This is an archive of the discontinued LLVM Phabricator instance.

Differential D50655

[scudo] Fix race condition in deallocation path when Quarantine is bypassed
ClosedPublic

Authored by cryptoad on Aug 13 2018, 11:37 AM.

Details

Reviewers
alekseyshl
eugenis
kcc
vitalybuka
Commits
rG3afc797e42f8: [scudo] Fix race condition in deallocation path when Quarantine is bypassed
rL339705: [scudo] Fix race condition in deallocation path when Quarantine is bypassed
rCRT339705: [scudo] Fix race condition in deallocation path when Quarantine is bypassed
Summary

There is a race window in the deallocation path when the Quarantine is bypassed.
Initially we would just erase the header of a chunk if we were not to use the
Quarantine, as opposed to using a compare-exchange primitive, to make things
faster.

It turned out to be a poor decision, as 2 threads (or more) could simultaneously
deallocate the same pointer, and if the checks were to done before the header
got erased, this would result in the pointer being added twice (or more) to
distinct thread caches, and eventually be reused.

Winning the race is not trivial but can happen with enough control over the
allocation primitives. The repro added attempts to trigger the bug, with a
moderate success rate, but it should be enough to notice if the bug ever make
its way back into the code.

Since I am changing things in this file, there are 2 smaller changes tagging
along, marking a variable const, and improving the Quarantine bypass test at
runtime.

Diff Detail

Event Timeline

cryptoad created this revision.Aug 13 2018, 11:37 AM
Herald added subscribers: Restricted Project, delcypher. · View Herald TranscriptAug 13 2018, 11:37 AM
Harbormaster completed remote builds in B21403: Diff 160416.Aug 13 2018, 11:37 AM
cryptoad updated this revision to Diff 160443.Aug 13 2018, 1:53 PM

Account for 0 size, which is more common than one would expect.

Harbormaster completed remote builds in B21409: Diff 160443.Aug 13 2018, 1:53 PM
eugenis accepted this revision.Aug 13 2018, 2:00 PM
eugenis added reviewers: kcc, vitalybuka.

I'm not very familiar with this code, but the change kind of makes sense.

lib/scudo/scudo_allocator.cpp
392

why are you removing this condition?

(Quarantine.GetCacheSize() == 0)

This revision is now accepted and ready to land.Aug 13 2018, 2:00 PM
vitalybuka accepted this revision.Aug 13 2018, 2:05 PM
cryptoad added inline comments.Aug 13 2018, 2:29 PM
lib/scudo/scudo_allocator.cpp
392

So I moved (Quarantine.GetCacheSize() == 0) higher (in init), effectively setting QuarantineChunksUpToSize to 0 in that case.
It was something I intended to do before to consolidate the conditions into a single memory read.

cryptoad updated this revision to Diff 160462.Aug 13 2018, 3:06 PM

Grammar/punctuation corrections in comments.

cryptoad added inline comments.Aug 14 2018, 11:09 AM
lib/scudo/scudo_allocator.cpp
392

Does the answer address your concerns?

eugenis accepted this revision.Aug 14 2018, 11:32 AM

LGTM

lib/scudo/scudo_allocator.cpp
392

Yes it does!
Sorry I missed it.

Closed by commit rCRT339705: [scudo] Fix race condition in deallocation path when Quarantine is bypassed (authored by cryptoad). · Explain WhyAug 14 2018, 11:35 AM
This revision was automatically updated to reflect the committed changes.
cryptoad mentioned this in D51224: [scudo] Replace eraseHeader with compareExchangeHeader for Quarantined chunks.Aug 24 2018, 10:25 AM
cryptoad mentioned this in rCRT340633: [scudo] Replace eraseHeader with compareExchangeHeader for Quarantined chunks.Aug 24 2018, 11:22 AM
cryptoad mentioned this in rL340633: [scudo] Replace eraseHeader with compareExchangeHeader for Quarantined chunks.

