This is an archive of the discontinued LLVM Phabricator instance.

Differential D94212

scudo: Add support for tracking stack traces of secondary allocations.
ClosedPublic

Authored by pcc on Jan 6 2021, 8:37 PM.

Details

Reviewers
eugenis
hctim
cryptoad
jfb
Commits
rG1f55fa0b99e0: scudo: Add support for tracking stack traces of secondary allocations.
Summary

There is no centralized store of information related to secondary
allocations. Moreover the allocations themselves become inaccessible
when the allocation is freed in order to implement UAF detection,
so we can't store information there to be used in case of UAF
anyway.

Therefore our storage location for tracking stack traces of secondary
allocations is a secondary ring buffer. The ring buffer is copied to
the process creating the crash dump when a fault occurs.

In order to support the scenario where an access to the ring buffer
is interrupted by a concurrently occurring crash, the secondary
ring buffer is accessed in a lock-free manner. This requires the
use of 128-bit atomics, which are generally only supported on 64-bit
platforms. Therefore the secondary ring buffer is disabled on 32-bit
platforms. The ring buffer would be unused on such platforms anyway
due to the lack of support for memory tagging on platforms other
than arm64.

This change enables 16-byte compare-exchange instructions on x86 in
order to avoid a warning where 128-bit atomics are used. Since the code
wouldn't actually be called in production on x86 as mentioned, this is
mostly in order to provide compile-time coverage and support fuzzing.

Depends on D93731

Diff Detail

Event Timeline

pcc created this revision.Jan 6 2021, 8:37 PM
Herald added a reviewer: jfb. · View Herald TranscriptJan 6 2021, 8:37 PM
Herald added subscribers: pengfei, jfb, kristof.beyls, mgorny. · View Herald Transcript
pcc requested review of this revision.Jan 6 2021, 8:37 PM
Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptJan 6 2021, 8:37 PM
Herald added a subscriber: Restricted Project. · View Herald Transcript
Harbormaster completed remote builds in B84288: Diff 315040.Jan 6 2021, 9:37 PM
eugenis added a comment.Jan 8 2021, 3:47 PM

Can we have a setting where the secondary ring buffer is used for primary allocations, too? The primary record could be pushed when the chunk is about to be reused.

compiler-rt/lib/scudo/standalone/combined.h
1339

This loop seems expensive. Why not store alloc and dealloc as two independent events? It will use a bit more memory, but given the same memory budget, dealloc events should survive longer because they will be generally closer to the end of the ring (and they are the most interesting ones).

pcc added a comment.Jan 8 2021, 5:51 PM
In D94212#2488097, @eugenis wrote:

Can we have a setting where the secondary ring buffer is used for primary allocations, too? The primary record could be pushed when the chunk is about to be reused.

Let's do that in a separate change.

compiler-rt/lib/scudo/standalone/combined.h
1339

Hmm, I wouldn't expect it to be that expensive compared to the cost of the allocation itself.

I thought about storing these as two separate events but I wasn't sure that just a deallocation stack trace on its own would be useful. But having given it more thought I suppose that:

  1. We don't need to concern ourselves too much with memory usage here because secondary allocations are rare enough that we can choose a relatively small buffer size, so doubling it shouldn't matter that much
  2. Just the deallocation stack trace would be better than nothing. That being said, we could store the allocation trace and tid inline with the allocation and copy them into the ring buffer entry on deallocation. That would cost more memory, but as mentioned in 1) that should be inconsequential.

So let's go with the separate events.

pcc updated this revision to Diff 316322.Jan 12 2021, 9:58 PM
  • Instead of updating an existing ring buffer entry, create a new entry
Harbormaster completed remote builds in B84974: Diff 316322.Jan 12 2021, 10:28 PM
pcc updated this revision to Diff 320975.Feb 2 2021, 7:39 PM
  • Use ring buffer for primary deallocations as well
pcc updated this revision to Diff 320976.Feb 2 2021, 7:41 PM
  • Update comment
Harbormaster completed remote builds in B87626: Diff 320975.Feb 2 2021, 8:15 PM
Harbormaster completed remote builds in B87627: Diff 320976.Feb 2 2021, 8:22 PM
eugenis added inline comments.Feb 24 2021, 3:52 PM
compiler-rt/lib/scudo/standalone/combined.h
1115

Does this actually do anything if all stores are relaxed?

