This is an archive of the discontinued LLVM Phabricator instance.

Differential D76665

[asan] Stop instrumenting user-defined ELF sections
ClosedPublic

Authored by mgorny on Mar 23 2020, 8:34 PM.

Details

Reviewers
joerg
kcc
krytarowski
vitalybuka
lebedev.ri
Commits
rG66e493f81e8e: [asan] Stop instrumenting user-defined ELF sections
Summary

Do not instrument user-defined ELF sections (whose names resemble valid
C identifiers). They may have special use semantics and modifying them
may break programs. This is e.g. the case with NetBSD __link_set API
that expects these sections to store consecutive array elements.

Diff Detail

Event Timeline

krytarowski created this revision.Mar 23 2020, 8:34 PM
Herald added a project: Restricted Project. · View Herald TranscriptMar 23 2020, 8:34 PM
Herald added subscribers: llvm-commits, hiraditya. · View Herald Transcript
Harbormaster completed remote builds in B50206: Diff 252210.Mar 23 2020, 9:13 PM
lebedev.ri added a comment.Mar 24 2020, 12:11 AM

This is probably missing a test

vitalybuka requested changes to this revision.Apr 8 2020, 6:19 PM
This revision now requires changes to proceed.Apr 8 2020, 6:19 PM
R3x added a subscriber: R3x.May 25 2020, 5:04 PM

@lebedev.ri Can you point me to where this test needs to be added and an example of the same?

mgorny added a subscriber: mgorny.May 28 2020, 12:09 PM
mgorny commandeered this revision.Jun 1 2020, 8:31 AM
mgorny updated this revision to Diff 267631.
mgorny edited reviewers, added: krytarowski; removed: mgorny.

Added a test.

pcc added a subscriber: pcc.Jun 1 2020, 10:18 AM
pcc added inline comments.
llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
1859

What do the names of these sections look like? From the test I presume that they have C identifier names and are enumerated via __start_/__stop_. In that case we should exclude all C identifier named sections from instrumentation (not just link_set*) in order to fix similar bugs involving those sections.

mgorny marked an inline comment as done.Jun 1 2020, 11:49 AM
mgorny added inline comments.
llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
1859

They are created via the following macro:

#define	__link_set_make_entry(set, sym)					\
	static void const * const __link_set_##set##_sym_##sym		\
	    __section("link_set_" #set) __used = (const void *)&sym

So the link_set_ name is enforced on our end. Of course, people can do any crazy things they like, so can't tell if anyone else has a similar use case.

krytarowski added inline comments.Jun 2 2020, 5:30 AM
llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
1859

@pcc can you suggest how to implement a generalized version of this patch that disables instrumentation of user-defined sections?

pcc added inline comments.Jun 5 2020, 12:05 PM
llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
1859

Something like:

if (ELF) {
  for (char C : Section) {
    if (!((C >= 'A' && C <= 'Z') || (C >= 'a' && C <= 'a') || (C >= '0' && C <= '9') || C == '_')))
      return false;
  }
}
lebedev.ri resigned from this revision.Jun 12 2020, 5:29 AM
mgorny updated this revision to Diff 270713.Jun 15 2020, 3:58 AM
mgorny retitled this revision from [asan] Stop instrumenting NetBSD-specific link_set sections to [asan] Stop instrumenting user-defined ELF sections.
mgorny edited the summary of this revision. (Show Details)

Is this what you had in mind? I'm sorry it took me this long to get to it again.

glider added a subscriber: glider.Jun 16 2020, 12:47 AM
glider added inline comments.
llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
1887

Drive-by comment: if we don't instrument sections with names resembling valid C identifiers, then there should be a test checking that we instrument a section with a name that's an invalid identifier.

vitalybuka resigned from this revision.Jul 6 2020, 9:45 PM
kcc added a comment.Jul 7 2020, 6:49 PM

can we instead slap an attribute on these special variables?

mgorny added a comment.Jul 7 2020, 11:24 PM
In D76665#2138050, @kcc wrote:

can we instead slap an attribute on these special variables?

Could you explain, please?

kcc added a comment.Jul 8 2020, 2:53 PM

Will adding attribute((no_sanitize("address"))) to your global solve the problem you are trying to solve?
(sorry for being too terse last time)

krytarowski added a comment.EditedJul 20 2020, 5:48 AM
In D76665#2140245, @kcc wrote:

Will adding attribute((no_sanitize("address"))) to your global solve the problem you are trying to solve?
(sorry for being too terse last time)

It does not work (last time I checked).

