This is an archive of the discontinued LLVM Phabricator instance.

Differential D47442

Introduce CheckASLR() in sanitizers
ClosedPublic

Authored by krytarowski on May 28 2018, 12:36 AM.

Details

Reviewers
vitalybuka
joerg
Commits
rG7d260775f34f: Introduce CheckASLR() in sanitizers
rL333985: Introduce CheckASLR() in sanitizers
rCRT333985: Introduce CheckASLR() in sanitizers
Summary

At least the ASan, MSan, TSan sanitizers require disabled ASLR on a NetBSD.

Introduce a generic CheckASLR() routine, that implements a check for the
current process. This flag depends on the global or per-process settings.

There is no simple way to disable ASLR in the build process from the
level of a sanitizer or during the runtime execution.

With ASLR enabled sanitizers that operate over the process virtual address
space can misbehave usually breaking with cryptic messages.

This check is dummy for !NetBSD.

Sponsored by <The NetBSD Foundation>

Diff Detail

Event Timeline

krytarowski created this revision.May 28 2018, 12:36 AM
Herald added subscribers: llvm-commits, kubamracek. · View Herald TranscriptMay 28 2018, 12:36 AM
cryptoad added a subscriber: cryptoad.May 29 2018, 7:15 AM

Is disabling ASLR required just because of the hardcoded heap base addresses or is there more to it?

krytarowski added a comment.May 29 2018, 12:02 PM

In the PaX ASLR NetBSD implementation we add a random offset to all allocations including text (for PIE programs), heap and stack.

This means that the program can be in so wide ranges in the address space that it's not possible to use certain sanitizers without disabling ASLR.

ASan is more tolerant and it sometimes works with PaX ASLR, but it's mandatory for TSan and MSan.

