This is an archive of the discontinued LLVM Phabricator instance.

Differential D86168

[DFSan] Handle mmap() calls before interceptors are installed.
ClosedPublic

Authored by morehouse on Aug 18 2020, 1:23 PM.

Details

Reviewers
vitalybuka
kcc
pcc
Commits
rG4deda57106f7: [DFSan] Handle mmap() calls before interceptors are installed.
Summary

InitializeInterceptors() calls dlsym(), which calls calloc(). Depending
on the allocator implementation, calloc() may invoke mmap(), which
results in a segfault since REAL(mmap) is still being resolved.

We fix this by doing a direct syscall if interceptors haven't been fully
resolved yet.

Diff Detail

Event Timeline

morehouse created this revision.Aug 18 2020, 1:23 PM
Herald added a project: Restricted Project. · View Herald TranscriptAug 18 2020, 1:23 PM
Herald added a subscriber: Restricted Project. · View Herald Transcript
morehouse requested review of this revision.Aug 18 2020, 1:23 PM
Harbormaster completed remote builds in B68797: Diff 286385.Aug 18 2020, 1:52 PM
vitalybuka added inline comments.Aug 18 2020, 7:04 PM
compiler-rt/lib/dfsan/dfsan_interceptors.cpp
23

Have you considered EnsureInterceptorsInitialized from compiler-rt/lib/cfi/cfi.cpp or compiler-rt/lib/safestack/safestack.cpp
I suspect it should not work as you can't do INTERCEPT_FUNCTION here

Anyway as is it's a data race, some synchronization is needed.

morehouse added inline comments.Aug 19 2020, 8:15 AM
compiler-rt/lib/dfsan/dfsan_interceptors.cpp
23

Initialization happens during preinit_array, when we're single-threaded. The issue this solves is that initialization calls dlysm calls calloc calls mmap. If we did lazy-initialization, we'd get infinite recursion.

vitalybuka accepted this revision.Aug 19 2020, 2:50 PM
vitalybuka added inline comments.
compiler-rt/lib/dfsan/dfsan_interceptors.cpp
23

Interesting, I never considered that. Maybe it's relevant for other EnsureInterceptorsInitialized and we don't need locking there.

28

Can you please fix this ?
clang-format: please reformat the code

This revision is now accepted and ready to land.Aug 19 2020, 2:50 PM
vitalybuka added inline comments.Aug 19 2020, 2:51 PM
compiler-rt/lib/dfsan/dfsan_interceptors.cpp
27

can you comment about threading here?

vitalybuka added inline comments.Aug 19 2020, 2:59 PM
compiler-rt/lib/dfsan/dfsan_interceptors.cpp
23

Also it's not true for !SANITIZER_CAN_USE_PREINIT_ARRAY. I don't see any attempts to init dfsan without SANITIZER_CAN_USE_PREINIT_ARRAY, so I guess it's fine.

morehouse updated this revision to Diff 286670.Aug 19 2020, 3:04 PM
  • Reformat and add comment on synchronization.
Herald added a subscriber: jfb. · View Herald TranscriptAug 19 2020, 3:04 PM
morehouse marked 5 inline comments as done.Aug 19 2020, 3:05 PM
This revision was landed with ongoing or failed builds.Aug 19 2020, 3:08 PM
Closed by commit rG4deda57106f7: [DFSan] Handle mmap() calls before interceptors are installed. (authored by morehouse). · Explain Why
This revision was automatically updated to reflect the committed changes.
morehouse added a commit: rG4deda57106f7: [DFSan] Handle mmap() calls before interceptors are installed..
Harbormaster completed remote builds in B68951: Diff 286670.Aug 19 2020, 3:35 PM

Revision Contents

PathSize
compiler-rt/
lib/
dfsan/
25 lines
test/
dfsan/
32 lines

Diff 286671

compiler-rt/lib/dfsan/dfsan_interceptors.cpp

//===-- dfsan_interceptors.cpp --------------------------------------------===// //===-- dfsan_interceptors.cpp --------------------------------------------===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This file is a part of DataFlowSanitizer. // This file is a part of DataFlowSanitizer.
// //
// Interceptors for standard library functions. // Interceptors for standard library functions.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include <sys/syscall.h>
#include <unistd.h>
#include "dfsan/dfsan.h" #include "dfsan/dfsan.h"
#include "interception/interception.h" #include "interception/interception.h"
#include "sanitizer_common/sanitizer_common.h" #include "sanitizer_common/sanitizer_common.h"
using namespace __sanitizer; using namespace __sanitizer;
static bool interceptors_initialized;
vitalybukaUnsubmitted
Done
ReplyInline Actions

