 2;
u128 alloc_type : 2;
u128 with_offset : 1;
u128 unused_0_ : 3;
// 2nd 8 bytes
u128 offset : 24;
u128 unused_1_ : 24;
u128 salt : 16;
};
COMPILER_CHECK(sizeof(UnpackedHeader) == sizeof(u128));
COMPILER_CHECK(sizeof(PackedHeader) == sizeof(u128));
static const uptr kChunkHeaderSize = sizeof(PackedHeader);
struct ScudoChunk : UnpackedHeader {
uptr UserBeg() {
return reinterpret_cast<uptr>(this) + kChunkHeaderSize;
}
// We can't use the offset member of the chunk itself, as we would double
// fetch it without any warranty that it wouldn't have been tampered. To
// prevent this, we work with a stack based copy of the header, hence the
// following static function.
static void *AllocBeg(ScudoChunk *chunk, UnpackedHeader *header) {
if (header->with_offset == 0) {
return reinterpret_cast<void *>(chunk);
} else {
return reinterpret_cast<void *>(
chunk->UserBeg() - (header->offset << kMinAlignmentLog));
}
}
// CRC32 checksum of the Chunk pointer and its ChunkHeader.
// It currently uses the Intel Nehalem SSE4.2 crc32 64-bit instruction.
// TODO(kostyak): use a BSD checksum for the non-sse4.2 processors?
__attribute__((target("sse4.2")))
u16 Checksum(UnpackedHeader *header) const {
kccUnsubmitted
Done
ReplyInline Actions

is stored

kcc: is stored
u64 header_holder[2];
memcpy(header_holder, header, sizeof(header_holder));
u64 crc = _mm_crc32_u64(0, reinterpret_cast<uptr>(this));
// This is somewhat of a shortcut. The checksum is stored in the 16 least
// significant bits of the header, hence zero-ing those bits out. It would
// be more valid to zero the checksum field of the UnpackedHeader, but
aizatskyUnsubmitted
Done
ReplyInline Actions

This uses this.cookie. Is this intended?

aizatsky: This uses this.cookie. Is this intended?
cryptoadAuthorUnsubmitted
Done
ReplyInline Actions

I am not sure what you mean here, as there is no cookie member to the struct. Could you please clarify?

cryptoad: I am not sure what you mean here, as there is no cookie member to the struct. Could you please…
aizatskyUnsubmitted
Done
ReplyInline Actions

I had wrong idea where cookie is stored. NM.

aizatsky: I had wrong idea where cookie is stored. NM.
// would require holding an additional copy of it.
crc = _mm_crc32_u64(crc, header_holder[0] & 0xffffffffffff0000ULL);
crc = _mm_crc32_u64(crc, header_holder[1]);
return static_cast<u16>(crc ^ cookie);
aizatskyUnsubmitted
Done
ReplyInline Actions

const function?

aizatsky: const function?
}
aizatskyUnsubmitted
Done
ReplyInline Actions

I suggest to use PackedHeader instead of u128 throught the source code. Will make maintaining/porting much easier.

aizatsky: I suggest to use PackedHeader instead of u128 throught the source code. Will make…
// Loads and unpacks the header, verifying the checksum in the process.
void LoadHeader(UnpackedHeader *unpacked_header) const {
PackedHeader packed_header;
__atomic_load(reinterpret_cast<const PackedHeader *>(this), &packed_header,
__ATOMIC_ACQUIRE);
*unpacked_header = bit_cast<UnpackedHeader>(packed_header);
if (unpacked_header->checksum != Checksum(unpacked_header)) {
Printf("ERROR: corrupted chunk header at address %p\n", this);
Die();
}
}
aizatskyUnsubmitted
Done
ReplyInline Actions

Instead of having optional parameter, maybe its better to split this function into two? One simple copying, another - verify and copy.

aizatsky: Instead of having optional parameter, maybe its better to split this function into two? One…
cryptoadAuthorUnsubmitted
Done
ReplyInline Actions

I liked having a single one to avoid duplication, but I can see the interest in having two. I can change that if you feel strongly about it.

cryptoad: I liked having a single one to avoid duplication, but I can see the interest in having two. I…
aizatskyUnsubmitted
Done
ReplyInline Actions

Besides making them much easier, this would clearly show where there is verification and where there isn't. These are totally two different functions, and you use null value as a special value logic switch.

aizatsky: Besides making them much easier, this would clearly show where there is verification and where…
// Packs and stores the header, computing the checksum in the process. If a
// header is provided for comparison, we check that it is still the same.
// A different one would mean that another thread would have raced us.
void StoreHeader(UnpackedHeader *new_unpacked_header,
UnpackedHeader *old_unpacked_header) {
new_unpacked_header->checksum = Checksum(new_unpacked_header);
PackedHeader new_packed_header =
bit_cast<PackedHeader>(*new_unpacked_header);
if (old_unpacked_header == nullptr) {
__atomic_store(reinterpret_cast<PackedHeader *>(this), &new_packed_header,
__ATOMIC_RELEASE);
} else {
PackedHeader old_packed_header =
bit_cast<PackedHeader>(*old_unpacked_header);
if (!__atomic_compare_exchange(reinterpret_cast<PackedHeader *>(this),
&old_packed_header,
&new_packed_header,
false,
__ATOMIC_ACQUIRE,
__ATOMIC_ACQUIRE)) {
Printf("ERROR: race on chunk header at address %p\n", this);
Die();
}
}
}
};
static pthread_once_t global_inited = PTHREAD_ONCE_INIT;
static thread_local bool thread_inited;
static pthread_key_t pkey;
static thread_local AllocatorCache cache;
static void thread_dtor(void *p) {
uptr v = reinterpret_cast<uptr>(p);
// The glibc POSIX thread-local-storage deallocation routine calls user
// provided destructors in a loop of PTHREAD_DESTRUCTOR_ITERATIONS.
// We want to be called last since other destructors might call free and the
// like, so we wait until PTHREAD_DESTRUCTOR_ITERATIONS before draining the
// quarantine and swallowing the cache.
if (v < PTHREAD_DESTRUCTOR_ITERATIONS) {
pthread_setspecific(pkey, reinterpret_cast<void *>(v + 1));
return;
}
DrainQuarantine();
get_allocator().DestroyCache(&cache);
}
static void global_init() {
pthread_key_create(&pkey, thread_dtor);
}
kccUnsubmitted
Done
ReplyInline Actions

Yep, sadly I don't think this will ever work, just delete it.