Revision Contents

PathSize
lib/
scudo/
12 lines
test/
scudo/
69 lines

Diff 160650

lib/scudo/scudo_allocator.cpp

Show First 20 LinesShow All 258 Lines▼ Show 20 Lines void init() {
SetAllocatorMayReturnNull(common_flags()->allocator_may_return_null); SetAllocatorMayReturnNull(common_flags()->allocator_may_return_null);
Backend.init(common_flags()->allocator_release_to_os_interval_ms); Backend.init(common_flags()->allocator_release_to_os_interval_ms);
HardRssLimitMb = common_flags()->hard_rss_limit_mb; HardRssLimitMb = common_flags()->hard_rss_limit_mb;
SoftRssLimitMb = common_flags()->soft_rss_limit_mb; SoftRssLimitMb = common_flags()->soft_rss_limit_mb;
Quarantine.Init( Quarantine.Init(
static_cast<uptr>(getFlags()->QuarantineSizeKb) << 10, static_cast<uptr>(getFlags()->QuarantineSizeKb) << 10,
static_cast<uptr>(getFlags()->ThreadLocalQuarantineSizeKb) << 10); static_cast<uptr>(getFlags()->ThreadLocalQuarantineSizeKb) << 10);
QuarantineChunksUpToSize = getFlags()->QuarantineChunksUpToSize; QuarantineChunksUpToSize = (Quarantine.GetCacheSize() == 0) ? 0 :
getFlags()->QuarantineChunksUpToSize;
DeallocationTypeMismatch = getFlags()->DeallocationTypeMismatch; DeallocationTypeMismatch = getFlags()->DeallocationTypeMismatch;
DeleteSizeMismatch = getFlags()->DeleteSizeMismatch; DeleteSizeMismatch = getFlags()->DeleteSizeMismatch;
ZeroContents = getFlags()->ZeroContents; ZeroContents = getFlags()->ZeroContents;
if (UNLIKELY(!GetRandom(reinterpret_cast<void *>(&Cookie), sizeof(Cookie), if (UNLIKELY(!GetRandom(reinterpret_cast<void *>(&Cookie), sizeof(Cookie),
/*blocking=*/false))) { /*blocking=*/false))) {
Cookie = static_cast<u32>((NanoTime() >> 12) ^ Cookie = static_cast<u32>((NanoTime() >> 12) ^
(reinterpret_cast<uptr>(this) >> 4)); (reinterpret_cast<uptr>(this) >> 4));
▲ Show 20 LinesShow All 108 Lines▼ Show 20 Lines void *allocate(uptr Size, uptr Alignment, AllocType Type,
return Ptr; return Ptr;
} }
// Place a chunk in the quarantine or directly deallocate it in the event of // Place a chunk in the quarantine or directly deallocate it in the event of
// a zero-sized quarantine, or if the size of the chunk is greater than the // a zero-sized quarantine, or if the size of the chunk is greater than the
// quarantine chunk size threshold. // quarantine chunk size threshold.
void quarantineOrDeallocateChunk(void *Ptr, UnpackedHeader *Header, void quarantineOrDeallocateChunk(void *Ptr, UnpackedHeader *Header,
uptr Size) { uptr Size) {
const bool BypassQuarantine = (Quarantine.GetCacheSize() == 0) || const bool BypassQuarantine = !Size || (Size > QuarantineChunksUpToSize);
eugenisUnsubmitted
Not Done
ReplyInline Actions

why are you removing this condition?

(Quarantine.GetCacheSize() == 0)

eugenis: why are you removing this condition? (Quarantine.GetCacheSize() == 0)
cryptoadAuthorUnsubmitted
Not Done
ReplyInline Actions

So I moved (Quarantine.GetCacheSize() == 0) higher (in init), effectively setting QuarantineChunksUpToSize to 0 in that case.
It was something I intended to do before to consolidate the conditions into a single memory read.

cryptoad: So I moved `(Quarantine.GetCacheSize() == 0)` higher (in `init`), effectively setting…
cryptoadAuthorUnsubmitted
Not Done
ReplyInline Actions

Does the answer address your concerns?

cryptoad: Does the answer address your concerns?
eugenisUnsubmitted
Not Done
ReplyInline Actions

Yes it does!
Sorry I missed it.

