This is an archive of the discontinued LLVM Phabricator instance.

[scudo] Modify Scudo to use its own Secondary Allocator
ClosedPublic

Authored by cryptoad on Sep 19 2016, 11:35 AM.

Download Raw Diff

Details

Reviewers

Commits

rG3beafffcca2e: [scudo] Modify Scudo to use its own Secondary Allocator
rCRT281938: [scudo] Modify Scudo to use its own Secondary Allocator
rL281938: [scudo] Modify Scudo to use its own Secondary Allocator

Summary

The Sanitizer Secondary Allocator was not entirely ideal was Scudo for several
reasons: decent amount of unneeded code, redundant checks already performed by
the front end, unneeded data structures, difficulty to properly protect the
secondary chunks header.

Given that the second allocator is pretty straight forward, Scudo will use its
own, trimming all the unneeded code off of the Sanitizer one. A significant
difference in terms of security is that now each secondary chunk is preceded
and followed by a guard page, thus mitigating overflows into and from the
chunk.

A test was added as well to illustrate the overflow & underflow situations
into the guard pages.

Diff Detail

Event Timeline

cryptoad updated this revision to Diff 71859.Sep 19 2016, 11:35 AM

cryptoad retitled this revision from to [scudo] Modify Scudo to use its own Secondary Allocator.

cryptoad updated this object.

cryptoad updated this object.Sep 19 2016, 11:39 AM

cryptoad added a reviewer: kcc.

cryptoad added a subscriber: llvm-commits.

kcc added inline comments.Sep 19 2016, 11:50 AM

lib/scudo/scudo_allocator_secondary.h
11	Fix TODO
27	Just have Init() InitLinkerInitialized has lots its meaning, and anyway the other have it with capital I

Fixing the TODO (doh!) and moving some code into Init().

LGTM

This revision is now accepted and ready to land.Sep 19 2016, 11:55 AM

cryptoad closed this revision.Sep 19 2016, 2:20 PM

Revision Contents

Path

Size

lib/

scudo/

scudo_allocator.cpp

5 lines

scudo_allocator_secondary.h

138 lines

test/

scudo/

secondary.cpp

54 lines

Diff 71864

lib/scudo/scudo_allocator.cpp

Show All 10 Lines
/// It uses the sanitizer_common allocator as a base and aims at mitigating		/// It uses the sanitizer_common allocator as a base and aims at mitigating
/// heap corruption vulnerabilities. It provides a checksum-guarded chunk		/// heap corruption vulnerabilities. It provides a checksum-guarded chunk
/// header, a delayed free list, and additional sanity checks.		/// header, a delayed free list, and additional sanity checks.
///		///
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//

#include "scudo_allocator.h"		#include "scudo_allocator.h"
#include "scudo_utils.h"		#include "scudo_utils.h"
		#include "scudo_allocator_secondary.h"

#include "sanitizer_common/sanitizer_allocator_interface.h"		#include "sanitizer_common/sanitizer_allocator_interface.h"
#include "sanitizer_common/sanitizer_quarantine.h"		#include "sanitizer_common/sanitizer_quarantine.h"

#include <limits.h>		#include <limits.h>
#include <pthread.h>		#include <pthread.h>
#include <smmintrin.h>		#include <smmintrin.h>

Show All 12 Lines	struct AP {
typedef DefaultSizeClassMap SizeClassMap;		typedef DefaultSizeClassMap SizeClassMap;
typedef NoOpMapUnmapCallback MapUnmapCallback;		typedef NoOpMapUnmapCallback MapUnmapCallback;
static const uptr kFlags =		static const uptr kFlags =
SizeClassAllocator64FlagMasks::kRandomShuffleChunks;		SizeClassAllocator64FlagMasks::kRandomShuffleChunks;
};		};

typedef SizeClassAllocator64<AP> PrimaryAllocator;		typedef SizeClassAllocator64<AP> PrimaryAllocator;
typedef SizeClassAllocatorLocalCache<PrimaryAllocator> AllocatorCache;		typedef SizeClassAllocatorLocalCache<PrimaryAllocator> AllocatorCache;
typedef LargeMmapAllocator<> SecondaryAllocator;		typedef ScudoLargeMmapAllocator SecondaryAllocator;
typedef CombinedAllocator<PrimaryAllocator, AllocatorCache, SecondaryAllocator>		typedef CombinedAllocator<PrimaryAllocator, AllocatorCache, SecondaryAllocator>
ScudoAllocator;		ScudoAllocator;

static ScudoAllocator &getAllocator();		static ScudoAllocator &getAllocator();