kcc: Yep, sadly I don't think this will ever work, just delete it.
static void NOINLINE thread_init() {
pthread_once(&global_inited, global_init);
pthread_setspecific(pkey, reinterpret_cast<void *>(1));
get_allocator().InitCache(&cache);
thread_inited = true;
}
struct QuarantineCallback {
explicit QuarantineCallback(AllocatorCache *cache)
: cache_(cache) {}
// Chunk recycling function, returns a quarantined chunk to the backend.
void Recycle(ScudoChunk *chunk) {
UnpackedHeader header;
chunk->LoadHeader(&header);
if (header.state != CHUNK_QUARANTINE) {
Printf("ERROR: invalid chunk state when recycling address %p\n",
chunk);
Die();
}
void *ptr = ScudoChunk::AllocBeg(chunk, &header);
get_allocator().Deallocate(cache_, ptr);
}
/// Internal quarantine allocation and deallocation functions.
void *Allocate(uptr size) {
// The internal quarantine memory cannot be protected by us. But the only
// structures allocated are QuarantineBatch, that are 8KB for x64. So we
// will use mmap for those, and given that Deallocate doesn't pass a size
// in, we enforce the size of the allocation to be sizeof(QuarantineBatch).
// TODO(kostyak): switching to mmap impacts greatly performances, we have
// to find another solution
// CHECK_EQ(size, sizeof(QuarantineBatch));
// return MmapOrDie(size, "QuarantineBatch");
return get_allocator().Allocate(cache_, size, 1, false);
}
void Deallocate(void *ptr) {
// UnmapOrDie(ptr, sizeof(QuarantineBatch));
get_allocator().Deallocate(cache_, ptr);
}
kccUnsubmitted
Done
ReplyInline Actions

merge into one line

kcc: merge into one line
AllocatorCache *cache_;
};
typedef Quarantine<QuarantineCallback, ScudoChunk> ScudoQuarantine;
typedef ScudoQuarantine::Cache QuarantineCache;
// static thread_local QuarantineCache quarantine_cache;
static THREADLOCAL uptr quarantine_cache[4] = {};
COMPILER_CHECK(sizeof(QuarantineCache) <= sizeof(quarantine_cache));
void AllocatorOptions::SetFrom(const Flags *f, const CommonFlags *cf) {
may_return_null = cf->allocator_may_return_null;
quarantine_size_mb = f->quarantine_size_mb;
alloc_dealloc_mismatch = f->alloc_dealloc_mismatch;
new_delete_size_mismatch = f->new_delete_size_mismatch;
zero_chunk_contents = f->zero_chunk_contents;
}
void AllocatorOptions::CopyTo(Flags *f, CommonFlags *cf) const {
cf->allocator_may_return_null = may_return_null;
f->quarantine_size_mb = quarantine_size_mb;
f->alloc_dealloc_mismatch = alloc_dealloc_mismatch;
f->new_delete_size_mismatch = new_delete_size_mismatch;
f->zero_chunk_contents = zero_chunk_contents;
}
struct Allocator {
static const uptr kMaxAllowedMallocSize = 1ULL << 40;
static const uptr kMaxThreadLocalQuarantine = 1U << 20;
static const uptr kMinAlignment = 1 << kMinAlignmentLog;
static const uptr kMaxAlignment = 1 << kMaxAlignmentLog; // 16 MB
ScudoAllocator allocator;
ScudoQuarantine quarantine;
bool alloc_dealloc_mismatch;
bool zero_chunk_contents;
bool new_delete_size_mismatch;
explicit Allocator(LinkerInitialized)
: quarantine(LINKER_INITIALIZED) {}
void Initialize(const AllocatorOptions &options) {
CHECK(TestCPUFeature(SSE4_2)); // for crc32
alloc_dealloc_mismatch = options.alloc_dealloc_mismatch;
new_delete_size_mismatch = options.new_delete_size_mismatch;
zero_chunk_contents = options.zero_chunk_contents;
allocator.Init(options.may_return_null);
quarantine.Init(static_cast<uptr>(options.quarantine_size_mb) << 20,
kMaxThreadLocalQuarantine);
cookie = prng.Next();
}
// Allocates a chunk.
void *Allocate(uptr size, uptr alignment, AllocType alloc_type) {
if (UNLIKELY(!thread_inited))
thread_init();
if (!IsPowerOfTwo(alignment)) {
Printf("ERROR: alignment is not a power of 2\n");
Die();
}
if (alignment > kMaxAlignment)
return allocator.ReturnNullOrDie();
if (alignment < kMinAlignment)
alignment = kMinAlignment;
if (size == 0)
size = 1;
if (size >= kMaxAllowedMallocSize)
return allocator.ReturnNullOrDie();
uptr rounded_size = RoundUpTo(size, kMinAlignment);
uptr extra_bytes = kChunkHeaderSize;
if (alignment > kMinAlignment)
extra_bytes += alignment;
uptr needed_size = rounded_size + extra_bytes;
// CHECK_GE(needed_size, size); // Overflow cannot happen
if (needed_size >= kMaxAllowedMallocSize)
return allocator.ReturnNullOrDie();
void *ptr = allocator.Allocate(&cache, needed_size, kMinAlignment);
if (ptr == nullptr)
return allocator.ReturnNullOrDie();
uptr alloc_beg = reinterpret_cast<uptr>(ptr);
uptr chunk_beg = alloc_beg + kChunkHeaderSize;
if (!IsAligned(chunk_beg, alignment))
chunk_beg = RoundUpTo(chunk_beg, alignment);
CHECK_LE(chunk_beg + size, alloc_beg + needed_size);
ScudoChunk *chunk =
reinterpret_cast<ScudoChunk *>(chunk_beg - kChunkHeaderSize);
UnpackedHeader header = {};
header.state = CHUNK_ALLOCATED;
if (chunk_beg != alloc_beg + kChunkHeaderSize) {
header.with_offset = 1;
header.offset = (chunk_beg - alloc_beg) >> kMinAlignmentLog;
}
header.alloc_type = alloc_type;
header.requested_size = size;
header.salt = static_cast<u16>(prng.Next());
chunk->StoreHeader(&header, nullptr);
gliderUnsubmitted
Not Done
ReplyInline Actions

Is the salt value used anywhere? If not, what's its point?

glider: Is the salt value used anywhere? If not, what's its point?
cryptoadAuthorUnsubmitted
Not Done
ReplyInline Actions

The salt will be part of the data checksumed.
This allows a chunk to not always have the same checksum even if it's "metadata" is identical.
On the downside, tampering with the salt might be used to do a compensation attack.
I felt the benefit outweighed the disadvantage, but it's debatable.

cryptoad: The salt will be part of the data checksumed. This allows a chunk to not always have the same…
kccUnsubmitted
Not Done
ReplyInline Actions

AFIACT, The salt bits (among others) are used to compute the checksum.

