This is an archive of the discontinued LLVM Phabricator instance.

Differential D29341

[scudo] 32-bit quarantine sizes adjustments and bug fixes
ClosedPublic

Authored by cryptoad on Jan 31 2017, 11:27 AM.

Details

Reviewers
kcc
alekseyshl
Commits
rG8d6257b4bfa5: [scudo] 32-bit quarantine sizes adjustments and bug fixes
rCRT294037: [scudo] 32-bit quarantine sizes adjustments and bug fixes
rL294037: [scudo] 32-bit quarantine sizes adjustments and bug fixes
Summary

The local and global quarantine sizes were not offering a distinction for
32-bit and 64-bit platforms. This is addressed with lower values for 32-bit.

When writing additional tests for the quarantine, it was discovered that when
calling some of the allocator interface function prior to any allocation
operation having occured, the test would crash due to the allocator not being
initialized. This was addressed by making sure the allocator is initialized
for those scenarios.

Relevant tests were added in interface.cpp and quarantine.cpp.

Last change being the removal of the extraneous link dependencies for the
tests thanks to rL293220, anf the addition of the gc-sections linker flag.

Diff Detail

Event Timeline

cryptoad created this revision.Jan 31 2017, 11:27 AM
cryptoad updated this revision to Diff 86491.Jan 31 2017, 1:52 PM

Test update.

Harbormaster completed remote builds in B3457: Diff 86491.Jan 31 2017, 1:52 PM
alekseyshl requested changes to this revision.Feb 3 2017, 9:28 AM
alekseyshl added inline comments.
lib/scudo/scudo_flags.cpp
71

So, scudo default quarantine size is less than asan's one? Is there a reason?

test/scudo/quarantine.cpp
55

Wouldn't assert(CONDITION); be more debug friendly than if (!CONDITION) return 1; throughout? Should any of those tests break, to figure out what exactly went wrong, one will have to either step through the code or add printfs/asserts anyway.

This revision now requires changes to proceed.Feb 3 2017, 9:28 AM
cryptoad added inline comments.Feb 3 2017, 9:36 AM
lib/scudo/scudo_flags.cpp
71

The main reason being that the additional memory footprint incurred by the allocator should remain acceptable.
The ASan default of 256MB is, in my opinion, somewhat crippling. We just want the chunks to not be available right away, but if an attacker has the ability to allocate 64MB to get his chunk back, then he'll likely be able to allocate 256MB as well (to be faire 64MB is arbitrary, it could be less, but it feels like a decent number).

test/scudo/quarantine.cpp
55

Good point, I will change those.

cryptoad updated this revision to Diff 86984.Feb 3 2017, 10:37 AM
cryptoad edited edge metadata.

Update the tests to use asserts in error path to make failures clearer.

Harbormaster completed remote builds in B3592: Diff 86984.Feb 3 2017, 10:37 AM
cryptoad updated this revision to Diff 86987.Feb 3 2017, 11:05 AM

Ensure that NDEBUG is undefined via the -UNDEBUG command line flag.

Harbormaster completed remote builds in B3595: Diff 86987.Feb 3 2017, 11:05 AM
alekseyshl accepted this revision.Feb 3 2017, 11:24 AM

LGTM

This revision is now accepted and ready to land.Feb 3 2017, 11:24 AM
cryptoad closed this revision.Feb 3 2017, 1:00 PM
cryptoad mentioned this in D29516: [scudo] Fix buildbot test error on ARM.Feb 3 2017, 1:52 PM
cryptoad mentioned this in rL294056: [scudo] Fix buildbot test error on ARM.Feb 3 2017, 2:10 PM

Revision Contents

PathSize
lib/
scudo/
18 lines
9 lines
6 lines
test/
scudo/
3 lines
12 lines
45 lines
6 lines
7 lines
12 lines
11 lines
6 lines
10 lines
5 lines
60 lines
25 lines
7 lines
3 lines
21 lines

