This is an archive of the discontinued LLVM Phabricator instance.

Differential D36754

[scudo] Application & platform compatibility changes
ClosedPublic

Authored by cryptoad on Aug 15 2017, 9:55 AM.

Details

Reviewers
alekseyshl
Commits
rG43917720a72b: [scudo] Application & platform compatibility changes
rCRT311018: [scudo] Application & platform compatibility changes
rL311018: [scudo] Application & platform compatibility changes
Summary

This patch changes a few (small) things around for compatibility purposes for
the current Android & Fuchsia work:

  • realloc'ing some memory that was not allocated with malloc, calloc or realloc, while UB according to http://pubs.opengroup.org/onlinepubs/009695399/functions/realloc.html is more common that one would think. We now only check this if DeallocationTypeMismatch is set; change the "mismatch" error messages to be more homogeneous;
  • some sketchily written but widely used libraries expect a call to realloc to copy the usable size of the old chunk to the new one instead of the requested size. We have to begrundingly abide by this de-facto standard. This doesn't seem to impact security either way, unless someone comes up with something we didn't think about;
  • the CRC32 intrinsics for 64-bit take a 64-bit first argument. This is misleading as the upper 32 bits end up being ignored. This was also raising -Wconversion errors. Change things to take a u32 as first argument. This also means we were (and are) only using 32 bits of the Cookie - not a big thing, but worth mentioning.
  • Includes-wise: prefer stddef.h to cstddef, move scudo_flags.h where it is actually needed.
  • Add tests for the memalign-realloc case, and the realloc-usable-size one.

(Edited typos)

Diff Detail

Event Timeline

cryptoad created this revision.Aug 15 2017, 9:55 AM
cryptoad edited the summary of this revision. (Show Details)Aug 15 2017, 10:36 AM
alekseyshl accepted this revision.Aug 15 2017, 1:54 PM

What are these libraries? Can you mention some examples here?

This revision is now accepted and ready to land.Aug 15 2017, 1:54 PM
cryptoad closed this revision.Aug 16 2017, 9:41 AM

Revision Contents

PathSize
lib/
scudo/
2 lines
20 lines
2 lines
test/
scudo/
23 lines
2 lines
102 lines

Diff 111196

lib/scudo/scudo_allocator.h

//===-- scudo_allocator.h ---------------------------------------*- C++ -*-===// //===-- scudo_allocator.h ---------------------------------------*- C++ -*-===//
// //
// The LLVM Compiler Infrastructure // The LLVM Compiler Infrastructure
// //
// This file is distributed under the University of Illinois Open Source // This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details. // License. See LICENSE.TXT for details.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
/// ///
/// Header for scudo_allocator.cpp. /// Header for scudo_allocator.cpp.
/// ///
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#ifndef SCUDO_ALLOCATOR_H_ #ifndef SCUDO_ALLOCATOR_H_
#define SCUDO_ALLOCATOR_H_ #define SCUDO_ALLOCATOR_H_
#include "scudo_flags.h"
#include "sanitizer_common/sanitizer_allocator.h" #include "sanitizer_common/sanitizer_allocator.h"
#if !SANITIZER_LINUX #if !SANITIZER_LINUX
# error "The Scudo hardened allocator is currently only supported on Linux." # error "The Scudo hardened allocator is currently only supported on Linux."
#endif #endif
namespace __scudo { namespace __scudo {
▲ Show 20 LinesShow All 122 LinesShow Last 20 Lines

