This is an archive of the discontinued LLVM Phabricator instance.

Differential D79133

[scudo] Zero- and pattern-initialization of memory.
ClosedPublic

Authored by eugenis on Apr 29 2020, 2:55 PM.

Details

Reviewers
pcc
cryptoad
Commits
rG45b7d44ecb01: [scudo] Zero- and pattern-initialization of memory.
Summary

Implement pattern initialization of memory (excluding the secondary
allocator because it already has predictable memory contents).
Expose both zero and pattern initialization through the C API.

Diff Detail

Event Timeline

eugenis created this revision.Apr 29 2020, 2:55 PM
Herald added a project: Restricted Project. · View Herald TranscriptApr 29 2020, 2:55 PM
Herald added a subscriber: Restricted Project. · View Herald Transcript
Harbormaster failed remote builds in B55202: Diff 261050!Apr 29 2020, 3:41 PM
eugenis updated this revision to Diff 261100.Apr 29 2020, 5:10 PM

.

Harbormaster failed remote builds in B55235: Diff 261100!Apr 29 2020, 5:52 PM
cryptoad added a comment.Apr 30 2020, 8:36 AM

What should be the behavior of calloc with pattern_fill_contents, should it still be 0 or the pattern?

glider added a subscriber: glider.Apr 30 2020, 8:44 AM

Out of curiosity, is there any reason to have pattern initialization for heap?
As security researchers note (see the discussion of stack initialization on cfe-dev), zero-initialization has a smaller probability of making existing bugs exploitable.
On the other hand, there is no downside in making the heap zero-initialized, as library features do not introduce language dialects.

glider added a comment.Apr 30 2020, 9:13 AM

Re: calloc behavior, it probably should not return patter-initialized memory even if pattern initialization is enabled.
A lot of code depend on calloc returning zeroes.

compiler-rt/lib/scudo/standalone/combined.h
401–402

Please make this 0xAB a constant.

eugenis updated this revision to Diff 261321.Apr 30 2020, 12:43 PM

named constant for 0xAB

eugenis marked an inline comment as done.Apr 30 2020, 12:58 PM

Pattern initialization for heap can be used as a "poor man's MSan".
Also, it absolutely introduces a language dialect, as in certain code will now reliably work that did not work before. I think security considerations trump that in this case, but it's good to have pattern init as an option, at lease.

I agree on calloc, zeroing memory is in the function's contract.

Harbormaster failed remote builds in B55352: Diff 261321!Apr 30 2020, 2:00 PM
cryptoad accepted this revision.Apr 30 2020, 2:29 PM
cryptoad added inline comments.
compiler-rt/lib/scudo/standalone/tests/combined_test.cpp
140

s/PatterOrZeroFill/PatternOrZeroFill/

This revision is now accepted and ready to land.Apr 30 2020, 2:29 PM
eugenis updated this revision to Diff 261359.Apr 30 2020, 2:44 PM

fix a typo in a comment

eugenis marked an inline comment as done.Apr 30 2020, 2:44 PM
Closed by commit rG45b7d44ecb01: [scudo] Zero- and pattern-initialization of memory. (authored by eugenis). · Explain WhyApr 30 2020, 3:08 PM
This revision was automatically updated to reflect the committed changes.
Harbormaster failed remote builds in B55373: Diff 261359!Apr 30 2020, 3:08 PM

Revision Contents

PathSize
compiler-rt/
lib/
scudo/
standalone/
22 lines
9 lines
3 lines
10 lines
tests/
39 lines
15 lines