1138

Why create this ring buffer entry while the allocation is still alive?
This would add some complexity to error reporting, but we could iterate over the live secondary allocations to find the right one. That should reduce ring buffer traffic by 2x (not counting primary of course).

pcc added inline comments.Feb 24 2021, 8:00 PM
compiler-rt/lib/scudo/standalone/combined.h
1115

The goal is to guard against the thread executing this access being interrupted by a crash, not against concurrent access. By the time the ring buffer entry is accessed the thread will have been stopped so the effects of any stores will have been committed to memory.

That being said, I suspect that the compiler would be allowed to eliminate this store, so we may need something stronger here.

1138

It would add quite a bit of complexity. malloc_iterate is implemented via pointer chasing, whereas __scudo_get_error_info expects a few fixed blocks of data to be copied. Implementing the pointer chasing on the __scudo_get_error_info side would probably require callbacks to read memory, or something like that. It doesn't seem worth it to reduce ring buffer traffic for secondary allocations, which are quite uncommon anyway.

pcc updated this revision to Diff 326275.Feb 24 2021, 8:43 PM
  • Use acquire/release for accesses to Ptr
Harbormaster completed remote builds in B90738: Diff 326275.Feb 24 2021, 11:06 PM
eugenis accepted this revision.Feb 25 2021, 3:37 PM

LGTM with a nit

compiler-rt/lib/scudo/standalone/combined.h
1138

Would __atomic_signal_fence(__ATOMIC_SEQ_CST) be more appropriate?

This revision is now accepted and ready to land.Feb 25 2021, 3:37 PM
pcc added inline comments.Feb 25 2021, 4:26 PM
compiler-rt/lib/scudo/standalone/combined.h
1138

(assuming this was meant as a reply to the other comment)

Yes, that's a good idea, I'll do that.

This revision was landed with ongoing or failed builds.Mar 9 2021, 11:43 AM
Closed by commit rG1f55fa0b99e0: scudo: Add support for tracking stack traces of secondary allocations. (authored by pcc). · Explain Why
This revision was automatically updated to reflect the committed changes.
pcc added a commit: rG1f55fa0b99e0: scudo: Add support for tracking stack traces of secondary allocations..

Revision Contents

PathSize
compiler-rt/
lib/
scudo/
standalone/
411 lines
fuzz/
14 lines
include/
scudo/
9 lines
9 lines
21 lines