static thread_local Xorshift128Plus Prng;		static thread_local Xorshift128Plus Prng;
// Global static cookie, initialized at start-up.		// Global static cookie, initialized at start-up.
static u64 Cookie;		static u64 Cookie;
▲ Show 20 Lines • Show All 287 Lines • ▼ Show 20 Lines	if (NeededSize >= MaxAllowedMallocSize)
return BackendAllocator.ReturnNullOrDie();		return BackendAllocator.ReturnNullOrDie();

void *Ptr;		void *Ptr;
if (LIKELY(!ThreadTornDown)) {		if (LIKELY(!ThreadTornDown)) {
Ptr = BackendAllocator.Allocate(&Cache, NeededSize, MinAlignment);		Ptr = BackendAllocator.Allocate(&Cache, NeededSize, MinAlignment);
} else {		} else {
SpinMutexLock l(&FallbackMutex);		SpinMutexLock l(&FallbackMutex);
Ptr = BackendAllocator.Allocate(&FallbackAllocatorCache, NeededSize,		Ptr = BackendAllocator.Allocate(&FallbackAllocatorCache, NeededSize,
MinAlignment);		MinAlignment);
}		}
if (!Ptr)		if (!Ptr)
return BackendAllocator.ReturnNullOrDie();		return BackendAllocator.ReturnNullOrDie();

// If requested, we will zero out the entire contents of the returned chunk.		// If requested, we will zero out the entire contents of the returned chunk.
if (ZeroContents && BackendAllocator.FromPrimary(Ptr))		if (ZeroContents && BackendAllocator.FromPrimary(Ptr))
memset(Ptr, 0, BackendAllocator.GetActuallyAllocatedSize(Ptr));		memset(Ptr, 0, BackendAllocator.GetActuallyAllocatedSize(Ptr));

▲ Show 20 Lines • Show All 282 Lines • Show Last 20 Lines

lib/scudo/scudo_allocator_secondary.h

This file was added.

				//===-- scudo_allocator_secondary.h ------------------------------ C++ --===//
				//
				// The LLVM Compiler Infrastructure
				//
				// This file is distributed under the University of Illinois Open Source
				// License. See LICENSE.TXT for details.
				//
				//===----------------------------------------------------------------------===//
				///
				/// Scudo Secondary Allocator.
				/// This services allocation that are too large to be serviced by the Primary
				kccUnsubmitted Not Done Reply Inline Actions Fix TODO kcc: Fix TODO
				/// Allocator. It is directly backed by the memory mapping functions of the
				/// operating system.
				///
				//===----------------------------------------------------------------------===//

				#ifndef SCUDO_ALLOCATOR_SECONDARY_H_
				#define SCUDO_ALLOCATOR_SECONDARY_H_

				namespace __scudo {

				class ScudoLargeMmapAllocator {
				public:

				void Init(bool AllocatorMayReturnNull) {
				PageSize = GetPageSizeCached();
				atomic_store(&MayReturnNull, AllocatorMayReturnNull, memory_order_relaxed);
				kccUnsubmitted Not Done Reply Inline Actions Just have Init() InitLinkerInitialized has lots its meaning, and anyway the other have it with capital I kcc: Just have Init() InitLinkerInitialized has lots its meaning, and anyway the other have it with…
				}

				void Allocate(AllocatorStats Stats, uptr Size, uptr Alignment) {
				// The Scudo frontend prevents us from allocating more than
				// MaxAllowedMallocSize, so integer overflow checks would be superfluous.
				uptr MapSize = RoundUpTo(Size + sizeof(SecondaryHeader), PageSize);
				// Account for 2 guard pages, one before and one after the chunk.
				uptr MapBeg = reinterpret_cast<uptr>(MmapNoAccess(MapSize + 2 * PageSize));
				CHECK_NE(MapBeg, ~static_cast<uptr>(0));
				// A page-aligned pointer is assumed after that, so check it now.
				CHECK(IsAligned(MapBeg, PageSize));
				MapBeg += PageSize;
				CHECK_EQ(MapBeg, reinterpret_cast<uptr>(MmapFixedOrDie(MapBeg, MapSize)));
				uptr MapEnd = MapBeg + MapSize;
				uptr Ptr = MapBeg + sizeof(SecondaryHeader);
				// TODO(kostyak): add a random offset to Ptr.
				CHECK_GT(Ptr + Size, MapBeg);
				CHECK_LE(Ptr + Size, MapEnd);
				SecondaryHeader *Header = getHeader(Ptr);
				Header->MapBeg = MapBeg - PageSize;
				Header->MapSize = MapSize + 2 * PageSize;
				Stats->Add(AllocatorStatAllocated, MapSize);
				Stats->Add(AllocatorStatMapped, MapSize);
				return reinterpret_cast<void *>(Ptr);
				}