eugenis: Yes it does! Sorry I missed it.
(Size > QuarantineChunksUpToSize);
if (BypassQuarantine) { if (BypassQuarantine) {
Chunk::eraseHeader(Ptr); UnpackedHeader NewHeader = *Header;
NewHeader.State = ChunkAvailable;
Chunk::compareExchangeHeader(Ptr, &NewHeader, Header);
void *BackendPtr = Chunk::getBackendPtr(Ptr, Header); void *BackendPtr = Chunk::getBackendPtr(Ptr, Header);
if (Header->ClassId) { if (Header->ClassId) {
bool UnlockRequired; bool UnlockRequired;
ScudoTSD *TSD = getTSDAndLock(&UnlockRequired); ScudoTSD *TSD = getTSDAndLock(&UnlockRequired);
getBackend().deallocatePrimary(&TSD->Cache, BackendPtr, getBackend().deallocatePrimary(&TSD->Cache, BackendPtr,
Header->ClassId); Header->ClassId);
if (UnlockRequired) if (UnlockRequired)
TSD->unlock(); TSD->unlock();
▲ Show 20 LinesShow All 266 Lines▼ Show 20 Lines
} }
void *scudoValloc(uptr Size) { void *scudoValloc(uptr Size) {
return SetErrnoOnNull( return SetErrnoOnNull(
Instance.allocate(Size, GetPageSizeCached(), FromMemalign)); Instance.allocate(Size, GetPageSizeCached(), FromMemalign));
} }
void *scudoPvalloc(uptr Size) { void *scudoPvalloc(uptr Size) {
uptr PageSize = GetPageSizeCached(); const uptr PageSize = GetPageSizeCached();
if (UNLIKELY(CheckForPvallocOverflow(Size, PageSize))) { if (UNLIKELY(CheckForPvallocOverflow(Size, PageSize))) {
errno = ENOMEM; errno = ENOMEM;
if (Instance.canReturnNull()) if (Instance.canReturnNull())
return nullptr; return nullptr;
reportPvallocOverflow(Size); reportPvallocOverflow(Size);
} }
// pvalloc(0) should allocate one page. // pvalloc(0) should allocate one page.
Size = Size ? RoundUpTo(Size, PageSize) : PageSize; Size = Size ? RoundUpTo(Size, PageSize) : PageSize;
▲ Show 20 LinesShow All 87 LinesShow Last 20 Lines

test/scudo/dealloc-race.c

// RUN: %clang_scudo %s -O2 -o %t
// RUN: %env_scudo_opts="QuarantineChunksUpToSize=0" %run %t 2>&1
// This test attempts to reproduce a race condition in the deallocation path
// when bypassing the Quarantine. The old behavior was to zero-out the chunk
// header after checking its checksum, state & various other things, but that
// left a window during which 2 (or more) threads could deallocate the same
// chunk, with a net result of having said chunk present in those distinct
// thread caches.
// A passing test means all the children died with an error. The failing
// scenario involves winning a race, so repro can be scarce.
#include <pthread.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
const int kNumThreads = 2;
pthread_t tid[kNumThreads];
pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
char go = 0;
// Frees the pointer passed when signaled to.
void *thread_free(void *p) {
pthread_mutex_lock(&mutex);
while (!go)
pthread_cond_wait(&cond, &mutex);
pthread_mutex_unlock(&mutex);
free(p);
return 0;
}
// Allocates a chunk, and attempts to free it "simultaneously" by 2 threads.
void child(void) {
void *p = malloc(16);
for (int i = 0; i < kNumThreads; i++)
pthread_create(&tid[i], 0, thread_free, p);
pthread_mutex_lock(&mutex);
go = 1;
pthread_cond_broadcast(&cond);
pthread_mutex_unlock(&mutex);
for (int i = 0; i < kNumThreads; i++)
pthread_join(tid[i], 0);
}
int main(int argc, char** argv) {
const int kChildren = 40;
pid_t pid;
for (int i = 0; i < kChildren; ++i) {
pid = fork();
if (pid < 0) {
exit(1);
} else if (pid == 0) {
child();
exit(0);
} else {
int status;
wait(&status);
// A 0 status means the child didn't die with an error. The race was won.
if (status == 0)
exit(1);
}
}
return 0;
}