This is an archive of the discontinued LLVM Phabricator instance.

Differential D56603

[HWASAN] Improve tag-mismatch diagnostics
ClosedPublic

Authored by evgeny777 on Jan 11 2019, 8:33 AM.

Details

Reviewers
kcc
eugenis
Commits
rG0d7952ce78f0: [HWASAN] Improve tag mismatch diagnostics
rCRT351730: [HWASAN] Improve tag mismatch diagnostics
rL351730: [HWASAN] Improve tag mismatch diagnostics
Summary

This patch improves tag-mismatch report in the following ways:

  • SigTrap explicitly sets X0 register so fault address and tags are correctly shown on AArch64
  • Access sizes not equal to power of 2 are correctly shown on both AArch64 and X86_64
  • ptr and mem tags are displayed correctly when SigTrap is invoked from CheckAddressSized

Diff Detail

Repository
rL LLVM

Event Timeline

evgeny777 created this revision.Jan 11 2019, 8:33 AM
Herald added subscribers: kristof.beyls, javed.absar, kubamracek. · View Herald TranscriptJan 11 2019, 8:33 AM
eugenis added inline comments.Jan 11 2019, 9:01 AM
lib/hwasan/hwasan_checks.h
98 ↗(On Diff #181283)

This would report an error with the size of the memory access being equal to the distance from the first bad granule to the end of the memset() buffer. This sounds very confusing.

I suggest doing the sized version of SigTrap with the starting address and the full size of the buffer, and then adding extra analysis in reporting code. The result could be a note saying that the first bad byte is somewhere at offset [A, A+16] from the start of the accessed range.

evgeny777 updated this revision to Diff 181508.Jan 14 2019, 1:54 AM

Addressed review comments

evgeny777 added a child revision: D56673: [HWASAN/compiler-rt] Instrument globals.Jan 14 2019, 10:26 AM
eugenis added inline comments.Jan 14 2019, 4:48 PM
lib/hwasan/hwasan_checks.h
27 ↗(On Diff #181508)

this can be done better with register asm:

register uptr x0 asm("x0") = p;

and then use "r"(x0) in asm constraints.

It would also tell the compiler that x0 is clobbered, which might matter in the -fsanitize-recover mode.

lib/hwasan/hwasan_report.cc
408 ↗(On Diff #181508)

Reuse __hwasan_test_shadow.

evgeny777 marked an inline comment as done.Jan 15 2019, 6:56 AM
evgeny777 added inline comments.
lib/hwasan/hwasan_report.cc
408 ↗(On Diff #181508)

This function looks a bit strange to me. For instance it can return -1 either in case of error or in case of a tag mismatch when address is equal to start of granule plus one. It would make much more sense if this function returned pointer instead of offset

evgeny777 updated this revision to Diff 181784.Jan 15 2019, 7:41 AM

Changed way X0 and X1 are assigned on AArch64

eugenis added inline comments.Jan 15 2019, 12:56 PM
lib/hwasan/hwasan_report.cc
408 ↗(On Diff #181508)

Oh, that's a good catch! I'd prefer the interface to stay as it is for consistency with __msan_test_shadow, but fix the return offset to be within [0, sz] is case of an error.

Also, this function assumes that tag 0 is match-all, which is not the case. The ptr_tag==0 check could be removed.

eugenis added inline comments.Jan 15 2019, 12:59 PM
lib/hwasan/hwasan_checks.h
28 ↗(On Diff #181784)

brk %1

evgeny777 updated this revision to Diff 182004.Jan 16 2019, 4:20 AM

Addressed

eugenis accepted this revision.Jan 17 2019, 3:53 PM
eugenis added a subscriber: pcc.

LGTM

lib/hwasan/hwasan_report.cc
415 ↗(On Diff #182004)

This phrase sounds awkward. There should probably be a "the" before "first", at least... @pcc

This revision is now accepted and ready to land.Jan 17 2019, 3:53 PM
eugenis requested changes to this revision.Jan 17 2019, 3:55 PM

And we should probably skip this note in the case where it is obvious - for example, for an 8 byte, 8-aligned access!

