This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
compiler-rt/lib/scudo/standalone/
-
lib/
-
scudo/
-
standalone/
-
chunk.h
1/1
combined.h
-
tests/
-
combined_test.cpp

Differential D70908

[scudo][standalone] Add chunk ownership function
ClosedPublic

Authored by cryptoad on Dec 2 2019, 8:50 AM.

Download Raw Diff

Details

Reviewers

hctim
pcc
cferris
eugenis
vitalybuka

Commits

rG5595249e48ef: [scudo][standalone] Add chunk ownership function

Summary

In order to be compliant with tcmalloc's extension ownership
determination function, we have to expose a function that will
say if a chunk was allocated by us.

As to whether or not this has security consequences: someone
able to call this function repeatedly could use it to determine
secrets (cookie) or craft a valid header. So this should not be
exposed directly to untrusted user input.

Add related tests.

Additionally clang-format caught a few things to change.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

cryptoad created this revision.Dec 2 2019, 8:50 AM

Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptDec 2 2019, 8:50 AM

Herald added subscribers: Restricted Project, jfb, JDevlieghere. · View Herald Transcript

Harbormaster completed remote builds in B41722: Diff 231721.Dec 2 2019, 8:52 AM

So the model presented asserts that if the chunk header is truncated, the pointer is not owned by us. Is this WAI? I can forsee that a chunk header was truncated, and then the pointer to the associated allocation is checked for ownership, which the ownership will fail as the chunk header check didn't succeed.

compiler-rt/lib/scudo/standalone/combined.h
483	Why blank assert log here?

In D70908#1765712, @hctim wrote:

So the model presented asserts that if the chunk header is truncated, the pointer is not owned by us. Is this WAI? I can forsee that a chunk header was truncated, and then the pointer to the associated allocation is checked for ownership, which the ownership will fail as the chunk header check didn't succeed.

I think that not claiming ownership of a corrupted chunk is something we can live with.
The ownership concept for tcmalloc has strong requirements, which I think are fulfilled by this implementation.

Adding a log for the new static_assert.

Harbormaster completed remote builds in B41739: Diff 231772.Dec 2 2019, 1:24 PM

In D70908#1765917, @cryptoad wrote:

I think that not claiming ownership of a corrupted chunk is something we can live with.
The ownership concept for tcmalloc has strong requirements, which I think are fulfilled by this implementation.

Ack - would you mind mentioning this decision in the function description comment?

Otherwise LGTM.

This revision is now accepted and ready to land.Dec 2 2019, 1:27 PM

Adding a comment saying that a corrupted chunk won't be reported
as owned (well technically it might be "owned"), but that it's WAI.

Harbormaster completed remote builds in B41743: Diff 231778.Dec 2 2019, 2:11 PM

Closed by commit rG5595249e48ef: [scudo][standalone] Add chunk ownership function (authored by cryptoad). · Explain WhyDec 3 2019, 8:33 AM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

compiler-rt/

lib/

scudo/

standalone/

chunk.h

12 lines

combined.h

15 lines

tests/

combined_test.cpp

7 lines

Diff 231920

compiler-rt/lib/scudo/standalone/chunk.h

Show First 20 Lines • Show All 85 Lines • ▼ Show 20 Lines	constexpr uptr getHeaderSize() {
return roundUpTo(sizeof(PackedHeader), 1U << SCUDO_MIN_ALIGNMENT_LOG);		return roundUpTo(sizeof(PackedHeader), 1U << SCUDO_MIN_ALIGNMENT_LOG);
}		}

inline AtomicPackedHeader getAtomicHeader(void Ptr) {		inline AtomicPackedHeader getAtomicHeader(void Ptr) {
return reinterpret_cast<AtomicPackedHeader *>(reinterpret_cast<uptr>(Ptr) -		return reinterpret_cast<AtomicPackedHeader *>(reinterpret_cast<uptr>(Ptr) -
getHeaderSize());		getHeaderSize());
}		}

inline		inline const AtomicPackedHeader getConstAtomicHeader(const void Ptr) {
const AtomicPackedHeader getConstAtomicHeader(const void Ptr) {
return reinterpret_cast<const AtomicPackedHeader *>(		return reinterpret_cast<const AtomicPackedHeader *>(
reinterpret_cast<uptr>(Ptr) - getHeaderSize());		reinterpret_cast<uptr>(Ptr) - getHeaderSize());
}		}

