This is an archive of the discontinued LLVM Phabricator instance.

Differential D30101

[asan] Implement "scribble" flag, which overwrites free'd memory with 0x55
ClosedPublic

Authored by kubamracek on Feb 17 2017, 10:19 AM.

Details

Reviewers
kcc
filcab
eugenis
rnk
Commits
rGfe7e91b0033f: [asan] Implement "scribble" flags, which overwrite free'd memory with 0x55
rCRT299085: [asan] Implement "scribble" flags, which overwrite free'd memory with 0x55
rL299085: [asan] Implement "scribble" flags, which overwrite free'd memory with 0x55
Summary

This patch implements a off-by-default flag called "scribble", which will overwrite free()'d memory with 0x55 bytes. This is to match the MallocScribble env var on macOS (see https://developer.apple.com/library/content/documentation/Performance/Conceptual/ManagingMemory/Articles/MallocDebug.html) and it's a helpful tool to better detect use-after-free bugs that happen in non-instrumented code. For example in Obj-C code, a lot of memory accesses happens within libobjc, which is not instrumented, and using "scribble=1" will make it crash much more reliably.

Diff Detail

Repository
rL LLVM

Event Timeline

kubamracek created this revision.Feb 17 2017, 10:19 AM
kubamracek updated this revision to Diff 88954.Feb 17 2017, 2:26 PM

Changing the testcase slightly. I realized that 0x55555555 can actually be a valid address in some platforms.

kcc edited edge metadata.Feb 17 2017, 2:42 PM

there is already max_malloc_fill_size and malloc_fill_byte
So to be consistent I suggest to have flags max_free_fill_size and free_fill_byte

I don't mind having max_free_fill_size=0x1000 by default.

filcab added inline comments.Feb 21 2017, 7:12 AM
lib/asan/asan_allocator.cc
533 ↗(On Diff #88954)

If you're re-using max_malloc_fill_size, please add to its description that it's also used for scribbling after deallocation.
Otherwise, having different flags for the deallocation scribbling looks good too.

lib/asan/asan_flags.inc
147 ↗(On Diff #88954)

"On deallocation..."? Since we also set it for delete/delete[]
I think the current phrasing is understandable, but seems better to phrase it more generally.

kubamracek updated this revision to Diff 93170.Mar 27 2017, 1:08 PM

Updating patch. This now uses the max_malloc_fill_size/max_free_fill_size and malloc_fill_byte/free_fill_byte flag names. We're also turning this on with the same env vars as Malloc Scribble on macOS does (https://developer.apple.com/library/content/documentation/Performance/Conceptual/ManagingMemory/Articles/MallocDebug.html).

kcc added inline comments.Mar 29 2017, 5:31 PM
lib/asan/asan_flags.cc
98 ↗(On Diff #93170)

Put this under if (SANITIZER_MAC) or something.
AFIACT, there is no such standard env var on other platforms.

test/asan/TestCases/scribble.cc
3 ↗(On Diff #93170)

add one more test with ASAN_OPTIONS instead of Mac-specific options.

kubamracek updated this revision to Diff 93431.Mar 29 2017, 6:03 PM
kubamracek marked 4 inline comments as done.
kcc added inline comments.Mar 29 2017, 6:04 PM
test/asan/TestCases/scribble.cc
3 ↗(On Diff #93431)

and now this test will fail on non-Mac, right?

kubamracek added inline comments.Mar 29 2017, 6:05 PM
test/asan/TestCases/scribble.cc
3 ↗(On Diff #93431)

Right, I thought this test was in TestCases/Darwin/.

kubamracek updated this revision to Diff 93434.Mar 29 2017, 6:10 PM
kcc accepted this revision.Mar 29 2017, 6:11 PM

LGTM

This revision is now accepted and ready to land.Mar 29 2017, 6:11 PM
Closed by commit rL299085: [asan] Implement "scribble" flags, which overwrite free'd memory with 0x55 (authored by kuba.brecka). · Explain WhyMar 30 2017, 8:57 AM
This revision was automatically updated to reflect the committed changes.
kubamracek added a comment.Mar 30 2017, 8:58 AM

Thanks for the review!

Revision Contents

PathSize
compiler-rt/
trunk/
lib/
asan/
12 lines
12 lines
6 lines
test/
asan/
TestCases/
Darwin/
56 lines
55 lines