lib/scudo/scudo_allocator.cpp

Show All 10 Lines
/// It uses the sanitizer_common allocator as a base and aims at mitigating /// It uses the sanitizer_common allocator as a base and aims at mitigating
/// heap corruption vulnerabilities. It provides a checksum-guarded chunk /// heap corruption vulnerabilities. It provides a checksum-guarded chunk
/// header, a delayed free list, and additional sanity checks. /// header, a delayed free list, and additional sanity checks.
/// ///
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "scudo_allocator.h" #include "scudo_allocator.h"
#include "scudo_crc32.h" #include "scudo_crc32.h"
#include "scudo_flags.h"
#include "scudo_tls.h" #include "scudo_tls.h"
#include "scudo_utils.h" #include "scudo_utils.h"
#include "sanitizer_common/sanitizer_allocator_checks.h" #include "sanitizer_common/sanitizer_allocator_checks.h"
#include "sanitizer_common/sanitizer_allocator_interface.h" #include "sanitizer_common/sanitizer_allocator_interface.h"
#include "sanitizer_common/sanitizer_errno.h" #include "sanitizer_common/sanitizer_errno.h"
#include "sanitizer_common/sanitizer_quarantine.h" #include "sanitizer_common/sanitizer_quarantine.h"
#include <string.h> #include <string.h>
namespace __scudo { namespace __scudo {
// Global static cookie, initialized at start-up. // Global static cookie, initialized at start-up.
static uptr Cookie; static uptr Cookie;
// We default to software CRC32 if the alternatives are not supported, either // We default to software CRC32 if the alternatives are not supported, either
// at compilation or at runtime. // at compilation or at runtime.
static atomic_uint8_t HashAlgorithm = { CRC32Software }; static atomic_uint8_t HashAlgorithm = { CRC32Software };
INLINE u32 computeCRC32(uptr Crc, uptr Value, uptr *Array, uptr ArraySize) { INLINE u32 computeCRC32(u32 Crc, uptr Value, uptr *Array, uptr ArraySize) {
// If the hardware CRC32 feature is defined here, it was enabled everywhere, // If the hardware CRC32 feature is defined here, it was enabled everywhere,
// as opposed to only for scudo_crc32.cpp. This means that other hardware // as opposed to only for scudo_crc32.cpp. This means that other hardware
// specific instructions were likely emitted at other places, and as a // specific instructions were likely emitted at other places, and as a
// result there is no reason to not use it here. // result there is no reason to not use it here.
#if defined(__SSE4_2__) || defined(__ARM_FEATURE_CRC32) #if defined(__SSE4_2__) || defined(__ARM_FEATURE_CRC32)
Crc = CRC32_INTRINSIC(Crc, Value); Crc = CRC32_INTRINSIC(Crc, Value);
for (uptr i = 0; i < ArraySize; i++) for (uptr i = 0; i < ArraySize; i++)
Crc = CRC32_INTRINSIC(Crc, Array[i]); Crc = CRC32_INTRINSIC(Crc, Array[i]);
Show All 35 Linesstruct ScudoChunk : UnpackedHeader {
} }
// Compute the checksum of the Chunk pointer and its ChunkHeader. // Compute the checksum of the Chunk pointer and its ChunkHeader.
u16 computeChecksum(UnpackedHeader *Header) const { u16 computeChecksum(UnpackedHeader *Header) const {
UnpackedHeader ZeroChecksumHeader = *Header; UnpackedHeader ZeroChecksumHeader = *Header;
ZeroChecksumHeader.Checksum = 0; ZeroChecksumHeader.Checksum = 0;
uptr HeaderHolder[sizeof(UnpackedHeader) / sizeof(uptr)]; uptr HeaderHolder[sizeof(UnpackedHeader) / sizeof(uptr)];
memcpy(&HeaderHolder, &ZeroChecksumHeader, sizeof(HeaderHolder)); memcpy(&HeaderHolder, &ZeroChecksumHeader, sizeof(HeaderHolder));
u32 Crc = computeCRC32(Cookie, reinterpret_cast<uptr>(this), HeaderHolder, u32 Crc = computeCRC32(static_cast<u32>(Cookie),
reinterpret_cast<uptr>(this), HeaderHolder,
ARRAY_SIZE(HeaderHolder)); ARRAY_SIZE(HeaderHolder));
return static_cast<u16>(Crc); return static_cast<u16>(Crc);
} }
// Checks the validity of a chunk by verifying its checksum. It doesn't // Checks the validity of a chunk by verifying its checksum. It doesn't
// incur termination in the event of an invalid chunk. // incur termination in the event of an invalid chunk.
bool isValid() { bool isValid() {
UnpackedHeader NewUnpackedHeader; UnpackedHeader NewUnpackedHeader;
▲ Show 20 LinesShow All 410 Lines▼ Show 20 Lines if (UNLIKELY(Header.State != ChunkAllocated)) {