Diff 326275

compiler-rt/lib/scudo/standalone/combined.h

Show First 20 LinesShow All 441 Lines▼ Show 20 Lines if (LIKELY(ClassId)) {
// the chunk data. // the chunk data.
memset(TaggedPtr, 0, archMemoryTagGranuleSize()); memset(TaggedPtr, 0, archMemoryTagGranuleSize());
} }
} else { } else {
const uptr OddEvenMask = const uptr OddEvenMask =
computeOddEvenMaskForPointerMaybe(Options, BlockUptr, BlockSize); computeOddEvenMaskForPointerMaybe(Options, BlockUptr, BlockSize);
TaggedPtr = prepareTaggedChunk(Ptr, Size, OddEvenMask, BlockEnd); TaggedPtr = prepareTaggedChunk(Ptr, Size, OddEvenMask, BlockEnd);
} }
storeAllocationStackMaybe(Options, Ptr); storePrimaryAllocationStackMaybe(Options, Ptr);
} else { } else {
Block = addHeaderTag(Block); Block = addHeaderTag(Block);
Ptr = addHeaderTag(Ptr); Ptr = addHeaderTag(Ptr);
if (UNLIKELY(FillContents != NoFill)) { if (UNLIKELY(FillContents != NoFill)) {
// This condition is not necessarily unlikely, but since memset is // This condition is not necessarily unlikely, but since memset is
// costly, we might as well mark it as such. // costly, we might as well mark it as such.
memset(Block, FillContents == ZeroFill ? 0 : PatternFillByte, memset(Block, FillContents == ZeroFill ? 0 : PatternFillByte,
PrimaryT::getSizeByClassId(ClassId)); PrimaryT::getSizeByClassId(ClassId));
} }
} }
} else { } else {
Block = addHeaderTag(Block); Block = addHeaderTag(Block);
Ptr = addHeaderTag(Ptr); Ptr = addHeaderTag(Ptr);
if (UNLIKELY(useMemoryTagging<Params>(Options))) if (UNLIKELY(useMemoryTagging<Params>(Options))) {
storeTags(reinterpret_cast<uptr>(Block), reinterpret_cast<uptr>(Ptr)); storeTags(reinterpret_cast<uptr>(Block), reinterpret_cast<uptr>(Ptr));
storeSecondaryAllocationStackMaybe(Options, Ptr, Size);
}
} }
Chunk::UnpackedHeader Header = {}; Chunk::UnpackedHeader Header = {};
if (UNLIKELY(UnalignedUserPtr != UserPtr)) { if (UNLIKELY(UnalignedUserPtr != UserPtr)) {
const uptr Offset = UserPtr - UnalignedUserPtr; const uptr Offset = UserPtr - UnalignedUserPtr;
DCHECK_GE(Offset, 2 * sizeof(u32)); DCHECK_GE(Offset, 2 * sizeof(u32));
// The BlockMarker has no security purpose, but is specifically meant for // The BlockMarker has no security purpose, but is specifically meant for
// the chunk iteration function that can be used in debugging situations. // the chunk iteration function that can be used in debugging situations.
▲ Show 20 LinesShow All 137 Lines▼ Show 20 Lines if (reinterpret_cast<uptr>(OldTaggedPtr) + NewSize <= BlockEnd) {
if (NewSize > OldSize || (OldSize - NewSize) < getPageSizeCached()) { if (NewSize > OldSize || (OldSize - NewSize) < getPageSizeCached()) {
Chunk::UnpackedHeader NewHeader = OldHeader; Chunk::UnpackedHeader NewHeader = OldHeader;
NewHeader.SizeOrUnusedBytes = NewHeader.SizeOrUnusedBytes =
(ClassId ? NewSize (ClassId ? NewSize
: BlockEnd - : BlockEnd -
(reinterpret_cast<uptr>(OldTaggedPtr) + NewSize)) & (reinterpret_cast<uptr>(OldTaggedPtr) + NewSize)) &
Chunk::SizeOrUnusedBytesMask; Chunk::SizeOrUnusedBytesMask;
Chunk::compareExchangeHeader(Cookie, OldPtr, &NewHeader, &OldHeader); Chunk::compareExchangeHeader(Cookie, OldPtr, &NewHeader, &OldHeader);
if (UNLIKELY(ClassId && useMemoryTagging<Params>(Options))) { if (UNLIKELY(useMemoryTagging<Params>(Options))) {
if (ClassId) {