// We do not need a cryptographically strong hash for the checksum, but a CRC		// We do not need a cryptographically strong hash for the checksum, but a CRC
// type function that can alert us in the event a header is invalid or		// type function that can alert us in the event a header is invalid or
// corrupted. Ideally slightly better than a simple xor of all fields.		// corrupted. Ideally slightly better than a simple xor of all fields.
static inline u16 computeHeaderChecksum(u32 Cookie, const void *Ptr,		static inline u16 computeHeaderChecksum(u32 Cookie, const void *Ptr,
Show All 9 Lines
inline void storeHeader(u32 Cookie, void *Ptr,		inline void storeHeader(u32 Cookie, void *Ptr,
UnpackedHeader *NewUnpackedHeader) {		UnpackedHeader *NewUnpackedHeader) {
NewUnpackedHeader->Checksum =		NewUnpackedHeader->Checksum =
computeHeaderChecksum(Cookie, Ptr, NewUnpackedHeader);		computeHeaderChecksum(Cookie, Ptr, NewUnpackedHeader);
PackedHeader NewPackedHeader = bit_cast<PackedHeader>(*NewUnpackedHeader);		PackedHeader NewPackedHeader = bit_cast<PackedHeader>(*NewUnpackedHeader);
atomic_store_relaxed(getAtomicHeader(Ptr), NewPackedHeader);		atomic_store_relaxed(getAtomicHeader(Ptr), NewPackedHeader);
}		}

inline		inline void loadHeader(u32 Cookie, const void *Ptr,
void loadHeader(u32 Cookie, const void *Ptr,
UnpackedHeader *NewUnpackedHeader) {		UnpackedHeader *NewUnpackedHeader) {
PackedHeader NewPackedHeader = atomic_load_relaxed(getConstAtomicHeader(Ptr));		PackedHeader NewPackedHeader = atomic_load_relaxed(getConstAtomicHeader(Ptr));
*NewUnpackedHeader = bit_cast<UnpackedHeader>(NewPackedHeader);		*NewUnpackedHeader = bit_cast<UnpackedHeader>(NewPackedHeader);
if (UNLIKELY(NewUnpackedHeader->Checksum !=		if (UNLIKELY(NewUnpackedHeader->Checksum !=
computeHeaderChecksum(Cookie, Ptr, NewUnpackedHeader)))		computeHeaderChecksum(Cookie, Ptr, NewUnpackedHeader)))
reportHeaderCorruption(const_cast<void *>(Ptr));		reportHeaderCorruption(const_cast<void *>(Ptr));
}		}

inline void compareExchangeHeader(u32 Cookie, void *Ptr,		inline void compareExchangeHeader(u32 Cookie, void *Ptr,
UnpackedHeader *NewUnpackedHeader,		UnpackedHeader *NewUnpackedHeader,
UnpackedHeader *OldUnpackedHeader) {		UnpackedHeader *OldUnpackedHeader) {
NewUnpackedHeader->Checksum =		NewUnpackedHeader->Checksum =
computeHeaderChecksum(Cookie, Ptr, NewUnpackedHeader);		computeHeaderChecksum(Cookie, Ptr, NewUnpackedHeader);
PackedHeader NewPackedHeader = bit_cast<PackedHeader>(*NewUnpackedHeader);		PackedHeader NewPackedHeader = bit_cast<PackedHeader>(*NewUnpackedHeader);
PackedHeader OldPackedHeader = bit_cast<PackedHeader>(*OldUnpackedHeader);		PackedHeader OldPackedHeader = bit_cast<PackedHeader>(*OldUnpackedHeader);
if (UNLIKELY(!atomic_compare_exchange_strong(		if (UNLIKELY(!atomic_compare_exchange_strong(
getAtomicHeader(Ptr), &OldPackedHeader, NewPackedHeader,		getAtomicHeader(Ptr), &OldPackedHeader, NewPackedHeader,
memory_order_relaxed)))		memory_order_relaxed)))
reportHeaderRace(Ptr);		reportHeaderRace(Ptr);
}		}

