This is an archive of the discontinued LLVM Phabricator instance.

Differential D42430

[scudo] Allow for weak hooks, gated by a define
ClosedPublic

Authored by cryptoad on Jan 23 2018, 9:26 AM.

Details

Reviewers
alekseyshl
Commits
rG1ebebde8b7b9: [scudo] Allow for weak hooks, gated by a define
rL323278: [scudo] Allow for weak hooks, gated by a define
rCRT323278: [scudo] Allow for weak hooks, gated by a define
Summary

Hooks in the allocation & deallocation paths can be a security risk (see for an
example https://scarybeastsecurity.blogspot.com/2016/11/0day-exploit-advancing-exploitation.html
which used the glibc's __free_hook to complete exploitation).

But some users have expressed a need for them, even if only for tests and
memory benchmarks. So allow for __sanitizer_malloc_hook &
__sanitizer_free_hook to be called if defined, and gate them behind a global
define SCUDO_CAN_USE_HOOKS defaulting to 0.

Diff Detail

Event Timeline

cryptoad created this revision.Jan 23 2018, 9:26 AM
Herald added a subscriber: Restricted Project. · View Herald TranscriptJan 23 2018, 9:26 AM
Harbormaster completed remote builds in B14147: Diff 131095.Jan 23 2018, 9:27 AM
alekseyshl accepted this revision.Jan 23 2018, 1:27 PM
This revision is now accepted and ready to land.Jan 23 2018, 1:27 PM
Closed by commit rCRT323278: [scudo] Allow for weak hooks, gated by a define (authored by cryptoad). · Explain WhyJan 23 2018, 3:09 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
lib/
scudo/
6 lines
6 lines

Diff 131156

lib/scudo/scudo_allocator.cpp

Show First 20 LinesShow All 424 Lines▼ Show 20 Lines if (ClassId) {
// next page boundary. // next page boundary.
const uptr PageSize = GetPageSizeCached(); const uptr PageSize = GetPageSizeCached();
const uptr TrailingBytes = (UserPtr + Size) & (PageSize - 1); const uptr TrailingBytes = (UserPtr + Size) & (PageSize - 1);
if (TrailingBytes) if (TrailingBytes)
Header.SizeOrUnusedBytes = PageSize - TrailingBytes; Header.SizeOrUnusedBytes = PageSize - TrailingBytes;
} }
void *Ptr = reinterpret_cast<void *>(UserPtr); void *Ptr = reinterpret_cast<void *>(UserPtr);
Chunk::storeHeader(Ptr, &Header); Chunk::storeHeader(Ptr, &Header);
// if (&__sanitizer_malloc_hook) __sanitizer_malloc_hook(Ptr, Size); if (SCUDO_CAN_USE_HOOKS && &__sanitizer_malloc_hook)
__sanitizer_malloc_hook(Ptr, Size);
return Ptr; return Ptr;
} }
// Place a chunk in the quarantine or directly deallocate it in the event of // Place a chunk in the quarantine or directly deallocate it in the event of
// a zero-sized quarantine, or if the size of the chunk is greater than the // a zero-sized quarantine, or if the size of the chunk is greater than the
// quarantine chunk size threshold. // quarantine chunk size threshold.
void quarantineOrDeallocateChunk(void *Ptr, UnpackedHeader *Header, void quarantineOrDeallocateChunk(void *Ptr, UnpackedHeader *Header,
uptr Size) { uptr Size) {
Show All 33 Linesstruct ScudoAllocator {
void deallocate(void *Ptr, uptr DeleteSize, AllocType Type) { void deallocate(void *Ptr, uptr DeleteSize, AllocType Type) {
// For a deallocation, we only ensure minimal initialization, meaning thread // For a deallocation, we only ensure minimal initialization, meaning thread
// local data will be left uninitialized for now (when using ELF TLS). The // local data will be left uninitialized for now (when using ELF TLS). The
// fallback cache will be used instead. This is a workaround for a situation // fallback cache will be used instead. This is a workaround for a situation
// where the only heap operation performed in a thread would be a free past // where the only heap operation performed in a thread would be a free past
// the TLS destructors, ending up in initialized thread specific data never // the TLS destructors, ending up in initialized thread specific data never
// being destroyed properly. Any other heap operation will do a full init. // being destroyed properly. Any other heap operation will do a full init.
initThreadMaybe(/*MinimalInit=*/true); initThreadMaybe(/*MinimalInit=*/true);
// if (&__sanitizer_free_hook) __sanitizer_free_hook(Ptr); if (SCUDO_CAN_USE_HOOKS && &__sanitizer_free_hook)
__sanitizer_free_hook(Ptr);
if (UNLIKELY(!Ptr)) if (UNLIKELY(!Ptr))
return; return;
if (UNLIKELY(!Chunk::isAligned(Ptr))) { if (UNLIKELY(!Chunk::isAligned(Ptr))) {
dieWithMessage("ERROR: attempted to deallocate a chunk not properly " dieWithMessage("ERROR: attempted to deallocate a chunk not properly "
"aligned at address %p\n", Ptr); "aligned at address %p\n", Ptr);
} }
UnpackedHeader Header; UnpackedHeader Header;
Chunk::loadHeader(Ptr, &Header); Chunk::loadHeader(Ptr, &Header);
▲ Show 20 LinesShow All 252 LinesShow Last 20 Lines

lib/scudo/scudo_platform.h

Show First 20 LinesShow All 49 Lines▼ Show 20 Lines
# endif // SANITIZER_ANDROID # endif // SANITIZER_ANDROID
#endif // SCUDO_SHARED_TSD_POOL_SIZE #endif // SCUDO_SHARED_TSD_POOL_SIZE
// The following allows the public interface functions to be disabled. // The following allows the public interface functions to be disabled.
#ifndef SCUDO_CAN_USE_PUBLIC_INTERFACE #ifndef SCUDO_CAN_USE_PUBLIC_INTERFACE
# define SCUDO_CAN_USE_PUBLIC_INTERFACE 1 # define SCUDO_CAN_USE_PUBLIC_INTERFACE 1
#endif #endif
// Hooks in the allocation & deallocation paths can become a security concern if
// implemented improperly, or if overwritten by an attacker. Use with caution.
#ifndef SCUDO_CAN_USE_HOOKS
# define SCUDO_CAN_USE_HOOKS 0
#endif
namespace __scudo { namespace __scudo {
#if SANITIZER_CAN_USE_ALLOCATOR64 #if SANITIZER_CAN_USE_ALLOCATOR64
# if defined(__aarch64__) && SANITIZER_ANDROID # if defined(__aarch64__) && SANITIZER_ANDROID
const uptr AllocatorSize = 0x4000000000ULL; // 256G. const uptr AllocatorSize = 0x4000000000ULL; // 256G.
# elif defined(__aarch64__) # elif defined(__aarch64__)
const uptr AllocatorSize = 0x10000000000ULL; // 1T. const uptr AllocatorSize = 0x10000000000ULL; // 1T.
# else # else
Show All 19 Lines