resizeTaggedChunk(reinterpret_cast<uptr>(OldTaggedPtr) + OldSize, resizeTaggedChunk(reinterpret_cast<uptr>(OldTaggedPtr) + OldSize,
reinterpret_cast<uptr>(OldTaggedPtr) + NewSize, reinterpret_cast<uptr>(OldTaggedPtr) + NewSize,
BlockEnd); BlockEnd);
storeAllocationStackMaybe(Options, OldPtr); storePrimaryAllocationStackMaybe(Options, OldPtr);
} else {
storeSecondaryAllocationStackMaybe(Options, OldPtr, NewSize);
}
} }
return OldTaggedPtr; return OldTaggedPtr;
} }
} }
// Otherwise we allocate a new one, and deallocate the old one. Some // Otherwise we allocate a new one, and deallocate the old one. Some
// allocators will allocate an even larger chunk (by a fixed factor) to // allocators will allocate an even larger chunk (by a fixed factor) to
// allow for potential further in-place realloc. The gains of such a trick // allow for potential further in-place realloc. The gains of such a trick
▲ Show 20 LinesShow All 226 Lines▼ Show 20 Lines#endif // GWP_ASAN_HOOKS
const char *getRegionInfoArrayAddress() const { const char *getRegionInfoArrayAddress() const {
return Primary.getRegionInfoArrayAddress(); return Primary.getRegionInfoArrayAddress();
} }
static uptr getRegionInfoArraySize() { static uptr getRegionInfoArraySize() {
return PrimaryT::getRegionInfoArraySize(); return PrimaryT::getRegionInfoArraySize();
} }
static void getErrorInfo(struct scudo_error_info *ErrorInfo, const char *getRingBufferAddress() const {
uintptr_t FaultAddr, const char *DepotPtr, return reinterpret_cast<const char *>(&RingBuffer);
const char *RegionInfoPtr, const char *Memory, }
const char *MemoryTags, uintptr_t MemoryAddr,
size_t MemorySize) {
*ErrorInfo = {};
if (!allocatorSupportsMemoryTagging<Params>() ||
MemoryAddr + MemorySize < MemoryAddr)
return;
uptr UntaggedFaultAddr = untagPointer(FaultAddr);
u8 FaultAddrTag = extractTag(FaultAddr);
BlockInfo Info =
PrimaryT::findNearestBlock(RegionInfoPtr, UntaggedFaultAddr);
auto GetGranule = [&](uptr Addr, const char **Data, uint8_t *Tag) -> bool {
if (Addr < MemoryAddr || Addr + archMemoryTagGranuleSize() < Addr ||
Addr + archMemoryTagGranuleSize() > MemoryAddr + MemorySize)
return false;
*Data = &Memory[Addr - MemoryAddr];
*Tag = static_cast<u8>(
MemoryTags[(Addr - MemoryAddr) / archMemoryTagGranuleSize()]);
return true;
};
auto ReadBlock = [&](uptr Addr, uptr *ChunkAddr,
Chunk::UnpackedHeader *Header, const u32 **Data,
u8 *Tag) {
const char *BlockBegin;
u8 BlockBeginTag;
if (!GetGranule(Addr, &BlockBegin, &BlockBeginTag))
return false;
uptr ChunkOffset = getChunkOffsetFromBlock(BlockBegin);
*ChunkAddr = Addr + ChunkOffset;
const char *ChunkBegin; static uptr getRingBufferSize() { return sizeof(RingBuffer); }
if (!GetGranule(*ChunkAddr, &ChunkBegin, Tag))
return false;
*Header = *reinterpret_cast<const Chunk::UnpackedHeader *>(
ChunkBegin - Chunk::getHeaderSize());
*Data = reinterpret_cast<const u32 *>(ChunkBegin);
return true;
};
auto *Depot = reinterpret_cast<const StackDepot *>(DepotPtr); static const uptr MaxTraceSize = 64;
auto MaybeCollectTrace = [&](uintptr_t(&Trace)[MaxTraceSize], u32 Hash) { static void collectTraceMaybe(const StackDepot *Depot,
uintptr_t (&Trace)[MaxTraceSize], u32 Hash) {
uptr RingPos, Size; uptr RingPos, Size;
if (!Depot->find(Hash, &RingPos, &Size)) if (!Depot->find(Hash, &RingPos, &Size))
return; return;
for (unsigned I = 0; I != Size && I != MaxTraceSize; ++I) for (unsigned I = 0; I != Size && I != MaxTraceSize; ++I)