135 kamil@rugged /home/kamil $ cat /proc/self/map 
0xd4800000 0xd4803000 r-x r-x COW NC 1 0 0
0xd4a02000 0xd4a03000 r-- rw- COW NNC 1 0 0
0xd4a03000 0xd4a04000 rw- rw- COW NNC 1 0 0
0x7ec318000000 0x7ec318003000 r-x r-x COW NC 1 0 0
0x7ec318003000 0x7ec318202000 --- r-x COW NC 1 0 0
0x7ec318202000 0x7ec318203000 rw- rw- COW NNC 1 0 0
0x7ec318400000 0x7ec318551000 r-x r-x COW NC 1 0 0
0x7ec318551000 0x7ec318750000 --- r-x COW NC 1 0 0
0x7ec318750000 0x7ec318757000 r-- rw- COW NNC 1 0 0
0x7ec318757000 0x7ec31875d000 rw- rw- COW NNC 1 0 0
0x7ec31875d000 0x7ec31876e000 rw- rw- COW NNC 1 0 0
0x7ec318800000 0x7ec318810000 rw- rw- COW NNC 1 0 0
0x7ec318810000 0x7ec318900000 rw- rw- COW NNC 1 0 0
0x7ec318929000 0x7ec318933000 rw- rw- COW NNC 1 0 0
0x7f7e88400000 0x7f7e88410000 r-x r-x COW NC 1 0 0
0x7f7e88410000 0x7f7e88610000 --- --- COW NC 1 0 0
0x7f7e88610000 0x7f7e88611000 rw- rw- COW NNC 1 0 0
0x7f7e88611000 0x7f7e88612000 rw- rw- COW NNC 1 0 0
0x7f7ff7eff000 0x7f7ffefd4000 --- --- COW NC 1 0 0
0x7f7ffefd4000 0x7f7fff3d0000 rw- rw- COW NC 1 0 0
0x7f7fff3d0000 0x7f7fff3d4000 rw- rw- COW NNC 1 0 0
136 kamil@rugged /home/kamil $ cat /proc/self/map 
0x17b000000 0x17b003000 r-x r-x COW NC 1 0 0
0x17b202000 0x17b203000 r-- rw- COW NNC 1 0 0
0x17b203000 0x17b204000 rw- rw- COW NNC 1 0 0
0x6f8473e00000 0x6f8473e03000 r-x r-x COW NC 1 0 0
0x6f8473e03000 0x6f8474002000 --- r-x COW NC 1 0 0
0x6f8474002000 0x6f8474003000 rw- rw- COW NNC 1 0 0
0x6f8474100000 0x6f8474110000 rw- rw- COW NNC 1 0 0
0x6f8474110000 0x6f8474200000 rw- rw- COW NNC 1 0 0
0x6f8474200000 0x6f8474351000 r-x r-x COW NC 1 0 0
0x6f8474351000 0x6f8474550000 --- r-x COW NC 1 0 0
0x6f8474550000 0x6f8474557000 r-- rw- COW NNC 1 0 0
0x6f8474557000 0x6f847455d000 rw- rw- COW NNC 1 0 0
0x6f847455d000 0x6f847456e000 rw- rw- COW NNC 1 0 0
0x6f847468b000 0x6f8474695000 rw- rw- COW NNC 1 0 0
0x7f7f0d000000 0x7f7f0d010000 r-x r-x COW NC 1 0 0
0x7f7f0d010000 0x7f7f0d210000 --- --- COW NC 1 0 0
0x7f7f0d210000 0x7f7f0d211000 rw- rw- COW NNC 1 0 0
0x7f7f0d211000 0x7f7f0d212000 rw- rw- COW NNC 1 0 0
0x7f7ff7eff000 0x7f7fff871000 --- --- COW NC 1 0 0
0x7f7fff871000 0x7f7fffc60000 rw- rw- COW NC 1 0 0
0x7f7fffc60000 0x7f7fffc71000 rw- rw- COW NNC 1 0 0
137 kamil@rugged /home/kamil $ cat /proc/self/map 
0x1ef200000 0x1ef203000 r-x r-x COW NC 1 0 0
0x1ef402000 0x1ef403000 r-- rw- COW NNC 1 0 0
0x1ef403000 0x1ef404000 rw- rw- COW NNC 1 0 0
0x7e4bc1c00000 0x7e4bc1c03000 r-x r-x COW NC 1 0 0
0x7e4bc1c03000 0x7e4bc1e02000 --- r-x COW NC 1 0 0
0x7e4bc1e02000 0x7e4bc1e03000 rw- rw- COW NNC 1 0 0
0x7e4bc1f00000 0x7e4bc1f10000 rw- rw- COW NNC 1 0 0
0x7e4bc1f10000 0x7e4bc2000000 rw- rw- COW NNC 1 0 0
0x7e4bc2000000 0x7e4bc2151000 r-x r-x COW NC 1 0 0
0x7e4bc2151000 0x7e4bc2350000 --- r-x COW NC 1 0 0
0x7e4bc2350000 0x7e4bc2357000 r-- rw- COW NNC 1 0 0
0x7e4bc2357000 0x7e4bc235d000 rw- rw- COW NNC 1 0 0
0x7e4bc235d000 0x7e4bc236e000 rw- rw- COW NNC 1 0 0
0x7e4bc2462000 0x7e4bc246c000 rw- rw- COW NNC 1 0 0
0x7f7f4fe00000 0x7f7f4fe10000 r-x r-x COW NC 1 0 0
0x7f7f4fe10000 0x7f7f50010000 --- --- COW NC 1 0 0
0x7f7f50010000 0x7f7f50011000 rw- rw- COW NNC 1 0 0
0x7f7f50011000 0x7f7f50012000 rw- rw- COW NNC 1 0 0
0x7f7ff7eff000 0x7f7fffa75000 --- --- COW NC 1 0 0
0x7f7fffa75000 0x7f7fffe70000 rw- rw- COW NC 1 0 0
0x7f7fffe70000 0x7f7fffe75000 rw- rw- COW NNC 1 0 0
vitalybuka accepted this revision.Jun 4 2018, 1:19 PM
vitalybuka added inline comments.
lib/sanitizer_common/sanitizer_linux.cc
1961

sizeof(paxflags)

