This is an archive of the discontinued LLVM Phabricator instance.

Differential D31092

Bypass potential libc's sysconf wrappers for sysconf(_SC_PAGESIZE) call
ClosedPublic

Authored by alekseyshl on Mar 17 2017, 11:44 AM.

Details

Reviewers
eugenis
Commits
rGa7291b373063: Bypass potential libc's sysconf wrappers for sysconf(_SC_PAGESIZE) call
rCRT298305: Bypass potential libc's sysconf wrappers for sysconf(_SC_PAGESIZE) call
rL298305: Bypass potential libc's sysconf wrappers for sysconf(_SC_PAGESIZE) call
Summary

sysconf(_SC_PAGESIZE) is called very early, during sanitizer init and
any instrumented code (a wrapper/interceptor will likely be instrumented)
calling back to sanitizer before init is done will most surely crash.

Diff Detail

Event Timeline

alekseyshl created this revision.Mar 17 2017, 11:44 AM
Harbormaster completed remote builds in B4846: Diff 92176.Mar 17 2017, 11:44 AM
Herald added a subscriber: kubamracek. · View Herald TranscriptMar 17 2017, 11:44 AM
kubamracek added a comment.Mar 17 2017, 11:52 AM

So is this to avoid potential future crashes when sysconf gets an interceptor? Can we instead call REAL(sysconf)?

alekseyshl added a comment.Mar 17 2017, 1:09 PM

No, it's intended to bypass interceptors defined in other libraries. REAL(sysconf) bypasses our own interceptor and REAL(...) functions are not ready yet at the moment we call sysconf(_SC_PAGESIZE) first time anyway.

kubamracek added a comment.Mar 17 2017, 1:26 PM

If that something that sanitizers need to protect against, then it sounds like we should do a direct syscall instead. Dlsym is also a complicated thing and it can call other possibly-intercepted functions, e.g. malloc or pthread_mutex_lock, IIRC.

Anyway, I'm not opposing this change, I was just curious why we need it.

eugenis edited edge metadata.Mar 17 2017, 1:52 PM

sysconf for the page size is not a syscall on most platforms.
On linux it reads auxv, which could also be done through getauxval() on glibc and bionic, and, it appears, freebsd. But in bionic it is broken.

alekseyshl updated this revision to Diff 92357.Mar 20 2017, 10:51 AM
  • Do not call sysconf() during init at all.
Harbormaster completed remote builds in B4891: Diff 92357.Mar 20 2017, 10:51 AM
alekseyshl added a comment.Mar 20 2017, 10:52 AM

It appears that dlsym() also cannot be used during init stage, this code path calls into instrumented code as well under some sanitizers. PTAL.

eugenis added a comment.Mar 20 2017, 1:17 PM

LGTM

test/sanitizer_common/TestCases/Linux/sysconf_interceptor_bypass_test.cc
19

Does the test fail w/o this change?
AFAIK CHECK-NOT should go both before and after the CHECK: Passed line.

alekseyshl updated this revision to Diff 92380.Mar 20 2017, 1:58 PM
  • Add forgotten CHECK-NOT.
Harbormaster completed remote builds in B4897: Diff 92380.Mar 20 2017, 1:58 PM
alekseyshl marked an inline comment as done.Mar 20 2017, 1:58 PM
Closed by commit rL298305: Bypass potential libc's sysconf wrappers for sysconf(_SC_PAGESIZE) call (authored by alekseyshl). · Explain WhyMar 20 2017, 2:15 PM
This revision was automatically updated to reflect the committed changes.
alekseyshl mentioned this in D31221: Bypass potential libc's sysconf interceptors.Mar 21 2017, 4:11 PM
alekseyshl mentioned this in rL298613: Bypass potential libc's sysconf interceptors.Mar 23 2017, 9:10 AM

Revision Contents

PathSize
lib/
sanitizer_common/
3 lines
test/
sanitizer_common/
TestCases/
Linux/
21 lines

Diff 92380

lib/sanitizer_common/sanitizer_linux.cc

Show First 20 LinesShow All 72 Lines▼ Show 20 Lines
extern char **environ; // provided by crt1 extern char **environ; // provided by crt1
#endif // SANITIZER_FREEBSD #endif // SANITIZER_FREEBSD
#if !SANITIZER_ANDROID #if !SANITIZER_ANDROID
#include <sys/signal.h> #include <sys/signal.h>
#endif #endif
#if SANITIZER_LINUX #if SANITIZER_LINUX
#include <sys/auxv.h>
// <linux/time.h> // <linux/time.h>
struct kernel_timeval { struct kernel_timeval {
long tv_sec; long tv_sec;
long tv_usec; long tv_usec;
}; };
// <linux/futex.h> is broken on some linux distributions. // <linux/futex.h> is broken on some linux distributions.
const int FUTEX_WAIT = 0; const int FUTEX_WAIT = 0;
▲ Show 20 LinesShow All 711 Lines▼ Show 20 Lines
} }
uptr GetPageSize() { uptr GetPageSize() {
// Android post-M sysconf(_SC_PAGESIZE) crashes if called from .preinit_array. // Android post-M sysconf(_SC_PAGESIZE) crashes if called from .preinit_array.
#if SANITIZER_ANDROID #if SANITIZER_ANDROID
return 4096; return 4096;
#elif SANITIZER_LINUX && (defined(__x86_64__) || defined(__i386__)) #elif SANITIZER_LINUX && (defined(__x86_64__) || defined(__i386__))
return EXEC_PAGESIZE; return EXEC_PAGESIZE;
#elif SANITIZER_LINUX
return getauxval(AT_PAGESZ);
#else #else
return sysconf(_SC_PAGESIZE); // EXEC_PAGESIZE may not be trustworthy. return sysconf(_SC_PAGESIZE); // EXEC_PAGESIZE may not be trustworthy.
#endif #endif
} }
uptr ReadBinaryName(/*out*/char *buf, uptr buf_len) { uptr ReadBinaryName(/*out*/char *buf, uptr buf_len) {
#if SANITIZER_FREEBSD #if SANITIZER_FREEBSD
const int Mib[] = { CTL_KERN, KERN_PROC, KERN_PROC_PATHNAME, -1 }; const int Mib[] = { CTL_KERN, KERN_PROC, KERN_PROC_PATHNAME, -1 };
▲ Show 20 LinesShow All 672 LinesShow Last 20 Lines

test/sanitizer_common/TestCases/Linux/sysconf_interceptor_bypass_test.cc

  • This file was added.
// RUN: %clangxx -O2 %s -o %t && %run %t 2>&1 | FileCheck %s
#include <stdio.h>
extern "C" long sysconf(int name) {
fprintf(stderr, "sysconf wrapper called\n");
return 0;
}
int main() {
// All we need to check is that the sysconf() interceptor defined above was
// not called. Should it get called, it will crash right there, any
// instrumented code executed before sanitizer init is finished will crash
// accessing non-initialized sanitizer internals. Even if it will not crash
// in some configuration, it should never be called anyway.
fprintf(stderr, "Passed\n");
// CHECK-NOT: sysconf wrapper called
// CHECK: Passed
// CHECK-NOT: sysconf wrapper called
eugenisUnsubmitted
Done
ReplyInline Actions

Does the test fail w/o this change?
AFAIK CHECK-NOT should go both before and after the CHECK: Passed line.

eugenis: Does the test fail w/o this change? AFAIK CHECK-NOT should go both before and after the CHECK…
return 0;
}