This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lib/
-
sanitizer_common/
-
sanitizer_common.h
3
sanitizer_linux.cc
-
sanitizer_mac.cc
-
sanitizer_win.cc
-
tests/
-
sanitizer_common_test.cc
-
scudo/
-
scudo_utils.h

Differential D36399

[sanitizers] Add a blocking boolean to GetRandom prototype
ClosedPublic

Authored by cryptoad on Aug 7 2017, 7:53 AM.

Download Raw Diff

Details

Reviewers

alekseyshl

Commits

rGe1dde076402e: [sanitizers] Add a blocking boolean to GetRandom prototype
rCRT310839: [sanitizers] Add a blocking boolean to GetRandom prototype
rL310839: [sanitizers] Add a blocking boolean to GetRandom prototype

Summary

On platforms with getrandom, the system call defaults to blocking. This
becomes an issue in the very early stage of the boot for Scudo, when the RNG
source is not set-up yet: the syscall will block and we'll stall.

Introduce a parameter to specify that the function should not block, defaulting
to blocking as the underlying syscall does.

Update Scudo to use the non-blocking version.

Diff Detail

Build Status

Buildable 9236
Build 9236: arc lint + arc unit

Event Timeline

cryptoad created this revision.Aug 7 2017, 7:53 AM

Herald added a subscriber: kubamracek. · View Herald TranscriptAug 7 2017, 7:53 AM

Harbormaster completed remote builds in B9084: Diff 109995.Aug 7 2017, 7:53 AM

alekseyshl added inline comments.Aug 8 2017, 9:38 AM

lib/sanitizer_common/sanitizer_linux.cc
1786	Can you move those defines to the top of the file and define SANITIZER_USE_GETRANDOM? Then here you can do if (SANITIZER_USE_GETRANDOM) { ... }

cryptoad added inline comments.Aug 8 2017, 10:00 AM

lib/sanitizer_common/sanitizer_linux.cc
1786	So the compiler still wants `SYSCALL(getrandom)` and `GRND_NONBLOCK` to be defined with an `if` rather than an `#if`. I am unsure how to cleanly address that. Macroing the internal_syscall part to do nothing?

How about this code construct?

Harbormaster completed remote builds in B9149: Diff 110240.Aug 8 2017, 11:15 AM

alekseyshl accepted this revision.Aug 11 2017, 7:52 AM

alekseyshl added inline comments.

lib/sanitizer_common/sanitizer_linux.cc
1786	You're right, this is not ideal too. Yep, let's keep #if SANITIZER_LINUX && defined(__NR_getrandom) block at the top of the file and use #if SANITIZER_USE_GETRANDOM here to avoid internal_getrandom definition. Other than that, looks good. Sorry for the delay!

This revision is now accepted and ready to land.Aug 11 2017, 7:52 AM

Keeping SANITIZER_USE_GETRANDOM at the top, protecting the getrandom
syscall with an #if to keep the compiler happy.

Harbormaster completed remote builds in B9236: Diff 110764.Aug 11 2017, 10:31 AM

cryptoad closed this revision.Aug 14 2017, 7:54 AM

Revision Contents

Path

Size

lib/

sanitizer_common/

4 lines

21 lines

2 lines

2 lines

tests/

sanitizer_common_test.cc

20 lines

scudo/

scudo_utils.h

13 lines

Diff 110764

lib/sanitizer_common/sanitizer_common.h

	Show First 20 Lines • Show All 851 Lines • ▼ Show 20 Lines

	// The default value for allocator_release_to_os_interval_ms common flag to			// The default value for allocator_release_to_os_interval_ms common flag to
	// indicate that sanitizer allocator should not attempt to release memory to OS.			// indicate that sanitizer allocator should not attempt to release memory to OS.
	const s32 kReleaseToOSIntervalNever = -1;			const s32 kReleaseToOSIntervalNever = -1;

	void CheckNoDeepBind(const char *filename, int flag);			void CheckNoDeepBind(const char *filename, int flag);