This revision is now accepted and ready to land.Jun 4 2018, 1:19 PM
Closed by commit rCRT333985: Introduce CheckASLR() in sanitizers (authored by kamil). · Explain WhyJun 5 2018, 12:34 AM
This revision was automatically updated to reflect the committed changes.
devnexen added a subscriber: devnexen.Jun 5 2018, 12:46 AM

Question out of curiosity, should HardenedBSD update this check as well ? Or maybe just keeping the diff in their side ...

krytarowski added a comment.Jun 5 2018, 12:48 AM

I don't know about other BSDs, I've never installed them.

devnexen added a comment.Jun 5 2018, 12:54 AM

Sure but this is the only other BSD which has ASLR you can disable but HardenedBSD is a fork of FreeBSD even though it has somehow its own "identity". Was just wondering about the "worthiness" of this specific case :-)

krytarowski added a comment.Jun 5 2018, 1:05 AM

They claim to sync with FreeBSD daily.. so perhaps they should first try to upstream ASLR to FreeBSD.

I wouldn't be surprised if they would drop it on some updates like the LibreSSL library...

Revision Contents

PathSize
lib/
asan/
1 line
msan/
1 line
sanitizer_common/
1 line
1 line
24 lines
4 lines
4 lines
tsan/
rtl/
1 line

Diff 149909

lib/asan/asan_rtl.cc

Show First 20 LinesShow All 378 Lines▼ Show 20 Lines
static void AsanInitInternal() { static void AsanInitInternal() {
if (LIKELY(asan_inited)) return; if (LIKELY(asan_inited)) return;
SanitizerToolName = "AddressSanitizer"; SanitizerToolName = "AddressSanitizer";
CHECK(!asan_init_is_running && "ASan init calls itself!"); CHECK(!asan_init_is_running && "ASan init calls itself!");
asan_init_is_running = true; asan_init_is_running = true;
CacheBinaryName(); CacheBinaryName();
CheckASLR();
// Initialize flags. This must be done early, because most of the // Initialize flags. This must be done early, because most of the
// initialization steps look at flags(). // initialization steps look at flags().
InitializeFlags(); InitializeFlags();
AsanCheckIncompatibleRT(); AsanCheckIncompatibleRT();
AsanCheckDynamicRTPrereqs(); AsanCheckDynamicRTPrereqs();
AvoidCVE_2016_2143(); AvoidCVE_2016_2143();
▲ Show 20 LinesShow All 188 LinesShow Last 20 Lines

lib/msan/msan.cc

Show First 20 LinesShow All 391 Lines▼ Show 20 Linesvoid __msan_init() {
if (msan_inited) return; if (msan_inited) return;
msan_init_is_running = 1; msan_init_is_running = 1;
SanitizerToolName = "MemorySanitizer"; SanitizerToolName = "MemorySanitizer";
AvoidCVE_2016_2143(); AvoidCVE_2016_2143();
InitTlsSize(); InitTlsSize();
CacheBinaryName(); CacheBinaryName();
CheckASLR();
InitializeFlags(); InitializeFlags();
// Install tool-specific callbacks in sanitizer_common. // Install tool-specific callbacks in sanitizer_common.
SetCheckFailedCallback(MsanCheckFailed); SetCheckFailedCallback(MsanCheckFailed);
__sanitizer_set_report_path(common_flags()->log_path); __sanitizer_set_report_path(common_flags()->log_path);
InitializeInterceptors(); InitializeInterceptors();
▲ Show 20 LinesShow All 260 LinesShow Last 20 Lines