Diff 86987

lib/scudo/scudo_allocator.cpp

Show First 20 LinesShow All 348 Lines▼ Show 20 Lines AllocatorQuarantine.Init(
static_cast<uptr>(Options.QuarantineSizeMb) << 20, static_cast<uptr>(Options.QuarantineSizeMb) << 20,
static_cast<uptr>(Options.ThreadLocalQuarantineSizeKb) << 10); static_cast<uptr>(Options.ThreadLocalQuarantineSizeKb) << 10);
BackendAllocator.InitCache(&FallbackAllocatorCache); BackendAllocator.InitCache(&FallbackAllocatorCache);
Cookie = Prng.Next(); Cookie = Prng.Next();
} }
// Helper function that checks for a valid Scudo chunk. // Helper function that checks for a valid Scudo chunk.
bool isValidPointer(const void *UserPtr) { bool isValidPointer(const void *UserPtr) {
if (UNLIKELY(!ThreadInited))
initThread();
uptr ChunkBeg = reinterpret_cast<uptr>(UserPtr); uptr ChunkBeg = reinterpret_cast<uptr>(UserPtr);
if (!IsAligned(ChunkBeg, MinAlignment)) { if (!IsAligned(ChunkBeg, MinAlignment)) {
return false; return false;
} }
ScudoChunk *Chunk = ScudoChunk *Chunk =
reinterpret_cast<ScudoChunk *>(ChunkBeg - AlignedChunkHeaderSize); reinterpret_cast<ScudoChunk *>(ChunkBeg - AlignedChunkHeaderSize);
return Chunk->isValid(); return Chunk->isValid();
} }
▲ Show 20 LinesShow All 210 Lines▼ Show 20 Lines if (!ZeroContents && Ptr && BackendAllocator.FromPrimary(Ptr))
memset(Ptr, 0, getUsableSize(Ptr)); memset(Ptr, 0, getUsableSize(Ptr));
return Ptr; return Ptr;
} }
void drainQuarantine() { void drainQuarantine() {
AllocatorQuarantine.Drain(&ThreadQuarantineCache, AllocatorQuarantine.Drain(&ThreadQuarantineCache,
QuarantineCallback(&Cache)); QuarantineCallback(&Cache));
} }
uptr getStats(AllocatorStat StatType) {
if (UNLIKELY(!ThreadInited))
initThread();
uptr stats[AllocatorStatCount];
BackendAllocator.GetStats(stats);
return stats[StatType];
}
}; };
static Allocator Instance(LINKER_INITIALIZED); static Allocator Instance(LINKER_INITIALIZED);
static ScudoAllocator &getAllocator() { static ScudoAllocator &getAllocator() {
return Instance.BackendAllocator; return Instance.BackendAllocator;
} }
▲ Show 20 LinesShow All 68 Lines▼ Show 20 Lines
} // namespace __scudo } // namespace __scudo
using namespace __scudo; using namespace __scudo;
// MallocExtension helper functions // MallocExtension helper functions
uptr __sanitizer_get_current_allocated_bytes() { uptr __sanitizer_get_current_allocated_bytes() {
uptr stats[AllocatorStatCount]; return Instance.getStats(AllocatorStatAllocated);
getAllocator().GetStats(stats);
return stats[AllocatorStatAllocated];
} }
uptr __sanitizer_get_heap_size() { uptr __sanitizer_get_heap_size() {
uptr stats[AllocatorStatCount]; return Instance.getStats(AllocatorStatMapped);
getAllocator().GetStats(stats);
return stats[AllocatorStatMapped];
} }
uptr __sanitizer_get_free_bytes() { uptr __sanitizer_get_free_bytes() {
return 1; return 1;
} }
uptr __sanitizer_get_unmapped_bytes() { uptr __sanitizer_get_unmapped_bytes() {
return 1; return 1;
Show All 13 Lines

lib/scudo/scudo_flags.cpp

Show First 20 LinesShow All 62 Lines▼ Show 20 Linesvoid initFlags() {
// Override from environment. // Override from environment.
ScudoParser.ParseString(GetEnv("SCUDO_OPTIONS")); ScudoParser.ParseString(GetEnv("SCUDO_OPTIONS"));
InitializeCommonFlags(); InitializeCommonFlags();
// Sanity checks and default settings for the Quarantine parameters. // Sanity checks and default settings for the Quarantine parameters.
if (f->QuarantineSizeMb < 0) { if (f->QuarantineSizeMb < 0) {
const int DefaultQuarantineSizeMb = 64; const int DefaultQuarantineSizeMb = FIRST_32_SECOND_64(16, 64);
alekseyshlUnsubmitted
Not Done
ReplyInline Actions

So, scudo default quarantine size is less than asan's one? Is there a reason?

alekseyshl: So, scudo default quarantine size is less than asan's one? Is there a reason?
cryptoadAuthorUnsubmitted
Not Done
ReplyInline Actions

The main reason being that the additional memory footprint incurred by the allocator should remain acceptable.
The ASan default of 256MB is, in my opinion, somewhat crippling. We just want the chunks to not be available right away, but if an attacker has the ability to allocate 64MB to get his chunk back, then he'll likely be able to allocate 256MB as well (to be faire 64MB is arbitrary, it could be less, but it feels like a decent number).

cryptoad: The main reason being that the additional memory footprint incurred by the allocator should…
f->QuarantineSizeMb = DefaultQuarantineSizeMb; f->QuarantineSizeMb = DefaultQuarantineSizeMb;
} }
// We enforce an upper limit for the quarantine size of 4Gb. // We enforce an upper limit for the quarantine size of 4Gb.
if (f->QuarantineSizeMb > (4 * 1024)) { if (f->QuarantineSizeMb > (4 * 1024)) {
dieWithMessage("ERROR: the quarantine size is too large\n"); dieWithMessage("ERROR: the quarantine size is too large\n");
} }
if (f->ThreadLocalQuarantineSizeKb < 0) { if (f->ThreadLocalQuarantineSizeKb < 0) {
const int DefaultThreadLocalQuarantineSizeKb = 1024; const int DefaultThreadLocalQuarantineSizeKb =
FIRST_32_SECOND_64(256, 1024);
f->ThreadLocalQuarantineSizeKb = DefaultThreadLocalQuarantineSizeKb; f->ThreadLocalQuarantineSizeKb = DefaultThreadLocalQuarantineSizeKb;
} }
// And an upper limit of 128Mb for the thread quarantine cache. // And an upper limit of 128Mb for the thread quarantine cache.
if (f->ThreadLocalQuarantineSizeKb > (128 * 1024)) { if (f->ThreadLocalQuarantineSizeKb > (128 * 1024)) {
dieWithMessage("ERROR: the per thread quarantine cache size is too " dieWithMessage("ERROR: the per thread quarantine cache size is too "
"large\n"); "large\n");
} }
if (f->ThreadLocalQuarantineSizeKb == 0 && f->QuarantineSizeMb > 0) {
dieWithMessage("ERROR: ThreadLocalQuarantineSizeKb can be set to 0 only "
"when QuarantineSizeMb is set to 0\n");
}
} }
Flags *getFlags() { Flags *getFlags() {
return &ScudoFlags; return &ScudoFlags;
} }
} // namespace __scudo } // namespace __scudo