dieWithMessage("ERROR: invalid chunk state when deallocating address " dieWithMessage("ERROR: invalid chunk state when deallocating address "
"%p\n", UserPtr); "%p\n", UserPtr);
} }
if (DeallocationTypeMismatch) { if (DeallocationTypeMismatch) {
// The deallocation type has to match the allocation one. // The deallocation type has to match the allocation one.
if (Header.AllocType != Type) { if (Header.AllocType != Type) {
// With the exception of memalign'd Chunks, that can be still be free'd. // With the exception of memalign'd Chunks, that can be still be free'd.
if (Header.AllocType != FromMemalign || Type != FromMalloc) { if (Header.AllocType != FromMemalign || Type != FromMalloc) {
dieWithMessage("ERROR: allocation type mismatch on address %p\n", dieWithMessage("ERROR: allocation type mismatch when deallocating "
UserPtr); "address %p\n", UserPtr);
} }
} }
} }
uptr Size = Header.FromPrimary ? Header.SizeOrUnusedBytes : uptr Size = Header.FromPrimary ? Header.SizeOrUnusedBytes :
Chunk->getUsableSize(&Header) - Header.SizeOrUnusedBytes; Chunk->getUsableSize(&Header) - Header.SizeOrUnusedBytes;
if (DeleteSizeMismatch) { if (DeleteSizeMismatch) {
if (DeleteSize && DeleteSize != Size) { if (DeleteSize && DeleteSize != Size) {
dieWithMessage("ERROR: invalid sized delete on chunk at address %p\n", dieWithMessage("ERROR: invalid sized delete on chunk at address %p\n",
Show All 14 Lines void *reallocate(void *OldPtr, uptr NewSize) {
} }
ScudoChunk *Chunk = getScudoChunk(UserBeg); ScudoChunk *Chunk = getScudoChunk(UserBeg);
UnpackedHeader OldHeader; UnpackedHeader OldHeader;
Chunk->loadHeader(&OldHeader); Chunk->loadHeader(&OldHeader);
if (UNLIKELY(OldHeader.State != ChunkAllocated)) { if (UNLIKELY(OldHeader.State != ChunkAllocated)) {
dieWithMessage("ERROR: invalid chunk state when reallocating address " dieWithMessage("ERROR: invalid chunk state when reallocating address "
"%p\n", OldPtr); "%p\n", OldPtr);
} }
if (DeallocationTypeMismatch) {
if (UNLIKELY(OldHeader.AllocType != FromMalloc)) { if (UNLIKELY(OldHeader.AllocType != FromMalloc)) {
dieWithMessage("ERROR: invalid chunk type when reallocating address %p\n", dieWithMessage("ERROR: allocation type mismatch when reallocating "
OldPtr); "address %p\n", OldPtr);
}
} }
uptr UsableSize = Chunk->getUsableSize(&OldHeader); uptr UsableSize = Chunk->getUsableSize(&OldHeader);
// The new size still fits in the current chunk, and the size difference // The new size still fits in the current chunk, and the size difference
// is reasonable. // is reasonable.
if (NewSize <= UsableSize && if (NewSize <= UsableSize &&
(UsableSize - NewSize) < (SizeClassMap::kMaxSize / 2)) { (UsableSize - NewSize) < (SizeClassMap::kMaxSize / 2)) {
UnpackedHeader NewHeader = OldHeader; UnpackedHeader NewHeader = OldHeader;
NewHeader.SizeOrUnusedBytes = NewHeader.SizeOrUnusedBytes =
OldHeader.FromPrimary ? NewSize : UsableSize - NewSize; OldHeader.FromPrimary ? NewSize : UsableSize - NewSize;
Chunk->compareExchangeHeader(&NewHeader, &OldHeader); Chunk->compareExchangeHeader(&NewHeader, &OldHeader);
return OldPtr; return OldPtr;
} }
// Otherwise, we have to allocate a new chunk and copy the contents of the // Otherwise, we have to allocate a new chunk and copy the contents of the
// old one. // old one.
void *NewPtr = allocate(NewSize, MinAlignment, FromMalloc); void *NewPtr = allocate(NewSize, MinAlignment, FromMalloc);
if (NewPtr) { if (NewPtr) {
uptr OldSize = OldHeader.FromPrimary ? OldHeader.SizeOrUnusedBytes : uptr OldSize = OldHeader.FromPrimary ? OldHeader.SizeOrUnusedBytes :
UsableSize - OldHeader.SizeOrUnusedBytes; UsableSize - OldHeader.SizeOrUnusedBytes;
memcpy(NewPtr, OldPtr, Min(NewSize, OldSize)); memcpy(NewPtr, OldPtr, Min(NewSize, UsableSize));
quarantineOrDeallocateChunk(Chunk, &OldHeader, OldSize); quarantineOrDeallocateChunk(Chunk, &OldHeader, OldSize);
} }
return NewPtr; return NewPtr;
} }
// Helper function that returns the actual usable size of a chunk. // Helper function that returns the actual usable size of a chunk.
uptr getUsableSize(const void *Ptr) { uptr getUsableSize(const void *Ptr) {
initThreadMaybe(); initThreadMaybe();
▲ Show 20 LinesShow All 163 LinesShow Last 20 Lines