kcc: AFIACT, The salt bits (among others) are used to compute the checksum.
void *user_ptr = reinterpret_cast<void *>(chunk_beg);
if (zero_chunk_contents && allocator.FromPrimary(ptr))
memset(user_ptr, 0, size);
// TODO(kostyak): hooks sound like a terrible idea security wise but might
// be needed for things to work properly?
// if (&__sanitizer_malloc_hook) __sanitizer_malloc_hook(user_ptr, size);
return user_ptr;
}
// Deallocates a Chunk, which means adding it to the delayed free list (or
// Quarantine).
void Deallocate(void *user_ptr, uptr delete_size, AllocType alloc_type) {
if (UNLIKELY(!thread_inited))
thread_init();
// TODO(kostyak): see hook comment above
// if (&__sanitizer_free_hook) __sanitizer_free_hook(user_ptr);
if (user_ptr == nullptr)
return;
uptr chunk_beg = reinterpret_cast<uptr>(user_ptr);
if (!IsAligned(chunk_beg, kMinAlignment)) {
Printf("ERROR: attempted to deallocate a chunk not properly aligned at "
"address %p\n", user_ptr);
Die();
}
ScudoChunk *chunk =
reinterpret_cast<ScudoChunk *>(chunk_beg - kChunkHeaderSize);
UnpackedHeader old_header;
chunk->LoadHeader(&old_header);
if (old_header.state != CHUNK_ALLOCATED) {
Printf("ERROR: invalid chunk state when deallocating address %p\n",
chunk);
Die();
}
UnpackedHeader new_header = old_header;
new_header.state = CHUNK_QUARANTINE;
chunk->StoreHeader(&new_header, &old_header);
if (alloc_dealloc_mismatch) {
// The deallocation type has to match the allocation one
if (new_header.alloc_type != alloc_type) {
// With the exception of memalign'd Chunks, that can be still be free'd
if (!(new_header.alloc_type == FROM_MEMALIGN &&
alloc_type == FROM_MALLOC)) {
Printf("ERROR: allocation type mismatch on address %p\n", chunk);
Die();
}
}
}
uptr size = new_header.requested_size;
if (new_delete_size_mismatch) {
if (delete_size && delete_size != size) {
Printf("ERROR: invalid sized delete on chunk at address %p\n", chunk);
Die();
}
}
quarantine.Put(reinterpret_cast<QuarantineCache *>(quarantine_cache),
QuarantineCallback(&cache), chunk, size);
}
// Returns the actual usable size of a chunk. Since this requires loading the
// header, we will return it in the second parameter, as it can be required
// by the caller to perform additional processing.
uptr UsableSize(const void *ptr, UnpackedHeader *header) {
if (UNLIKELY(!thread_inited))
thread_init();
if (ptr == nullptr)
return 0;
uptr chunk_beg = reinterpret_cast<uptr>(ptr);
ScudoChunk *chunk =
reinterpret_cast<ScudoChunk *>(chunk_beg - kChunkHeaderSize);
chunk->LoadHeader(header);
// Getting the usable size of a chunk only makes sense if it's allocated.
if (header->state != CHUNK_ALLOCATED) {
Printf("ERROR: attempted to size a non-allocated chunk at address %p\n",
chunk);
}
uptr size = allocator.GetActuallyAllocatedSize(
ScudoChunk::AllocBeg(chunk, header));
// UsableSize works as malloc_usable_size, which is also what (AFAIU)
// tcmalloc's MallocExtension::GetAllocatedSize aims at providing. This
// means we will return the size of the chunk from the user beginning to
// the end of the 'user' allocation, hence us subtracting the header and|or
// offset from the size.
if (size == 0) {
return size;
}
if (header->with_offset == 0) {
return size - kChunkHeaderSize;
}
return size - (header->offset << kMinAlignmentLog);
kccUnsubmitted
Done
ReplyInline Actions

You probably mean tcmalloc's MallocExtension. Mention tcmalloc here?

kcc: You probably mean tcmalloc's MallocExtension. Mention tcmalloc here?
}
// Helper function that doesn't care about the header.
uptr UsableSize(const void *ptr) {
UnpackedHeader header;
return UsableSize(ptr, &header);
}
// Reallocates a chunk. We can save on a new allocation if the new requested
// size still fits in the chunk.
void *Reallocate(void *old_ptr, uptr new_size) {
if (UNLIKELY(!thread_inited))
thread_init();
// CHECK(old_ptr && new_size); // Redundant with scudo_realloc
UnpackedHeader old_header;
uptr usable_size = UsableSize(old_ptr, &old_header);
uptr chunk_beg = reinterpret_cast<uptr>(old_ptr);
ScudoChunk *chunk =
reinterpret_cast<ScudoChunk *>(chunk_beg - kChunkHeaderSize);
if (old_header.alloc_type != FROM_MALLOC) {
kccUnsubmitted
Not Done
ReplyInline Actions

Are you sure we want to save an alloc?
Does this actually improve security, or weaken it?
(I don't know, just asking)

kcc: Are you sure we want to save an alloc? Does this actually improve security, or weaken it? (I…
cryptoadAuthorUnsubmitted
Not Done
ReplyInline Actions

That is a valid point. I haven't thought about the security implications of reallocating in place when the size allows. I will look into it.