Diff 261372

compiler-rt/lib/scudo/standalone/combined.h

Show First 20 LinesShow All 141 Lines▼ Show 20 Lines if (UNLIKELY(!getRandom(&Cookie, sizeof(Cookie))))
Cookie = static_cast<u32>(getMonotonicTime() ^ Cookie = static_cast<u32>(getMonotonicTime() ^
(reinterpret_cast<uptr>(this) >> 4)); (reinterpret_cast<uptr>(this) >> 4));
initFlags(); initFlags();
reportUnrecognizedFlags(); reportUnrecognizedFlags();
// Store some flags locally. // Store some flags locally.
Options.MayReturnNull = getFlags()->may_return_null; Options.MayReturnNull = getFlags()->may_return_null;
Options.ZeroContents = getFlags()->zero_contents; Options.FillContents =
getFlags()->zero_contents
? ZeroFill
: (getFlags()->pattern_fill_contents ? PatternOrZeroFill : NoFill);
Options.DeallocTypeMismatch = getFlags()->dealloc_type_mismatch; Options.DeallocTypeMismatch = getFlags()->dealloc_type_mismatch;
Options.DeleteSizeMismatch = getFlags()->delete_size_mismatch; Options.DeleteSizeMismatch = getFlags()->delete_size_mismatch;
Options.TrackAllocationStacks = false; Options.TrackAllocationStacks = false;
Options.QuarantineMaxChunkSize = Options.QuarantineMaxChunkSize =
static_cast<u32>(getFlags()->quarantine_max_chunk_size); static_cast<u32>(getFlags()->quarantine_max_chunk_size);
Stats.initLinkerInitialized(); Stats.initLinkerInitialized();
const s32 ReleaseToOsIntervalMs = getFlags()->release_to_os_interval_ms; const s32 ReleaseToOsIntervalMs = getFlags()->release_to_os_interval_ms;
▲ Show 20 LinesShow All 92 Lines▼ Show 20 Lines
#ifdef GWP_ASAN_HOOKS #ifdef GWP_ASAN_HOOKS
if (UNLIKELY(GuardedAlloc.shouldSample())) { if (UNLIKELY(GuardedAlloc.shouldSample())) {
if (void *Ptr = GuardedAlloc.allocate(roundUpTo(Size, Alignment))) if (void *Ptr = GuardedAlloc.allocate(roundUpTo(Size, Alignment)))
return Ptr; return Ptr;
} }
#endif // GWP_ASAN_HOOKS #endif // GWP_ASAN_HOOKS
ZeroContents |= static_cast<bool>(Options.ZeroContents); FillContentsMode FillContents =
ZeroContents ? ZeroFill : Options.FillContents;
if (UNLIKELY(Alignment > MaxAlignment)) { if (UNLIKELY(Alignment > MaxAlignment)) {
if (Options.MayReturnNull) if (Options.MayReturnNull)
return nullptr; return nullptr;
reportAlignmentTooBig(Alignment, MaxAlignment); reportAlignmentTooBig(Alignment, MaxAlignment);
} }
if (Alignment < MinAlignment) if (Alignment < MinAlignment)
Alignment = MinAlignment; Alignment = MinAlignment;
Show All 36 Lines if (LIKELY(PrimaryT::canAllocate(NeededSize))) {
else else
ClassId = 0; ClassId = 0;
} }
if (UnlockRequired) if (UnlockRequired)
TSD->unlock(); TSD->unlock();
} }
if (UNLIKELY(ClassId == 0)) if (UNLIKELY(ClassId == 0))
Block = Secondary.allocate(NeededSize, Alignment, &SecondaryBlockEnd, Block = Secondary.allocate(NeededSize, Alignment, &SecondaryBlockEnd,
ZeroContents); FillContents);
if (UNLIKELY(!Block)) { if (UNLIKELY(!Block)) {
if (Options.MayReturnNull) if (Options.MayReturnNull)
return nullptr; return nullptr;
reportOutOfMemory(NeededSize); reportOutOfMemory(NeededSize);
} }
const uptr BlockUptr = reinterpret_cast<uptr>(Block); const uptr BlockUptr = reinterpret_cast<uptr>(Block);
▲ Show 20 LinesShow All 65 Lines▼ Show 20 Lines if (ClassId) {
// Clear any stack metadata that may have previously been stored in // Clear any stack metadata that may have previously been stored in
// the chunk data. // the chunk data.
memset(TaggedPtr, 0, archMemoryTagGranuleSize()); memset(TaggedPtr, 0, archMemoryTagGranuleSize());
} }
} else { } else {
TaggedPtr = prepareTaggedChunk(Ptr, Size, BlockEnd); TaggedPtr = prepareTaggedChunk(Ptr, Size, BlockEnd);
} }
storeAllocationStackMaybe(Ptr); storeAllocationStackMaybe(Ptr);
} else if (UNLIKELY(ZeroContents)) { } else if (UNLIKELY(FillContents != NoFill)) {
// This condition is not necessarily unlikely, but since memset is // This condition is not necessarily unlikely, but since memset is
// costly, we might as well mark it as such. // costly, we might as well mark it as such.
memset(Block, 0, PrimaryT::getSizeByClassId(ClassId)); memset(Block, FillContents == ZeroFill ? 0 : PatternFillByte,
PrimaryT::getSizeByClassId(ClassId));
gliderUnsubmitted
Done
ReplyInline Actions