lib/scudo/scudo_flags.inc

Show All 9 Lines
/// Hardened Allocator runtime flags. /// Hardened Allocator runtime flags.
/// ///
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#ifndef SCUDO_FLAG #ifndef SCUDO_FLAG
# error "Define SCUDO_FLAG prior to including this file!" # error "Define SCUDO_FLAG prior to including this file!"
#endif #endif
SCUDO_FLAG(int, QuarantineSizeMb, 64, // Default value is set in scudo_flags.cpp based on architecture.
SCUDO_FLAG(int, QuarantineSizeMb, -1,
"Size (in Mb) of quarantine used to delay the actual deallocation " "Size (in Mb) of quarantine used to delay the actual deallocation "
"of chunks. Lower value may reduce memory usage but decrease the " "of chunks. Lower value may reduce memory usage but decrease the "
"effectiveness of the mitigation.") "effectiveness of the mitigation.")
SCUDO_FLAG(int, ThreadLocalQuarantineSizeKb, 1024, // Default value is set in scudo_flags.cpp based on architecture.
SCUDO_FLAG(int, ThreadLocalQuarantineSizeKb, -1,
"Size (in Kb) of per-thread cache used to offload the global " "Size (in Kb) of per-thread cache used to offload the global "
"quarantine. Lower value may reduce memory usage but might increase " "quarantine. Lower value may reduce memory usage but might increase "
"the contention on the global quarantine.") "the contention on the global quarantine.")
SCUDO_FLAG(bool, DeallocationTypeMismatch, true, SCUDO_FLAG(bool, DeallocationTypeMismatch, true,
"Report errors on malloc/delete, new/free, new/delete[], etc.") "Report errors on malloc/delete, new/free, new/delete[], etc.")
SCUDO_FLAG(bool, DeleteSizeMismatch, true, SCUDO_FLAG(bool, DeleteSizeMismatch, true,
"Report errors on mismatch between size of new and delete.") "Report errors on mismatch between size of new and delete.")
SCUDO_FLAG(bool, ZeroContents, false, SCUDO_FLAG(bool, ZeroContents, false,
"Zero chunk contents on allocation and deallocation.") "Zero chunk contents on allocation and deallocation.")

test/scudo/alignment.cpp

// RUN: %clang_scudo %s -o %t // RUN: %clang_scudo %s -o %t
// RUN: not %run %t pointers 2>&1 | FileCheck %s // RUN: not %run %t pointers 2>&1 | FileCheck %s
// Tests that a non MinAlignment aligned pointer will trigger the associated // Tests that a non MinAlignment aligned pointer will trigger the associated
// error on deallocation. // error on deallocation.
#include <assert.h> #include <assert.h>
#include <stdint.h> #include <stdint.h>
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
int main(int argc, char **argv) int main(int argc, char **argv)
{ {
assert(argc == 2); assert(argc == 2);
if (!strcmp(argv[1], "pointers")) { if (!strcmp(argv[1], "pointers")) {
void *p = malloc(1U << 16); void *p = malloc(1U << 16);
if (!p) assert(p);
return 1;
free(reinterpret_cast<void *>(reinterpret_cast<uintptr_t>(p) | 1)); free(reinterpret_cast<void *>(reinterpret_cast<uintptr_t>(p) | 1));
} }
return 0; return 0;
} }
// CHECK: ERROR: attempted to deallocate a chunk not properly aligned // CHECK: ERROR: attempted to deallocate a chunk not properly aligned

test/scudo/double-free.cpp

Show All 10 Lines
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
int main(int argc, char **argv) int main(int argc, char **argv)
{ {
assert(argc == 2); assert(argc == 2);
if (!strcmp(argv[1], "malloc")) { if (!strcmp(argv[1], "malloc")) {
void *p = malloc(sizeof(int)); void *p = malloc(sizeof(int));
if (!p) assert(p);
return 1;
free(p); free(p);
free(p); free(p);
} }
if (!strcmp(argv[1], "new")) { if (!strcmp(argv[1], "new")) {
int *p = new int; int *p = new int;
if (!p) assert(p);
return 1;
delete p; delete p;
delete p; delete p;
} }
if (!strcmp(argv[1], "newarray")) { if (!strcmp(argv[1], "newarray")) {
int *p = new int[8]; int *p = new int[8];
if (!p) assert(p);
return 1;
delete[] p; delete[] p;
delete[] p; delete[] p;
} }
if (!strcmp(argv[1], "memalign")) { if (!strcmp(argv[1], "memalign")) {
void *p = nullptr; void *p = nullptr;
posix_memalign(&p, 0x100, sizeof(int)); posix_memalign(&p, 0x100, sizeof(int));
if (!p) assert(p);
return 1;
free(p); free(p);
free(p); free(p);
} }
return 0; return 0;
} }
// CHECK: ERROR: invalid chunk state // CHECK: ERROR: invalid chunk state

