This is an archive of the discontinued LLVM Phabricator instance.

Differential D48664

[HWASan] Do not retag allocas before return from the function.
ClosedPublic

Authored by alekseyshl on Jun 27 2018, 11:12 AM.

Details

Reviewers
eugenis
Commits
rG788764ca1252: [HWASan] Do not retag allocas before return from the function.
rL336011: [HWASan] Do not retag allocas before return from the function.
Summary

Retagging allocas before returning from the function might help
detecting use after return bugs, but it does not work at all in real
life, when instrumented and non-instrumented code is intermixed.
Consider the following code:

F_non_instrumented() {
  T x;
  F1_instrumented(&x);
  ...
}

{
  F_instrumented();
  F_non_instrumented();
}
  • F_instrumented call leaves the stack below the current sp tagged randomly for UAR detection
  • F_non_instrumented allocates its own vars on that tagged stack, not generating any tags, that is the address of x has tag 0, but the shadow memory still contains tags left behind by F_instrumented on the previous step
  • F1_instrumented verifies &x before using it and traps on tag mismatch, 0 vs whatever tag was set by F_instrumented

Diff Detail

Repository
rL LLVM

Event Timeline

alekseyshl created this revision.Jun 27 2018, 11:12 AM
Herald added a subscriber: srhines. · View Herald TranscriptJun 27 2018, 11:13 AM
eugenis accepted this revision.Jun 28 2018, 1:58 PM

LGTM, but I don't like the flag name. Not retagging sounds like we leave randomly tagged stack frame after returning from a function. Rename it to something like zero-uar-tag, or retag-to-zero ?

This revision is now accepted and ready to land.Jun 28 2018, 1:58 PM
alekseyshl edited the summary of this revision. (Show Details)Jun 28 2018, 2:47 PM
alekseyshl updated this revision to Diff 153413.Jun 28 2018, 2:59 PM
  • Renamed the flag
Harbormaster completed remote builds in B19862: Diff 153413.Jun 28 2018, 2:59 PM
alekseyshl added a comment.Jun 28 2018, 2:59 PM

How about this name?

eugenis added a comment.Jun 28 2018, 3:06 PM

Good, but please update flag description, too.

alekseyshl added a comment.Jun 28 2018, 4:21 PM
In D48664#1147385, @eugenis wrote:

Good, but please update flag description, too.

I did

eugenis added a comment.Jun 28 2018, 4:26 PM

OK.

Closed by commit rL336011: [HWASan] Do not retag allocas before return from the function. (authored by alekseyshl). · Explain WhyJun 29 2018, 1:25 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
llvm/
trunk/
lib/
Transforms/
Instrumentation/
10 lines
test/
Instrumentation/
HWAddressSanitizer/
22 lines
22 lines

Diff 153563

llvm/trunk/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp

Show First 20 LinesShow All 89 Lines▼ Show 20 Linesstatic cl::opt<bool> ClRecover(
"hwasan-recover", "hwasan-recover",
cl::desc("Enable recovery mode (continue-after-error)."), cl::desc("Enable recovery mode (continue-after-error)."),
cl::Hidden, cl::init(false)); cl::Hidden, cl::init(false));
static cl::opt<bool> ClInstrumentStack("hwasan-instrument-stack", static cl::opt<bool> ClInstrumentStack("hwasan-instrument-stack",
cl::desc("instrument stack (allocas)"), cl::desc("instrument stack (allocas)"),
cl::Hidden, cl::init(true)); cl::Hidden, cl::init(true));
static cl::opt<bool> ClUARRetagToZero(
"hwasan-uar-retag-to-zero",
cl::desc("Clear alloca tags before returning from the function to allow "
"non-instrumented and instrumented function calls mix. When set "
"to false, allocas are retagged before returning from the "
"function to detect use after return."),
cl::Hidden, cl::init(true));
static cl::opt<bool> ClGenerateTagsWithCalls( static cl::opt<bool> ClGenerateTagsWithCalls(
"hwasan-generate-tags-with-calls", "hwasan-generate-tags-with-calls",
cl::desc("generate new tags with runtime library calls"), cl::Hidden, cl::desc("generate new tags with runtime library calls"), cl::Hidden,
cl::init(false)); cl::init(false));
static cl::opt<int> ClMatchAllTag( static cl::opt<int> ClMatchAllTag(
"hwasan-match-all-tag", "hwasan-match-all-tag",
cl::desc("don't report bad accesses via pointers with this tag"), cl::desc("don't report bad accesses via pointers with this tag"),
▲ Show 20 LinesShow All 466 Lines▼ Show 20 LinesValue *HWAddressSanitizer::getAllocaTag(IRBuilder<> &IRB, Value *StackTag,
AllocaInst *AI, unsigned AllocaNo) { AllocaInst *AI, unsigned AllocaNo) {
if (ClGenerateTagsWithCalls) if (ClGenerateTagsWithCalls)
return getNextTagWithCall(IRB); return getNextTagWithCall(IRB);
return IRB.CreateXor(StackTag, return IRB.CreateXor(StackTag,
ConstantInt::get(IntptrTy, RetagMask(AllocaNo))); ConstantInt::get(IntptrTy, RetagMask(AllocaNo)));
} }
Value *HWAddressSanitizer::getUARTag(IRBuilder<> &IRB, Value *StackTag) { Value *HWAddressSanitizer::getUARTag(IRBuilder<> &IRB, Value *StackTag) {
if (ClUARRetagToZero)
return ConstantInt::get(IntptrTy, 0);
if (ClGenerateTagsWithCalls) if (ClGenerateTagsWithCalls)
return getNextTagWithCall(IRB); return getNextTagWithCall(IRB);
return IRB.CreateXor(StackTag, ConstantInt::get(IntptrTy, 0xFFU)); return IRB.CreateXor(StackTag, ConstantInt::get(IntptrTy, 0xFFU));
} }
// Add a tag to an address. // Add a tag to an address.
Value *HWAddressSanitizer::tagPointer(IRBuilder<> &IRB, Type *Ty, Value *HWAddressSanitizer::tagPointer(IRBuilder<> &IRB, Type *Ty,
Value *PtrLong, Value *Tag) { Value *PtrLong, Value *Tag) {
▲ Show 20 LinesShow All 166 LinesShow Last 20 Lines