	// Returns the requested amount of random data (up to 256 bytes) that can then			// Returns the requested amount of random data (up to 256 bytes) that can then
	// be used to seed a PRNG.			// be used to seed a PRNG. Defaults to blocking like the underlying syscall.
	bool GetRandom(void *buffer, uptr length);			bool GetRandom(void *buffer, uptr length, bool blocking = true);

	} // namespace __sanitizer			} // namespace __sanitizer

	inline void *operator new(__sanitizer::operator_new_size_type size,			inline void *operator new(__sanitizer::operator_new_size_type size,
	__sanitizer::LowLevelAllocator &alloc) {			__sanitizer::LowLevelAllocator &alloc) {
	return alloc.Allocate(size);			return alloc.Allocate(size);
	}			}

	#endif // SANITIZER_COMMON_H			#endif // SANITIZER_COMMON_H

lib/sanitizer_common/sanitizer_linux.cc

	Show First 20 Lines • Show All 129 Lines • ▼ Show 20 Lines
	#endif			#endif

	#if defined(__x86_64__) \|\| SANITIZER_MIPS64			#if defined(__x86_64__) \|\| SANITIZER_MIPS64
	extern "C" {			extern "C" {
	extern void internal_sigreturn();			extern void internal_sigreturn();
	}			}
	#endif			#endif

				#if SANITIZER_LINUX && defined(__NR_getrandom)
				# if !defined(GRND_NONBLOCK)
				# define GRND_NONBLOCK 1
				# endif
				# define SANITIZER_USE_GETRANDOM 1
				#else
				# define SANITIZER_USE_GETRANDOM 0
				#endif // SANITIZER_LINUX && defined(__NR_getrandom)

	namespace __sanitizer {			namespace __sanitizer {

	#if SANITIZER_LINUX && defined(__x86_64__)			#if SANITIZER_LINUX && defined(__x86_64__)
	#include "sanitizer_syscall_linux_x86_64.inc"			#include "sanitizer_syscall_linux_x86_64.inc"
	#elif SANITIZER_LINUX && defined(__aarch64__)			#elif SANITIZER_LINUX && defined(__aarch64__)
	#include "sanitizer_syscall_linux_aarch64.inc"			#include "sanitizer_syscall_linux_aarch64.inc"
	#else			#else
	#include "sanitizer_syscall_generic.inc"			#include "sanitizer_syscall_generic.inc"
	▲ Show 20 Lines • Show All 1,617 Lines • ▼ Show 20 Lines
	}			}

	uptr FindAvailableMemoryRange(uptr size, uptr alignment, uptr left_padding,			uptr FindAvailableMemoryRange(uptr size, uptr alignment, uptr left_padding,
	uptr *largest_gap_found) {			uptr *largest_gap_found) {
	UNREACHABLE("FindAvailableMemoryRange is not available");			UNREACHABLE("FindAvailableMemoryRange is not available");
	return 0;			return 0;
	}			}

