This is an archive of the discontinued LLVM Phabricator instance.

Differential D80805

[KernelAddressSanitizer] Make globals constructors compatible with kernel
ClosedPublic

Authored by melver on May 29 2020, 8:17 AM.

Details

Reviewers
glider
andreyknvl
Commits
rG866ee2353f7d: [KernelAddressSanitizer] Make globals constructors compatible with kernel
Summary

This makes -fsanitize=kernel-address emit the correct globals
constructors for the kernel. We had to do the following:

  • Disable generation of constructors that rely on linker features such as dead-global elimination.
  • Only emit constructors for globals *not* in explicit sections. The kernel uses sections for special globals, which we should not touch.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203493

Tested:

  1. With 'clang/test/CodeGen/asan-globals.cpp'.
  2. With test_kasan.ko, we can see:

    BUG: KASAN: global-out-of-bounds in kasan_global_oob+0xb3/0xba [test_kasan]

Diff Detail

Event Timeline

melver created this revision.May 29 2020, 8:17 AM
Herald added a project: Restricted Project. · View Herald TranscriptMay 29 2020, 8:17 AM
Herald added subscribers: llvm-commits, hiraditya. · View Herald Transcript
melver edited the summary of this revision. (Show Details)May 29 2020, 8:22 AM
melver updated this revision to Diff 267253.May 29 2020, 8:26 AM

Add missing comment.

glider added a comment.May 29 2020, 8:51 AM

Could you please add an IR test for this?

Harbormaster failed remote builds in B58432: Diff 267250!May 29 2020, 9:13 AM
Harbormaster failed remote builds in B58434: Diff 267253!May 29 2020, 9:46 AM
nickdesaulniers added a subscriber: nickdesaulniers.May 29 2020, 10:16 AM
melver added a comment.May 29 2020, 11:42 AM
In D80805#2063225, @glider wrote:

Could you please add an IR test for this?

Was planning to -- sorry, I should have mentioned: before I go add tests, does this look sane to you?

andreyknvl added a comment.May 29 2020, 12:24 PM

The change looks good to me.

glider added a comment.Jun 2 2020, 5:41 AM
In D80805#2063679, @melver wrote:
In D80805#2063225, @glider wrote:

Could you please add an IR test for this?

Was planning to -- sorry, I should have mentioned: before I go add tests, does this look sane to you?

I thought we didn't have support for __attribute__((constructor)) in the kernel? Does GCC emit constructors for globals with KASAN?

melver added a comment.Jun 2 2020, 10:05 AM
In D80805#2068575, @glider wrote:
In D80805#2063679, @melver wrote:
In D80805#2063225, @glider wrote:

Could you please add an IR test for this?

Was planning to -- sorry, I should have mentioned: before I go add tests, does this look sane to you?

I thought we didn't have support for __attribute__((constructor)) in the kernel? Does GCC emit constructors for globals with KASAN?

I don't think this has much to do with attribute((constructor)), since that's never used explicitly. But implicit constructors are emitted. GCC emits them with KASAN. The disassembled constructors for globals to initialize KASAN with both GCC and Clang are now pretty much identical (apart from symbol names).

The kernel calls them here: https://elixir.bootlin.com/linux/latest/source/init/main.c#L1046

glider added a comment.Jun 2 2020, 10:31 AM

Cool, didn't know that; then the change sure looks reasonable.

melver updated this revision to Diff 268796.Jun 5 2020, 7:39 AM

Update IR test.

Herald added a project: Restricted Project. · View Herald TranscriptJun 5 2020, 7:39 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
melver edited the summary of this revision. (Show Details)Jun 5 2020, 7:40 AM
Harbormaster failed remote builds in B59249: Diff 268796!Jun 5 2020, 8:19 AM
glider accepted this revision.Jun 5 2020, 10:13 AM

LGTM

This revision is now accepted and ready to land.Jun 5 2020, 10:13 AM
Closed by commit rG866ee2353f7d: [KernelAddressSanitizer] Make globals constructors compatible with kernel (authored by melver). · Explain WhyJun 5 2020, 11:46 AM
This revision was automatically updated to reflect the committed changes.
thakis added a subscriber: thakis.Jun 5 2020, 1:25 PM