inline		inline bool isValid(u32 Cookie, const void *Ptr,
bool isValid(u32 Cookie, const void Ptr, UnpackedHeader NewUnpackedHeader) {		UnpackedHeader *NewUnpackedHeader) {
PackedHeader NewPackedHeader = atomic_load_relaxed(getConstAtomicHeader(Ptr));		PackedHeader NewPackedHeader = atomic_load_relaxed(getConstAtomicHeader(Ptr));
*NewUnpackedHeader = bit_cast<UnpackedHeader>(NewPackedHeader);		*NewUnpackedHeader = bit_cast<UnpackedHeader>(NewPackedHeader);
return NewUnpackedHeader->Checksum ==		return NewUnpackedHeader->Checksum ==
computeHeaderChecksum(Cookie, Ptr, NewUnpackedHeader);		computeHeaderChecksum(Cookie, Ptr, NewUnpackedHeader);
}		}

} // namespace Chunk		} // namespace Chunk

} // namespace scudo		} // namespace scudo

#endif // SCUDO_CHUNK_H_		#endif // SCUDO_CHUNK_H_

compiler-rt/lib/scudo/standalone/combined.h

Show First 20 Lines • Show All 451 Lines • ▼ Show 20 Lines	uptr getUsableSize(const void *Ptr) {
return getSize(Ptr, &Header);		return getSize(Ptr, &Header);
}		}

void getStats(StatCounters S) {		void getStats(StatCounters S) {
initThreadMaybe();		initThreadMaybe();
Stats.get(S);		Stats.get(S);
}		}

		// Returns true if the pointer provided was allocated by the current
		// allocator instance, which is compliant with tcmalloc's ownership concept.
		// A corrupted chunk will not be reported as owned, which is WAI.
		bool isOwned(const void *Ptr) {
		initThreadMaybe();
		if (!Ptr \|\| !isAligned(reinterpret_cast<uptr>(Ptr), MinAlignment))
		return false;
		Chunk::UnpackedHeader Header;
		return Chunk::isValid(Cookie, Ptr, &Header) &&
		Header.State == Chunk::State::Allocated;
		}

private:		private:
using SecondaryT = typename Params::Secondary;		using SecondaryT = typename Params::Secondary;
typedef typename PrimaryT::SizeClassMap SizeClassMap;		typedef typename PrimaryT::SizeClassMap SizeClassMap;

static const uptr MinAlignmentLog = SCUDO_MIN_ALIGNMENT_LOG;		static const uptr MinAlignmentLog = SCUDO_MIN_ALIGNMENT_LOG;
static const uptr MaxAlignmentLog = 24U; // 16 MB seems reasonable.		static const uptr MaxAlignmentLog = 24U; // 16 MB seems reasonable.
static const uptr MinAlignment = 1UL << MinAlignmentLog;		static const uptr MinAlignment = 1UL << MinAlignmentLog;
static const uptr MaxAlignment = 1UL << MaxAlignmentLog;		static const uptr MaxAlignment = 1UL << MaxAlignmentLog;
static const uptr MaxAllowedMallocSize =		static const uptr MaxAllowedMallocSize =
FIRST_32_SECOND_64(1UL << 31, 1ULL << 40);		FIRST_32_SECOND_64(1UL << 31, 1ULL << 40);

		static_assert(MinAlignment >= sizeof(Chunk::PackedHeader),
		hctimUnsubmitted Done Reply Inline Actions Why blank assert log here? hctim: Why blank assert log here?
		"Minimal alignment must at least cover a chunk header.");

// Constants used by the chunk iteration mechanism.		// Constants used by the chunk iteration mechanism.
static const u32 BlockMarker = 0x44554353U;		static const u32 BlockMarker = 0x44554353U;
static const uptr InvalidChunk = ~static_cast<uptr>(0);		static const uptr InvalidChunk = ~static_cast<uptr>(0);

