This is an archive of the discontinued LLVM Phabricator instance.

[asan] Re-poison all redzones on activation
ClosedPublic

Authored by eugenis on Sep 12 2016, 5:28 PM.

Download Raw Diff

Details

Reviewers

Summary

When running with start_deactivated=1 in ASAN_OPTIONS, heap redzones
are not poisoned until the first instrumented module is loaded. This
can cause false negatives even on memory allocated after activation,
because redzones are normally poisoned only once when a new allocator
region is mapped.

This change attempts to fix it by iterating over all existing
allocator chunks and poisoning their redzones.

Diff Detail

Repository: rL LLVM

Event Timeline

eugenis updated this revision to Diff 71084.Sep 12 2016, 5:28 PM

eugenis retitled this revision from to [asan] Re-poison all redzones on activation.

eugenis updated this object.

eugenis added a reviewer: kcc.

eugenis set the repository for this revision to rL LLVM.

eugenis added a subscriber: llvm-commits.

Herald added a subscriber: kubamracek. · View Herald TranscriptSep 12 2016, 5:28 PM

LGTM with a nit

lib/asan/asan_allocator.cc
275	add a comment why we have two paths here.

This revision is now accepted and ready to land.Sep 12 2016, 5:30 PM

r281364

Revision Contents

Path

Size

lib/

asan/

asan_allocator.cc

34 lines

test/

asan/

TestCases/

Posix/

start-deactivated.cc

41 lines

Diff 71085

lib/asan/asan_allocator.cc

Show First 20 Lines • Show All 260 Lines • ▼ Show 20 Lines	void SharedInitCode(const AllocatorOptions &options) {
atomic_store(&max_redzone, options.max_redzone, memory_order_release);		atomic_store(&max_redzone, options.max_redzone, memory_order_release);
}		}

void Initialize(const AllocatorOptions &options) {		void Initialize(const AllocatorOptions &options) {
allocator.Init(options.may_return_null);		allocator.Init(options.may_return_null);
SharedInitCode(options);		SharedInitCode(options);
}		}

		void RePoisonChunk(uptr chunk) {
		// This could a user-facing chunk (with redzones), or some internal
		// housekeeping chunk, like TransferBatch. Start by assuming the former.
		AsanChunk ac = GetAsanChunk((void )chunk);
		uptr allocated_size = allocator.GetActuallyAllocatedSize((void *)ac);
		uptr beg = ac->Beg();
		uptr end = ac->Beg() + ac->UsedSize(true);
		kccUnsubmitted Done Reply Inline Actions add a comment why we have two paths here. kcc: add a comment why we have two paths here.
		uptr chunk_end = chunk + allocated_size;
		if (chunk < beg && beg < end && end <= chunk_end) {
		// Looks like a valid AsanChunk. Or maybe not. Be conservative and only
		// poison the redzones.
		PoisonShadow(chunk, beg - chunk, kAsanHeapLeftRedzoneMagic);
		uptr end_aligned_down = RoundDownTo(end, SHADOW_GRANULARITY);
		FastPoisonShadowPartialRightRedzone(
		end_aligned_down, end - end_aligned_down,
		chunk_end - end_aligned_down, kAsanHeapLeftRedzoneMagic);
		} else {
		// This can not be an AsanChunk. Poison everything. It may be reused as
		// AsanChunk later.
		PoisonShadow(chunk, allocated_size, kAsanHeapLeftRedzoneMagic);
		}
		}

void ReInitialize(const AllocatorOptions &options) {		void ReInitialize(const AllocatorOptions &options) {
allocator.SetMayReturnNull(options.may_return_null);		allocator.SetMayReturnNull(options.may_return_null);
SharedInitCode(options);		SharedInitCode(options);

		// Poison all existing allocation's redzones.
		if (CanPoisonMemory()) {
		allocator.ForceLock();
		allocator.ForEachChunk(
		[](uptr chunk, void *alloc) {
		((Allocator *)alloc)->RePoisonChunk(chunk);
		},
		this);
		allocator.ForceUnlock();
		}
}		}

void GetOptions(AllocatorOptions *options) const {		void GetOptions(AllocatorOptions *options) const {
options->quarantine_size_mb = quarantine.GetSize() >> 20;		options->quarantine_size_mb = quarantine.GetSize() >> 20;
options->min_redzone = atomic_load(&min_redzone, memory_order_acquire);		options->min_redzone = atomic_load(&min_redzone, memory_order_acquire);
options->max_redzone = atomic_load(&max_redzone, memory_order_acquire);		options->max_redzone = atomic_load(&max_redzone, memory_order_acquire);
options->may_return_null = allocator.MayReturnNull();		options->may_return_null = allocator.MayReturnNull();
options->alloc_dealloc_mismatch =		options->alloc_dealloc_mismatch =
▲ Show 20 Lines • Show All 656 Lines • Show Last 20 Lines

test/asan/TestCases/Posix/start-deactivated.cc

	// Test for ASAN_OPTIONS=start_deactivated=1 mode.			// Test for ASAN_OPTIONS=start_deactivated=1 mode.
	// Main executable is uninstrumented, but linked to ASan runtime. The shared			// Main executable is uninstrumented, but linked to ASan runtime. The shared
	// library is instrumented. Memory errors before dlopen are not detected.			// library is instrumented. Memory errors before dlopen are not detected.