cryptoad: That is a valid point. I haven't thought about the security implications of reallocating in…
Printf("ERROR: invalid chunk type when reallocating address %p\n",
chunk);
Die();
}
UnpackedHeader new_header = old_header;
// The new size still fits in the current chunk.
if (new_size <= usable_size) {
// TODO(kostyak): zero the additional contents
new_header.requested_size = new_size;
chunk->StoreHeader(&new_header, &old_header);
return old_ptr;
}
// Otherwise, we have to allocate a new chunk and copy the contents of the
// old one.
void *new_ptr = Allocate(new_size, kMinAlignment, FROM_MALLOC);
if (new_ptr) {
uptr old_size = old_header.requested_size;
memcpy(new_ptr, old_ptr, Min(new_size, old_size));
new_header.state = CHUNK_QUARANTINE;
chunk->StoreHeader(&new_header, &old_header);
quarantine.Put(reinterpret_cast<QuarantineCache *>(quarantine_cache),
QuarantineCallback(&cache), chunk, old_size);
}
return new_ptr;
}
void *Calloc(uptr nmemb, uptr size) {
uptr total = nmemb * size;
if (size != 0 && total / size != nmemb) // Overflow check
return allocator.ReturnNullOrDie();
void *ptr = Allocate(total, kMinAlignment, FROM_MALLOC);
if (ptr && allocator.FromPrimary(ptr))
memset(ptr, 0, total);
return ptr;
}
void DrainQuarantine() {
quarantine.Drain(reinterpret_cast<QuarantineCache *>(quarantine_cache),
QuarantineCallback(&cache));
}
};
static Allocator instance(LINKER_INITIALIZED);
static ScudoAllocator &get_allocator() {
return instance.allocator;
}
void InitializeAllocator(const AllocatorOptions &options) {
instance.Initialize(options);
}
void DrainQuarantine() {
instance.DrainQuarantine();
}
void *scudo_malloc(uptr size, AllocType alloc_type) {
return instance.Allocate(size, Allocator::kMinAlignment, alloc_type);
}
void scudo_free(void *ptr, AllocType alloc_type) {
instance.Deallocate(ptr, 0, alloc_type);
}
void scudo_sized_free(void *ptr, uptr size, AllocType alloc_type) {
instance.Deallocate(ptr, size, alloc_type);
}
void *scudo_realloc(void *ptr, uptr size) {
if (ptr == nullptr)
return instance.Allocate(size, Allocator::kMinAlignment, FROM_MALLOC);
if (size == 0) {
instance.Deallocate(ptr, 0, FROM_MALLOC);
return nullptr;
}
return instance.Reallocate(ptr, size);
}
void *scudo_calloc(uptr nmemb, uptr size) {
return instance.Calloc(nmemb, size);
}
void *scudo_valloc(uptr size) {
return instance.Allocate(size, GetPageSizeCached(), FROM_MEMALIGN);
}
void *scudo_memalign(uptr alignment, uptr size) {
return instance.Allocate(size, alignment, FROM_MEMALIGN);
}
void *scudo_pvalloc(uptr size) {
uptr PageSize = GetPageSizeCached();
size = RoundUpTo(size, PageSize);
if (size == 0) {
// pvalloc(0) should allocate one page.
size = PageSize;
}
return instance.Allocate(size, PageSize, FROM_MEMALIGN);
}
int scudo_posix_memalign(void **memptr, uptr alignment, uptr size) {
void *ptr = instance.Allocate(size, alignment, FROM_MEMALIGN);
*memptr = ptr;
return 0;
}
void *scudo_aligned_alloc(uptr alignment, uptr size) {
// size must be a multiple of the alignment. To avoid a division, we first
// make sure that alignment is a power of 2.
CHECK(IsPowerOfTwo(alignment));
CHECK_EQ((size & (alignment - 1)), 0);
return instance.Allocate(size, alignment, FROM_MALLOC);
}
uptr scudo_malloc_usable_size(void *ptr) {
return instance.UsableSize(ptr);
}
} // namespace __scudo
using namespace __scudo;
// MallocExtension helper functions
uptr __sanitizer_get_current_allocated_bytes() {
uptr stats[AllocatorStatCount];
get_allocator().GetStats(stats);
return stats[AllocatorStatAllocated];
}
uptr __sanitizer_get_heap_size() {
uptr stats[AllocatorStatCount];
get_allocator().GetStats(stats);
return stats[AllocatorStatMapped];
}
uptr __sanitizer_get_free_bytes() {
return 1;
}
uptr __sanitizer_get_unmapped_bytes() {
return 1;
}
uptr __sanitizer_get_estimated_allocated_size(uptr size) {
return size;
}
int __sanitizer_get_ownership(const void *p) {
return instance.UsableSize(p) != 0;
}
uptr __sanitizer_get_allocated_size(const void *p) {
return instance.UsableSize(p);
}

lib/hardened_allocator/scudo_flags.h

//===-- scudo_flags.h -------------------------------------------*- C++ -*-===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
///
/// Header for scudo_flags.cc.
///
//===----------------------------------------------------------------------===//
#ifndef SCUDO_FLAGS_H_
#define SCUDO_FLAGS_H_
namespace __scudo {
struct Flags {
#define SCUDO_FLAG(Type, Name, DefaultValue, Description) Type Name;
#include "scudo_flags.inc"
#undef SCUDO_FLAG
void SetDefaults();
};
extern Flags scudo_flags_dont_use_directly;
inline Flags *flags() {
return &scudo_flags_dont_use_directly;
}
void InitializeFlags();
} // namespace __scudo
#endif // SCUDO_FLAGS_H_

lib/hardened_allocator/scudo_flags.cc

//===-- scudo_flags.cc ------------------------------------------*- C++ -*-===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
///
/// Hardened Allocator flag parsing logic.
///
//===----------------------------------------------------------------------===//
#include "scudo_flags.h"
#include "sanitizer_common/sanitizer_flags.h"
#include "sanitizer_common/sanitizer_flag_parser.h"
namespace __scudo {
Flags scudo_flags_dont_use_directly; // use via flags().
void Flags::SetDefaults() {
#define SCUDO_FLAG(Type, Name, DefaultValue, Description) Name = DefaultValue;
#include "scudo_flags.inc"
#undef SCUDO_FLAG
}
static void RegisterScudoFlags(FlagParser *parser, Flags *f) {
#define SCUDO_FLAG(Type, Name, DefaultValue, Description) \
RegisterFlag(parser, #Name, Description, &f->Name);
#include "scudo_flags.inc"
#undef SCUDO_FLAG
}
void InitializeFlags() {
SetCommonFlagsDefaults();
{
CommonFlags cf;
cf.CopyFrom(*common_flags());
cf.exitcode = 1;
OverrideCommonFlags(cf);
}
Flags *f = flags();
f->SetDefaults();
FlagParser scudo_parser;
RegisterScudoFlags(&scudo_parser, f);
RegisterCommonFlags(&scudo_parser);
scudo_parser.ParseString(GetEnv("SCUDO_OPTIONS"));
InitializeCommonFlags();
if (f->quarantine_size_mb < 0) {
const int kDefaultQuarantineSizeMb = 1UL << 6; // 64 MB
f->quarantine_size_mb = kDefaultQuarantineSizeMb;
}
}
}

lib/hardened_allocator/scudo_flags.inc

//===-- scudo_flags.inc -----------------------------------------*- C++ -*-===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
///
/// Hardened Allocator runtime flags.
///
//===----------------------------------------------------------------------===//
#ifndef SCUDO_FLAG
# error "Define SCUDO_FLAG prior to including this file!"
#endif
SCUDO_FLAG(int, quarantine_size_mb, -1,
"Size (in Mb) of quarantine used to delay the actual deallocation "
"of chunks. Lower value may reduce memory usage but decrease the "
"effectiveness of the mitigation.")
SCUDO_FLAG(bool, alloc_dealloc_mismatch, true,
"Report errors on malloc/delete, new/free, new/delete[], etc.")
SCUDO_FLAG(bool, new_delete_size_mismatch, true,
"Report errors on mismatch between size of new and delete.")
SCUDO_FLAG(bool, zero_chunk_contents, false,
"Zero chunk contents on allocation and deallocation.")