lib/scudo/scudo_new_delete.cpp

Show All 9 Lines
/// Interceptors for operators new and delete. /// Interceptors for operators new and delete.
/// ///
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "scudo_allocator.h" #include "scudo_allocator.h"
#include "interception/interception.h" #include "interception/interception.h"
#include <cstddef> #include <stddef.h>
using namespace __scudo; using namespace __scudo;
#define CXX_OPERATOR_ATTRIBUTE INTERCEPTOR_ATTRIBUTE #define CXX_OPERATOR_ATTRIBUTE INTERCEPTOR_ATTRIBUTE
// Fake std::nothrow_t to avoid including <new>. // Fake std::nothrow_t to avoid including <new>.
namespace std { namespace std {
struct nothrow_t {}; struct nothrow_t {};
▲ Show 20 LinesShow All 48 LinesShow Last 20 Lines

test/scudo/mismatch.cpp

// RUN: %clang_scudo %s -o %t // RUN: %clang_scudo %s -o %t
// RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=1 not %run %t mallocdel 2>&1 | FileCheck %s // RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=1 not %run %t mallocdel 2>&1 | FileCheck --check-prefix=CHECK-dealloc %s
// RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=0 %run %t mallocdel 2>&1 // RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=0 %run %t mallocdel 2>&1
// RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=1 not %run %t newfree 2>&1 | FileCheck %s // RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=1 not %run %t newfree 2>&1 | FileCheck --check-prefix=CHECK-dealloc %s
// RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=0 %run %t newfree 2>&1 // RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=0 %run %t newfree 2>&1
// RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=1 not %run %t memaligndel 2>&1 | FileCheck %s // RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=1 not %run %t memaligndel 2>&1 | FileCheck --check-prefix=CHECK-dealloc %s
// RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=0 %run %t memaligndel 2>&1 // RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=0 %run %t memaligndel 2>&1
// RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=1 not %run %t memalignrealloc 2>&1 | FileCheck --check-prefix=CHECK-realloc %s
// RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=0 %run %t memalignrealloc 2>&1
// Tests that type mismatches between allocation and deallocation functions are // Tests that type mismatches between allocation and deallocation functions are
// caught when the related option is set. // caught when the related option is set.
#include <assert.h> #include <assert.h>
#include <malloc.h> #include <malloc.h>
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
Show All 11 Lines if (!strcmp(argv[1], "newfree")) {
assert(p); assert(p);
free((void *)p); free((void *)p);
} }
if (!strcmp(argv[1], "memaligndel")) { if (!strcmp(argv[1], "memaligndel")) {
int *p = (int *)memalign(16, 16); int *p = (int *)memalign(16, 16);
assert(p); assert(p);
delete p; delete p;
} }
if (!strcmp(argv[1], "memalignrealloc")) {
void *p = memalign(16, 16);
assert(p);
p = realloc(p, 32);
free(p);
}
return 0; return 0;
} }
// CHECK: ERROR: allocation type mismatch on address // CHECK-dealloc: ERROR: allocation type mismatch when deallocating address
// CHECK-realloc: ERROR: allocation type mismatch when reallocating address

test/scudo/options.cpp

Show All 16 Lines
int main(int argc, char **argv) int main(int argc, char **argv)
{ {
int *p = (int *)malloc(16); int *p = (int *)malloc(16);
assert(p); assert(p);
delete p; delete p;
return 0; return 0;
} }
// CHECK: ERROR: allocation type mismatch on address // CHECK: ERROR: allocation type mismatch when deallocating address