test/scudo/interface.cpp

// RUN: %clang_scudo %s -lstdc++ -o %t // RUN: %clang_scudo %s -lstdc++ -o %t
// RUN: %run %t 2>&1 // RUN: %run %t ownership 2>&1
// RUN: %run %t ownership-and-size 2>&1
// RUN: %run %t heap-size 2>&1
// Tests that the sanitizer interface functions behave appropriately. // Tests that the sanitizer interface functions behave appropriately.
#include <stdlib.h> #include <stdlib.h>
#include <assert.h>
#include <string.h>
#include <vector> #include <vector>
#include <sanitizer/allocator_interface.h> #include <sanitizer/allocator_interface.h>
int main(int argc, char **argv) int main(int argc, char **argv)
{ {
assert(argc == 2);
if (!strcmp(argv[1], "ownership")) {
// Ensures that __sanitizer_get_ownership can be called before any other
// allocator function, and that it behaves properly on a pointer not owned
// by us.
assert(!__sanitizer_get_ownership(argv));
}
if (!strcmp(argv[1], "ownership-and-size")) {
// Tests that __sanitizer_get_ownership and __sanitizer_get_allocated_size
// behave properly on chunks allocated by the Primary and Secondary.
void *p; void *p;
std::vector<ssize_t> sizes{1, 8, 16, 32, 1024, 32768, std::vector<ssize_t> sizes{1, 8, 16, 32, 1024, 32768,
1 << 16, 1 << 17, 1 << 20, 1 << 24}; 1 << 16, 1 << 17, 1 << 20, 1 << 24};
for (size_t size : sizes) { for (size_t size : sizes) {
p = malloc(size); p = malloc(size);
if (!p) assert(p);
return 1; assert(__sanitizer_get_ownership(p));
if (!__sanitizer_get_ownership(p)) assert(__sanitizer_get_allocated_size(p) >= size);
return 1;
if (__sanitizer_get_allocated_size(p) < size)
return 1;
free(p); free(p);
} }
}
if (!strcmp(argv[1], "heap-size")) {
// Ensures that __sanitizer_get_heap_size can be called before any other
// allocator function. At this point, this heap size should be 0.
assert(__sanitizer_get_heap_size() == 0);
}
return 0; return 0;
} }

test/scudo/lit.cfg

Show All 13 Lines
whole_archive = "-Wl,-whole-archive %s -Wl,-no-whole-archive " % base_lib whole_archive = "-Wl,-whole-archive %s -Wl,-no-whole-archive " % base_lib
# Test suffixes. # Test suffixes.
config.suffixes = ['.c', '.cc', '.cpp'] config.suffixes = ['.c', '.cc', '.cpp']
# C flags. # C flags.
c_flags = ([config.target_cflags] + c_flags = ([config.target_cflags] +
["-std=c++11", ["-std=c++11",
"-lrt",
"-ldl",
"-pthread", "-pthread",
"-fPIE", "-fPIE",
"-pie", "-pie",
"-O0"]) "-O0",
"-UNDEBUG",
"-Wl,--gc-sections"])
def build_invocation(compile_flags): def build_invocation(compile_flags):
return " " + " ".join([config.clang] + compile_flags) + " " return " " + " ".join([config.clang] + compile_flags) + " "
# Add clang substitutions. # Add clang substitutions.
config.substitutions.append( ("%clang_scudo ", config.substitutions.append( ("%clang_scudo ",
build_invocation(c_flags) + whole_archive) ) build_invocation(c_flags) + whole_archive) )
# Hardened Allocator tests are currently supported on Linux only. # Hardened Allocator tests are currently supported on Linux only.
if config.host_os not in ['Linux']: if config.host_os not in ['Linux']:
config.unsupported = True config.unsupported = True

test/scudo/malloc.cpp

// RUN: %clang_scudo %s -lstdc++ -o %t // RUN: %clang_scudo %s -lstdc++ -o %t
// RUN: %run %t 2>&1 // RUN: %run %t 2>&1
// Tests that a regular workflow of allocation, memory fill and free works as // Tests that a regular workflow of allocation, memory fill and free works as
// intended. Tests various sizes serviced by the primary and secondary // intended. Tests various sizes serviced by the primary and secondary
// allocators. // allocators.
#include <assert.h>
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include <vector> #include <vector>
int main(int argc, char **argv) int main(int argc, char **argv)
{ {
void *p; void *p;
std::vector<ssize_t> sizes{1, 8, 16, 32, 1024, 32768, std::vector<ssize_t> sizes{1, 8, 16, 32, 1024, 32768,
1 << 16, 1 << 17, 1 << 20, 1 << 24}; 1 << 16, 1 << 17, 1 << 20, 1 << 24};
std::vector<int> offsets{1, 0, -1, -7, -8, -15, -16, -31, -32}; std::vector<int> offsets{1, 0, -1, -7, -8, -15, -16, -31, -32};
p = malloc(0); p = malloc(0);
if (!p) assert(p);
return 1;
free(p); free(p);
for (ssize_t size : sizes) { for (ssize_t size : sizes) {
for (int offset: offsets) { for (int offset: offsets) {
ssize_t actual_size = size + offset; ssize_t actual_size = size + offset;
if (actual_size <= 0) if (actual_size <= 0)
continue; continue;
p = malloc(actual_size); p = malloc(actual_size);
if (!p) assert(p);
return 1;
memset(p, 0xff, actual_size); memset(p, 0xff, actual_size);
free(p); free(p);
} }
} }
return 0; return 0;
} }