lib/hardened_allocator/scudo_malloc_linux.cc

//===-- scudo_malloc_linux.cc -----------------------------------*- C++ -*-===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
///
/// Linux specific malloc interception functions.
///
//===----------------------------------------------------------------------===//
#include "sanitizer_common/sanitizer_platform.h"
#if SANITIZER_LINUX
#include "scudo_allocator.h"
#include "interception/interception.h"
using namespace __scudo;
INTERCEPTOR(void, free, void *ptr) {
scudo_free(ptr, FROM_MALLOC);
}
INTERCEPTOR(void, cfree, void *ptr) {
scudo_free(ptr, FROM_MALLOC);
}
INTERCEPTOR(void*, malloc, uptr size) {
return scudo_malloc(size, FROM_MALLOC);
}
INTERCEPTOR(void*, realloc, void *ptr, uptr size) {
return scudo_realloc(ptr, size);
}
INTERCEPTOR(void*, calloc, uptr nmemb, uptr size) {
return scudo_calloc(nmemb, size);
}
INTERCEPTOR(void*, valloc, uptr size) {
return scudo_valloc(size);
}
INTERCEPTOR(void*, memalign, uptr alignment, uptr size) {
return scudo_memalign(alignment, size);
}
INTERCEPTOR(void*, __libc_memalign, uptr alignment, uptr size) {
return scudo_memalign(alignment, size);
}
INTERCEPTOR(void*, pvalloc, uptr size) {
return scudo_pvalloc(size);
}
INTERCEPTOR(void*, aligned_alloc, uptr alignment, uptr size) {
return scudo_aligned_alloc(alignment, size);
}
INTERCEPTOR(int, posix_memalign, void **memptr, uptr alignment, uptr size) {
return scudo_posix_memalign(memptr, alignment, size);
}
INTERCEPTOR(uptr, malloc_usable_size, void *ptr) {
return scudo_malloc_usable_size(ptr);
}
INTERCEPTOR(int, mallopt, int cmd, int value) {
return -1;
}
#endif

lib/hardened_allocator/scudo_new_delete.cc

//===-- scudo_new_delete.cc -------------------------------------*- C++ -*-===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
///
/// Interceptors for operators new and delete.
///
//===----------------------------------------------------------------------===//
#include "scudo_allocator.h"
#include "interception/interception.h"
#include <cstddef>
using namespace __scudo;
#define CXX_OPERATOR_ATTRIBUTE INTERCEPTOR_ATTRIBUTE
// Fake std::nothrow_t to avoid including <new>.
namespace std {
struct nothrow_t {};
} // namespace std
CXX_OPERATOR_ATTRIBUTE
void *operator new(size_t size) {
return scudo_malloc(size, FROM_NEW);
}
CXX_OPERATOR_ATTRIBUTE
void *operator new[](size_t size) {
return scudo_malloc(size, FROM_NEWARRAY);
}
CXX_OPERATOR_ATTRIBUTE
void *operator new(size_t size, std::nothrow_t const&) {
return scudo_malloc(size, FROM_NEW);
}
CXX_OPERATOR_ATTRIBUTE
void *operator new[](size_t size, std::nothrow_t const&) {
return scudo_malloc(size, FROM_NEWARRAY);
}
CXX_OPERATOR_ATTRIBUTE
void operator delete(void *ptr) NOEXCEPT {
return scudo_free(ptr, FROM_NEW);
}
CXX_OPERATOR_ATTRIBUTE
void operator delete[](void *ptr) NOEXCEPT {
return scudo_free(ptr, FROM_NEWARRAY);
}
CXX_OPERATOR_ATTRIBUTE
void operator delete(void *ptr, std::nothrow_t const&) NOEXCEPT {
return scudo_free(ptr, FROM_NEW);
}
CXX_OPERATOR_ATTRIBUTE
void operator delete[](void *ptr, std::nothrow_t const&) NOEXCEPT {
return scudo_free(ptr, FROM_NEWARRAY);
}
CXX_OPERATOR_ATTRIBUTE
void operator delete(void *ptr, size_t size) NOEXCEPT {
scudo_sized_free(ptr, size, FROM_NEW);
}
CXX_OPERATOR_ATTRIBUTE
void operator delete[](void *ptr, size_t size) NOEXCEPT {
scudo_sized_free(ptr, size, FROM_NEWARRAY);
}

lib/hardened_allocator/scudo_rtl.cc

//===-- scudo_rtl.cc --------------------------------------------*- C++ -*-===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
///
/// Main file for the Hardened Allocator runtime library.
///
//===----------------------------------------------------------------------===//
#include "scudo_allocator.h"
namespace __scudo {
bool scudo_inited;
bool scudo_init_is_running;
static void ScudoInitInternal() {
if (LIKELY(scudo_inited))
return;
SanitizerToolName = "Scudo";
CHECK(!scudo_init_is_running && "Scudo init calls itself!");
scudo_init_is_running = true;
InitializeFlags();
AllocatorOptions allocator_options;
allocator_options.SetFrom(flags(), common_flags());
InitializeAllocator(allocator_options);
scudo_inited = true;
scudo_init_is_running = false;
}
} // namespace __scudo
using namespace __scudo;
void __scudo_init() {
ScudoInitInternal();
}
#if SANITIZER_CAN_USE_PREINIT_ARRAY
__attribute__((section(".preinit_array"), used))
void (*__local_scudo_preinit)(void) = __scudo_init;
#else
#error "Can't use .preinit_array"
#endif

lib/hardened_allocator/scudo_utils.h

//===-- scudo_utils.h -------------------------------------------*- C++ -*-===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
///
/// Header for scudo_utils.cc.
///
//===----------------------------------------------------------------------===//
#ifndef SCUDO_UTILS_H_
#define SCUDO_UTILS_H_
#include <string.h>
#include "sanitizer_common/sanitizer_common.h"
namespace __scudo {
template <class Dest, class Source>
inline Dest bit_cast(const Source& source) {
typedef char VerifySizesAreEqual[sizeof(Dest) == sizeof(Source) ? 1 : -1]
UNUSED;
Dest dest;
memcpy(&dest, &source, sizeof(dest));
return dest;
}
enum CPUFeature {
SSE4_2 = 0,
RDRAND = 1,
ENUM_CPUFEATURE_MAX
};
bool TestCPUFeature(CPUFeature feature);
// Tiny PRNG based on https://en.wikipedia.org/wiki/Xorshift#xorshift.2B
// The state (128 bits) will be stored in thread local storage
gliderUnsubmitted
Not Done
ReplyInline Actions

Note that Xorshift isn't cryptographically secure, and may be easy to predict.

glider: Note that Xorshift isn't cryptographically secure, and may be easy to predict.
cryptoadAuthorUnsubmitted
Not Done
ReplyInline Actions

I am OK with the PRNG not being cryptographically secure, its purpose is to add some randomness to the process.