test/scudo/realloc.cpp

// RUN: %clang_scudo %s -lstdc++ -o %t // RUN: %clang_scudo %s -lstdc++ -o %t
// RUN: %run %t pointers 2>&1 // RUN: %run %t pointers 2>&1
// RUN: %run %t contents 2>&1 // RUN: %run %t contents 2>&1
// RUN: not %run %t memalign 2>&1 | FileCheck %s // RUN: %run %t usablesize 2>&1
// Tests that our reallocation function returns the same pointer when the // Tests that our reallocation function returns the same pointer when the
// requested size can fit into the previously allocated chunk. Also tests that // requested size can fit into the previously allocated chunk. Also tests that
// a new chunk is returned if the size is greater, and that the contents of the // a new chunk is returned if the size is greater, and that the contents of the
// chunk are left unchanged. // chunk are left unchanged. Finally, checks that realloc copies the usable
// As a final test, make sure that a chunk allocated by memalign cannot be // size of the old chunk to the new one (as opposed to the requested size).
// reallocated.
#include <assert.h> #include <assert.h>
#include <malloc.h> #include <malloc.h>
#include <string.h> #include <string.h>
#include <vector> #include <vector>
int main(int argc, char **argv) int main(int argc, char **argv)
{ {
void *p, *old_p; void *p, *old_p;
// Those sizes will exercise both allocators (Primary & Secondary). // Those sizes will exercise both allocators (Primary & Secondary).
std::vector<size_t> sizes{1, 16, 1024, 32768, 1 << 16, 1 << 17, 1 << 20}; std::vector<size_t> sizes{1, 16, 1024, 32768, 1 << 16, 1 << 17, 1 << 20};
assert(argc == 2); assert(argc == 2);
if (!strcmp(argv[1], "usablesize")) {
// This tests a sketchy behavior inherited from poorly written libraries
// that have become somewhat standard. When realloc'ing a chunk, the
// copied contents should span the usable size of the chunk, not the
// requested size.
size_t size = 496, usable_size;
p = nullptr;
// Make sure we get a chunk with a usable size actually larger than size.
do {
if (p) free(p);
size += 16;
p = malloc(size);
usable_size = malloc_usable_size(p);
assert(usable_size >= size);
} while (usable_size == size);
for (int i = 0; i < usable_size; i++)
reinterpret_cast<char *>(p)[i] = 'A';
old_p = p;
// Make sure we get a different chunk so that the data is actually copied.
do {
size *= 2;
p = realloc(p, size);
assert(p);
} while (p == old_p);
// The contents of the new chunk must match the old one up to usable_size.
for (int i = 0; i < usable_size; i++)
assert(reinterpret_cast<char *>(p)[i] == 'A');
free(p);
} else {
for (size_t size : sizes) { for (size_t size : sizes) {
if (!strcmp(argv[1], "pointers")) { if (!strcmp(argv[1], "pointers")) {
old_p = p = realloc(nullptr, size); old_p = p = realloc(nullptr, size);
assert(p); assert(p);
size = malloc_usable_size(p); size = malloc_usable_size(p);
// Our realloc implementation will return the same pointer if the size // Our realloc implementation will return the same pointer if the size
// requested is lower than or equal to the usable size of the associated // requested is lower than or equal to the usable size of the associated
// chunk. // chunk.
p = realloc(p, size - 1); p = realloc(p, size - 1);
assert(p == old_p); assert(p == old_p);
p = realloc(p, size); p = realloc(p, size);
assert(p == old_p); assert(p == old_p);
// And a new one if the size is greater. // And a new one if the size is greater.
p = realloc(p, size + 1); p = realloc(p, size + 1);
assert(p != old_p); assert(p != old_p);
// A size of 0 will free the chunk and return nullptr. // A size of 0 will free the chunk and return nullptr.
p = realloc(p, 0); p = realloc(p, 0);
assert(!p); assert(!p);
old_p = nullptr; old_p = nullptr;
} }
if (!strcmp(argv[1], "contents")) { if (!strcmp(argv[1], "contents")) {
p = realloc(nullptr, size); p = realloc(nullptr, size);
assert(p); assert(p);
for (int i = 0; i < size; i++) for (int i = 0; i < size; i++)
reinterpret_cast<char *>(p)[i] = 'A'; reinterpret_cast<char *>(p)[i] = 'A';
p = realloc(p, size + 1); p = realloc(p, size + 1);
// The contents of the reallocated chunk must match the original one. // The contents of the reallocated chunk must match the original one.
for (int i = 0; i < size; i++) for (int i = 0; i < size; i++)
assert(reinterpret_cast<char *>(p)[i] == 'A'); assert(reinterpret_cast<char *>(p)[i] == 'A');
} }
if (!strcmp(argv[1], "memalign")) {
// A chunk coming from memalign cannot be reallocated.
p = memalign(16, size);
assert(p);
p = realloc(p, size);
free(p);
} }
} }
return 0; return 0;
} }
// CHECK: ERROR: invalid chunk type when reallocating address // CHECK: ERROR: invalid chunk type when reallocating address