This revision now requires changes to proceed.Jan 17 2019, 3:55 PM
evgeny777 updated this revision to Diff 182466.Jan 18 2019, 12:16 AM

assume that case is not "obvious" when offset is not zero.

eugenis accepted this revision.Jan 18 2019, 10:40 AM

LGTM with comments.

Please add a -NOT test line somewhere to check that the new note is not printed in "obvious" cases.

test/hwasan/TestCases/mem-intrinsics.c
27 ↗(On Diff #182466)

I think this could be flaky - there is a chance that PTR_TAG will the be last one on its line, and MEM_TAG - the first one on the following line. Align the buffer to at least 256 byte to prevent this from happening. Perhaps simply mmap a page of memory?

This revision is now accepted and ready to land.Jan 18 2019, 10:40 AM
Closed by commit rL351730: [HWASAN] Improve tag mismatch diagnostics (authored by evgeny777). · Explain WhyJan 21 2019, 1:51 AM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: delcypher. · View Herald TranscriptJan 21 2019, 1:51 AM

Revision Contents

PathSize
compiler-rt/
trunk/
lib/
hwasan/
8 lines
26 lines
10 lines
test/
hwasan/
TestCases/
12 lines

Diff 182756

compiler-rt/trunk/lib/hwasan/hwasan.cc

Show First 20 LinesShow All 330 Lines▼ Show 20 Linesvoid __hwasan_print_shadow(const void *p, uptr sz) {
for (uptr s = shadow_first; s <= shadow_last; ++s) for (uptr s = shadow_first; s <= shadow_last; ++s)
Printf(" %zx: %x\n", ShadowToMem(s), *(tag_t *)s); Printf(" %zx: %x\n", ShadowToMem(s), *(tag_t *)s);
} }
sptr __hwasan_test_shadow(const void *p, uptr sz) { sptr __hwasan_test_shadow(const void *p, uptr sz) {
if (sz == 0) if (sz == 0)
return -1; return -1;
tag_t ptr_tag = GetTagFromPointer((uptr)p); tag_t ptr_tag = GetTagFromPointer((uptr)p);
if (ptr_tag == 0)
return -1;
uptr ptr_raw = UntagAddr(reinterpret_cast<uptr>(p)); uptr ptr_raw = UntagAddr(reinterpret_cast<uptr>(p));
uptr shadow_first = MemToShadow(ptr_raw); uptr shadow_first = MemToShadow(ptr_raw);
uptr shadow_last = MemToShadow(ptr_raw + sz - 1); uptr shadow_last = MemToShadow(ptr_raw + sz - 1);
for (uptr s = shadow_first; s <= shadow_last; ++s) for (uptr s = shadow_first; s <= shadow_last; ++s)
if (*(tag_t*)s != ptr_tag) if (*(tag_t *)s != ptr_tag) {
return ShadowToMem(s) - ptr_raw; sptr offset = ShadowToMem(s) - ptr_raw;
return offset < 0 ? 0 : offset;
}
return -1; return -1;
} }
u16 __sanitizer_unaligned_load16(const uu16 *p) { u16 __sanitizer_unaligned_load16(const uu16 *p) {
return *p; return *p;
} }
u32 __sanitizer_unaligned_load32(const uu32 *p) { u32 __sanitizer_unaligned_load32(const uu32 *p) {
return *p; return *p;
▲ Show 20 LinesShow All 144 LinesShow Last 20 Lines

