This is an archive of the discontinued LLVM Phabricator instance.

Differential D76722

[GWP-ASan] Only pack frames that are stored.
ClosedPublic

Authored by hctim on Mar 24 2020, 12:21 PM.

Details

Reviewers
eugenis
Commits
rGa4e8d89704d2: [GWP-ASan] Only pack frames that are stored.
Summary

Backtrace() returns the number of frames that are *available*, rather
than the number of frames stored. When we pack, we supply the number of
frames we have stored. The number of available frames can exceed the
number of stored frames, leading to stack OOB read.

Fix up this problem.

Diff Detail

Event Timeline

hctim created this revision.Mar 24 2020, 12:21 PM
Herald added a project: Restricted Project. · View Herald TranscriptMar 24 2020, 12:21 PM
Herald added a subscriber: Restricted Project. · View Herald Transcript
Harbormaster failed remote builds in B50292: Diff 252392!Mar 24 2020, 12:54 PM
hctim updated this revision to Diff 252420.Mar 24 2020, 1:56 PM

Add a test to catch the old behaviour.

hctim updated this revision to Diff 252421.Mar 24 2020, 1:58 PM

Don't know where the code changes went, let's try this!

eugenis accepted this revision.Mar 24 2020, 2:04 PM

LGTM

This revision is now accepted and ready to land.Mar 24 2020, 2:04 PM
Harbormaster failed remote builds in B50307: Diff 252420!Mar 24 2020, 2:34 PM
Harbormaster failed remote builds in B50308: Diff 252421!
Closed by commit rGa4e8d89704d2: [GWP-ASan] Only pack frames that are stored. (authored by hctim). · Explain WhyMar 24 2020, 3:06 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
compiler-rt/
lib/
gwp_asan/
5 lines
tests/
37 lines

Diff 252437

compiler-rt/lib/gwp_asan/common.cpp

Show First 20 LinesShow All 53 Lines▼ Show 20 Linesvoid AllocationMetadata::CallSiteInfo::RecordBacktrace(
options::Backtrace_t Backtrace) { options::Backtrace_t Backtrace) {
TraceSize = 0; TraceSize = 0;
if (!Backtrace) if (!Backtrace)
return; return;
uintptr_t UncompressedBuffer[kMaxTraceLengthToCollect]; uintptr_t UncompressedBuffer[kMaxTraceLengthToCollect];
size_t BacktraceLength = size_t BacktraceLength =
Backtrace(UncompressedBuffer, kMaxTraceLengthToCollect); Backtrace(UncompressedBuffer, kMaxTraceLengthToCollect);
// Backtrace() returns the number of available frames, which may be greater
// than the number of frames in the buffer. In this case, we need to only pack
// the number of frames that are in the buffer.
if (BacktraceLength > kMaxTraceLengthToCollect)
BacktraceLength = kMaxTraceLengthToCollect;
TraceSize = TraceSize =
compression::pack(UncompressedBuffer, BacktraceLength, CompressedTrace, compression::pack(UncompressedBuffer, BacktraceLength, CompressedTrace,
AllocationMetadata::kStackFrameStorageBytes); AllocationMetadata::kStackFrameStorageBytes);
} }
size_t AllocatorState::maximumAllocationSize() const { return PageSize; } size_t AllocatorState::maximumAllocationSize() const { return PageSize; }
uintptr_t AllocatorState::slotToAddr(size_t N) const { uintptr_t AllocatorState::slotToAddr(size_t N) const {
Show All 31 Lines

compiler-rt/lib/gwp_asan/tests/backtrace.cpp

//===-- backtrace.cpp -------------------------------------------*- C++ -*-===// //===-- backtrace.cpp -------------------------------------------*- C++ -*-===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include <string> #include <string>
#include "gwp_asan/crash_handler.h"
#include "gwp_asan/tests/harness.h" #include "gwp_asan/tests/harness.h"
TEST_F(BacktraceGuardedPoolAllocator, DoubleFree) { TEST_F(BacktraceGuardedPoolAllocator, DoubleFree) {
void *Ptr = GPA.allocate(1); void *Ptr = GPA.allocate(1);
GPA.deallocate(Ptr); GPA.deallocate(Ptr);
std::string DeathRegex = "Double Free.*"; std::string DeathRegex = "Double Free.*";
DeathRegex.append("backtrace\\.cpp:25.*"); DeathRegex.append("backtrace\\.cpp:26.*");
DeathRegex.append("was deallocated.*"); DeathRegex.append("was deallocated.*");
DeathRegex.append("backtrace\\.cpp:15.*"); DeathRegex.append("backtrace\\.cpp:16.*");
DeathRegex.append("was allocated.*"); DeathRegex.append("was allocated.*");
DeathRegex.append("backtrace\\.cpp:14.*"); DeathRegex.append("backtrace\\.cpp:15.*");
ASSERT_DEATH(GPA.deallocate(Ptr), DeathRegex); ASSERT_DEATH(GPA.deallocate(Ptr), DeathRegex);
} }
TEST_F(BacktraceGuardedPoolAllocator, UseAfterFree) { TEST_F(BacktraceGuardedPoolAllocator, UseAfterFree) {
char *Ptr = static_cast<char *>(GPA.allocate(1)); char *Ptr = static_cast<char *>(GPA.allocate(1));
GPA.deallocate(Ptr); GPA.deallocate(Ptr);
std::string DeathRegex = "Use After Free.*"; std::string DeathRegex = "Use After Free.*";
DeathRegex.append("backtrace\\.cpp:40.*"); DeathRegex.append("backtrace\\.cpp:41.*");
DeathRegex.append("was deallocated.*"); DeathRegex.append("was deallocated.*");
DeathRegex.append("backtrace\\.cpp:30.*"); DeathRegex.append("backtrace\\.cpp:31.*");
DeathRegex.append("was allocated.*"); DeathRegex.append("was allocated.*");
DeathRegex.append("backtrace\\.cpp:29.*"); DeathRegex.append("backtrace\\.cpp:30.*");
ASSERT_DEATH({ *Ptr = 7; }, DeathRegex); ASSERT_DEATH({ *Ptr = 7; }, DeathRegex);
} }
TEST(Backtrace, Short) {
gwp_asan::AllocationMetadata Meta;
Meta.AllocationTrace.RecordBacktrace(
[](uintptr_t *TraceBuffer, size_t /* Size */) -> size_t {
TraceBuffer[0] = 123u;
TraceBuffer[1] = 321u;
return 2u;
});
uintptr_t TraceOutput[2] = {};
EXPECT_EQ(2u, __gwp_asan_get_allocation_trace(&Meta, TraceOutput, 2));
EXPECT_EQ(TraceOutput[0], 123u);
EXPECT_EQ(TraceOutput[1], 321u);
}
TEST(Backtrace, ExceedsStorableLength) {
gwp_asan::AllocationMetadata Meta;
Meta.AllocationTrace.RecordBacktrace(
[](uintptr_t * /* TraceBuffer */, size_t /* Size */) -> size_t {
return SIZE_MAX; // Wow, that's big!
});
uintptr_t TraceOutput;
EXPECT_EQ(1u, __gwp_asan_get_allocation_trace(&Meta, &TraceOutput, 1));
}