Diff 93485

compiler-rt/trunk/lib/asan/asan_allocator.cc

Show First 20 LinesShow All 517 Lines▼ Show 20 Lines void QuarantineChunk(AsanChunk *m, void *ptr, BufferedStackTrace *stack,
AllocType alloc_type) { AllocType alloc_type) {
CHECK_EQ(m->chunk_state, CHUNK_QUARANTINE); CHECK_EQ(m->chunk_state, CHUNK_QUARANTINE);
CHECK_GE(m->alloc_tid, 0); CHECK_GE(m->alloc_tid, 0);
if (SANITIZER_WORDSIZE == 64) // On 32-bits this resides in user area. if (SANITIZER_WORDSIZE == 64) // On 32-bits this resides in user area.
CHECK_EQ(m->free_tid, kInvalidTid); CHECK_EQ(m->free_tid, kInvalidTid);
AsanThread *t = GetCurrentThread(); AsanThread *t = GetCurrentThread();
m->free_tid = t ? t->tid() : 0; m->free_tid = t ? t->tid() : 0;
m->free_context_id = StackDepotPut(*stack); m->free_context_id = StackDepotPut(*stack);
Flags &fl = *flags();
if (fl.max_free_fill_size > 0) {
// We have to skip the chunk header, it contains free_context_id.
uptr scribble_start = (uptr)m + kChunkHeaderSize + kChunkHeader2Size;
if (m->UsedSize() >= kChunkHeader2Size) { // Skip Header2 in user area.
uptr size_to_fill = m->UsedSize() - kChunkHeader2Size;
size_to_fill = Min(size_to_fill, (uptr)fl.max_free_fill_size);
REAL(memset)((void *)scribble_start, fl.free_fill_byte, size_to_fill);
}
}
// Poison the region. // Poison the region.
PoisonShadow(m->Beg(), PoisonShadow(m->Beg(),
RoundUpTo(m->UsedSize(), SHADOW_GRANULARITY), RoundUpTo(m->UsedSize(), SHADOW_GRANULARITY),
kAsanHeapFreeMagic); kAsanHeapFreeMagic);
AsanStats &thread_stats = GetCurrentThreadStats(); AsanStats &thread_stats = GetCurrentThreadStats();
thread_stats.frees++; thread_stats.frees++;
thread_stats.freed += m->UsedSize(); thread_stats.freed += m->UsedSize();
▲ Show 20 LinesShow All 451 LinesShow Last 20 Lines

compiler-rt/trunk/lib/asan/asan_flags.cc

Show First 20 LinesShow All 89 Lines▼ Show 20 Lines#if CAN_SANITIZE_UB
__ubsan::Flags *uf = __ubsan::flags(); __ubsan::Flags *uf = __ubsan::flags();
uf->SetDefaults(); uf->SetDefaults();
FlagParser ubsan_parser; FlagParser ubsan_parser;
__ubsan::RegisterUbsanFlags(&ubsan_parser, uf); __ubsan::RegisterUbsanFlags(&ubsan_parser, uf);
RegisterCommonFlags(&ubsan_parser); RegisterCommonFlags(&ubsan_parser);
#endif #endif
if (SANITIZER_MAC) {
// Support macOS MallocScribble and MallocPreScribble:
// <https://developer.apple.com/library/content/documentation/Performance/
// Conceptual/ManagingMemory/Articles/MallocDebug.html>
if (GetEnv("MallocScribble")) {
f->max_free_fill_size = 0x1000;
}
if (GetEnv("MallocPreScribble")) {
f->malloc_fill_byte = 0xaa;
}
}
// Override from ASan compile definition. // Override from ASan compile definition.
const char *asan_compile_def = MaybeUseAsanDefaultOptionsCompileDefinition(); const char *asan_compile_def = MaybeUseAsanDefaultOptionsCompileDefinition();
asan_parser.ParseString(asan_compile_def); asan_parser.ParseString(asan_compile_def);
// Override from user-specified string. // Override from user-specified string.
const char *asan_default_options = MaybeCallAsanDefaultOptions(); const char *asan_default_options = MaybeCallAsanDefaultOptions();
asan_parser.ParseString(asan_default_options); asan_parser.ParseString(asan_default_options);
#if CAN_SANITIZE_UB #if CAN_SANITIZE_UB
▲ Show 20 LinesShow All 86 LinesShow Last 20 Lines

compiler-rt/trunk/lib/asan/asan_flags.inc

Show First 20 LinesShow All 57 Lines▼ Show 20 LinesASAN_FLAG(int, max_uar_stack_size_log,
20, // 1Mb per size class, i.e. ~11Mb per thread 20, // 1Mb per size class, i.e. ~11Mb per thread
"Maximum fake stack size log.") "Maximum fake stack size log.")
ASAN_FLAG(bool, uar_noreserve, false, ASAN_FLAG(bool, uar_noreserve, false,
"Use mmap with 'noreserve' flag to allocate fake stack.") "Use mmap with 'noreserve' flag to allocate fake stack.")
ASAN_FLAG( ASAN_FLAG(
int, max_malloc_fill_size, 0x1000, // By default, fill only the first 4K. int, max_malloc_fill_size, 0x1000, // By default, fill only the first 4K.
"ASan allocator flag. max_malloc_fill_size is the maximal amount of " "ASan allocator flag. max_malloc_fill_size is the maximal amount of "
"bytes that will be filled with malloc_fill_byte on malloc.") "bytes that will be filled with malloc_fill_byte on malloc.")
ASAN_FLAG(
int, max_free_fill_size, 0,
"ASan allocator flag. max_free_fill_size is the maximal amount of "
"bytes that will be filled with free_fill_byte during free.")
ASAN_FLAG(int, malloc_fill_byte, 0xbe, ASAN_FLAG(int, malloc_fill_byte, 0xbe,
"Value used to fill the newly allocated memory.") "Value used to fill the newly allocated memory.")
ASAN_FLAG(int, free_fill_byte, 0x55,
"Value used to fill deallocated memory.")
ASAN_FLAG(bool, allow_user_poisoning, true, ASAN_FLAG(bool, allow_user_poisoning, true,
"If set, user may manually mark memory regions as poisoned or " "If set, user may manually mark memory regions as poisoned or "
"unpoisoned.") "unpoisoned.")
ASAN_FLAG( ASAN_FLAG(
int, sleep_before_dying, 0, int, sleep_before_dying, 0,
"Number of seconds to sleep between printing an error report and " "Number of seconds to sleep between printing an error report and "
"terminating the program. Useful for debugging purposes (e.g. when one " "terminating the program. Useful for debugging purposes (e.g. when one "
"needs to attach gdb).") "needs to attach gdb).")
▲ Show 20 LinesShow All 79 LinesShow Last 20 Lines