Please make this 0xAB a constant.

glider: Please make this 0xAB a constant.
} }
} }
Chunk::UnpackedHeader Header = {}; Chunk::UnpackedHeader Header = {};
if (UNLIKELY(UnalignedUserPtr != UserPtr)) { if (UNLIKELY(UnalignedUserPtr != UserPtr)) {
const uptr Offset = UserPtr - UnalignedUserPtr; const uptr Offset = UserPtr - UnalignedUserPtr;
DCHECK_GE(Offset, 2 * sizeof(u32)); DCHECK_GE(Offset, 2 * sizeof(u32));
// The BlockMarker has no security purpose, but is specifically meant for // The BlockMarker has no security purpose, but is specifically meant for
▲ Show 20 LinesShow All 314 Lines▼ Show 20 Lines#endif // GWP_ASAN_HOOKS
void disableMemoryTagging() { Primary.disableMemoryTagging(); } void disableMemoryTagging() { Primary.disableMemoryTagging(); }
void setTrackAllocationStacks(bool Track) { void setTrackAllocationStacks(bool Track) {
initThreadMaybe(); initThreadMaybe();
Options.TrackAllocationStacks = Track; Options.TrackAllocationStacks = Track;
} }
void setFillContents(FillContentsMode FillContents) {
initThreadMaybe();
Options.FillContents = FillContents;
}
const char *getStackDepotAddress() const { const char *getStackDepotAddress() const {
return reinterpret_cast<const char *>(&Depot); return reinterpret_cast<const char *>(&Depot);
} }
const char *getRegionInfoArrayAddress() const { const char *getRegionInfoArrayAddress() const {
return Primary.getRegionInfoArrayAddress(); return Primary.getRegionInfoArrayAddress();
} }
▲ Show 20 LinesShow All 158 Lines▼ Show 20 Linesprivate:
PrimaryT Primary; PrimaryT Primary;
SecondaryT Secondary; SecondaryT Secondary;
QuarantineT Quarantine; QuarantineT Quarantine;
u32 Cookie; u32 Cookie;
struct { struct {
u8 MayReturnNull : 1; // may_return_null u8 MayReturnNull : 1; // may_return_null
u8 ZeroContents : 1; // zero_contents FillContentsMode FillContents : 2; // zero_contents, pattern_fill_contents
u8 DeallocTypeMismatch : 1; // dealloc_type_mismatch u8 DeallocTypeMismatch : 1; // dealloc_type_mismatch
u8 DeleteSizeMismatch : 1; // delete_size_mismatch u8 DeleteSizeMismatch : 1; // delete_size_mismatch
u8 TrackAllocationStacks : 1; u8 TrackAllocationStacks : 1;
u32 QuarantineMaxChunkSize; // quarantine_max_chunk_size u32 QuarantineMaxChunkSize; // quarantine_max_chunk_size
} Options; } Options;
#ifdef GWP_ASAN_HOOKS #ifdef GWP_ASAN_HOOKS
gwp_asan::GuardedPoolAllocator GuardedAlloc; gwp_asan::GuardedPoolAllocator GuardedAlloc;
▲ Show 20 LinesShow All 146 LinesShow Last 20 Lines

compiler-rt/lib/scudo/standalone/common.h

Show First 20 LinesShow All 176 Lines▼ Show 20 Lines
struct BlockInfo { struct BlockInfo {
uptr BlockBegin; uptr BlockBegin;
uptr BlockSize; uptr BlockSize;
uptr RegionBegin; uptr RegionBegin;
uptr RegionEnd; uptr RegionEnd;
}; };
constexpr unsigned char PatternFillByte = 0xAB;
enum FillContentsMode {
NoFill = 0,
ZeroFill = 1,
PatternOrZeroFill = 2 // Pattern fill unless the memory is known to be
// zero-initialized already.
};
} // namespace scudo } // namespace scudo
#endif // SCUDO_COMMON_H_ #endif // SCUDO_COMMON_H_