GlobalStats Stats;		GlobalStats Stats;
TSDRegistryT TSDRegistry;		TSDRegistryT TSDRegistry;
PrimaryT Primary;		PrimaryT Primary;
SecondaryT Secondary;		SecondaryT Secondary;
▲ Show 20 Lines • Show All 129 Lines • Show Last 20 Lines

compiler-rt/lib/scudo/standalone/tests/combined_test.cpp

Show All 26 Lines	template <class Config> static void testAllocator() {
auto Deleter = [](AllocatorT *A) {		auto Deleter = [](AllocatorT *A) {
A->unmapTestOnly();		A->unmapTestOnly();
delete A;		delete A;
};		};
std::unique_ptr<AllocatorT, decltype(Deleter)> Allocator(new AllocatorT,		std::unique_ptr<AllocatorT, decltype(Deleter)> Allocator(new AllocatorT,
Deleter);		Deleter);
Allocator->reset();		Allocator->reset();

		EXPECT_FALSE(Allocator->isOwned(&Mutex));
		EXPECT_FALSE(Allocator->isOwned(&Allocator));
		scudo::u64 StackVariable = 0x42424242U;
		EXPECT_FALSE(Allocator->isOwned(&StackVariable));
		EXPECT_EQ(StackVariable, 0x42424242U);

constexpr scudo::uptr MinAlignLog = FIRST_32_SECOND_64(3U, 4U);		constexpr scudo::uptr MinAlignLog = FIRST_32_SECOND_64(3U, 4U);

// This allocates and deallocates a bunch of chunks, with a wide range of		// This allocates and deallocates a bunch of chunks, with a wide range of
// sizes and alignments, with a focus on sizes that could trigger weird		// sizes and alignments, with a focus on sizes that could trigger weird
// behaviors (plus or minus a small delta of a power of two for example).		// behaviors (plus or minus a small delta of a power of two for example).
for (scudo::uptr SizeLog = 0U; SizeLog <= 20U; SizeLog++) {		for (scudo::uptr SizeLog = 0U; SizeLog <= 20U; SizeLog++) {
for (scudo::uptr AlignLog = MinAlignLog; AlignLog <= 16U; AlignLog++) {		for (scudo::uptr AlignLog = MinAlignLog; AlignLog <= 16U; AlignLog++) {
const scudo::uptr Align = 1U << AlignLog;		const scudo::uptr Align = 1U << AlignLog;
for (scudo::sptr Delta = -32; Delta <= 32; Delta++) {		for (scudo::sptr Delta = -32; Delta <= 32; Delta++) {
if (static_cast<scudo::sptr>(1U << SizeLog) + Delta <= 0)		if (static_cast<scudo::sptr>(1U << SizeLog) + Delta <= 0)
continue;		continue;
const scudo::uptr Size = (1U << SizeLog) + Delta;		const scudo::uptr Size = (1U << SizeLog) + Delta;
void *P = Allocator->allocate(Size, Origin, Align);		void *P = Allocator->allocate(Size, Origin, Align);
EXPECT_NE(P, nullptr);		EXPECT_NE(P, nullptr);
		EXPECT_TRUE(Allocator->isOwned(P));
EXPECT_TRUE(scudo::isAligned(reinterpret_cast<scudo::uptr>(P), Align));		EXPECT_TRUE(scudo::isAligned(reinterpret_cast<scudo::uptr>(P), Align));
EXPECT_LE(Size, Allocator->getUsableSize(P));		EXPECT_LE(Size, Allocator->getUsableSize(P));
memset(P, 0xaa, Size);		memset(P, 0xaa, Size);
Allocator->deallocate(P, Origin, Size);		Allocator->deallocate(P, Origin, Size);
}		}
}		}
}		}
Allocator->releaseToOS();		Allocator->releaseToOS();
▲ Show 20 Lines • Show All 231 Lines • Show Last 20 Lines