llvm/trunk/test/Instrumentation/HWAddressSanitizer/alloca-with-calls.ll

; Test alloca instrumentation when tags are generated by HWASan function.
;
; RUN: opt < %s -hwasan -hwasan-generate-tags-with-calls -S | FileCheck %s
target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128"
target triple = "aarch64--linux-android"
declare void @use32(i32*)
define void @test_alloca() sanitize_hwaddress {
; CHECK-LABEL: @test_alloca(
; CHECK: %[[T1:[^ ]*]] = call i8 @__hwasan_generate_tag()
; CHECK: %[[A:[^ ]*]] = zext i8 %[[T1]] to i64
; CHECK: %[[B:[^ ]*]] = ptrtoint i32* %x to i64
; CHECK: %[[C:[^ ]*]] = shl i64 %[[A]], 56
; CHECK: or i64 %[[B]], %[[C]]
entry:
%x = alloca i32, align 4
call void @use32(i32* nonnull %x)
ret void
}

llvm/trunk/test/Instrumentation/HWAddressSanitizer/alloca.ll

; Test basic address sanitizer instrumentation. ; Test alloca instrumentation.
; ;
; RUN: opt < %s -hwasan -S | FileCheck %s --check-prefixes=CHECK,DYNAMIC-SHADOW ; RUN: opt < %s -hwasan -S | FileCheck %s --check-prefixes=CHECK,DYNAMIC-SHADOW,NO-UAR-TAGS
; RUN: opt < %s -hwasan -hwasan-mapping-offset=0 -S | FileCheck %s --check-prefixes=CHECK,ZERO-BASED-SHADOW ; RUN: opt < %s -hwasan -hwasan-mapping-offset=0 -S | FileCheck %s --check-prefixes=CHECK,ZERO-BASED-SHADOW,NO-UAR-TAGS
; RUN: opt < %s -hwasan -hwasan-generate-tags-with-calls -S | FileCheck %s --check-prefix=WITH-CALLS ; RUN: opt < %s -hwasan -hwasan-uar-retag-to-zero=0 -S | FileCheck %s --check-prefixes=CHECK,DYNAMIC-SHADOW,UAR-TAGS
target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128" target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128"
target triple = "aarch64--linux-android" target triple = "aarch64--linux-android"
declare void @use32(i32*) declare void @use32(i32*)
define void @test_alloca() sanitize_hwaddress { define void @test_alloca() sanitize_hwaddress {
; CHECK-LABEL: @test_alloca( ; CHECK-LABEL: @test_alloca(
Show All 13 Lines
; CHECK: %[[E:[^ ]*]] = ptrtoint i32* %[[X]] to i64 ; CHECK: %[[E:[^ ]*]] = ptrtoint i32* %[[X]] to i64
; CHECK: %[[F:[^ ]*]] = lshr i64 %[[E]], 4 ; CHECK: %[[F:[^ ]*]] = lshr i64 %[[E]], 4
; DYNAMIC-SHADOW: %[[F_DYN:[^ ]*]] = add i64 %[[F]], %.hwasan.shadow ; DYNAMIC-SHADOW: %[[F_DYN:[^ ]*]] = add i64 %[[F]], %.hwasan.shadow