test/scudo/memalign.cpp

Show All 23 Linesint main(int argc, char **argv)
void *p = nullptr; void *p = nullptr;
size_t alignment = 1U << 12; size_t alignment = 1U << 12;
size_t size = 1U << 12; size_t size = 1U << 12;
assert(argc == 2); assert(argc == 2);
if (!strcmp(argv[1], "valid")) { if (!strcmp(argv[1], "valid")) {
posix_memalign(&p, alignment, size); posix_memalign(&p, alignment, size);
if (!p) assert(p);
return 1;
free(p); free(p);
p = aligned_alloc(alignment, size); p = aligned_alloc(alignment, size);
if (!p) assert(p);
return 1;
free(p); free(p);
// Tests various combinations of alignment and sizes // Tests various combinations of alignment and sizes
for (int i = (sizeof(void *) == 4) ? 3 : 4; i < 19; i++) { for (int i = (sizeof(void *) == 4) ? 3 : 4; i < 19; i++) {
alignment = 1U << i; alignment = 1U << i;
for (int j = 1; j < 33; j++) { for (int j = 1; j < 33; j++) {
size = 0x800 * j; size = 0x800 * j;
for (int k = 0; k < 3; k++) { for (int k = 0; k < 3; k++) {
p = memalign(alignment, size - (2 * sizeof(void *) * k)); p = memalign(alignment, size - (2 * sizeof(void *) * k));
if (!p) assert(p);
return 1;
free(p); free(p);
} }
} }
} }
// For larger alignment, reduce the number of allocations to avoid running // For larger alignment, reduce the number of allocations to avoid running
// out of potential addresses (on 32-bit). // out of potential addresses (on 32-bit).
for (int i = 19; i <= 24; i++) { for (int i = 19; i <= 24; i++) {
for (int k = 0; k < 3; k++) { for (int k = 0; k < 3; k++) {
p = memalign(alignment, 0x1000 - (2 * sizeof(void *) * k)); p = memalign(alignment, 0x1000 - (2 * sizeof(void *) * k));
if (!p) assert(p);
return 1;
free(p); free(p);
} }
} }
} }
if (!strcmp(argv[1], "invalid")) { if (!strcmp(argv[1], "invalid")) {
p = memalign(alignment - 1, size); p = memalign(alignment - 1, size);
free(p); free(p);
} }
return 0; return 0;
} }
// CHECK: ERROR: alignment is not a power of 2 // CHECK: ERROR: alignment is not a power of 2

test/scudo/mismatch.cpp

// RUN: %clang_scudo %s -o %t // RUN: %clang_scudo %s -o %t
// RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=1 not %run %t mallocdel 2>&1 | FileCheck %s // RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=1 not %run %t mallocdel 2>&1 | FileCheck %s
// RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=0 %run %t mallocdel 2>&1 // RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=0 %run %t mallocdel 2>&1
// RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=1 not %run %t newfree 2>&1 | FileCheck %s // RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=1 not %run %t newfree 2>&1 | FileCheck %s
// RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=0 %run %t newfree 2>&1 // RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=0 %run %t newfree 2>&1
// RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=1 not %run %t memaligndel 2>&1 | FileCheck %s // RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=1 not %run %t memaligndel 2>&1 | FileCheck %s
// RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=0 %run %t memaligndel 2>&1 // RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=0 %run %t memaligndel 2>&1
// Tests that type mismatches between allocation and deallocation functions are // Tests that type mismatches between allocation and deallocation functions are
// caught when the related option is set. // caught when the related option is set.
#include <assert.h> #include <assert.h>
#include <malloc.h>
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include <malloc.h>
int main(int argc, char **argv) int main(int argc, char **argv)
{ {
assert(argc == 2); assert(argc == 2);
if (!strcmp(argv[1], "mallocdel")) { if (!strcmp(argv[1], "mallocdel")) {
int *p = (int *)malloc(16); int *p = (int *)malloc(16);
if (!p) assert(p);
return 1;
delete p; delete p;
} }
if (!strcmp(argv[1], "newfree")) { if (!strcmp(argv[1], "newfree")) {
int *p = new int; int *p = new int;
if (!p) assert(p);
return 1;
free((void *)p); free((void *)p);
} }
if (!strcmp(argv[1], "memaligndel")) { if (!strcmp(argv[1], "memaligndel")) {
int *p = (int *)memalign(16, 16); int *p = (int *)memalign(16, 16);
if (!p) assert(p);
return 1;
delete p; delete p;
} }
return 0; return 0;
} }
// CHECK: ERROR: allocation type mismatch on address // CHECK: ERROR: allocation type mismatch on address

test/scudo/options.cpp

// RUN: %clang_scudo %s -o %t // RUN: %clang_scudo %s -o %t
// RUN: %run %t 2>&1 // RUN: %run %t 2>&1
// RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=0 %run %t 2>&1 // RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=0 %run %t 2>&1
// RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=1 not %run %t 2>&1 | FileCheck %s // RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=1 not %run %t 2>&1 | FileCheck %s
// Tests that the options can be passed using getScudoDefaultOptions, and that // Tests that the options can be passed using getScudoDefaultOptions, and that
// the environment ones take precedence over them. // the environment ones take precedence over them.
#include <stdlib.h> #include <assert.h>
#include <malloc.h> #include <malloc.h>
#include <stdlib.h>
extern "C" const char* __scudo_default_options() { extern "C" const char* __scudo_default_options() {
return "DeallocationTypeMismatch=0"; // Defaults to true in scudo_flags.inc. return "DeallocationTypeMismatch=0"; // Defaults to true in scudo_flags.inc.
} }
int main(int argc, char **argv) int main(int argc, char **argv)
{ {
int *p = (int *)malloc(16); int *p = (int *)malloc(16);
if (!p) assert(p);
return 1;
delete p; delete p;
return 0; return 0;
} }
// CHECK: ERROR: allocation type mismatch on address // CHECK: ERROR: allocation type mismatch on address