Trace[I] = (*Depot)[RingPos + I]; Trace[I] = (*Depot)[RingPos + I];
};
size_t NextErrorReport = 0;
// First, check for UAF.
{
uptr ChunkAddr;
Chunk::UnpackedHeader Header;
const u32 *Data;
uint8_t Tag;
if (ReadBlock(Info.BlockBegin, &ChunkAddr, &Header, &Data, &Tag) &&
Header.State != Chunk::State::Allocated &&
Data[MemTagPrevTagIndex] == FaultAddrTag) {
auto *R = &ErrorInfo->reports[NextErrorReport++];
R->error_type = USE_AFTER_FREE;
R->allocation_address = ChunkAddr;
R->allocation_size = Header.SizeOrUnusedBytes;
MaybeCollectTrace(R->allocation_trace,
Data[MemTagAllocationTraceIndex]);
R->allocation_tid = Data[MemTagAllocationTidIndex];
MaybeCollectTrace(R->deallocation_trace,
Data[MemTagDeallocationTraceIndex]);
R->deallocation_tid = Data[MemTagDeallocationTidIndex];
} }
}
auto CheckOOB = [&](uptr BlockAddr) {
if (BlockAddr < Info.RegionBegin || BlockAddr >= Info.RegionEnd)
return false;
uptr ChunkAddr;
Chunk::UnpackedHeader Header;
const u32 *Data;
uint8_t Tag;
if (!ReadBlock(BlockAddr, &ChunkAddr, &Header, &Data, &Tag) ||
Header.State != Chunk::State::Allocated || Tag != FaultAddrTag)
return false;
auto *R = &ErrorInfo->reports[NextErrorReport++]; static void getErrorInfo(struct scudo_error_info *ErrorInfo,
R->error_type = uintptr_t FaultAddr, const char *DepotPtr,
UntaggedFaultAddr < ChunkAddr ? BUFFER_UNDERFLOW : BUFFER_OVERFLOW; const char *RegionInfoPtr, const char *RingBufferPtr,
R->allocation_address = ChunkAddr; const char *Memory, const char *MemoryTags,
R->allocation_size = Header.SizeOrUnusedBytes; uintptr_t MemoryAddr, size_t MemorySize) {
MaybeCollectTrace(R->allocation_trace, Data[MemTagAllocationTraceIndex]); *ErrorInfo = {};
R->allocation_tid = Data[MemTagAllocationTidIndex]; if (!allocatorSupportsMemoryTagging<Params>() ||
return NextErrorReport == MemoryAddr + MemorySize < MemoryAddr)
sizeof(ErrorInfo->reports) / sizeof(ErrorInfo->reports[0]);
};
if (CheckOOB(Info.BlockBegin))
return; return;
// Check for OOB in the 30 surrounding blocks. Beyond that we are likely to auto *Depot = reinterpret_cast<const StackDepot *>(DepotPtr);
// hit false positives. size_t NextErrorReport = 0;
for (int I = 1; I != 16; ++I) if (extractTag(FaultAddr) != 0)
if (CheckOOB(Info.BlockBegin + I * Info.BlockSize) || getInlineErrorInfo(ErrorInfo, NextErrorReport, FaultAddr, Depot,
CheckOOB(Info.BlockBegin - I * Info.BlockSize)) RegionInfoPtr, Memory, MemoryTags, MemoryAddr,
return; MemorySize);
getRingBufferErrorInfo(ErrorInfo, NextErrorReport, FaultAddr, Depot,
RingBufferPtr);
} }
private: private:
using SecondaryT = MapAllocator<Params>; using SecondaryT = MapAllocator<Params>;
typedef typename PrimaryT::SizeClassMap SizeClassMap; typedef typename PrimaryT::SizeClassMap SizeClassMap;
static const uptr MinAlignmentLog = SCUDO_MIN_ALIGNMENT_LOG; static const uptr MinAlignmentLog = SCUDO_MIN_ALIGNMENT_LOG;
static const uptr MaxAlignmentLog = 24U; // 16 MB seems reasonable. static const uptr MaxAlignmentLog = 24U; // 16 MB seems reasonable.
static const uptr MinAlignment = 1UL << MinAlignmentLog; static const uptr MinAlignment = 1UL << MinAlignmentLog;
static const uptr MaxAlignment = 1UL << MaxAlignmentLog; static const uptr MaxAlignment = 1UL << MaxAlignmentLog;
static const uptr MaxAllowedMallocSize = static const uptr MaxAllowedMallocSize =
