This is an archive of the discontinued LLVM Phabricator instance.

[scudo] Quarantine overhaul
ClosedPublic

Authored by cryptoad on Jul 20 2017, 12:45 PM.

Details

Summary

First, some context.

The main feedback we get about the quarantine is that it's too memory hungry.
A single MB of quarantine will have an impact of 3 to 4MB of PSS/RSS, and
things quickly get out of hand in terms of memory usage, and the quarantine
ends up disabled.

The main objective of the quarantine is to protect from use-after-free
exploitation by making it harder for an attacker to reallocate a controlled
chunk in place of the targeted freed chunk. This is achieved by not making it
available to the backend right away for reuse, but holding it a little while.

Historically, what has usually been the target of such attacks was objects,
where vtable pointers or other function pointers could constitute a valuable
targeti to replace. Those are usually on the smaller side. There is barely any
advantage in putting the quarantine several megabytes of RGB data or the like.

Now for the patch.

This patch introduces a new way the Quarantine behaves in Scudo. First of all,
the size of the Quarantine will be defined in KB instead of MB, then we
introduce a new option: the size up to which (lower than or equal to) a chunk
will be quarantined. This way, we only quarantine smaller chunks, and the size
of the quarantine remains manageable. It also prevents someone from triggering
a recycle by allocating something huge. We default to 512 bytes on 32-bit and
2048 bytes on 64-bit platforms.

In details, the patches includes the following:

  • introduce QuarantineSizeKb, but honor QuarantineSizeMb if set to fall back to the old behavior (meaning no threshold in that case); QuarantineSizeMb is described as deprecated in the options descriptios; documentation update will follow;
  • introduce QuarantineChunksUpToSize, the new threshold value;
  • update the quarantine.cpp test, and other tests using QuarantineSizeMb;
  • remove AllocatorOptions::copyTo, it wasn't used;
  • slightly change the logic around quarantineOrDeallocateChunk to accomodate for the new logic; rename a couple of variables there as well;

Rewriting the tests, I found a somewhat annoying bug where non-default aligned
chunks would account for more than needed when placed in the quarantine due to
<< MinAlignment instead of << MinAlignmentLog. This is fixed and tested for
now.

Event Timeline

cryptoad created this revision.Jul 20 2017, 12:45 PM
alekseyshl added inline comments.Jul 20 2017, 3:37 PM
lib/scudo/scudo_allocator.cpp
164

Please remind me, what was the reason of switching to Kb? Do you need to go lower than 1Mb in real life or you need more granularity?

473

EstimatedSize?

lib/scudo/scudo_flags.cpp
128

Why do we care to check this?

test/scudo/quarantine.cpp
34

Those functions make the code more concise, but more fragile and less readable. Do you really need them? Inline asserts were just fine.

65–114

assert(found);

cryptoad added inline comments.Jul 20 2017, 3:46 PM
lib/scudo/scudo_allocator.cpp
164

Correct, going under 1MB is the objective. The added granularity is a bonus.

473

Ok, I will change that.

lib/scudo/scudo_flags.cpp
128

I think it's good practice to avoid too large of settings, keep people in check.

test/scudo/quarantine.cpp
34

Ok, I will change that.

65–114

Ok.

cryptoad updated this revision to Diff 107700.Jul 21 2017, 12:48 PM
cryptoad marked 8 inline comments as done.

Addressing Aleksey's comments.

alekseyshl accepted this revision.Jul 21 2017, 3:10 PM
alekseyshl added inline comments.
lib/scudo/scudo_flags.cpp
111

Move it up, before if (f->QuarantineSizeKb < 0) check. With my QuarantineChunksUpToSize suggestion (below), all legacy QuarantineSizeMb business will be handled right here, not spoiling the rest of the code.

125

I think we should check that QuarantineChunksUpToSize is not set when QuarantineSizeMb is set and dieWithMessage (up abive, where we do the same for QuarantineSizeKb) instead of setting it to -1. Otherwise we silently ignore the flag value.

test/scudo/quarantine.cpp
59

!found

This revision is now accepted and ready to land.Jul 21 2017, 3:10 PM
cryptoad updated this revision to Diff 107797.Jul 22 2017, 12:45 PM
cryptoad marked 3 inline comments as done.

Addressing Aleksey's comments.

If QuarantineSizeMb is set, check that QuarantineChunksUpToSize isn't.
Otherwise proceed with the new flags. Modified the tests accordingly
I left the upper limit checks out of the else clause on purpose, let me know if
that looks like what you were thinking.

cryptoad updated this revision to Diff 107798.Jul 22 2017, 12:51 PM

Additional shuffling around so that everything is dealt with in one statement.

alekseyshl accepted this revision.Jul 24 2017, 7:29 AM

Looks good

cryptoad closed this revision.Jul 24 2017, 8:30 AM