compiler-rt/lib/scudo/standalone/flags.inc

Show All 28 LinesSCUDO_FLAG(bool, dealloc_type_mismatch, false,
"eg: malloc/delete, new/free, new/delete[], etc.") "eg: malloc/delete, new/free, new/delete[], etc.")
SCUDO_FLAG(bool, delete_size_mismatch, true, SCUDO_FLAG(bool, delete_size_mismatch, true,
"Terminate on a size mismatch between a sized-delete and the actual " "Terminate on a size mismatch between a sized-delete and the actual "
"size of a chunk (as provided to new/new[]).") "size of a chunk (as provided to new/new[]).")
SCUDO_FLAG(bool, zero_contents, false, "Zero chunk contents on allocation.") SCUDO_FLAG(bool, zero_contents, false, "Zero chunk contents on allocation.")
SCUDO_FLAG(bool, pattern_fill_contents, false,
"Pattern fill chunk contents on allocation.")
SCUDO_FLAG(int, rss_limit_mb, -1, SCUDO_FLAG(int, rss_limit_mb, -1,
"Enforce an upper limit (in megabytes) to the process RSS. The " "Enforce an upper limit (in megabytes) to the process RSS. The "
"allocator will terminate or return NULL when allocations are " "allocator will terminate or return NULL when allocations are "
"attempted past that limit (depending on may_return_null). Negative " "attempted past that limit (depending on may_return_null). Negative "
"values disable the feature.") "values disable the feature.")
SCUDO_FLAG(bool, may_return_null, true, SCUDO_FLAG(bool, may_return_null, true,
"Indicate whether the allocator should terminate instead of " "Indicate whether the allocator should terminate instead of "
"returning NULL in otherwise non-fatal error scenarios, eg: OOM, " "returning NULL in otherwise non-fatal error scenarios, eg: OOM, "
"invalid allocation alignments, etc.") "invalid allocation alignments, etc.")
SCUDO_FLAG(int, release_to_os_interval_ms, SCUDO_ANDROID ? INT32_MIN : 5000, SCUDO_FLAG(int, release_to_os_interval_ms, SCUDO_ANDROID ? INT32_MIN : 5000,
"Interval (in milliseconds) at which to attempt release of unused " "Interval (in milliseconds) at which to attempt release of unused "
"memory to the OS. Negative values disable the feature.") "memory to the OS. Negative values disable the feature.")