compiler-rt/trunk/lib/hwasan/hwasan_checks.h

//===-- hwasan_checks.h -----------------------------------------*- C++ -*-===// //===-- hwasan_checks.h -----------------------------------------*- C++ -*-===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This file is a part of HWAddressSanitizer. // This file is a part of HWAddressSanitizer.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#ifndef HWASAN_CHECKS_H #ifndef HWASAN_CHECKS_H
#define HWASAN_CHECKS_H #define HWASAN_CHECKS_H
#include "hwasan_mapping.h" #include "hwasan_mapping.h"
#include "sanitizer_common/sanitizer_common.h"
namespace __hwasan { namespace __hwasan {
template <unsigned X> template <unsigned X>
__attribute__((always_inline)) static void SigTrap(uptr p) { __attribute__((always_inline)) static void SigTrap(uptr p) {
#if defined(__aarch64__) #if defined(__aarch64__)
(void)p; (void)p;
// 0x900 is added to do not interfere with the kernel use of lower values of // 0x900 is added to do not interfere with the kernel use of lower values of
// brk immediate. // brk immediate.
// FIXME: Add a constraint to put the pointer into x0, the same as x86 branch. register uptr x0 asm("x0") = p;
asm("brk %0\n\t" ::"n"(0x900 + X)); asm("brk %1\n\t" ::"r"(x0), "n"(0x900 + X));
#elif defined(__x86_64__) #elif defined(__x86_64__)
// INT3 + NOP DWORD ptr [EAX + X] to pass X to our signal handler, 5 bytes // INT3 + NOP DWORD ptr [EAX + X] to pass X to our signal handler, 5 bytes
// total. The pointer is passed via rdi. // total. The pointer is passed via rdi.
// 0x40 is added as a safeguard, to help distinguish our trap from others and // 0x40 is added as a safeguard, to help distinguish our trap from others and
// to avoid 0 offsets in the command (otherwise it'll be reduced to a // to avoid 0 offsets in the command (otherwise it'll be reduced to a
// different nop command, the three bytes one). // different nop command, the three bytes one).
asm volatile( asm volatile(
"int3\n" "int3\n"
"nopl %c0(%%rax)\n" ::"n"(0x40 + X), "nopl %c0(%%rax)\n" ::"n"(0x40 + X),
"D"(p)); "D"(p));
#else #else
// FIXME: not always sigill. // FIXME: not always sigill.
__builtin_trap(); __builtin_trap();
#endif #endif
// __builtin_unreachable(); // __builtin_unreachable();
} }
// Version with access size which is not power of 2
template <unsigned X>
__attribute__((always_inline)) static void SigTrap(uptr p, uptr size) {
#if defined(__aarch64__)
register uptr x0 asm("x0") = p;
register uptr x1 asm("x1") = size;
asm("brk %2\n\t" ::"r"(x0), "r"(x1), "n"(0x900 + X));
#elif defined(__x86_64__)
// Size is stored in rsi.
asm volatile(
"int3\n"
"nopl %c0(%%rax)\n" ::"n"(0x40 + X),
"D"(p), "S"(size));
#else
__builtin_trap();
#endif
// __builtin_unreachable();
}
enum class ErrorAction { Abort, Recover }; enum class ErrorAction { Abort, Recover };
enum class AccessType { Load, Store }; enum class AccessType { Load, Store };
template <ErrorAction EA, AccessType AT, unsigned LogSize> template <ErrorAction EA, AccessType AT, unsigned LogSize>
__attribute__((always_inline, nodebug)) static void CheckAddress(uptr p) { __attribute__((always_inline, nodebug)) static void CheckAddress(uptr p) {
tag_t ptr_tag = GetTagFromPointer(p); tag_t ptr_tag = GetTagFromPointer(p);
uptr ptr_raw = p & ~kAddressTagMask; uptr ptr_raw = p & ~kAddressTagMask;
tag_t mem_tag = *(tag_t *)MemToShadow(ptr_raw); tag_t mem_tag = *(tag_t *)MemToShadow(ptr_raw);
Show All 12 Lines if (sz == 0)
return; return;
tag_t ptr_tag = GetTagFromPointer(p); tag_t ptr_tag = GetTagFromPointer(p);
uptr ptr_raw = p & ~kAddressTagMask; uptr ptr_raw = p & ~kAddressTagMask;
tag_t *shadow_first = (tag_t *)MemToShadow(ptr_raw); tag_t *shadow_first = (tag_t *)MemToShadow(ptr_raw);
tag_t *shadow_last = (tag_t *)MemToShadow(ptr_raw + sz - 1); tag_t *shadow_last = (tag_t *)MemToShadow(ptr_raw + sz - 1);
for (tag_t *t = shadow_first; t <= shadow_last; ++t) for (tag_t *t = shadow_first; t <= shadow_last; ++t)
if (UNLIKELY(ptr_tag != *t)) { if (UNLIKELY(ptr_tag != *t)) {
SigTrap<0x20 * (EA == ErrorAction::Recover) + SigTrap<0x20 * (EA == ErrorAction::Recover) +
0x10 * (AT == AccessType::Store) + 0xf>(p); 0x10 * (AT == AccessType::Store) + 0xf>(p, sz);
if (EA == ErrorAction::Abort) if (EA == ErrorAction::Abort)
__builtin_unreachable(); __builtin_unreachable();
} }
} }
} // end namespace __hwasan } // end namespace __hwasan
#endif // HWASAN_CHECKS_H #endif // HWASAN_CHECKS_H