cryptoad: I am OK with the PRNG not being cryptographically secure, its purpose is to add some randomness…
struct Xorshift128Plus {
public:
Xorshift128Plus();
Xorshift128Plus(u64 state_0, u64 state_1)
: state_0_(state_0), state_1_(state_1) {}
void SetSeed(u64 state_0, u64 state_1) {
state_0_ = state_0;
state_1_ = state_1;
}
void GetSeed(u64 *state_0, u64 *state_1) {
*state_0 = state_0_;
*state_1 = state_1_;
}
u64 Next() {
u64 x = state_0_;
const u64 y = state_1_;
state_0_ = y;
x ^= x << 23; // a
state_1_ = x ^ y ^ (x >> 17) ^ (y >> 26); // b, c
return state_1_ + y;
}
private:
u64 state_0_;
u64 state_1_;
};
} // namespace __scudo
#endif // SCUDO_UTILS_H_

lib/hardened_allocator/scudo_utils.cc

//===-- scudo_utils.cc ------------------------------------------*- C++ -*-===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
///
/// Platform specific utility functions.
///
//===----------------------------------------------------------------------===//
#include "scudo_utils.h"
#include <cstring>
#include <chrono> // for std::chrono::high_resolution_clock
#include <functional> // for std::hash
#include <thread> // for std::this_thread
namespace __scudo {
typedef struct {
u32 eax;
u32 ebx;
u32 ecx;
u32 edx;
} CPUIDInfo;
static void cpuid(CPUIDInfo *info, u32 leaf, u32 subleaf)
{
asm volatile("cpuid"
: "=a" (info->eax), "=b" (info->ebx), "=c" (info->ecx), "=d" (info->edx)
: "a" (leaf), "c" (subleaf)
);
}
// Returns true is the CPU is a "GenuineIntel"
static bool IsIntelCPU()
{
CPUIDInfo Info;
vitalybukaUnsubmitted
Done
ReplyInline Actions

Variable naming does not comply http://llvm.org/docs/CodingStandards.html

vitalybuka: Variable naming does not comply http://llvm.org/docs/CodingStandards.html
cpuid(&Info, 0, 0);
if (memcmp(reinterpret_cast<char *>(&Info.ebx), "Genu", 4) ||
memcmp(reinterpret_cast<char *>(&Info.edx), "ineI", 4) ||
memcmp(reinterpret_cast<char *>(&Info.ecx), "ntel", 4)) {
return false;
}
return true;
}
bool TestCPUFeature(CPUFeature feature)
{
static bool kInfoInitialized = false;
static CPUIDInfo kCPUInfo = {};
if (kInfoInitialized == false) {
if (IsIntelCPU() == true)
cpuid(&kCPUInfo, 1, 0);
kInfoInitialized = true;
}
switch (feature) {
case SSE4_2:
return ((kCPUInfo.ecx >> 20) & 0x1) != 0;
case RDRAND:
return ((kCPUInfo.ecx >> 30) & 0x1) != 0;
default:
break;
}
return false;
}
static u64 RdTSC() {
// Clang: __builtin_readcyclecounter
u64 low, high;
__asm__ volatile("rdtsc" : "=a" (low), "=d" (high));
return (high << 32) | low;
}
// RdRand64 will call rdrand if the feature is available for the CPU, otherwise
// it will use a XOR of the cycle counter, the high resolution clock and the
// thread ID hash.
static u64 RdRand64() {
static s8 kHasRdRand = -1;
if (kHasRdRand == -1) {
kHasRdRand = TestCPUFeature(RDRAND);
}
if (kHasRdRand == 1) {
register u64 rnd;
u8 carry;
// Normally we need only one execution
asm volatile("rdrand %0; setc %1": "=r" (rnd), "=qm" (carry));
if (carry != 0)
return rnd; // Success
// If the first attempt failed, we fall back to retries.
for (s32 c = 10; c != 0; --c) {
asm volatile("rdrand %0; setc %1": "=r" (rnd), "=qm" (carry));
if (carry != 0)
return rnd; // Success
}
// All attempts failed. Log CPU error and abort.
Printf("ERROR: CPU error detected during 64-bit RDRAND execution.\n");
Die();
} else {
std::hash<std::thread::id> hasher;
return RdTSC() ^ hasher(std::this_thread::get_id()) ^
std::chrono::high_resolution_clock::now().time_since_epoch().count();
}
}
// Default constructor for Xorshift128Plus seeds the state with RdRand64
Xorshift128Plus::Xorshift128Plus() {
state_0_ = RdRand64();
state_1_ = RdRand64();
}
} // namespace __scudo

test/CMakeLists.txt

Show First 20 LinesShow All 67 Lines▼ Show 20 Lines if(COMPILER_RT_HAS_UBSAN)
add_subdirectory(cfi) add_subdirectory(cfi)
endif() endif()
if(COMPILER_RT_HAS_SAFESTACK) if(COMPILER_RT_HAS_SAFESTACK)
add_subdirectory(safestack) add_subdirectory(safestack)
endif() endif()
if(COMPILER_RT_HAS_ESAN) if(COMPILER_RT_HAS_ESAN)
add_subdirectory(esan) add_subdirectory(esan)
endif() endif()
if(COMPILER_RT_HAS_HARDENED_ALLOCATOR)
add_subdirectory(hardened_allocator)
endif()
endif() endif()
if(COMPILER_RT_STANDALONE_BUILD) if(COMPILER_RT_STANDALONE_BUILD)
# Now that we've traversed all the directories and know all the lit testsuites, # Now that we've traversed all the directories and know all the lit testsuites,
# introduce a rule to run to run all of them. # introduce a rule to run to run all of them.
get_property(LLVM_LIT_TESTSUITES GLOBAL PROPERTY LLVM_LIT_TESTSUITES) get_property(LLVM_LIT_TESTSUITES GLOBAL PROPERTY LLVM_LIT_TESTSUITES)
get_property(LLVM_LIT_DEPENDS GLOBAL PROPERTY LLVM_LIT_DEPENDS) get_property(LLVM_LIT_DEPENDS GLOBAL PROPERTY LLVM_LIT_DEPENDS)
add_lit_target(check-all add_lit_target(check-all
"Running all regression tests" "Running all regression tests"
${LLVM_LIT_TESTSUITES} ${LLVM_LIT_TESTSUITES}
DEPENDS ${LLVM_LIT_DEPENDS}) DEPENDS ${LLVM_LIT_DEPENDS})
endif() endif()