	// RUN: %clangxx_asan -O0 -DSHARED_LIB %s -fPIC -shared -o %t-so.so			// RUN: %clangxx_asan -O0 -DSHARED_LIB %s -std=c++11 -fPIC -shared -o %t-so.so
	// RUN: %clangxx -O0 %s -c -o %t.o			// RUN: %clangxx -O0 %s -std=c++11 -c -o %t.o
	// RUN: %clangxx_asan -O0 %t.o %libdl -o %t			// RUN: %clangxx_asan -O0 %t.o %libdl -o %t
	// RUN: %env_asan_opts=start_deactivated=1,allocator_may_return_null=0 \			// RUN: %env_asan_opts=start_deactivated=1,allocator_may_return_null=0 \
	// RUN: ASAN_ACTIVATION_OPTIONS=allocator_may_return_null=1 not %run %t 2>&1 \| FileCheck %s			// RUN: ASAN_ACTIVATION_OPTIONS=allocator_may_return_null=1 not %run %t 2>&1 \| FileCheck %s
	// RUN: %env_asan_opts=start_deactivated=1 \			// RUN: %env_asan_opts=start_deactivated=1 \
	// RUN: ASAN_ACTIVATION_OPTIONS=help=1 not %run %t 2>&1 \| FileCheck %s --check-prefix=CHECK-HELP			// RUN: ASAN_ACTIVATION_OPTIONS=help=1 not %run %t 2>&1 \| FileCheck %s --check-prefix=CHECK-HELP
	// RUN: %env_asan_opts=start_deactivated=1,verbosity=1 \			// RUN: %env_asan_opts=start_deactivated=1,verbosity=1 \
	// RUN: ASAN_ACTIVATION_OPTIONS=help=1,handle_segv=0 not %run %t 2>&1 \| FileCheck %s --check-prefix=CHECK-UNSUPPORTED			// RUN: ASAN_ACTIVATION_OPTIONS=help=1,handle_segv=0 not %run %t 2>&1 \| FileCheck %s --check-prefix=CHECK-UNSUPPORTED
	// RUN: %env_asan_opts=start_deactivated=1 \			// RUN: %env_asan_opts=start_deactivated=1 \
	Show All 12 Lines
	#include <stdlib.h>			#include <stdlib.h>
	#include <string.h>			#include <string.h>
	#include <unistd.h>			#include <unistd.h>

	#include <string>			#include <string>

	#include "sanitizer/asan_interface.h"			#include "sanitizer/asan_interface.h"

	void test_malloc_shadow() {			constexpr unsigned nPtrs = 200;
	char p = (char )malloc(100);			char *ptrs[nPtrs];
	char q = (char )__asan_region_is_poisoned(p + 95, 8);
	fprintf(stderr, "=%zd=\n", q ? q - (p + 95) : -1);			void test_malloc_shadow(char *p, size_t sz, bool expect_redzones) {
	free(p);			assert((char *)__asan_region_is_poisoned(p - 1, sz + 1) ==
				(expect_redzones ? p - 1 : nullptr));
				assert((char *)__asan_region_is_poisoned(p, sz) == nullptr);
				assert((char *)__asan_region_is_poisoned(p, sz + 1) ==
				(expect_redzones ? p + sz : nullptr));
	}			}

	typedef void (*Fn)();			typedef void (*Fn)();

	int main(int argc, char *argv[]) {			int main(int argc, char *argv[]) {
	test_malloc_shadow();			// Before activation: no redzones.
	// CHECK: =-1=			for (size_t sz = 1; sz < nPtrs; ++sz) {
				ptrs[sz] = (char *)malloc(sz);
				test_malloc_shadow(ptrs[sz], sz, false);
				}

	std::string path = std::string(argv[0]) + "-so.so";			std::string path = std::string(argv[0]) + "-so.so";
	void *dso = dlopen(path.c_str(), RTLD_NOW);			void *dso = dlopen(path.c_str(), RTLD_NOW);
	if (!dso) {			if (!dso) {
	fprintf(stderr, "dlopen failed: %s\n", dlerror());			fprintf(stderr, "dlopen failed: %s\n", dlerror());
	return 1;			return 1;
	}			}

	test_malloc_shadow();
	// CHECK: =5=

	// After this line ASan is activated and starts detecting errors.			// After this line ASan is activated and starts detecting errors.
	void *fn = dlsym(dso, "do_another_bad_thing");			void *fn = dlsym(dso, "do_another_bad_thing");
	if (!fn) {			if (!fn) {
	fprintf(stderr, "dlsym failed: %s\n", dlerror());			fprintf(stderr, "dlsym failed: %s\n", dlerror());
	return 1;			return 1;
	}			}

				// After activation: redzones.
				{
				char p = (char )malloc(100);
				test_malloc_shadow(p, 100, true);
				free(p);
				}

				// Pre-existing allocations got redzones, too.
				for (size_t sz = 1; sz < nPtrs; ++sz) {
				test_malloc_shadow(ptrs[sz], sz, true);
				free(ptrs[sz]);
				}

	// Test that ASAN_ACTIVATION_OPTIONS=allocator_may_return_null=1 has effect.			// Test that ASAN_ACTIVATION_OPTIONS=allocator_may_return_null=1 has effect.
	void *p = malloc((unsigned long)-2);			void *p = malloc((unsigned long)-2);
	assert(!p);			assert(!p);
	// CHECK: WARNING: AddressSanitizer failed to allocate 0xfff{{.*}} bytes			// CHECK: WARNING: AddressSanitizer failed to allocate 0xfff{{.*}} bytes

	((Fn)fn)();			((Fn)fn)();
	// CHECK: AddressSanitizer: heap-buffer-overflow			// CHECK: AddressSanitizer: heap-buffer-overflow
	// CHECK: READ of size 1			// CHECK: READ of size 1
	Show All 28 Lines