FIRST_32_SECOND_64(1UL << 31, 1ULL << 40); FIRST_32_SECOND_64(1UL << 31, 1ULL << 40);
static_assert(MinAlignment >= sizeof(Chunk::PackedHeader), static_assert(MinAlignment >= sizeof(Chunk::PackedHeader),
"Minimal alignment must at least cover a chunk header."); "Minimal alignment must at least cover a chunk header.");
static_assert(!allocatorSupportsMemoryTagging<Params>() || static_assert(!allocatorSupportsMemoryTagging<Params>() ||
MinAlignment >= archMemoryTagGranuleSize(), MinAlignment >= archMemoryTagGranuleSize(),
""); "");
static const u32 BlockMarker = 0x44554353U; static const u32 BlockMarker = 0x44554353U;
// These are indexes into an "array" of 32-bit values that store information // These are indexes into an "array" of 32-bit values that store information
// inline with a chunk that is relevant to diagnosing memory tag faults, where // inline with a chunk that is relevant to diagnosing memory tag faults, where
// 0 corresponds to the address of the user memory. This means that negative // 0 corresponds to the address of the user memory. This means that only
// indexes may be used to store information about allocations, while positive // negative indexes may be used. The smallest index that may be used is -2,
// indexes may only be used to store information about deallocations, because // which corresponds to 8 bytes before the user memory, because the chunk
// the user memory is in use until it has been deallocated. The smallest index // header size is 8 bytes and in allocators that support memory tagging the
// that may be used is -2, which corresponds to 8 bytes before the user // minimum alignment is at least the tag granule size (16 on aarch64).
// memory, because the chunk header size is 8 bytes and in allocators that
// support memory tagging the minimum alignment is at least the tag granule
// size (16 on aarch64), and the largest index that may be used is 3 because
// we are only guaranteed to have at least a granule's worth of space in the
// user memory.
static const sptr MemTagAllocationTraceIndex = -2; static const sptr MemTagAllocationTraceIndex = -2;
static const sptr MemTagAllocationTidIndex = -1; static const sptr MemTagAllocationTidIndex = -1;
static const sptr MemTagDeallocationTraceIndex = 0;
static const sptr MemTagDeallocationTidIndex = 1;
static const sptr MemTagPrevTagIndex = 2;
static const uptr MaxTraceSize = 64;
u32 Cookie; u32 Cookie;
u32 QuarantineMaxChunkSize; u32 QuarantineMaxChunkSize;
GlobalStats Stats; GlobalStats Stats;
PrimaryT Primary; PrimaryT Primary;
SecondaryT Secondary; SecondaryT Secondary;
QuarantineT Quarantine; QuarantineT Quarantine;
TSDRegistryT TSDRegistry; TSDRegistryT TSDRegistry;
#ifdef GWP_ASAN_HOOKS #ifdef GWP_ASAN_HOOKS
gwp_asan::GuardedPoolAllocator GuardedAlloc; gwp_asan::GuardedPoolAllocator GuardedAlloc;
#endif // GWP_ASAN_HOOKS #endif // GWP_ASAN_HOOKS
StackDepot Depot; StackDepot Depot;
struct AllocationRingBuffer {
struct Entry {
atomic_uptr Ptr;
atomic_uptr AllocationSize;
atomic_u32 AllocationTrace;
atomic_u32 AllocationTid;
atomic_u32 DeallocationTrace;
atomic_u32 DeallocationTid;
};
atomic_uptr Pos;
#ifdef SCUDO_FUZZ
static const uptr NumEntries = 2;
#else
static const uptr NumEntries = 32768;
#endif
Entry Entries[NumEntries];
};
AllocationRingBuffer RingBuffer;