	bool GetRandom(void *buffer, uptr length) {			bool GetRandom(void *buffer, uptr length, bool blocking) {
	if (!buffer \|\| !length \|\| length > 256)			if (!buffer \|\| !length \|\| length > 256)
	return false;			return false;
	#if defined(__NR_getrandom)			#if SANITIZER_USE_GETRANDOM
	static atomic_uint8_t skip_getrandom_syscall;			static atomic_uint8_t skip_getrandom_syscall;
	if (!atomic_load_relaxed(&skip_getrandom_syscall)) {			if (!atomic_load_relaxed(&skip_getrandom_syscall)) {
	// Up to 256 bytes, getrandom will not be interrupted.			// Up to 256 bytes, getrandom will not be interrupted.
				alekseyshlUnsubmitted Not Done Reply Inline Actions Can you move those defines to the top of the file and define SANITIZER_USE_GETRANDOM? Then here you can do if (SANITIZER_USE_GETRANDOM) { ... } alekseyshl: Can you move those defines to the top of the file and define SANITIZER_USE_GETRANDOM? Then here…
				cryptoadAuthorUnsubmitted Not Done Reply Inline Actions So the compiler still wants `SYSCALL(getrandom)` and `GRND_NONBLOCK` to be defined with an `if` rather than an `#if`. I am unsure how to cleanly address that. Macroing the internal_syscall part to do nothing? cryptoad: So the compiler still wants `SYSCALL(getrandom)` and `GRND_NONBLOCK` to be defined with an `if`…
				alekseyshlUnsubmitted Not Done Reply Inline Actions You're right, this is not ideal too. Yep, let's keep #if SANITIZER_LINUX && defined(__NR_getrandom) block at the top of the file and use #if SANITIZER_USE_GETRANDOM here to avoid internal_getrandom definition. Other than that, looks good. Sorry for the delay! alekseyshl: You're right, this is not ideal too. Yep, let's keep #if SANITIZER_LINUX && defined…
	uptr res = internal_syscall(SYSCALL(getrandom), buffer, length, 0);			uptr res = internal_syscall(SYSCALL(getrandom), buffer, length,
				blocking ? 0 : GRND_NONBLOCK);
	int rverrno = 0;			int rverrno = 0;
	if (internal_iserror(res, &rverrno) && rverrno == ENOSYS)			if (internal_iserror(res, &rverrno) && rverrno == ENOSYS)
	atomic_store_relaxed(&skip_getrandom_syscall, 1);			atomic_store_relaxed(&skip_getrandom_syscall, 1);
	else if (res == length)			else if (res == length)
	return true;			return true;
	}			}
	#endif			#endif // SANITIZER_USE_GETRANDOM
				// Up to 256 bytes, a read off /dev/urandom will not be interrupted.
				// blocking is moot here, O_NONBLOCK has no effect when opening /dev/urandom.
	uptr fd = internal_open("/dev/urandom", O_RDONLY);			uptr fd = internal_open("/dev/urandom", O_RDONLY);
	if (internal_iserror(fd))			if (internal_iserror(fd))
	return false;			return false;
	// internal_read deals with EINTR.
	uptr res = internal_read(fd, buffer, length);			uptr res = internal_read(fd, buffer, length);
	if (internal_iserror(res))			if (internal_iserror(res))
	return false;			return false;
	internal_close(fd);			internal_close(fd);
	return true;			return true;
	}			}

	} // namespace __sanitizer			} // namespace __sanitizer

	#endif // SANITIZER_FREEBSD \|\| SANITIZER_LINUX \|\| SANITIZER_NETBSD			#endif // SANITIZER_FREEBSD \|\| SANITIZER_LINUX \|\| SANITIZER_NETBSD

lib/sanitizer_common/sanitizer_mac.cc

Show First 20 Lines • Show All 986 Lines • ▼ Show 20 Lines	void PrintModuleMap() {
Printf("End of module map.\n");		Printf("End of module map.\n");
}		}

void CheckNoDeepBind(const char *filename, int flag) {		void CheckNoDeepBind(const char *filename, int flag) {
// Do nothing.		// Do nothing.
}		}

// FIXME: implement on this platform.		// FIXME: implement on this platform.
bool GetRandom(void *buffer, uptr length) {		bool GetRandom(void *buffer, uptr length, bool blocking) {
UNIMPLEMENTED();		UNIMPLEMENTED();
}		}

} // namespace __sanitizer		} // namespace __sanitizer

#endif // SANITIZER_MAC		#endif // SANITIZER_MAC

lib/sanitizer_common/sanitizer_win.cc

	Show First 20 Lines • Show All 1,016 Lines • ▼ Show 20 Lines
	// FIXME implement on this platform.			// FIXME implement on this platform.
	void GetMemoryProfile(fill_profile_f cb, uptr *stats, uptr stats_size) { }			void GetMemoryProfile(fill_profile_f cb, uptr *stats, uptr stats_size) { }

	void CheckNoDeepBind(const char *filename, int flag) {			void CheckNoDeepBind(const char *filename, int flag) {
	// Do nothing.			// Do nothing.
	}			}

	// FIXME: implement on this platform.			// FIXME: implement on this platform.
	bool GetRandom(void *buffer, uptr length) {			bool GetRandom(void *buffer, uptr length, bool blocking) {
	UNIMPLEMENTED();			UNIMPLEMENTED();
	}			}