lib/sanitizer_common/sanitizer_common.h

Show First 20 LinesShow All 215 Lines▼ Show 20 Lines
void DisableCoreDumperIfNecessary(); void DisableCoreDumperIfNecessary();
void DumpProcessMap(); void DumpProcessMap();
void PrintModuleMap(); void PrintModuleMap();
const char *GetEnv(const char *name); const char *GetEnv(const char *name);
bool SetEnv(const char *name, const char *value); bool SetEnv(const char *name, const char *value);
u32 GetUid(); u32 GetUid();
void ReExec(); void ReExec();
void CheckASLR();
char **GetArgv(); char **GetArgv();
void PrintCmdline(); void PrintCmdline();
bool StackSizeIsUnlimited(); bool StackSizeIsUnlimited();
uptr GetStackSizeLimitInBytes(); uptr GetStackSizeLimitInBytes();
void SetStackSizeLimitInBytes(uptr limit); void SetStackSizeLimitInBytes(uptr limit);
bool AddressSpaceIsUnlimited(); bool AddressSpaceIsUnlimited();
void SetAddressSpaceUnlimited(); void SetAddressSpaceUnlimited();
void AdjustStackSize(void *attr); void AdjustStackSize(void *attr);
▲ Show 20 LinesShow All 723 LinesShow Last 20 Lines

lib/sanitizer_common/sanitizer_fuchsia.cc

Show First 20 LinesShow All 81 Lines▼ Show 20 Linesvoid GetThreadStackTopAndBottom(bool, uptr *stack_top, uptr *stack_bottom) {
CHECK_EQ(pthread_attr_getstack(&attr, &base, &size), 0); CHECK_EQ(pthread_attr_getstack(&attr, &base, &size), 0);
CHECK_EQ(pthread_attr_destroy(&attr), 0); CHECK_EQ(pthread_attr_destroy(&attr), 0);
*stack_bottom = reinterpret_cast<uptr>(base); *stack_bottom = reinterpret_cast<uptr>(base);
*stack_top = *stack_bottom + size; *stack_top = *stack_bottom + size;
} }
void MaybeReexec() {} void MaybeReexec() {}
void CheckASLR() {}
void PlatformPrepareForSandboxing(__sanitizer_sandbox_arguments *args) {} void PlatformPrepareForSandboxing(__sanitizer_sandbox_arguments *args) {}
void DisableCoreDumperIfNecessary() {} void DisableCoreDumperIfNecessary() {}
void InstallDeadlySignalHandlers(SignalHandlerType handler) {} void InstallDeadlySignalHandlers(SignalHandlerType handler) {}
void SetAlternateSignalStack() {} void SetAlternateSignalStack() {}
void UnsetAlternateSignalStack() {} void UnsetAlternateSignalStack() {}
void InitTlsSize() {} void InitTlsSize() {}
void PrintModuleMap() {} void PrintModuleMap() {}
▲ Show 20 LinesShow All 413 LinesShow Last 20 Lines

lib/sanitizer_common/sanitizer_linux.cc

Show First 20 LinesShow All 1,948 Lines▼ Show 20 Lines
} }
void SignalContext::InitPcSpBp() { GetPcSpBp(context, &pc, &sp, &bp); } void SignalContext::InitPcSpBp() { GetPcSpBp(context, &pc, &sp, &bp); }
void MaybeReexec() { void MaybeReexec() {
// No need to re-exec on Linux. // No need to re-exec on Linux.
} }
void CheckASLR() {
#if SANITIZER_NETBSD
int mib[3];
int paxflags;
size_t len = sizeof(paxflags);
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

sizeof(paxflags)

vitalybuka: sizeof(paxflags)
mib[0] = CTL_PROC;
mib[1] = internal_getpid();
mib[2] = PROC_PID_PAXFLAGS;
if (UNLIKELY(sysctl(mib, 3, &paxflags, &len, NULL, 0) == -1)) {
Printf("sysctl failed\n");
Die();
}
if (UNLIKELY(paxflags & CTL_PROC_PAXFLAGS_ASLR)) {
Printf("This sanitizer is not compatible with enabled ASLR\n");
Die();
}
#else
// Do nothing
#endif
}
void PrintModuleMap() { } void PrintModuleMap() { }
void CheckNoDeepBind(const char *filename, int flag) { void CheckNoDeepBind(const char *filename, int flag) {
#ifdef RTLD_DEEPBIND #ifdef RTLD_DEEPBIND
if (flag & RTLD_DEEPBIND) { if (flag & RTLD_DEEPBIND) {
Report( Report(
"You are trying to dlopen a %s shared library with RTLD_DEEPBIND flag" "You are trying to dlopen a %s shared library with RTLD_DEEPBIND flag"
" which is incompatibe with sanitizer runtime " " which is incompatibe with sanitizer runtime "
▲ Show 20 LinesShow All 56 LinesShow Last 20 Lines