				void *ReturnNullOrDie() {
				if (atomic_load(&MayReturnNull, memory_order_acquire))
				return nullptr;
				ReportAllocatorCannotReturnNull();
				}

				void SetMayReturnNull(bool AllocatorMayReturnNull) {
				atomic_store(&MayReturnNull, AllocatorMayReturnNull, memory_order_release);
				}

				void Deallocate(AllocatorStats Stats, void Ptr) {
				SecondaryHeader *Header = getHeader(Ptr);
				Stats->Sub(AllocatorStatAllocated, Header->MapSize);
				Stats->Sub(AllocatorStatMapped, Header->MapSize);
				UnmapOrDie(reinterpret_cast<void *>(Header->MapBeg), Header->MapSize);
				}

				uptr TotalMemoryUsed() {
				UNIMPLEMENTED();
				}

				bool PointerIsMine(const void *Ptr) {
				UNIMPLEMENTED();
				}

				uptr GetActuallyAllocatedSize(void *Ptr) {
				SecondaryHeader *Header = getHeader(Ptr);
				uptr MapEnd = Header->MapBeg + Header->MapSize;
				return MapEnd - reinterpret_cast<uptr>(Ptr);
				}

				void GetMetaData(const void Ptr) {
				UNIMPLEMENTED();
				}

				void GetBlockBegin(const void Ptr) {
				UNIMPLEMENTED();
				}

				void GetBlockBeginFastLocked(void Ptr) {
				UNIMPLEMENTED();
				}

				void PrintStats() {
				UNIMPLEMENTED();
				}

				void ForceLock() {
				UNIMPLEMENTED();
				}

				void ForceUnlock() {
				UNIMPLEMENTED();
				}

				void ForEachChunk(ForEachChunkCallback Callback, void *Arg) {
				UNIMPLEMENTED();
				}

				private:
				// A Secondary allocated chunk header contains the base of the mapping and
				// its size. Currently, the base is always a page before the header, but
				// we might want to extend that number in the future based on the size of
				// the allocation.
				struct SecondaryHeader {
				uptr MapBeg;
				uptr MapSize;
				};
				// Check that sizeof(SecondaryHeader) is a multiple of 16.
				COMPILER_CHECK((sizeof(SecondaryHeader) & 0xf) == 0);

				SecondaryHeader *getHeader(uptr Ptr) {
				return reinterpret_cast<SecondaryHeader*>(Ptr - sizeof(SecondaryHeader));
				}
				SecondaryHeader getHeader(const void Ptr) {
				return getHeader(reinterpret_cast<uptr>(Ptr));
				}

				uptr PageSize;
				atomic_uint8_t MayReturnNull;
				};

				} // namespace __scudo

				#endif // SCUDO_ALLOCATOR_SECONDARY_H_

test/scudo/secondary.cpp

This file was added.

				// RUN: %clang_scudo %s -o %t
				// RUN: %run %t after 2>&1 \| FileCheck %s
				// RUN: %run %t before 2>&1 \| FileCheck %s

				// Test that we hit a guard page when writing past the end of a chunk
				// allocated by the Secondary allocator, or writing too far in front of it.

				#include <malloc.h>
				#include <stdlib.h>
				#include <string.h>
				#include <unistd.h>
				#include <signal.h>
				#include <assert.h>

				void handler(int signo, siginfo_t info, void uctx) {
				if (info->si_code == SEGV_ACCERR) {
				fprintf(stderr, "SCUDO SIGSEGV\n");
				exit(0);
				}
				exit(1);
				}

				int main(int argc, char **argv)
				{
				// The size must be large enough to be serviced by the secondary allocator.
				long page_size = sysconf(_SC_PAGESIZE);
				size_t size = (1U << 17) + page_size;
				struct sigaction a;

				assert(argc == 2);
				memset(&a, 0, sizeof(a));
				a.sa_sigaction = handler;
				a.sa_flags = SA_SIGINFO;

				char p = (char )malloc(size);
				if (!p)
				return 1;
				memset(p, 'A', size); // This should not trigger anything.
				// Set up the SIGSEGV handler now, as the rest should trigger an AV.
				sigaction(SIGSEGV, &a, nullptr);
				if (!strcmp(argv[1], "after")) {
				for (int i = 0; i < page_size; i++)
				p[size + i] = 'A';
				}
				if (!strcmp(argv[1], "before")) {
				for (int i = 1; i < page_size; i++)
				p[-i] = 'A';
				}
				free(p);

				return 1; // A successful test means we shouldn't reach this.
				}

				// CHECK: SCUDO SIGSEGV