This is an archive of the discontinued LLVM Phabricator instance.

Differential D35818

[scudo] Check for pvalloc overflow
ClosedPublic

Authored by cryptoad on Jul 24 2017, 3:04 PM.

Details

Reviewers
alekseyshl
Commits
rG65fdf677f284: [scudo] Check for pvalloc overflow
rCRT309033: [scudo] Check for pvalloc overflow
rL309033: [scudo] Check for pvalloc overflow
Summary

Previously we were rounding up the size passed to pvalloc to the next
multiple of page size no matter what. There is an overflow possibility that
wasn't accounted for. So now, return null in the event of an overflow. The man
page doesn't seem to indicate the errno to set in this particular situation,
but the glibc unit tests go for ENOMEM (https://code.woboq.org/userspace/glibc/malloc/tst-pvalloc.c.html#54)
so we'll do the same.
Update the aligned allocation funtions tests to check for properly aligned
returned pointers, and the pvalloc corner cases.

@alekseyshl: do you want me to do the same in the other Sanitizers?

Diff Detail

Event Timeline

cryptoad created this revision.Jul 24 2017, 3:04 PM
Herald added a subscriber: kubamracek. · View Herald TranscriptJul 24 2017, 3:04 PM
Harbormaster completed remote builds in B8542: Diff 107975.Jul 24 2017, 3:04 PM
alekseyshl accepted this revision.Jul 24 2017, 5:05 PM

Yep, please do it other sanitizers too. Seems like a reasonable change.

test/scudo/memalign.cpp
80

Spaces around -

84

Ditto

This revision is now accepted and ready to land.Jul 24 2017, 5:05 PM
cryptoad added a comment.Jul 24 2017, 10:34 PM

Do you prefer the other sanitizers in the same CL or a different one?

test/scudo/memalign.cpp
80

Just making sure: do you want spaces around the unary minus? I feel it's usually not the case.

alekseyshl added a comment.Jul 25 2017, 8:38 AM

Let's have a cl per sanitizer.

test/scudo/memalign.cpp
80

Silly me :) ignore both

cryptoad updated this revision to Diff 108104.Jul 25 2017, 9:41 AM

Move valloc & pvalloc tests to their own file.

cryptoad requested review of this revision.Jul 25 2017, 10:01 AM
cryptoad edited edge metadata.
alekseyshl accepted this revision.Jul 25 2017, 1:52 PM
This revision is now accepted and ready to land.Jul 25 2017, 1:52 PM
cryptoad closed this revision.Jul 25 2017, 2:18 PM
cryptoad mentioned this in D36093: [msan] Check for pvalloc overflow.Jul 31 2017, 8:40 AM
cryptoad mentioned this in rL309601: [msan] Check for pvalloc overflow.Jul 31 2017, 11:48 AM
cryptoad mentioned this in D36103: [tsan] Check for pvalloc overlow.Jul 31 2017, 12:29 PM
cryptoad mentioned this in D36164: [msan] Check for pvalloc overflow.Aug 1 2017, 11:06 AM
cryptoad mentioned this in rL309883: [msan] Check for pvalloc overflow.Aug 2 2017, 1:32 PM
cryptoad mentioned this in D36245: [tsan] Check for pvalloc overlow.Aug 2 2017, 3:39 PM
cryptoad mentioned this in rL309897: [tsan] Check for pvalloc overlow.Aug 2 2017, 3:48 PM
cryptoad mentioned this in D36257: [asan] Check for pvalloc overlow.Aug 2 2017, 7:51 PM
cryptoad mentioned this in rL310119: [asan] Check for pvalloc overlow.Aug 4 2017, 1:29 PM

Revision Contents

PathSize
lib/
sanitizer_common/
6 lines
scudo/
4 lines
test/
scudo/
14 lines
63 lines

Diff 108104

lib/sanitizer_common/sanitizer_allocator_checks.h

Show First 20 LinesShow All 53 Lines▼ Show 20 Lines
// Returns true if calloc(size, n) call overflows on size*n calculation. // Returns true if calloc(size, n) call overflows on size*n calculation.
INLINE bool CheckForCallocOverflow(uptr size, uptr n) { INLINE bool CheckForCallocOverflow(uptr size, uptr n) {
if (!size) if (!size)
return false; return false;
uptr max = (uptr)-1L; uptr max = (uptr)-1L;
return (max / size) < n; return (max / size) < n;
} }
// Returns true if the size passed to pvalloc overflows when rounded to the next
// multiple of page_size.
INLINE bool CheckForPvallocOverflow(uptr size, uptr page_size) {
return RoundUpTo(size, page_size) < size;
}
} // namespace __sanitizer } // namespace __sanitizer
#endif // SANITIZER_ALLOCATOR_CHECKS_H #endif // SANITIZER_ALLOCATOR_CHECKS_H