lib/sanitizer_common/sanitizer_mac.cc

Show First 20 LinesShow All 334 Lines▼ Show 20 Lines
uptr ReadLongProcessName(/*out*/char *buf, uptr buf_len) { uptr ReadLongProcessName(/*out*/char *buf, uptr buf_len) {
return ReadBinaryName(buf, buf_len); return ReadBinaryName(buf, buf_len);
} }
void ReExec() { void ReExec() {
UNIMPLEMENTED(); UNIMPLEMENTED();
} }
void CheckASLR() {
// Do nothing
}
uptr GetPageSize() { uptr GetPageSize() {
return sysconf(_SC_PAGESIZE); return sysconf(_SC_PAGESIZE);
} }
extern "C" unsigned malloc_num_zones; extern "C" unsigned malloc_num_zones;
extern "C" malloc_zone_t **malloc_zones; extern "C" malloc_zone_t **malloc_zones;
malloc_zone_t sanitizer_zone; malloc_zone_t sanitizer_zone;
▲ Show 20 LinesShow All 715 LinesShow Last 20 Lines

lib/sanitizer_common/sanitizer_win.cc

Show First 20 LinesShow All 1,019 Lines▼ Show 20 Lines
void CheckVMASize() { void CheckVMASize() {
// Do nothing. // Do nothing.
} }
void MaybeReexec() { void MaybeReexec() {
// No need to re-exec on Windows. // No need to re-exec on Windows.
} }
void CheckASLR() {
// Do nothing
}
char **GetArgv() { char **GetArgv() {
// FIXME: Actually implement this function. // FIXME: Actually implement this function.
return 0; return 0;
} }
pid_t StartSubprocess(const char *program, const char *const argv[], pid_t StartSubprocess(const char *program, const char *const argv[],
fd_t stdin_fd, fd_t stdout_fd, fd_t stderr_fd) { fd_t stdin_fd, fd_t stdout_fd, fd_t stderr_fd) {
// FIXME: implement on this platform // FIXME: implement on this platform
Show All 34 Lines

lib/tsan/rtl/tsan_rtl.cc

Show First 20 LinesShow All 348 Lines▼ Show 20 Linesvoid Initialize(ThreadState *thr) {
ScopedIgnoreInterceptors ignore; ScopedIgnoreInterceptors ignore;
SanitizerToolName = "ThreadSanitizer"; SanitizerToolName = "ThreadSanitizer";
// Install tool-specific callbacks in sanitizer_common. // Install tool-specific callbacks in sanitizer_common.
SetCheckFailedCallback(TsanCheckFailed); SetCheckFailedCallback(TsanCheckFailed);
ctx = new(ctx_placeholder) Context; ctx = new(ctx_placeholder) Context;
const char *options = GetEnv(SANITIZER_GO ? "GORACE" : "TSAN_OPTIONS"); const char *options = GetEnv(SANITIZER_GO ? "GORACE" : "TSAN_OPTIONS");
CacheBinaryName(); CacheBinaryName();
CheckASLR();
InitializeFlags(&ctx->flags, options); InitializeFlags(&ctx->flags, options);
AvoidCVE_2016_2143(); AvoidCVE_2016_2143();
InitializePlatformEarly(); InitializePlatformEarly();
#if !SANITIZER_GO #if !SANITIZER_GO
// Re-exec ourselves if we need to set additional env or command line args. // Re-exec ourselves if we need to set additional env or command line args.
MaybeReexec(); MaybeReexec();
InitializeAllocator(); InitializeAllocator();
▲ Show 20 LinesShow All 719 LinesShow Last 20 Lines