test/scudo/overflow.cpp

// RUN: %clang_scudo %s -o %t // RUN: %clang_scudo %s -o %t
// RUN: not %run %t malloc 2>&1 | FileCheck %s // RUN: not %run %t malloc 2>&1 | FileCheck %s
// RUN: SCUDO_OPTIONS=QuarantineSizeMb=1 not %run %t quarantine 2>&1 | FileCheck %s // RUN: SCUDO_OPTIONS=QuarantineSizeMb=1 not %run %t quarantine 2>&1 | FileCheck %s
// Tests that header corruption of an allocated or quarantined chunk is caught. // Tests that header corruption of an allocated or quarantined chunk is caught.
#include <assert.h> #include <assert.h>
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
int main(int argc, char **argv) int main(int argc, char **argv)
{ {
assert(argc == 2);
ssize_t offset = sizeof(void *) == 8 ? 8 : 0; ssize_t offset = sizeof(void *) == 8 ? 8 : 0;
assert(argc == 2);
if (!strcmp(argv[1], "malloc")) { if (!strcmp(argv[1], "malloc")) {
// Simulate a header corruption of an allocated chunk (1-bit) // Simulate a header corruption of an allocated chunk (1-bit)
void *p = malloc(1U << 4); void *p = malloc(1U << 4);
if (!p) assert(p);
return 1;
((char *)p)[-(offset + 1)] ^= 1; ((char *)p)[-(offset + 1)] ^= 1;
free(p); free(p);
} }
if (!strcmp(argv[1], "quarantine")) { if (!strcmp(argv[1], "quarantine")) {
void *p = malloc(1U << 4); void *p = malloc(1U << 4);
if (!p) assert(p);
return 1;
free(p); free(p);
// Simulate a header corruption of a quarantined chunk // Simulate a header corruption of a quarantined chunk
((char *)p)[-(offset + 2)] ^= 1; ((char *)p)[-(offset + 2)] ^= 1;
// Trigger the quarantine recycle // Trigger the quarantine recycle
for (int i = 0; i < 0x100; i++) { for (int i = 0; i < 0x100; i++) {
p = malloc(1U << 16); p = malloc(1U << 16);
free(p); free(p);
} }
} }
return 0; return 0;
} }
// CHECK: ERROR: corrupted chunk header at address // CHECK: ERROR: corrupted chunk header at address

test/scudo/preinit.cpp

// RUN: %clang_scudo %s -o %t // RUN: %clang_scudo %s -o %t
// RUN: %run %t 2>&1 // RUN: %run %t 2>&1
// Verifies that calling malloc in a preinit_array function succeeds, and that // Verifies that calling malloc in a preinit_array function succeeds, and that
// the resulting pointer can be freed at program termination. // the resulting pointer can be freed at program termination.
#include <assert.h>
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
static void *global_p = nullptr; static void *global_p = nullptr;
void __init(void) { void __init(void) {
global_p = malloc(1); global_p = malloc(1);
if (!global_p) if (!global_p)
exit(1); exit(1);
} }
void __fini(void) { void __fini(void) {
if (global_p) if (global_p)
free(global_p); free(global_p);
} }
int main(int argc, char **argv) int main(int argc, char **argv)
{ {
void *p = malloc(1); void *p = malloc(1);
if (!p) assert(p);
return 1;
free(p); free(p);
return 0; return 0;
} }
__attribute__((section(".preinit_array"), used)) __attribute__((section(".preinit_array"), used))
void (*__local_preinit)(void) = __init; void (*__local_preinit)(void) = __init;
__attribute__((section(".fini_array"), used)) __attribute__((section(".fini_array"), used))
void (*__local_fini)(void) = __fini; void (*__local_fini)(void) = __fini;

test/scudo/quarantine.cpp

// RUN: %clang_scudo %s -o %t // RUN: %clang_scudo %s -o %t
// RUN: SCUDO_OPTIONS=QuarantineSizeMb=1 %run %t 2>&1 // RUN: SCUDO_OPTIONS="QuarantineSizeMb=0:ThreadLocalQuarantineSizeKb=0" %run %t zeroquarantine 2>&1
// RUN: SCUDO_OPTIONS=QuarantineSizeMb=1 %run %t smallquarantine 2>&1
// Tests that the quarantine prevents a chunk from being reused right away. // Tests that the quarantine prevents a chunk from being reused right away.
// Also tests that a chunk will eventually become available again for // Also tests that a chunk will eventually become available again for
// allocation when the recycling criteria has been met. // allocation when the recycling criteria has been met.
#include <assert.h>
#include <malloc.h> #include <malloc.h>
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include <sanitizer/allocator_interface.h>
int main(int argc, char **argv) int main(int argc, char **argv)
{ {
void *p, *old_p; void *p, *old_p;
size_t size = 1U << 16; size_t allocated_bytes, size = 1U << 16;
assert(argc == 2);
// The delayed freelist will prevent a chunk from being available right away if (!strcmp(argv[1], "zeroquarantine")) {
// Verifies that a chunk is deallocated right away when the local and
// global quarantine sizes are 0.
allocated_bytes = __sanitizer_get_current_allocated_bytes();
p = malloc(size);
assert(p);
assert(__sanitizer_get_current_allocated_bytes() > allocated_bytes);
free(p);
assert(__sanitizer_get_current_allocated_bytes() == allocated_bytes);
}
if (!strcmp(argv[1], "smallquarantine")) {
// The delayed freelist will prevent a chunk from being available right
// away.
p = malloc(size); p = malloc(size);
if (!p) assert(p);
return 1;
old_p = p; old_p = p;
free(p); free(p);
p = malloc(size); p = malloc(size);
if (!p) assert(p);
return 1; assert(old_p != p);
if (old_p == p)
return 1;
free(p); free(p);
// Eventually the chunk should become available again // Eventually the chunk should become available again.
bool found = false; bool found = false;
for (int i = 0; i < 0x100 && found == false; i++) { for (int i = 0; i < 0x100 && found == false; i++) {
p = malloc(size); p = malloc(size);
if (!p) assert(p);
return 1;
found = (p == old_p); found = (p == old_p);
free(p); free(p);
} }
if (found == false) assert(found == true);
return 1; }
alekseyshlUnsubmitted
Not Done
ReplyInline Actions