Have you considered EnsureInterceptorsInitialized from compiler-rt/lib/cfi/cfi.cpp or compiler-rt/lib/safestack/safestack.cpp
I suspect it should not work as you can't do INTERCEPT_FUNCTION here

Anyway as is it's a data race, some synchronization is needed.

vitalybuka: Have you considered EnsureInterceptorsInitialized from compiler-rt/lib/cfi/cfi.cpp or compiler…
morehouseAuthorUnsubmitted
Done
ReplyInline Actions

Initialization happens during preinit_array, when we're single-threaded. The issue this solves is that initialization calls dlysm calls calloc calls mmap. If we did lazy-initialization, we'd get infinite recursion.

morehouse: Initialization happens during preinit_array, when we're single-threaded. The issue this solves…
vitalybukaUnsubmitted
Done
ReplyInline Actions

Interesting, I never considered that. Maybe it's relevant for other EnsureInterceptorsInitialized and we don't need locking there.

vitalybuka: Interesting, I never considered that. Maybe it's relevant for other…
vitalybukaUnsubmitted
Done
ReplyInline Actions

Also it's not true for !SANITIZER_CAN_USE_PREINIT_ARRAY. I don't see any attempts to init dfsan without SANITIZER_CAN_USE_PREINIT_ARRAY, so I guess it's fine.

vitalybuka: Also it's not true for !SANITIZER_CAN_USE_PREINIT_ARRAY. I don't see any attempts to init…
INTERCEPTOR(void *, mmap, void *addr, SIZE_T length, int prot, int flags, INTERCEPTOR(void *, mmap, void *addr, SIZE_T length, int prot, int flags,
int fd, OFF_T offset) { int fd, OFF_T offset) {
void *res = REAL(mmap)(addr, length, prot, flags, fd, offset); void *res;
vitalybukaUnsubmitted
Done
ReplyInline Actions

can you comment about threading here?

vitalybuka: can you comment about threading here?
vitalybukaUnsubmitted
Done
ReplyInline Actions

Can you please fix this ?
clang-format: please reformat the code

vitalybuka: Can you please fix this ? clang-format: please reformat the code
// interceptors_initialized is set to true during preinit_array, when we're
// single-threaded. So we don't need to worry about accessing it atomically.
if (!interceptors_initialized)
res = (void *)syscall(__NR_mmap, addr, length, prot, flags, fd, offset);
else
res = REAL(mmap)(addr, length, prot, flags, fd, offset);
if (res != (void*)-1) if (res != (void *)-1)
dfsan_set_label(0, res, RoundUpTo(length, GetPageSize())); dfsan_set_label(0, res, RoundUpTo(length, GetPageSize()));
return res; return res;
} }
INTERCEPTOR(void *, mmap64, void *addr, SIZE_T length, int prot, int flags, INTERCEPTOR(void *, mmap64, void *addr, SIZE_T length, int prot, int flags,
int fd, OFF64_T offset) { int fd, OFF64_T offset) {
void *res = REAL(mmap64)(addr, length, prot, flags, fd, offset); void *res = REAL(mmap64)(addr, length, prot, flags, fd, offset);
if (res != (void*)-1) if (res != (void *)-1)
dfsan_set_label(0, res, RoundUpTo(length, GetPageSize())); dfsan_set_label(0, res, RoundUpTo(length, GetPageSize()));
return res; return res;
} }
namespace __dfsan { namespace __dfsan {
void InitializeInterceptors() { void InitializeInterceptors() {
static int inited = 0; CHECK(!interceptors_initialized);
CHECK_EQ(inited, 0);
INTERCEPT_FUNCTION(mmap); INTERCEPT_FUNCTION(mmap);
INTERCEPT_FUNCTION(mmap64); INTERCEPT_FUNCTION(mmap64);
inited = 1;
interceptors_initialized = true;
} }
} // namespace __dfsan } // namespace __dfsan

compiler-rt/test/dfsan/interceptors.c

  • This file was added.
// RUN: %clang_dfsan -fno-sanitize=dataflow -DCALLOC -c %s -o %t-calloc.o
// RUN: %clang_dfsan %s %t-calloc.o -o %t
// RUN: %run %t
//
// Tests that calling mmap() during during dfsan initialization works.
#include <assert.h>
#include <sanitizer/dfsan_interface.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#ifdef CALLOC
// dfsan_init() installs interceptors via dlysm(), which calls calloc().
// Calling mmap() from here should work even if interceptors haven't been fully
// set up yet.
void *calloc(size_t Num, size_t Size) {
size_t PageSize = getpagesize();
Size = Size * Num;
Size = (Size + PageSize - 1) & ~(PageSize - 1); // Round up to PageSize.
void *Ret = mmap(NULL, Size, PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
assert(Ret != MAP_FAILED);
return Ret;
}
#else
int main() { return 0; }
#endif // CALLOC