Hi, this broke check-clang on mac: http://45.33.8.238/mac/14998/step_7.txt

Please take a look, and if it takes a while to fix please revert while you investigate.

nickdesaulniers added inline comments.Jun 5 2020, 1:31 PM
clang/test/CodeGen/asan-globals.cpp
14 ↗(On Diff #268898)

/Users/thakis/src/llvm-project/clang/test/CodeGen/asan-globals.cpp:14:28: error: argument to 'section' attribute is not valid for this target: mach-o section specifier requires a segment and section separated by a comma
int attribute((section(".foo.bar"))) sectioned_global;

^

http://45.33.8.238/mac/14998/step_7.txt

Using an explicit Linux target triple would avoid this.

See also attribute-section-data-common.c for the OSX portable example.

thakis added inline comments.Jun 5 2020, 1:36 PM
clang/test/CodeGen/asan-globals.cpp
14 ↗(On Diff #268898)

Using an explicit Linux target triple would avoid this.

It'd also make the test fewer things, since it currently tests asan on mac (when run on mac).

If the attribute-section-data-common.c approach works here, great. If not, maybe the linux-specific bits could go in a new test file?

Are you planning on fixing the test, or should we revert for now so we can figure things out without the tree being red?

melver added a comment.Jun 5 2020, 2:05 PM
In D80805#2077396, @thakis wrote:

Hi, this broke check-clang on mac: http://45.33.8.238/mac/14998/step_7.txt

Please take a look, and if it takes a while to fix please revert while you investigate.

Sent https://reviews.llvm.org/D81306

Revision Contents

PathSize
llvm/
include/
llvm/
Transforms/
Utils/
2 lines
lib/
Transforms/
Instrumentation/
50 lines
Utils/
16 lines

Diff 267250

llvm/include/llvm/Transforms/Utils/ModuleUtils.h

Show All 36 Lines
/// Same as appendToGlobalCtors(), but for global dtors. /// Same as appendToGlobalCtors(), but for global dtors.
void appendToGlobalDtors(Module &M, Function *F, int Priority, void appendToGlobalDtors(Module &M, Function *F, int Priority,
Constant *Data = nullptr); Constant *Data = nullptr);
FunctionCallee declareSanitizerInitFunction(Module &M, StringRef InitName, FunctionCallee declareSanitizerInitFunction(Module &M, StringRef InitName,
ArrayRef<Type *> InitArgTypes); ArrayRef<Type *> InitArgTypes);
Function *createSanitizerCtor(Module &M, StringRef CtorName);
/// Creates sanitizer constructor function, and calls sanitizer's init /// Creates sanitizer constructor function, and calls sanitizer's init
/// function from it. /// function from it.
/// \return Returns pair of pointers to constructor, and init functions /// \return Returns pair of pointers to constructor, and init functions
/// respectively. /// respectively.
std::pair<Function *, FunctionCallee> createSanitizerCtorAndInitFunctions( std::pair<Function *, FunctionCallee> createSanitizerCtorAndInitFunctions(
Module &M, StringRef CtorName, StringRef InitName, Module &M, StringRef CtorName, StringRef InitName,
ArrayRef<Type *> InitArgTypes, ArrayRef<Value *> InitArgs, ArrayRef<Type *> InitArgTypes, ArrayRef<Value *> InitArgs,
StringRef VersionCheckName = StringRef()); StringRef VersionCheckName = StringRef());
▲ Show 20 LinesShow All 67 LinesShow Last 20 Lines

llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp

Show First 20 LinesShow All 583 Lines▼ Show 20 Lines
char ASanGlobalsMetadataWrapperPass::ID = 0; char ASanGlobalsMetadataWrapperPass::ID = 0;
/// AddressSanitizer: instrument the code in module to find memory bugs. /// AddressSanitizer: instrument the code in module to find memory bugs.
struct AddressSanitizer { struct AddressSanitizer {
AddressSanitizer(Module &M, const GlobalsMetadata *GlobalsMD, AddressSanitizer(Module &M, const GlobalsMetadata *GlobalsMD,
bool CompileKernel = false, bool Recover = false, bool CompileKernel = false, bool Recover = false,
bool UseAfterScope = false) bool UseAfterScope = false)
: UseAfterScope(UseAfterScope || ClUseAfterScope), GlobalsMD(*GlobalsMD) { : CompileKernel(ClEnableKasan.getNumOccurrences() > 0 ? ClEnableKasan
this->Recover = ClRecover.getNumOccurrences() > 0 ? ClRecover : Recover; : CompileKernel),
this->CompileKernel = Recover(ClRecover.getNumOccurrences() > 0 ? ClRecover : Recover),
ClEnableKasan.getNumOccurrences() > 0 ? ClEnableKasan : CompileKernel; UseAfterScope(UseAfterScope || ClUseAfterScope), GlobalsMD(*GlobalsMD) {
C = &(M.getContext()); C = &(M.getContext());
LongSize = M.getDataLayout().getPointerSizeInBits(); LongSize = M.getDataLayout().getPointerSizeInBits();
IntptrTy = Type::getIntNTy(*C, LongSize); IntptrTy = Type::getIntNTy(*C, LongSize);
TargetTriple = Triple(M.getTargetTriple()); TargetTriple = Triple(M.getTargetTriple());
Mapping = getShadowMapping(TargetTriple, LongSize, this->CompileKernel); Mapping = getShadowMapping(TargetTriple, LongSize, this->CompileKernel);
} }
▲ Show 20 LinesShow All 132 Lines▼ Show 20 Linesprivate:
bool UseAfterScope; bool UseAfterScope;
}; };
class ModuleAddressSanitizer { class ModuleAddressSanitizer {
public: public:
ModuleAddressSanitizer(Module &M, const GlobalsMetadata *GlobalsMD, ModuleAddressSanitizer(Module &M, const GlobalsMetadata *GlobalsMD,
bool CompileKernel = false, bool Recover = false, bool CompileKernel = false, bool Recover = false,
bool UseGlobalsGC = true, bool UseOdrIndicator = false) bool UseGlobalsGC = true, bool UseOdrIndicator = false)
: GlobalsMD(*GlobalsMD), UseGlobalsGC(UseGlobalsGC && ClUseGlobalsGC), : GlobalsMD(*GlobalsMD),
CompileKernel(ClEnableKasan.getNumOccurrences() > 0 ? ClEnableKasan
: CompileKernel),
Recover(ClRecover.getNumOccurrences() > 0 ? ClRecover : Recover),
UseGlobalsGC(UseGlobalsGC && ClUseGlobalsGC && !this->CompileKernel),
// Enable aliases as they should have no downside with ODR indicators. // Enable aliases as they should have no downside with ODR indicators.
UsePrivateAlias(UseOdrIndicator || ClUsePrivateAlias), UsePrivateAlias(UseOdrIndicator || ClUsePrivateAlias),
UseOdrIndicator(UseOdrIndicator || ClUseOdrIndicator), UseOdrIndicator(UseOdrIndicator || ClUseOdrIndicator),
// Not a typo: ClWithComdat is almost completely pointless without // Not a typo: ClWithComdat is almost completely pointless without
// ClUseGlobalsGC (because then it only works on modules without // ClUseGlobalsGC (because then it only works on modules without
// globals, which are rare); it is a prerequisite for ClUseGlobalsGC; // globals, which are rare); it is a prerequisite for ClUseGlobalsGC;
// and both suffer from gold PR19002 for which UseGlobalsGC constructor // and both suffer from gold PR19002 for which UseGlobalsGC constructor
// argument is designed as workaround. Therefore, disable both // argument is designed as workaround. Therefore, disable both
// ClWithComdat and ClUseGlobalsGC unless the frontend says it's ok to // ClWithComdat and ClUseGlobalsGC unless the frontend says it's ok to
// do globals-gc. // do globals-gc.
UseCtorComdat(UseGlobalsGC && ClWithComdat) { UseCtorComdat(UseGlobalsGC && ClWithComdat && !this->CompileKernel) {
this->Recover = ClRecover.getNumOccurrences() > 0 ? ClRecover : Recover;
this->CompileKernel =
ClEnableKasan.getNumOccurrences() > 0 ? ClEnableKasan : CompileKernel;
C = &(M.getContext()); C = &(M.getContext());