Also GCC does the same thing of not instrumenting user defined sections.

mgorny updated this revision to Diff 279277.Jul 20 2020, 9:25 AM

Here's a version with the extra test.

krytarowski added a comment.Jul 20 2020, 12:14 PM

@glider + @pcc please have a look!

krytarowski added a comment.Aug 6 2020, 4:38 AM

Ping?

krytarowski added a comment.Aug 25 2020, 12:25 PM

Ping?

lebedev.ri added a subscriber: lebedev.ri.Aug 25 2020, 12:26 PM
In D76665#2161919, @krytarowski wrote:
In D76665#2140245, @kcc wrote:

Will adding attribute((no_sanitize("address"))) to your global solve the problem you are trying to solve?
(sorry for being too terse last time)

It does not work (last time I checked).

Does not work how?

Also GCC does the same thing of not instrumenting user defined sections.

krytarowski added a comment.EditedSep 5 2020, 12:57 PM
In D76665#2237050, @lebedev.ri wrote:
In D76665#2161919, @krytarowski wrote:
In D76665#2140245, @kcc wrote:

Will adding attribute((no_sanitize("address"))) to your global solve the problem you are trying to solve?
(sorry for being too terse last time)

It does not work (last time I checked).

Does not work how?

Also GCC does the same thing of not instrumenting user defined sections.

I cannot get a user defined section uninstrumented without the proposed patch. Elements in such sections are not in consecutive order. This is a known problem and fixed by GCC in a similar way to this patch here.

Also reading the context of this patch, some other platforms have faced the same problem.

krytarowski accepted this revision.Oct 2 2020, 8:23 AM
This revision is now accepted and ready to land.Oct 2 2020, 8:23 AM
krytarowski added a comment.Oct 2 2020, 8:24 AM

Confirmed to work.

Closed by commit rG66e493f81e8e: [asan] Stop instrumenting user-defined ELF sections (authored by mgorny). · Explain WhyOct 3 2020, 10:55 AM
This revision was automatically updated to reflect the committed changes.
mgorny added a commit: rG66e493f81e8e: [asan] Stop instrumenting user-defined ELF sections.

Revision Contents

PathSize
llvm/
lib/
Transforms/
Instrumentation/
8 lines
test/
Instrumentation/
AddressSanitizer/
14 lines
17 lines

Diff 295988

llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp

Show First 20 LinesShow All 1,850 Lines▼ Show 20 Linesbool ModuleAddressSanitizer::shouldInstrumentGlobal(GlobalVariable *G) const {
// semantics: no duplicates, any, or exact match. // semantics: no duplicates, any, or exact match.
if (Comdat *C = G->getComdat()) { if (Comdat *C = G->getComdat()) {
switch (C->getSelectionKind()) { switch (C->getSelectionKind()) {
case Comdat::Any: case Comdat::Any:
case Comdat::ExactMatch: case Comdat::ExactMatch:
case Comdat::NoDuplicates: case Comdat::NoDuplicates:
break; break;
case Comdat::Largest: case Comdat::Largest:
case Comdat::SameSize: case Comdat::SameSize:
pccUnsubmitted
Not Done
ReplyInline Actions

What do the names of these sections look like? From the test I presume that they have C identifier names and are enumerated via __start_/__stop_. In that case we should exclude all C identifier named sections from instrumentation (not just link_set*) in order to fix similar bugs involving those sections.

pcc: What do the names of these sections look like? From the test I presume that they have C…
mgornyAuthorUnsubmitted
Done
ReplyInline Actions

They are created via the following macro:

#define	__link_set_make_entry(set, sym)					\
	static void const * const __link_set_##set##_sym_##sym		\
	    __section("link_set_" #set) __used = (const void *)&sym

So the link_set_ name is enforced on our end. Of course, people can do any crazy things they like, so can't tell if anyone else has a similar use case.

mgorny: They are created via the following macro: ``` #define __link_set_make_entry(set, sym) \…
krytarowskiUnsubmitted
Not Done
ReplyInline Actions

@pcc can you suggest how to implement a generalized version of this patch that disables instrumentation of user-defined sections?

krytarowski: @pcc can you suggest how to implement a generalized version of this patch that disables…
pccUnsubmitted
Not Done
ReplyInline Actions