test/hardened_allocator/CMakeLists.txt

set(HARDENED_ALLOCATOR_LIT_SOURCE_DIR ${CMAKE_CURRENT_SOURCE_DIR})
set(HARDENED_ALLOCATOR_LIT_BINARY_DIR ${CMAKE_CURRENT_BINARY_DIR})
set(HARDENED_ALLOCATOR_TEST_DEPS ${SANITIZER_COMMON_LIT_TEST_DEPS})
if(NOT COMPILER_RT_STANDALONE_BUILD)
list(APPEND HARDENED_ALLOCATOR_TEST_DEPS hardened_allocator)
endif()
configure_lit_site_cfg(
${CMAKE_CURRENT_SOURCE_DIR}/lit.site.cfg.in
${CMAKE_CURRENT_BINARY_DIR}/lit.site.cfg
)
add_lit_testsuite(check-hardened_allocator
"Running the Hardened Allocator tests"
${CMAKE_CURRENT_BINARY_DIR}
DEPENDS ${HARDENED_ALLOCATOR_TEST_DEPS})
set_target_properties(check-hardened_allocator PROPERTIES FOLDER
"Hardened Allocator tests")

test/hardened_allocator/alignment.cc

// RUN: %clang_scudo %s -o %t
// RUN: not %run %t pointers 2>&1 | FileCheck %s
#include <assert.h>
#include <malloc.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char **argv)
{
void *p, *old_p;
size_t alignment = 1U << 16, size = 1U << 8;
assert(argc == 2);
if (!strcmp(argv[1], "pointers")) {
p = malloc(size);
if (p == nullptr)
return 1;
vitalybukaUnsubmitted
Done
ReplyInline Actions

nullptr

vitalybuka: nullptr
free(reinterpret_cast<void *>(reinterpret_cast<uintptr_t>(p) | 8));
}
return 0;
}
// CHECK: ERROR: attempted to deallocate a chunk not properly aligned

test/hardened_allocator/double-free.cc

// RUN: %clang_scudo %s -o %t
// RUN: not %run %t malloc 2>&1 | FileCheck %s
// RUN: not %run %t new 2>&1 | FileCheck %s
// RUN: not %run %t newarray 2>&1 | FileCheck %s
#include <assert.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char **argv)
{
assert(argc == 2);
if (!strcmp(argv[1], "malloc")) {
void *p = malloc(sizeof(int));
free(p);
free(p);
}
if (!strcmp(argv[1], "new")) {
int *p = new int;
delete p;
delete p;
}
if (!strcmp(argv[1], "newarray")) {
int *p = new int[8];
delete[] p;
delete[] p;
}
return 0;
}
// CHECK: ERROR: invalid chunk state when deallocating address

test/hardened_allocator/init.cc

// RUN: %clang_scudo %s -o %t && %run %t
int main(int argc, char **argv)
{
return 0;
}

test/hardened_allocator/lit.cfg

# -*- Python -*-
import os
# Setup config name.
config.name = 'Hardened Allocator'
# Setup source root.
config.test_source_root = os.path.dirname(__file__)
# Path to the static library
base_lib = os.path.join(config.compiler_rt_libdir,
"libclang_rt.hardened_allocator-%s.a" % config.target_arch)
whole_archive = "-Wl,-whole-archive %s -Wl,-no-whole-archive " % base_lib
# Test suffixes.
config.suffixes = ['.c', '.cc', '.cpp', '.m', '.mm', '.ll', '.test']
# C flags.
c_flags = ["-std=c++11",
"-lstdc++",
"-ldl",
"-lrt",
"-pthread",
"-latomic", #for __atomic_load_16, __atomic_store_16, __atomic_compare_exchange_16
"-fPIE",
"-pie",
"-O0"]
def build_invocation(compile_flags):
return " " + " ".join([config.clang] + compile_flags) + " "
# Add clang substitutions.
config.substitutions.append( ("%clang_scudo ",
build_invocation(c_flags) + whole_archive ) )
# Hardened Allocator tests are currently supported on Linux only.
if config.host_os not in ['Linux']:
config.unsupported = True

test/hardened_allocator/lit.site.cfg.in

@LIT_SITE_CFG_IN_HEADER@
# Load common config for all compiler-rt lit tests.
lit_config.load_config(config, "@COMPILER_RT_BINARY_DIR@/test/lit.common.configured")
# Load tool-specific config that would do the real work.
lit_config.load_config(config, "@HARDENED_ALLOCATOR_LIT_SOURCE_DIR@/lit.cfg")

test/hardened_allocator/malloc.cc

// RUN: %clang_scudo %s -o %t
// RUN: %run %t 2>&1
#include <malloc.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char **argv)
{
void *p;
size_t size = 1U << 8;
p = malloc(0);
if (p == nullptr)
return 1;
free(p);
p = malloc(size);
if (p == nullptr)
return 1;
memset(p, 'A', size);
free(p);
return 0;
}

test/hardened_allocator/memalign.cc

// RUN: %clang_scudo %s -o %t
// RUN: %run %t valid 2>&1
// RUN: not %run %t invalid 2>&1 | FileCheck %s
#include <assert.h>
#include <malloc.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char **argv)
{
void *p;
size_t alignment = 1U << 12;
size_t size = alignment;
assert(argc == 2);
if (!strcmp(argv[1], "valid")) {
p = memalign(alignment, size);
if (p == nullptr)
return 1;
free(p);
p = nullptr;
posix_memalign(&p, alignment, size);
if (p == nullptr)
return 1;
free(p);
p = aligned_alloc(alignment, size);
if (p == nullptr)
return 1;
free(p);
}
if (!strcmp(argv[1], "invalid")) {
p = memalign(alignment - 1, size);
free(p);
}
return 0;
}
// CHECK: ERROR: alignment is not a power of 2

test/hardened_allocator/mismatch.cc

// RUN: %clang_scudo %s -o %t
// RUN: SCUDO_OPTIONS=alloc_dealloc_mismatch=1 not %run %t mallocdel 2>&1 | FileCheck %s
// RUN: SCUDO_OPTIONS=alloc_dealloc_mismatch=0 %run %t mallocdel 2>&1
// RUN: SCUDO_OPTIONS=alloc_dealloc_mismatch=1 not %run %t newfree 2>&1 | FileCheck %s
// RUN: SCUDO_OPTIONS=alloc_dealloc_mismatch=0 %run %t newfree 2>&1
#include <assert.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char **argv)
{
assert(argc == 2);
if (!strcmp(argv[1], "mallocdel")) {
int *p = (int *)malloc(16);
delete p;
}
if (!strcmp(argv[1], "newfree")) {
int *p = new int;
free((void *)p);
}
return 0;
}
// CHECK: ERROR: allocation type mismatch on address