int LongSize = M.getDataLayout().getPointerSizeInBits(); int LongSize = M.getDataLayout().getPointerSizeInBits();
IntptrTy = Type::getIntNTy(*C, LongSize); IntptrTy = Type::getIntNTy(*C, LongSize);
TargetTriple = Triple(M.getTargetTriple()); TargetTriple = Triple(M.getTargetTriple());
Mapping = getShadowMapping(TargetTriple, LongSize, this->CompileKernel); Mapping = getShadowMapping(TargetTriple, LongSize, this->CompileKernel);
} }
bool instrumentModule(Module &); bool instrumentModule(Module &);
▲ Show 20 LinesShow All 1,064 Lines▼ Show 20 Lines case Comdat::NoDuplicates:
break; break;
case Comdat::Largest: case Comdat::Largest:
case Comdat::SameSize: case Comdat::SameSize:
return false; return false;
} }
} }
if (G->hasSection()) { if (G->hasSection()) {
// The kernel uses explicit sections for mostly special global variables
// that we should not instrument. E.g. the kernel may rely on their layout
// without redzones, or remove them at link time ("discard.*"), etc.
if (CompileKernel)
return false;
StringRef Section = G->getSection(); StringRef Section = G->getSection();
// Globals from llvm.metadata aren't emitted, do not instrument them. // Globals from llvm.metadata aren't emitted, do not instrument them.
if (Section == "llvm.metadata") return false; if (Section == "llvm.metadata") return false;
// Do not instrument globals from special LLVM sections. // Do not instrument globals from special LLVM sections.
if (Section.find("__llvm") != StringRef::npos || Section.find("__LLVM") != StringRef::npos) return false; if (Section.find("__llvm") != StringRef::npos || Section.find("__LLVM") != StringRef::npos) return false;
// Do not instrument function pointers to initialization and termination // Do not instrument function pointers to initialization and termination
▲ Show 20 LinesShow All 566 Lines▼ Show 20 Linesint ModuleAddressSanitizer::GetAsanVersion(const Module &M) const {
// shadow. // shadow.
Version += (LongSize == 32 && isAndroid); Version += (LongSize == 32 && isAndroid);
return Version; return Version;
} }
bool ModuleAddressSanitizer::instrumentModule(Module &M) { bool ModuleAddressSanitizer::instrumentModule(Module &M) {
initializeCallbacks(M); initializeCallbacks(M);
if (CompileKernel)
return false;
// Create a module constructor. A destructor is created lazily because not all // Create a module constructor. A destructor is created lazily because not all
// platforms, and not all modules need it. // platforms, and not all modules need it.
if (CompileKernel) {
// The kernel always builds with its own runtime, and therefore does not
// need the init and version check calls.
AsanCtorFunction = createSanitizerCtor(M, kAsanModuleCtorName);
} else {
std::string AsanVersion = std::to_string(GetAsanVersion(M)); std::string AsanVersion = std::to_string(GetAsanVersion(M));
std::string VersionCheckName = std::string VersionCheckName =
ClInsertVersionCheck ? (kAsanVersionCheckNamePrefix + AsanVersion) : ""; ClInsertVersionCheck ? (kAsanVersionCheckNamePrefix + AsanVersion) : "";
std::tie(AsanCtorFunction, std::ignore) = createSanitizerCtorAndInitFunctions( std::tie(AsanCtorFunction, std::ignore) =
M, kAsanModuleCtorName, kAsanInitName, /*InitArgTypes=*/{}, createSanitizerCtorAndInitFunctions(M, kAsanModuleCtorName,
kAsanInitName, /*InitArgTypes=*/{},
/*InitArgs=*/{}, VersionCheckName); /*InitArgs=*/{}, VersionCheckName);
}
bool CtorComdat = true; bool CtorComdat = true;
// TODO(glider): temporarily disabled globals instrumentation for KASan.
if (ClGlobals) { if (ClGlobals) {
IRBuilder<> IRB(AsanCtorFunction->getEntryBlock().getTerminator()); IRBuilder<> IRB(AsanCtorFunction->getEntryBlock().getTerminator());
InstrumentGlobals(IRB, M, &CtorComdat); InstrumentGlobals(IRB, M, &CtorComdat);
} }
const uint64_t Priority = GetCtorAndDtorPriority(TargetTriple); const uint64_t Priority = GetCtorAndDtorPriority(TargetTriple);
// Put the constructor and destructor in comdat if both // Put the constructor and destructor in comdat if both
▲ Show 20 LinesShow All 962 LinesShow Last 20 Lines