; DYNAMIC-SHADOW: %[[X_SHADOW:[^ ]*]] = inttoptr i64 %[[F_DYN]] to i8* ; DYNAMIC-SHADOW: %[[X_SHADOW:[^ ]*]] = inttoptr i64 %[[F_DYN]] to i8*
; ZERO-BASED-SHADOW: %[[X_SHADOW:[^ ]*]] = inttoptr i64 %[[F]] to i8* ; ZERO-BASED-SHADOW: %[[X_SHADOW:[^ ]*]] = inttoptr i64 %[[F]] to i8*
; CHECK: call void @llvm.memset.p0i8.i64(i8* align 1 %[[X_SHADOW]], i8 %[[X_TAG2]], i64 1, i1 false) ; CHECK: call void @llvm.memset.p0i8.i64(i8* align 1 %[[X_SHADOW]], i8 %[[X_TAG2]], i64 1, i1 false)
; CHECK: call void @use32(i32* nonnull %[[X_HWASAN]]) ; CHECK: call void @use32(i32* nonnull %[[X_HWASAN]])
; CHECK: %[[X_TAG_UAR:[^ ]*]] = xor i64 %[[BASE_TAG]], 255 ; UAR-TAGS: %[[BASE_TAG_COMPL:[^ ]*]] = xor i64 %[[BASE_TAG]], 255
; CHECK: %[[X_TAG_UAR2:[^ ]*]] = trunc i64 %[[X_TAG_UAR]] to i8 ; UAR-TAGS: %[[X_TAG_UAR:[^ ]*]] = trunc i64 %[[BASE_TAG_COMPL]] to i8
; CHECK: %[[E2:[^ ]*]] = ptrtoint i32* %[[X]] to i64 ; CHECK: %[[E2:[^ ]*]] = ptrtoint i32* %[[X]] to i64
; CHECK: %[[F2:[^ ]*]] = lshr i64 %[[E2]], 4 ; CHECK: %[[F2:[^ ]*]] = lshr i64 %[[E2]], 4
; DYNAMIC-SHADOW: %[[F2_DYN:[^ ]*]] = add i64 %[[F2]], %.hwasan.shadow ; DYNAMIC-SHADOW: %[[F2_DYN:[^ ]*]] = add i64 %[[F2]], %.hwasan.shadow
; DYNAMIC-SHADOW: %[[X_SHADOW2:[^ ]*]] = inttoptr i64 %[[F2_DYN]] to i8* ; DYNAMIC-SHADOW: %[[X_SHADOW2:[^ ]*]] = inttoptr i64 %[[F2_DYN]] to i8*
; ZERO-BASED-SHADOW: %[[X_SHADOW2:[^ ]*]] = inttoptr i64 %[[F2]] to i8* ; ZERO-BASED-SHADOW: %[[X_SHADOW2:[^ ]*]] = inttoptr i64 %[[F2]] to i8*
; CHECK: call void @llvm.memset.p0i8.i64(i8* align 1 %[[X_SHADOW2]], i8 %[[X_TAG_UAR2]], i64 1, i1 false) ; NO-UAR-TAGS: call void @llvm.memset.p0i8.i64(i8* align 1 %[[X_SHADOW2]], i8 0, i64 1, i1 false)
; UAR-TAGS: call void @llvm.memset.p0i8.i64(i8* align 1 %[[X_SHADOW2]], i8 %[[X_TAG_UAR]], i64 1, i1 false)
; CHECK: ret void ; CHECK: ret void
entry: entry:
%x = alloca i32, align 4 %x = alloca i32, align 4
call void @use32(i32* nonnull %x) call void @use32(i32* nonnull %x)
ret void ret void
} }
; WITH-CALLS-LABEL: @test_alloca(
; WITH-CALLS: %[[T1:[^ ]*]] = call i8 @__hwasan_generate_tag()
; WITH-CALLS: %[[A:[^ ]*]] = zext i8 %[[T1]] to i64
; WITH-CALLS: %[[B:[^ ]*]] = ptrtoint i32* %x to i64
; WITH-CALLS: %[[C:[^ ]*]] = shl i64 %[[A]], 56
; WITH-CALLS: or i64 %[[B]], %[[C]]