compiler-rt/trunk/lib/hwasan/hwasan_report.cc

Show First 20 LinesShow All 393 Lines▼ Show 20 Linesvoid ReportTagMismatch(StackTrace *stack, uptr tagged_addr, uptr access_size,
// TODO: when possible, try to print heap-use-after-free, etc. // TODO: when possible, try to print heap-use-after-free, etc.
const char *bug_type = "tag-mismatch"; const char *bug_type = "tag-mismatch";
uptr pc = stack->size ? stack->trace[0] : 0; uptr pc = stack->size ? stack->trace[0] : 0;
Report("ERROR: %s: %s on address %p at pc %p\n", SanitizerToolName, bug_type, Report("ERROR: %s: %s on address %p at pc %p\n", SanitizerToolName, bug_type,
untagged_addr, pc); untagged_addr, pc);
Thread *t = GetCurrentThread(); Thread *t = GetCurrentThread();
sptr offset =
__hwasan_test_shadow(reinterpret_cast<void *>(tagged_addr), access_size);
CHECK(offset >= 0 && offset < static_cast<sptr>(access_size));
tag_t ptr_tag = GetTagFromPointer(tagged_addr); tag_t ptr_tag = GetTagFromPointer(tagged_addr);
tag_t *tag_ptr = reinterpret_cast<tag_t*>(MemToShadow(untagged_addr)); tag_t *tag_ptr =
reinterpret_cast<tag_t *>(MemToShadow(untagged_addr + offset));
tag_t mem_tag = *tag_ptr; tag_t mem_tag = *tag_ptr;
Printf("%s", d.Access()); Printf("%s", d.Access());
Printf("%s of size %zu at %p tags: %02x/%02x (ptr/mem) in thread T%zd\n", Printf("%s of size %zu at %p tags: %02x/%02x (ptr/mem) in thread T%zd\n",
is_store ? "WRITE" : "READ", access_size, untagged_addr, ptr_tag, is_store ? "WRITE" : "READ", access_size, untagged_addr, ptr_tag,
mem_tag, t->unique_id()); mem_tag, t->unique_id());
if (offset != 0)
Printf("Invalid access starting at offset [%zu, %zu)\n", offset,
Min(access_size, static_cast<uptr>(offset) + (1 << kShadowScale)));
Printf("%s", d.Default()); Printf("%s", d.Default());
stack->Print(); stack->Print();
PrintAddressDescription(tagged_addr, access_size, PrintAddressDescription(tagged_addr, access_size,
current_stack_allocations.get()); current_stack_allocations.get());
t->Announce(); t->Announce();
PrintTagsAroundAddr(tag_ptr); PrintTagsAroundAddr(tag_ptr);
ReportErrorSummary(bug_type, stack); ReportErrorSummary(bug_type, stack);
} }
} // namespace __hwasan } // namespace __hwasan