Something like:

if (ELF) {
  for (char C : Section) {
    if (!((C >= 'A' && C <= 'Z') || (C >= 'a' && C <= 'a') || (C >= '0' && C <= '9') || C == '_')))
      return false;
  }
}
pcc: Something like: ``` if (ELF) { for (char C : Section) { if (!((C >= 'A' && C <= 'Z') ||…
return false; return false;
} }
} }
if (G->hasSection()) { if (G->hasSection()) {
// The kernel uses explicit sections for mostly special global variables // The kernel uses explicit sections for mostly special global variables
// that we should not instrument. E.g. the kernel may rely on their layout // that we should not instrument. E.g. the kernel may rely on their layout
// without redzones, or remove them at link time ("discard.*"), etc. // without redzones, or remove them at link time ("discard.*"), etc.
Show All 10 Lines if (G->hasSection()) {
// Do not instrument function pointers to initialization and termination // Do not instrument function pointers to initialization and termination
// routines: dynamic linker will not properly handle redzones. // routines: dynamic linker will not properly handle redzones.
if (Section.startswith(".preinit_array") || if (Section.startswith(".preinit_array") ||
Section.startswith(".init_array") || Section.startswith(".init_array") ||
Section.startswith(".fini_array")) { Section.startswith(".fini_array")) {
return false; return false;
} }
// Do not instrument user-defined sections (with names resembling
// valid C identifiers)
gliderUnsubmitted
Not Done
ReplyInline Actions

Drive-by comment: if we don't instrument sections with names resembling valid C identifiers, then there should be a test checking that we instrument a section with a name that's an invalid identifier.

glider: Drive-by comment: if we don't instrument sections with names resembling valid C identifiers…
if (TargetTriple.isOSBinFormatELF()) {
if (std::all_of(Section.begin(), Section.end(),
[](char c) { return llvm::isAlnum(c) || c == '_'; }))
return false;
}
// On COFF, if the section name contains '$', it is highly likely that the // On COFF, if the section name contains '$', it is highly likely that the
// user is using section sorting to create an array of globals similar to // user is using section sorting to create an array of globals similar to
// the way initialization callbacks are registered in .init_array and // the way initialization callbacks are registered in .init_array and
// .CRT$XCU. The ATL also registers things in .ATL$__[azm]. Adding redzones // .CRT$XCU. The ATL also registers things in .ATL$__[azm]. Adding redzones
// to such globals is counterproductive, because the intent is that they // to such globals is counterproductive, because the intent is that they
// will form an array, and out-of-bounds accesses are expected. // will form an array, and out-of-bounds accesses are expected.
// See https://github.com/google/sanitizers/issues/305 // See https://github.com/google/sanitizers/issues/305
// and http://msdn.microsoft.com/en-US/en-en/library/bb918180(v=vs.120).aspx // and http://msdn.microsoft.com/en-US/en-en/library/bb918180(v=vs.120).aspx
▲ Show 20 LinesShow All 1,578 LinesShow Last 20 Lines

llvm/test/Instrumentation/AddressSanitizer/do-not-instrument-netbsd-link_set.ll

  • This file was added.
; This test checks that NetBSD link_set array elements remain consecutive.
; RUN: opt < %s -asan -asan-module -S | FileCheck %s
target datalayout = "e-m:e-i64:64-f80:128-n8:16:32:64-S128"
target triple = "x86_64-unknown-netbsd"
module asm ".hidden __stop_link_set_test_set"
@data1 = dso_local global i32 1, align 4
@data2 = dso_local global i32 2, align 4
@__link_set_test_set_sym_data1 = internal constant i8* bitcast (i32* @data1 to i8*), section "link_set_test_set", align 8
@__link_set_test_set_sym_data2 = internal constant i8* bitcast (i32* @data2 to i8*), section "link_set_test_set", align 8
; CHECK: @__link_set_test_set_sym_data1 = internal constant i8*{{.*}}, section "link_set_test_set"
; CHECK-NEXT: @__link_set_test_set_sym_data2 = internal constant i8*{{.*}}, section "link_set_test_set"

llvm/test/Instrumentation/AddressSanitizer/instrument-section-invalid-c-ident.ll

  • This file was added.
; This test checks that sections with names not resembling valid C identifiers
; are instrumented.
; RUN: opt < %s -asan -asan-module -S | FileCheck %s
target datalayout = "e-m:e-i64:64-f80:128-n8:16:32:64-S128"
target triple = "x86_64-unknown-netbsd"
module asm ".hidden invalid$c$name"
@data1 = dso_local global i32 1, align 4
@data2 = dso_local global i32 2, align 4
@__invalid$c$name_sym_data1 = internal constant i8* bitcast (i32* @data1 to i8*), section "invalid$c$name", align 8
@__invalid$c$name_sym_data2 = internal constant i8* bitcast (i32* @data2 to i8*), section "invalid$c$name", align 8
; CHECK: @"__invalid$c$name_sym_data1" = internal constant{{.*}}, section "invalid$c$name", comdat
; CHECK-NEXT: @"__invalid$c$name_sym_data2" = internal constant{{.*}}, section "invalid$c$name", comdat
; CHECK: @"__asan_global___invalid$c$name_sym_data1"
; CHECK-NEXT: @"__asan_global___invalid$c$name_sym_data2"