	} // namespace __sanitizer			} // namespace __sanitizer

	#endif // _WIN32			#endif // _WIN32

lib/sanitizer_common/tests/sanitizer_common_test.cc

Show First 20 Lines • Show All 298 Lines • ▼ Show 20 Lines	TEST(SanitizerCommon, InternalScopedString) {
str.append("0123456789");		str.append("0123456789");
EXPECT_EQ(9U, str.length());		EXPECT_EQ(9U, str.length());
EXPECT_STREQ("012345678", str.data());		EXPECT_STREQ("012345678", str.data());
}		}

#if SANITIZER_LINUX		#if SANITIZER_LINUX
TEST(SanitizerCommon, GetRandom) {		TEST(SanitizerCommon, GetRandom) {
u8 buffer_1[32], buffer_2[32];		u8 buffer_1[32], buffer_2[32];
EXPECT_FALSE(GetRandom(nullptr, 32));		for (bool blocking : { false, true }) {
EXPECT_FALSE(GetRandom(buffer_1, 0));		EXPECT_FALSE(GetRandom(nullptr, 32, blocking));
EXPECT_FALSE(GetRandom(buffer_1, 512));		EXPECT_FALSE(GetRandom(buffer_1, 0, blocking));
		EXPECT_FALSE(GetRandom(buffer_1, 512, blocking));
EXPECT_EQ(ARRAY_SIZE(buffer_1), ARRAY_SIZE(buffer_2));		EXPECT_EQ(ARRAY_SIZE(buffer_1), ARRAY_SIZE(buffer_2));
for (uptr size = 4; size <= ARRAY_SIZE(buffer_1); size += 4) {		for (uptr size = 4; size <= ARRAY_SIZE(buffer_1); size += 4) {
for (uptr i = 0; i < 100; i++) {		for (uptr i = 0; i < 100; i++) {
EXPECT_TRUE(GetRandom(buffer_1, size));		EXPECT_TRUE(GetRandom(buffer_1, size, blocking));
EXPECT_TRUE(GetRandom(buffer_2, size));		EXPECT_TRUE(GetRandom(buffer_2, size, blocking));
EXPECT_NE(internal_memcmp(buffer_1, buffer_2, size), 0);		EXPECT_NE(internal_memcmp(buffer_1, buffer_2, size), 0);
}		}
}		}
}		}
		}
#endif		#endif

} // namespace __sanitizer		} // namespace __sanitizer

lib/scudo/scudo_utils.h

	Show All 38 Lines
	INLINE u64 rotl(const u64 X, int K) {			INLINE u64 rotl(const u64 X, int K) {
	return (X << K) \| (X >> (64 - K));			return (X << K) \| (X >> (64 - K));
	}			}

	// XoRoShiRo128+ PRNG (http://xoroshiro.di.unimi.it/).			// XoRoShiRo128+ PRNG (http://xoroshiro.di.unimi.it/).
	struct XoRoShiRo128Plus {			struct XoRoShiRo128Plus {
	public:			public:
	void init() {			void init() {
	if (UNLIKELY(!GetRandom(reinterpret_cast<void *>(State), sizeof(State)))) {			if (UNLIKELY(!GetRandom(reinterpret_cast<void *>(State), sizeof(State),
	// Early processes (eg: init) do not have /dev/urandom yet, but we still			/blocking=/false))) {
	// have to provide them with some degree of entropy. Not having a secure			// On some platforms, early processes like `init` do not have an
	// seed is not as problematic for them, as they are less likely to be			// initialized random pool (getrandom blocks and /dev/urandom doesn't
	// the target of heap based vulnerabilities exploitation attempts.			// exist yet), but we still have to provide them with some degree of
				// entropy. Not having a secure seed is not as problematic for them, as
				// they are less likely to be the target of heap based vulnerabilities
				// exploitation attempts.
	State[0] = NanoTime();			State[0] = NanoTime();
	State[1] = 0;			State[1] = 0;
	}			}
	fillCache();			fillCache();
	}			}
	u8 getU8() {			u8 getU8() {
	if (UNLIKELY(isCacheEmpty()))			if (UNLIKELY(isCacheEmpty()))
	fillCache();			fillCache();
	Show All 34 Lines