lib/scudo/scudo_allocator.cpp

Show First 20 LinesShow All 659 Lines▼ Show 20 Lines
void *scudoValloc(uptr Size) { void *scudoValloc(uptr Size) {
return SetErrnoOnNull( return SetErrnoOnNull(
Instance.allocate(Size, GetPageSizeCached(), FromMemalign)); Instance.allocate(Size, GetPageSizeCached(), FromMemalign));
} }
void *scudoPvalloc(uptr Size) { void *scudoPvalloc(uptr Size) {
uptr PageSize = GetPageSizeCached(); uptr PageSize = GetPageSizeCached();
if (UNLIKELY(CheckForPvallocOverflow(Size, PageSize))) {
errno = errno_ENOMEM;
return ScudoAllocator::FailureHandler::OnBadRequest();
}
// pvalloc(0) should allocate one page. // pvalloc(0) should allocate one page.
Size = Size ? RoundUpTo(Size, PageSize) : PageSize; Size = Size ? RoundUpTo(Size, PageSize) : PageSize;
return SetErrnoOnNull(Instance.allocate(Size, PageSize, FromMemalign)); return SetErrnoOnNull(Instance.allocate(Size, PageSize, FromMemalign));
} }
void *scudoMemalign(uptr Alignment, uptr Size) { void *scudoMemalign(uptr Alignment, uptr Size) {
if (UNLIKELY(!IsPowerOfTwo(Alignment))) { if (UNLIKELY(!IsPowerOfTwo(Alignment))) {
errno = errno_EINVAL; errno = errno_EINVAL;
▲ Show 20 LinesShow All 62 LinesShow Last 20 Lines

test/scudo/memalign.cpp

// RUN: %clang_scudo %s -o %t // RUN: %clang_scudo %s -o %t
// RUN: %run %t valid 2>&1 // RUN: %run %t valid 2>&1
// RUN: %run %t invalid 2>&1 // RUN: %run %t invalid 2>&1
// Tests that the various aligned allocation functions work as intended. Also // Tests that the various aligned allocation functions work as intended. Also
// tests for the condition where the alignment is not a power of 2. // tests for the condition where the alignment is not a power of 2.
#include <assert.h> #include <assert.h>
#include <errno.h> #include <errno.h>
#include <malloc.h> #include <malloc.h>
#include <stdint.h>
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include <unistd.h>
// Reduce the size of the quarantine, or the test can run out of aligned memory
// on 32-bit for the larger alignments.
extern "C" const char *__scudo_default_options() {
return "QuarantineSizeMb=1";
}
// Sometimes the headers may not have this... // Sometimes the headers may not have this...
extern "C" void *aligned_alloc (size_t alignment, size_t size); extern "C" void *aligned_alloc(size_t alignment, size_t size);
int main(int argc, char **argv) int main(int argc, char **argv)
{ {
void *p = nullptr; void *p = nullptr;
size_t alignment = 1U << 12; size_t alignment = 1U << 12;
size_t size = 1U << 12; size_t size = 1U << 12;
int err; int err;
assert(argc == 2); assert(argc == 2);
if (!strcmp(argv[1], "valid")) { if (!strcmp(argv[1], "valid")) {
posix_memalign(&p, alignment, size); posix_memalign(&p, alignment, size);
assert(p); assert(p);
assert(((uintptr_t)p & (alignment - 1)) == 0);
free(p); free(p);
p = aligned_alloc(alignment, size); p = aligned_alloc(alignment, size);
assert(p); assert(p);
assert(((uintptr_t)p & (alignment - 1)) == 0);
free(p); free(p);
// Tests various combinations of alignment and sizes // Tests various combinations of alignment and sizes
for (int i = (sizeof(void *) == 4) ? 3 : 4; i < 19; i++) { for (int i = (sizeof(void *) == 4) ? 3 : 4; i < 19; i++) {
alignment = 1U << i; alignment = 1U << i;
for (int j = 1; j < 33; j++) { for (int j = 1; j < 33; j++) {
size = 0x800 * j; size = 0x800 * j;
for (int k = 0; k < 3; k++) { for (int k = 0; k < 3; k++) {
p = memalign(alignment, size - (2 * sizeof(void *) * k)); p = memalign(alignment, size - (2 * sizeof(void *) * k));
assert(p); assert(p);
assert(((uintptr_t)p & (alignment - 1)) == 0);
free(p); free(p);
} }
} }
} }
// For larger alignment, reduce the number of allocations to avoid running // For larger alignment, reduce the number of allocations to avoid running
// out of potential addresses (on 32-bit). // out of potential addresses (on 32-bit).
for (int i = 19; i <= 24; i++) { for (int i = 19; i <= 24; i++) {
for (int k = 0; k < 3; k++) { for (int k = 0; k < 3; k++) {
p = memalign(alignment, 0x1000 - (2 * sizeof(void *) * k)); p = memalign(alignment, 0x1000 - (2 * sizeof(void *) * k));
assert(p); assert(p);
assert(((uintptr_t)p & (alignment - 1)) == 0);
free(p); free(p);
} }
} }
} }
if (!strcmp(argv[1], "invalid")) { if (!strcmp(argv[1], "invalid")) {
// Alignment is not a power of 2. // Alignment is not a power of 2.
p = memalign(alignment - 1, size); p = memalign(alignment - 1, size);
assert(!p); assert(!p);
// Size is not a multiple of alignment. // Size is not a multiple of alignment.
p = aligned_alloc(alignment, size >> 1); p = aligned_alloc(alignment, size >> 1);
assert(!p); assert(!p);
void *p_unchanged = (void *)0x42UL; void *p_unchanged = (void *)0x42UL;
p = p_unchanged; p = p_unchanged;
// Alignment is not a power of 2. // Alignment is not a power of 2.
err = posix_memalign(&p, 3, size); err = posix_memalign(&p, 3, size);
assert(p == p_unchanged); assert(p == p_unchanged);
assert(err == EINVAL); assert(err == EINVAL);
// Alignment is a power of 2, but not a multiple of size(void *). // Alignment is a power of 2, but not a multiple of size(void *).
err = posix_memalign(&p, 2, size); err = posix_memalign(&p, 2, size);
assert(p == p_unchanged); assert(p == p_unchanged);
assert(err == EINVAL); assert(err == EINVAL);
} }
return 0; return 0;
} }
alekseyshlUnsubmitted
Not Done
ReplyInline Actions