test/hardened_allocator/overflow.cc

// RUN: %clang_scudo %s -o %t
// RUN: not %run %t malloc 2>&1 | FileCheck %s
// RUN: SCUDO_OPTIONS=quarantine_size_mb=1 not %run %t quarantine 2>&1 | FileCheck %s
#include <assert.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char **argv)
{
assert(argc == 2);
if (!strcmp(argv[1], "malloc")) {
// Simulate a header corruption of an allocated chunk (1-bit)
void *p = malloc(1U << 4);
((char *)p)[-1] ^= 1;
free(p);
}
if (!strcmp(argv[1], "quarantine")) {
void *p = malloc(1U << 4);
free(p);
// Simulate a header corruption of a quarantined chunk
((char *)p)[-2] ^= 1;
// Trigger the quarantine recycle
for (int i = 0; i < 0x100; i++) {
p = malloc(1U << 16);
free(p);
}
}
return 0;
}
// CHECK: ERROR: corrupted chunk header at address

test/hardened_allocator/quarantine.cc

// RUN: %clang_scudo %s -o %t
// RUN: SCUDO_OPTIONS=quarantine_size_mb=1 %run %t 2>&1
#include <malloc.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char **argv)
{
void *p, *old_p;
size_t size = 1U << 16;
// The delayed freelist will prevent a chunk from being available right away
p = malloc(size);
if (p == nullptr)
return 1;
old_p = p;
free(p);
p = malloc(size);
if (p == nullptr)
return 1;
if (old_p == p)
return 1;
free(p);
// Eventually the chunk should become available again
bool found = false;
for (int i = 0; i < 0x100 && found == false; i++) {
p = malloc(size);
if (p == nullptr)
return 1;
found = (p == old_p);
free(p);
}
if (found == false)
return 1;
return 0;
}

test/hardened_allocator/realloc.cc

// RUN: %clang_scudo %s -o %t
// RUN: %run %t pointers 2>&1
// RUN: %run %t contents 2>&1
// RUN: not %run %t memalign 2>&1 | FileCheck %s
#include <assert.h>
#include <malloc.h>
#include <string.h>
int main(int argc, char **argv)
{
void *p, *old_p;
size_t size = 32;
assert(argc == 2);
if (!strcmp(argv[1], "pointers")) {
old_p = p = realloc(nullptr, size);
if (p == nullptr)
return 1;
size = malloc_usable_size(p);
// Our realloc implementation will return the same pointer if the size
// requested is lower or equal to the usable size of the associated chunk
p = realloc(p, size - 1);
if (p != old_p)
return 1;
p = realloc(p, size);
if (p != old_p)
return 1;
// And a new one if the size is greater
p = realloc(p, size + 1);
if (p == old_p)
return 1;
// A size of 0 will free the chunk and return nullptr
p = realloc(p, 0);
if (p != nullptr)
return 1;
old_p = nullptr;
}
if (!strcmp(argv[1], "contents")) {
p = realloc(nullptr, size);
if (p == nullptr)
return 1;
for (int i = 0; i < size; i++)
reinterpret_cast<char *>(p)[i] = 'A';
p = realloc(p, size + 1);
// The contents of the reallocated chunk must match the original one
for (int i = 0; i < size; i++)
if (reinterpret_cast<char *>(p)[i] != 'A')
return 1;
}
if (!strcmp(argv[1], "memalign")) {
// A chunk coming from memalign cannot be reallocated
p = memalign(16, size);
if (p == nullptr)
return 1;
p = realloc(p, size);
free(p);
}
return 0;
}
// CHECK: ERROR: invalid chunk type when reallocating address

test/hardened_allocator/sized-delete.cc

// RUN: %clang_scudo -fsized-deallocation %s -o %t
// RUN: SCUDO_OPTIONS=new_delete_size_mismatch=1 %run %t gooddel 2>&1
// RUN: SCUDO_OPTIONS=new_delete_size_mismatch=1 not %run %t baddel 2>&1 | FileCheck %s
// RUN: SCUDO_OPTIONS=new_delete_size_mismatch=0 %run %t baddel 2>&1
// RUN: SCUDO_OPTIONS=new_delete_size_mismatch=1 %run %t gooddelarr 2>&1
// RUN: SCUDO_OPTIONS=new_delete_size_mismatch=1 not %run %t baddelarr 2>&1 | FileCheck %s
// RUN: SCUDO_OPTIONS=new_delete_size_mismatch=0 %run %t baddelarr 2>&1
#include <new>
#include <assert.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char **argv)
{
assert(argc == 2);
if (!strcmp(argv[1], "gooddel")) {
long long *p = new long long;
operator delete(p, sizeof(long long));
}
if (!strcmp(argv[1], "baddel")) {
long long *p = new long long;
operator delete(p, 2);
}
if (!strcmp(argv[1], "gooddelarr")) {
char *p = new char[64];
operator delete[](p, 64);
}
if (!strcmp(argv[1], "baddelarr")) {
char *p = new char[63];
operator delete[](p, 64);
}
return 0;
}
// CHECK: ERROR: invalid sized delete on chunk at address

test/hardened_allocator/sizes.cc

// RUN: %clang_scudo %s -o %t
// RUN: SCUDO_OPTIONS=allocator_may_return_null=0 not %run %t malloc 2>&1 | FileCheck %s
// RUN: SCUDO_OPTIONS=allocator_may_return_null=1 %run %t malloc 2>&1
// RUN: SCUDO_OPTIONS=allocator_may_return_null=0 not %run %t calloc 2>&1 | FileCheck %s
// RUN: SCUDO_OPTIONS=allocator_may_return_null=1 %run %t calloc 2>&1
// RUN: %run %t usable 2>&1
#include <assert.h>
#include <malloc.h>
#include <stdlib.h>
#include <string.h>
#include <limits>
int main(int argc, char **argv)
{
assert(argc == 2);
if (!strcmp(argv[1], "malloc")) {
vitalybukaUnsubmitted
Done
ReplyInline Actions

better to declare on the same line with assignments

vitalybuka: better to declare on the same line with assignments
// Currently the maximum size the allocator can fullfill is 1ULL<<40 bytes
size_t size = std::numeric_limits<size_t>::max();
void *p = malloc(size);
if (p)
return 1;
size = (1ULL << 40) - 16;
p = malloc(size);
if (p)
vitalybukaUnsubmitted
Done
ReplyInline Actions

if (p)

vitalybuka: if (p)
return 1;
}
if (!strcmp(argv[1], "calloc")) {
// Trigger an overflow in calloc
size_t size = std::numeric_limits<size_t>::max();
void *p = calloc((size / 0x1000) + 1, 0x1000);
if (p)
return 1;
}
if (!strcmp(argv[1], "usable")) {
// Playing with the actual usable size of a chunk
void *p = malloc(1007);
size_t size = malloc_usable_size(p);
if (size < 1007)
return 1;
memset(p, 'A', size);
p = realloc(p, 2014);
size = malloc_usable_size(p);
if (size < 2014)
return 1;
memset(p, 'B', size);
free(p);
}
return 0;
}
// CHECK: allocator is terminating the process