Wouldn't assert(CONDITION); be more debug friendly than if (!CONDITION) return 1; throughout? Should any of those tests break, to figure out what exactly went wrong, one will have to either step through the code or add printfs/asserts anyway.

alekseyshl: Wouldn't assert(CONDITION); be more debug friendly than if (!CONDITION) return 1; throughout?
cryptoadAuthorUnsubmitted
Not Done
ReplyInline Actions

Good point, I will change those.

cryptoad: Good point, I will change those.
return 0; return 0;
} }

test/scudo/realloc.cpp

Show All 17 Lines
int main(int argc, char **argv) int main(int argc, char **argv)
{ {
void *p, *old_p; void *p, *old_p;
// Those sizes will exercise both allocators (Primary & Secondary). // Those sizes will exercise both allocators (Primary & Secondary).
std::vector<size_t> sizes{1, 16, 1024, 32768, 1 << 16, 1 << 17, 1 << 20}; std::vector<size_t> sizes{1, 16, 1024, 32768, 1 << 16, 1 << 17, 1 << 20};
assert(argc == 2); assert(argc == 2);
for (size_t size : sizes) { for (size_t size : sizes) {
if (!strcmp(argv[1], "pointers")) { if (!strcmp(argv[1], "pointers")) {
old_p = p = realloc(nullptr, size); old_p = p = realloc(nullptr, size);
if (!p) assert(p);
return 1;
size = malloc_usable_size(p); size = malloc_usable_size(p);
// Our realloc implementation will return the same pointer if the size // Our realloc implementation will return the same pointer if the size
// requested is lower than or equal to the usable size of the associated // requested is lower than or equal to the usable size of the associated
// chunk. // chunk.
p = realloc(p, size - 1); p = realloc(p, size - 1);
if (p != old_p) assert(p == old_p);
return 1;
p = realloc(p, size); p = realloc(p, size);
if (p != old_p) assert(p == old_p);
return 1;
// And a new one if the size is greater. // And a new one if the size is greater.
p = realloc(p, size + 1); p = realloc(p, size + 1);
if (p == old_p) assert(p != old_p);
return 1;
// A size of 0 will free the chunk and return nullptr. // A size of 0 will free the chunk and return nullptr.
p = realloc(p, 0); p = realloc(p, 0);
if (p) assert(!p);
return 1;
old_p = nullptr; old_p = nullptr;
} }
if (!strcmp(argv[1], "contents")) { if (!strcmp(argv[1], "contents")) {
p = realloc(nullptr, size); p = realloc(nullptr, size);
if (!p) assert(p);
return 1;
for (int i = 0; i < size; i++) for (int i = 0; i < size; i++)
reinterpret_cast<char *>(p)[i] = 'A'; reinterpret_cast<char *>(p)[i] = 'A';
p = realloc(p, size + 1); p = realloc(p, size + 1);
// The contents of the reallocated chunk must match the original one. // The contents of the reallocated chunk must match the original one.
for (int i = 0; i < size; i++) for (int i = 0; i < size; i++)
if (reinterpret_cast<char *>(p)[i] != 'A') assert(reinterpret_cast<char *>(p)[i] == 'A');
return 1;
} }
if (!strcmp(argv[1], "memalign")) { if (!strcmp(argv[1], "memalign")) {
// A chunk coming from memalign cannot be reallocated. // A chunk coming from memalign cannot be reallocated.
p = memalign(16, size); p = memalign(16, size);
if (!p) assert(p);
return 1;
p = realloc(p, size); p = realloc(p, size);
free(p); free(p);
} }
} }
return 0; return 0;
} }
// CHECK: ERROR: invalid chunk type when reallocating address // CHECK: ERROR: invalid chunk type when reallocating address

test/scudo/secondary.cpp

// RUN: %clang_scudo %s -o %t // RUN: %clang_scudo %s -o %t
// RUN: %run %t after 2>&1 | FileCheck %s // RUN: %run %t after 2>&1 | FileCheck %s
// RUN: %run %t before 2>&1 | FileCheck %s // RUN: %run %t before 2>&1 | FileCheck %s
// Test that we hit a guard page when writing past the end of a chunk // Test that we hit a guard page when writing past the end of a chunk
// allocated by the Secondary allocator, or writing too far in front of it. // allocated by the Secondary allocator, or writing too far in front of it.
#include <assert.h>
#include <malloc.h> #include <malloc.h>
#include <signal.h>
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include <unistd.h> #include <unistd.h>
#include <signal.h>
#include <assert.h>
void handler(int signo, siginfo_t *info, void *uctx) { void handler(int signo, siginfo_t *info, void *uctx) {
if (info->si_code == SEGV_ACCERR) { if (info->si_code == SEGV_ACCERR) {
fprintf(stderr, "SCUDO SIGSEGV\n"); fprintf(stderr, "SCUDO SIGSEGV\n");
exit(0); exit(0);
} }
exit(1); exit(1);
} }
int main(int argc, char **argv) int main(int argc, char **argv)
{ {
// The size must be large enough to be serviced by the secondary allocator. // The size must be large enough to be serviced by the secondary allocator.
long page_size = sysconf(_SC_PAGESIZE); long page_size = sysconf(_SC_PAGESIZE);
size_t size = (1U << 17) + page_size; size_t size = (1U << 17) + page_size;
struct sigaction a; struct sigaction a;
assert(argc == 2); assert(argc == 2);
memset(&a, 0, sizeof(a)); memset(&a, 0, sizeof(a));
a.sa_sigaction = handler; a.sa_sigaction = handler;
a.sa_flags = SA_SIGINFO; a.sa_flags = SA_SIGINFO;
char *p = (char *)malloc(size); char *p = (char *)malloc(size);
if (!p) assert(p);
return 1;
memset(p, 'A', size); // This should not trigger anything. memset(p, 'A', size); // This should not trigger anything.
// Set up the SIGSEGV handler now, as the rest should trigger an AV. // Set up the SIGSEGV handler now, as the rest should trigger an AV.
sigaction(SIGSEGV, &a, nullptr); sigaction(SIGSEGV, &a, nullptr);
if (!strcmp(argv[1], "after")) { if (!strcmp(argv[1], "after")) {
for (int i = 0; i < page_size; i++) for (int i = 0; i < page_size; i++)
p[size + i] = 'A'; p[size + i] = 'A';
} }
if (!strcmp(argv[1], "before")) { if (!strcmp(argv[1], "before")) {
Show All 9 Lines