Spaces around -

alekseyshl: Spaces around -
cryptoadAuthorUnsubmitted
Not Done
ReplyInline Actions

Just making sure: do you want spaces around the unary minus? I feel it's usually not the case.

cryptoad: Just making sure: do you want spaces around the unary minus? I feel it's usually not the case.
alekseyshlUnsubmitted
Not Done
ReplyInline Actions

Silly me :) ignore both

alekseyshl: Silly me :) ignore both
alekseyshlUnsubmitted
Not Done
ReplyInline Actions

Ditto

alekseyshl: Ditto

test/scudo/valloc.cpp

  • This file was added.
// RUN: %clang_scudo %s -o %t
// RUN: %run %t valid 2>&1
// RUN: %run %t invalid 2>&1
// Tests that valloc and pvalloc work as intended.
#include <assert.h>
#include <errno.h>
#include <malloc.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
size_t round_up_to(size_t size, size_t alignment) {
return (size + alignment - 1) & ~(alignment - 1);
}
int main(int argc, char **argv)
{
void *p = nullptr;
size_t size, page_size;
assert(argc == 2);
page_size = sysconf(_SC_PAGESIZE);
// Check that the page size is a power of two.
assert((page_size & (page_size - 1)) == 0);
if (!strcmp(argv[1], "valid")) {
for (int i = (sizeof(void *) == 4) ? 3 : 4; i < 21; i++) {
size = 1U << i;
p = valloc(size - (2 * sizeof(void *)));
assert(p);
assert(((uintptr_t)p & (page_size - 1)) == 0);
free(p);
p = pvalloc(size - (2 * sizeof(void *)));
assert(p);
assert(((uintptr_t)p & (page_size - 1)) == 0);
assert(malloc_usable_size(p) >= round_up_to(size, page_size));
free(p);
p = valloc(size);
assert(p);
assert(((uintptr_t)p & (page_size - 1)) == 0);
free(p);
p = pvalloc(size);
assert(p);
assert(((uintptr_t)p & (page_size - 1)) == 0);
assert(malloc_usable_size(p) >= round_up_to(size, page_size));
free(p);
}
}
if (!strcmp(argv[1], "invalid")) {
// Size passed to pvalloc overflows when rounded up.
p = pvalloc((size_t)-1);
assert(!p);
assert(errno == ENOMEM);
errno = 0;
p = pvalloc((size_t)-page_size);
assert(!p);
assert(errno == ENOMEM);
}
return 0;
}