compiler-rt/trunk/test/hwasan/TestCases/mem-intrinsics.c

// RUN: %clang_hwasan %s -DTEST_NO=1 -mllvm -hwasan-instrument-mem-intrinsics -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=WRITE // RUN: %clang_hwasan %s -DTEST_NO=1 -mllvm -hwasan-instrument-mem-intrinsics -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=WRITE
// RUN: %clang_hwasan %s -DTEST_NO=2 -mllvm -hwasan-instrument-mem-intrinsics -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=READ // RUN: %clang_hwasan %s -DTEST_NO=2 -mllvm -hwasan-instrument-mem-intrinsics -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=READ
// RUN: %clang_hwasan %s -DTEST_NO=3 -mllvm -hwasan-instrument-mem-intrinsics -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=WRITE // RUN: %clang_hwasan %s -DTEST_NO=3 -mllvm -hwasan-instrument-mem-intrinsics -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=WRITE
// RUN: %clang_hwasan %s -DTEST_NO=2 -mllvm -hwasan-instrument-mem-intrinsics -o %t && not %env_hwasan_opts=halt_on_error=0 %run %t 2>&1 | FileCheck %s --check-prefix=RECOVER // RUN: %clang_hwasan %s -DTEST_NO=2 -mllvm -hwasan-instrument-mem-intrinsics -o %t && not %env_hwasan_opts=halt_on_error=0 %run %t 2>&1 | FileCheck %s --check-prefix=RECOVER
// REQUIRES: stable-runtime // REQUIRES: stable-runtime
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <unistd.h> #include <unistd.h>
int main() { int main() {
char Q[16]; char Q[16] __attribute__((aligned(256)));
char P[16]; char P[16] __attribute__((aligned(256)));
#if TEST_NO == 1 #if TEST_NO == 1
memset(Q, 0, 32); memset(Q, 0, 32);
#elif TEST_NO == 2 #elif TEST_NO == 2
memmove(Q, Q + 16, 16); memmove(Q, Q + 16, 16);
#elif TEST_NO == 3 #elif TEST_NO == 3
memcpy(Q, P, 32); memcpy(Q, P, 32);
#endif #endif
write(STDOUT_FILENO, "recovered\n", 10); write(STDOUT_FILENO, "recovered\n", 10);
// WRITE: ERROR: HWAddressSanitizer: tag-mismatch on address // WRITE: ERROR: HWAddressSanitizer: tag-mismatch on address
// WRITE: WRITE {{.*}} tags: [[PTR_TAG:..]]/[[MEM_TAG:..]] (ptr/mem) // WRITE: WRITE of size 32 at {{.*}} tags: [[PTR_TAG:..]]/[[MEM_TAG:..]] (ptr/mem)
// WRITE: Invalid access starting at offset [16, 32)
// WRITE: Memory tags around the buggy address (one tag corresponds to 16 bytes): // WRITE: Memory tags around the buggy address (one tag corresponds to 16 bytes):
// WRITE: =>{{.*}}[[MEM_TAG]] // WRITE: =>{{.*}}[[PTR_TAG]]{{[[:space:]]\[}}[[MEM_TAG]]
// WRITE-NOT: recovered // WRITE-NOT: recovered
// READ: ERROR: HWAddressSanitizer: tag-mismatch on address // READ: ERROR: HWAddressSanitizer: tag-mismatch on address
// READ-NOT: Invalid access starting at offset
// READ: READ {{.*}} tags: [[PTR_TAG:..]]/[[MEM_TAG:..]] (ptr/mem) // READ: READ {{.*}} tags: [[PTR_TAG:..]]/[[MEM_TAG:..]] (ptr/mem)
// READ: Memory tags around the buggy address (one tag corresponds to 16 bytes): // READ: Memory tags around the buggy address (one tag corresponds to 16 bytes):
// READ: =>{{.*}}[[MEM_TAG]] // READ: =>{{.*}}[[PTR_TAG]]{{[[:space:]]\[}}[[MEM_TAG]]
// READ-NOT: recovered // READ-NOT: recovered
// RECOVER: recovered // RECOVER: recovered
return 0; return 0;
} }