test/scudo/sized-delete.cpp

// RUN: %clang_scudo -fsized-deallocation %s -o %t // RUN: %clang_scudo -fsized-deallocation %s -o %t
// RUN: SCUDO_OPTIONS=DeleteSizeMismatch=1 %run %t gooddel 2>&1 // RUN: SCUDO_OPTIONS=DeleteSizeMismatch=1 %run %t gooddel 2>&1
// RUN: SCUDO_OPTIONS=DeleteSizeMismatch=1 not %run %t baddel 2>&1 | FileCheck %s // RUN: SCUDO_OPTIONS=DeleteSizeMismatch=1 not %run %t baddel 2>&1 | FileCheck %s
// RUN: SCUDO_OPTIONS=DeleteSizeMismatch=0 %run %t baddel 2>&1 // RUN: SCUDO_OPTIONS=DeleteSizeMismatch=0 %run %t baddel 2>&1
// RUN: SCUDO_OPTIONS=DeleteSizeMismatch=1 %run %t gooddelarr 2>&1 // RUN: SCUDO_OPTIONS=DeleteSizeMismatch=1 %run %t gooddelarr 2>&1
// RUN: SCUDO_OPTIONS=DeleteSizeMismatch=1 not %run %t baddelarr 2>&1 | FileCheck %s // RUN: SCUDO_OPTIONS=DeleteSizeMismatch=1 not %run %t baddelarr 2>&1 | FileCheck %s
// RUN: SCUDO_OPTIONS=DeleteSizeMismatch=0 %run %t baddelarr 2>&1 // RUN: SCUDO_OPTIONS=DeleteSizeMismatch=0 %run %t baddelarr 2>&1
// Ensures that the sized delete operator errors out when the appropriate // Ensures that the sized delete operator errors out when the appropriate
// option is passed and the sizes do not match between allocation and // option is passed and the sizes do not match between allocation and
// deallocation functions. // deallocation functions.
#include <new>
#include <assert.h> #include <assert.h>
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include <new>
int main(int argc, char **argv) int main(int argc, char **argv)
{ {
assert(argc == 2); assert(argc == 2);
if (!strcmp(argv[1], "gooddel")) { if (!strcmp(argv[1], "gooddel")) {
long long *p = new long long; long long *p = new long long;
operator delete(p, sizeof(long long)); operator delete(p, sizeof(long long));
} }
if (!strcmp(argv[1], "baddel")) { if (!strcmp(argv[1], "baddel")) {
Show All 15 Lines

test/scudo/sizes.cpp

Show All 17 Lines
int main(int argc, char **argv) int main(int argc, char **argv)
{ {
assert(argc == 2); assert(argc == 2);
if (!strcmp(argv[1], "malloc")) { if (!strcmp(argv[1], "malloc")) {
// Currently the maximum size the allocator can allocate is 1ULL<<40 bytes. // Currently the maximum size the allocator can allocate is 1ULL<<40 bytes.
size_t size = std::numeric_limits<size_t>::max(); size_t size = std::numeric_limits<size_t>::max();
void *p = malloc(size); void *p = malloc(size);
if (p) assert(!p);
return 1;
size = (1ULL << 40) - 16; size = (1ULL << 40) - 16;
p = malloc(size); p = malloc(size);
if (p) assert(!p);
return 1;
} }
if (!strcmp(argv[1], "calloc")) { if (!strcmp(argv[1], "calloc")) {
// Trigger an overflow in calloc. // Trigger an overflow in calloc.
size_t size = std::numeric_limits<size_t>::max(); size_t size = std::numeric_limits<size_t>::max();
void *p = calloc((size / 0x1000) + 1, 0x1000); void *p = calloc((size / 0x1000) + 1, 0x1000);
if (p) assert(!p);
return 1;
} }
if (!strcmp(argv[1], "usable")) { if (!strcmp(argv[1], "usable")) {
// Playing with the actual usable size of a chunk. // Playing with the actual usable size of a chunk.
void *p = malloc(1007); void *p = malloc(1007);
if (!p) assert(p);
return 1;
size_t size = malloc_usable_size(p); size_t size = malloc_usable_size(p);
if (size < 1007) assert(size >= 1007);
return 1;
memset(p, 'A', size); memset(p, 'A', size);
p = realloc(p, 2014); p = realloc(p, 2014);
if (!p) assert(p);
return 1;
size = malloc_usable_size(p); size = malloc_usable_size(p);
if (size < 2014) assert(size >= 2014);
return 1;
memset(p, 'B', size); memset(p, 'B', size);
free(p); free(p);
} }
return 0; return 0;
} }
// CHECK: allocator is terminating the process // CHECK: allocator is terminating the process