compiler-rt/lib/scudo/standalone/secondary.h

Show First 20 LinesShow All 230 Lines▼ Show 20 Lines if (LIKELY(S))
S->link(&Stats); S->link(&Stats);
} }
void init(GlobalStats *S, s32 ReleaseToOsInterval = -1) { void init(GlobalStats *S, s32 ReleaseToOsInterval = -1) {
memset(this, 0, sizeof(*this)); memset(this, 0, sizeof(*this));
initLinkerInitialized(S, ReleaseToOsInterval); initLinkerInitialized(S, ReleaseToOsInterval);
} }
void *allocate(uptr Size, uptr AlignmentHint = 0, uptr *BlockEnd = nullptr, void *allocate(uptr Size, uptr AlignmentHint = 0, uptr *BlockEnd = nullptr,
bool ZeroContents = false); FillContentsMode FillContents = NoFill);
void deallocate(void *Ptr); void deallocate(void *Ptr);
static uptr getBlockEnd(void *Ptr) { static uptr getBlockEnd(void *Ptr) {
return LargeBlock::getHeader(Ptr)->BlockEnd; return LargeBlock::getHeader(Ptr)->BlockEnd;
} }
static uptr getBlockSize(void *Ptr) { static uptr getBlockSize(void *Ptr) {
▲ Show 20 LinesShow All 46 Lines▼ Show 20 Lines
// an allocation from the Secondary with a large alignment would end up wasting // an allocation from the Secondary with a large alignment would end up wasting
// VA space (even though we are not committing the whole thing), hence the need // VA space (even though we are not committing the whole thing), hence the need
// to trim off some of the reserved space. // to trim off some of the reserved space.
// For allocations requested with an alignment greater than or equal to a page, // For allocations requested with an alignment greater than or equal to a page,
// the committed memory will amount to something close to Size - AlignmentHint // the committed memory will amount to something close to Size - AlignmentHint
// (pending rounding and headers). // (pending rounding and headers).
template <class CacheT> template <class CacheT>
void *MapAllocator<CacheT>::allocate(uptr Size, uptr AlignmentHint, void *MapAllocator<CacheT>::allocate(uptr Size, uptr AlignmentHint,
uptr *BlockEnd, bool ZeroContents) { uptr *BlockEnd,
FillContentsMode FillContents) {
DCHECK_GE(Size, AlignmentHint); DCHECK_GE(Size, AlignmentHint);
const uptr PageSize = getPageSizeCached(); const uptr PageSize = getPageSizeCached();
const uptr RoundedSize = const uptr RoundedSize =
roundUpTo(Size + LargeBlock::getHeaderSize(), PageSize); roundUpTo(Size + LargeBlock::getHeaderSize(), PageSize);
if (AlignmentHint < PageSize && CacheT::canCache(RoundedSize)) { if (AlignmentHint < PageSize && CacheT::canCache(RoundedSize)) {
LargeBlock::Header *H; LargeBlock::Header *H;
if (Cache.retrieve(RoundedSize, &H)) { if (Cache.retrieve(RoundedSize, &H)) {
if (BlockEnd) if (BlockEnd)
*BlockEnd = H->BlockEnd; *BlockEnd = H->BlockEnd;
void *Ptr = reinterpret_cast<void *>(reinterpret_cast<uptr>(H) + void *Ptr = reinterpret_cast<void *>(reinterpret_cast<uptr>(H) +
LargeBlock::getHeaderSize()); LargeBlock::getHeaderSize());
if (ZeroContents) if (FillContents)
memset(Ptr, 0, H->BlockEnd - reinterpret_cast<uptr>(Ptr)); memset(Ptr, FillContents == ZeroFill ? 0 : PatternFillByte,
H->BlockEnd - reinterpret_cast<uptr>(Ptr));
const uptr BlockSize = H->BlockEnd - reinterpret_cast<uptr>(H); const uptr BlockSize = H->BlockEnd - reinterpret_cast<uptr>(H);
{ {
ScopedLock L(Mutex); ScopedLock L(Mutex);
InUseBlocks.push_back(H); InUseBlocks.push_back(H);
AllocatedBytes += BlockSize; AllocatedBytes += BlockSize;
NumberOfAllocs++; NumberOfAllocs++;
Stats.add(StatAllocated, BlockSize); Stats.add(StatAllocated, BlockSize);
Stats.add(StatMapped, H->MapSize); Stats.add(StatMapped, H->MapSize);
▲ Show 20 LinesShow All 97 LinesShow Last 20 Lines

compiler-rt/lib/scudo/standalone/tests/combined_test.cpp

Show First 20 LinesShow All 109 Lines▼ Show 20 Linestemplate <class Config> static void testAllocator() {
// Ensure that specifying ZeroContents returns a zero'd out block. // Ensure that specifying ZeroContents returns a zero'd out block.
for (scudo::uptr SizeLog = 0U; SizeLog <= 20U; SizeLog++) { for (scudo::uptr SizeLog = 0U; SizeLog <= 20U; SizeLog++) {
for (scudo::uptr Delta = 0U; Delta <= 4U; Delta++) { for (scudo::uptr Delta = 0U; Delta <= 4U; Delta++) {
const scudo::uptr Size = (1U << SizeLog) + Delta * 128U; const scudo::uptr Size = (1U << SizeLog) + Delta * 128U;
void *P = Allocator->allocate(Size, Origin, 1U << MinAlignLog, true); void *P = Allocator->allocate(Size, Origin, 1U << MinAlignLog, true);
EXPECT_NE(P, nullptr); EXPECT_NE(P, nullptr);
for (scudo::uptr I = 0; I < Size; I++) for (scudo::uptr I = 0; I < Size; I++)
EXPECT_EQ((reinterpret_cast<char *>(P))[I], 0); ASSERT_EQ((reinterpret_cast<char *>(P))[I], 0);
memset(P, 0xaa, Size);
Allocator->deallocate(P, Origin, Size);
}
}
Allocator->releaseToOS();
// Ensure that specifying ZeroContents returns a zero'd out block.
Allocator->setFillContents(scudo::ZeroFill);
for (scudo::uptr SizeLog = 0U; SizeLog <= 20U; SizeLog++) {
for (scudo::uptr Delta = 0U; Delta <= 4U; Delta++) {
const scudo::uptr Size = (1U << SizeLog) + Delta * 128U;
void *P = Allocator->allocate(Size, Origin, 1U << MinAlignLog, false);
EXPECT_NE(P, nullptr);
for (scudo::uptr I = 0; I < Size; I++)
ASSERT_EQ((reinterpret_cast<char *>(P))[I], 0);
memset(P, 0xaa, Size);
Allocator->deallocate(P, Origin, Size);
}
}
Allocator->releaseToOS();
// Ensure that specifying PatternOrZeroFill returns a pattern-filled block in
cryptoadUnsubmitted
Done
ReplyInline Actions