compiler-rt/trunk/test/asan/TestCases/Darwin/scribble.cc

// RUN: %clang_asan -O2 %s -o %t
// RUN: %run %t 2>&1 | FileCheck --check-prefix=CHECK-NOSCRIBBLE %s
// RUN: env MallocScribble=1 MallocPreScribble=1 %run %t 2>&1 | FileCheck --check-prefix=CHECK-SCRIBBLE %s
// RUN: %env_asan_opts=max_free_fill_size=4096 %run %t 2>&1 | FileCheck --check-prefix=CHECK-SCRIBBLE %s
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct Isa {
const char *class_name;
};
struct MyClass {
long padding;
Isa *isa;
long data;
void print_my_class_name();
};
__attribute__((no_sanitize("address")))
void MyClass::print_my_class_name() {
fprintf(stderr, "this = %p\n", this);
fprintf(stderr, "padding = 0x%lx\n", this->padding);
fprintf(stderr, "isa = %p\n", this->isa);
if ((uint32_t)(uintptr_t)this->isa != 0x55555555) {
fprintf(stderr, "class name: %s\n", this->isa->class_name);
}
}
int main() {
Isa *my_class_isa = (Isa *)malloc(sizeof(Isa));
memset(my_class_isa, 0x77, sizeof(Isa));
my_class_isa->class_name = "MyClass";
MyClass *my_object = (MyClass *)malloc(sizeof(MyClass));
memset(my_object, 0x88, sizeof(MyClass));
my_object->isa = my_class_isa;
my_object->data = 42;
my_object->print_my_class_name();
// CHECK-SCRIBBLE: class name: MyClass
// CHECK-NOSCRIBBLE: class name: MyClass
free(my_object);
my_object->print_my_class_name();
// CHECK-NOSCRIBBLE: class name: MyClass
// CHECK-SCRIBBLE: isa = {{0x5555555555555555|0x55555555}}
printf("okthxbai!\n");
// CHECK-SCRIBBLE: okthxbai!
// CHECK-NOSCRIBBLE: okthxbai!
}

compiler-rt/trunk/test/asan/TestCases/scribble.cc

// RUN: %clang_asan -O2 %s -o %t
// RUN: %run %t 2>&1 | FileCheck --check-prefix=CHECK-NOSCRIBBLE %s
// RUN: %env_asan_opts=max_free_fill_size=4096 %run %t 2>&1 | FileCheck --check-prefix=CHECK-SCRIBBLE %s
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct Isa {
const char *class_name;
};
struct MyClass {
long padding;
Isa *isa;
long data;
void print_my_class_name();
};
__attribute__((no_sanitize("address")))
void MyClass::print_my_class_name() {
fprintf(stderr, "this = %p\n", this);
fprintf(stderr, "padding = 0x%lx\n", this->padding);
fprintf(stderr, "isa = %p\n", this->isa);
if ((uint32_t)(uintptr_t)this->isa != 0x55555555) {
fprintf(stderr, "class name: %s\n", this->isa->class_name);
}
}
int main() {
Isa *my_class_isa = (Isa *)malloc(sizeof(Isa));
memset(my_class_isa, 0x77, sizeof(Isa));
my_class_isa->class_name = "MyClass";
MyClass *my_object = (MyClass *)malloc(sizeof(MyClass));
memset(my_object, 0x88, sizeof(MyClass));
my_object->isa = my_class_isa;
my_object->data = 42;
my_object->print_my_class_name();
// CHECK-SCRIBBLE: class name: MyClass
// CHECK-NOSCRIBBLE: class name: MyClass
free(my_object);
my_object->print_my_class_name();
// CHECK-NOSCRIBBLE: class name: MyClass
// CHECK-SCRIBBLE: isa = {{0x5555555555555555|0x55555555}}
printf("okthxbai!\n");
// CHECK-SCRIBBLE: okthxbai!
// CHECK-NOSCRIBBLE: okthxbai!
}