llvm/lib/Transforms/Utils/ModuleUtils.cpp

Show First 20 LinesShow All 113 Lines▼ Show 20 Linesllvm::declareSanitizerInitFunction(Module &M, StringRef InitName,
ArrayRef<Type *> InitArgTypes) { ArrayRef<Type *> InitArgTypes) {
assert(!InitName.empty() && "Expected init function name"); assert(!InitName.empty() && "Expected init function name");
return M.getOrInsertFunction( return M.getOrInsertFunction(
InitName, InitName,
FunctionType::get(Type::getVoidTy(M.getContext()), InitArgTypes, false), FunctionType::get(Type::getVoidTy(M.getContext()), InitArgTypes, false),
AttributeList()); AttributeList());
} }
Function *llvm::createSanitizerCtor(Module &M, StringRef CtorName) {
Function *Ctor = Function::Create(
FunctionType::get(Type::getVoidTy(M.getContext()), false),
GlobalValue::InternalLinkage, CtorName, &M);
BasicBlock *CtorBB = BasicBlock::Create(M.getContext(), "", Ctor);
ReturnInst::Create(M.getContext(), CtorBB);
return Ctor;
}
std::pair<Function *, FunctionCallee> llvm::createSanitizerCtorAndInitFunctions( std::pair<Function *, FunctionCallee> llvm::createSanitizerCtorAndInitFunctions(
Module &M, StringRef CtorName, StringRef InitName, Module &M, StringRef CtorName, StringRef InitName,
ArrayRef<Type *> InitArgTypes, ArrayRef<Value *> InitArgs, ArrayRef<Type *> InitArgTypes, ArrayRef<Value *> InitArgs,
StringRef VersionCheckName) { StringRef VersionCheckName) {
assert(!InitName.empty() && "Expected init function name"); assert(!InitName.empty() && "Expected init function name");
assert(InitArgs.size() == InitArgTypes.size() && assert(InitArgs.size() == InitArgTypes.size() &&
"Sanitizer's init function expects different number of arguments"); "Sanitizer's init function expects different number of arguments");
FunctionCallee InitFunction = FunctionCallee InitFunction =
declareSanitizerInitFunction(M, InitName, InitArgTypes); declareSanitizerInitFunction(M, InitName, InitArgTypes);
Function *Ctor = Function::Create( Function *Ctor = createSanitizerCtor(M, CtorName);
FunctionType::get(Type::getVoidTy(M.getContext()), false), IRBuilder<> IRB(Ctor->getEntryBlock().getTerminator());
GlobalValue::InternalLinkage, CtorName, &M);
BasicBlock *CtorBB = BasicBlock::Create(M.getContext(), "", Ctor);
IRBuilder<> IRB(ReturnInst::Create(M.getContext(), CtorBB));
IRB.CreateCall(InitFunction, InitArgs); IRB.CreateCall(InitFunction, InitArgs);
if (!VersionCheckName.empty()) { if (!VersionCheckName.empty()) {
FunctionCallee VersionCheckFunction = M.getOrInsertFunction( FunctionCallee VersionCheckFunction = M.getOrInsertFunction(
VersionCheckName, FunctionType::get(IRB.getVoidTy(), {}, false), VersionCheckName, FunctionType::get(IRB.getVoidTy(), {}, false),
AttributeList()); AttributeList());
IRB.CreateCall(VersionCheckFunction, {}); IRB.CreateCall(VersionCheckFunction, {});
} }
return std::make_pair(Ctor, InitFunction); return std::make_pair(Ctor, InitFunction);
▲ Show 20 LinesShow All 171 LinesShow Last 20 Lines