s/PatterOrZeroFill/PatternOrZeroFill/

cryptoad: s/PatterOrZeroFill/PatternOrZeroFill/
// the primary allocator, and either pattern or zero filled block in the
// secondary.
Allocator->setFillContents(scudo::PatternOrZeroFill);
for (scudo::uptr SizeLog = 0U; SizeLog <= 20U; SizeLog++) {
for (scudo::uptr Delta = 0U; Delta <= 4U; Delta++) {
const scudo::uptr Size = (1U << SizeLog) + Delta * 128U;
void *P = Allocator->allocate(Size, Origin, 1U << MinAlignLog, false);
EXPECT_NE(P, nullptr);
for (scudo::uptr I = 0; I < Size; I++) {
unsigned char V = (reinterpret_cast<unsigned char *>(P))[I];
if (AllocatorT::PrimaryT::canAllocate(Size))
ASSERT_EQ(V, scudo::PatternFillByte);
else
ASSERT_TRUE(V == scudo::PatternFillByte || V == 0);
}
memset(P, 0xaa, Size); memset(P, 0xaa, Size);
Allocator->deallocate(P, Origin, Size); Allocator->deallocate(P, Origin, Size);
} }
} }
Allocator->releaseToOS(); Allocator->releaseToOS();
// Verify that a chunk will end up being reused, at some point. // Verify that a chunk will end up being reused, at some point.
const scudo::uptr NeedleSize = 1024U; const scudo::uptr NeedleSize = 1024U;
▲ Show 20 LinesShow All 327 LinesShow Last 20 Lines

compiler-rt/lib/scudo/standalone/wrappers_c.inc

Show First 20 LinesShow All 222 Lines▼ Show 20 Lines
// and deallocations. This function only has an effect if the allocator and // and deallocations. This function only has an effect if the allocator and
// hardware support memory tagging. The program must be single threaded at the // hardware support memory tagging. The program must be single threaded at the
// point when the function is called. // point when the function is called.
INTERFACE WEAK void INTERFACE WEAK void
SCUDO_PREFIX(malloc_set_track_allocation_stacks)(int track) { SCUDO_PREFIX(malloc_set_track_allocation_stacks)(int track) {
SCUDO_ALLOCATOR.setTrackAllocationStacks(track); SCUDO_ALLOCATOR.setTrackAllocationStacks(track);
} }
// Sets whether scudo zero-initializes all allocated memory. The program must
// be single threaded at the point when the function is called.
INTERFACE WEAK void SCUDO_PREFIX(malloc_set_zero_contents)(int zero_contents) {
SCUDO_ALLOCATOR.setFillContents(zero_contents ? scudo::ZeroFill
: scudo::NoFill);
}
// Sets whether scudo pattern-initializes all allocated memory. The program must
// be single threaded at the point when the function is called.
INTERFACE WEAK void
SCUDO_PREFIX(malloc_set_pattern_fill_contents)(int pattern_fill_contents) {
SCUDO_ALLOCATOR.setFillContents(
pattern_fill_contents ? scudo::PatternOrZeroFill : scudo::NoFill);
}
} // extern "C" } // extern "C"