// The following might get optimized out by the compiler. // The following might get optimized out by the compiler.
NOINLINE void performSanityChecks() { NOINLINE void performSanityChecks() {
// Verify that the header offset field can hold the maximum offset. In the // Verify that the header offset field can hold the maximum offset. In the
// case of the Secondary allocator, it takes care of alignment and the // case of the Secondary allocator, it takes care of alignment and the
// offset will always be small. In the case of the Primary, the worst case // offset will always be small. In the case of the Primary, the worst case
// scenario happens in the last size class, when the backend allocation // scenario happens in the last size class, when the backend allocation
// would already be aligned on the requested alignment, which would happen // would already be aligned on the requested alignment, which would happen
// to be the maximum alignment that would fit in that size class. As a // to be the maximum alignment that would fit in that size class. As a
Show All 40 Lines if (allocatorSupportsMemoryTagging<Params>())
Ptr = untagPointer(const_cast<void *>(Ptr)); Ptr = untagPointer(const_cast<void *>(Ptr));
return SecondaryT::getBlockEnd(getBlockBegin(Ptr, Header)) - return SecondaryT::getBlockEnd(getBlockBegin(Ptr, Header)) -
reinterpret_cast<uptr>(Ptr) - SizeOrUnusedBytes; reinterpret_cast<uptr>(Ptr) - SizeOrUnusedBytes;
} }
void quarantineOrDeallocateChunk(Options Options, void *Ptr, void quarantineOrDeallocateChunk(Options Options, void *Ptr,
Chunk::UnpackedHeader *Header, uptr Size) { Chunk::UnpackedHeader *Header, uptr Size) {
Chunk::UnpackedHeader NewHeader = *Header; Chunk::UnpackedHeader NewHeader = *Header;
if (UNLIKELY(NewHeader.ClassId && useMemoryTagging<Params>(Options))) { if (UNLIKELY(useMemoryTagging<Params>(Options))) {
u8 PrevTag = extractTag(loadTag(reinterpret_cast<uptr>(Ptr))); u8 PrevTag = 0;
if (NewHeader.ClassId) {
PrevTag = extractTag(loadTag(reinterpret_cast<uptr>(Ptr)));
if (!TSDRegistry.getDisableMemInit()) { if (!TSDRegistry.getDisableMemInit()) {
uptr TaggedBegin, TaggedEnd; uptr TaggedBegin, TaggedEnd;
const uptr OddEvenMask = computeOddEvenMaskForPointerMaybe( const uptr OddEvenMask = computeOddEvenMaskForPointerMaybe(
Options, reinterpret_cast<uptr>(getBlockBegin(Ptr, &NewHeader)), Options, reinterpret_cast<uptr>(getBlockBegin(Ptr, &NewHeader)),
SizeClassMap::getSizeByClassId(NewHeader.ClassId)); SizeClassMap::getSizeByClassId(NewHeader.ClassId));
// Exclude the previous tag so that immediate use after free is detected // Exclude the previous tag so that immediate use after free is
// 100% of the time. // detected 100% of the time.
setRandomTag(Ptr, Size, OddEvenMask | (1UL << PrevTag), &TaggedBegin, setRandomTag(Ptr, Size, OddEvenMask | (1UL << PrevTag), &TaggedBegin,
&TaggedEnd); &TaggedEnd);
} }
NewHeader.OriginOrWasZeroed = !TSDRegistry.getDisableMemInit(); NewHeader.OriginOrWasZeroed = !TSDRegistry.getDisableMemInit();
storeDeallocationStackMaybe(Options, Ptr, PrevTag); }
storeDeallocationStackMaybe(Options, Ptr, PrevTag, Size);
} }
// If the quarantine is disabled, the actual size of a chunk is 0 or larger // If the quarantine is disabled, the actual size of a chunk is 0 or larger
// than the maximum allowed, we return a chunk directly to the backend. // than the maximum allowed, we return a chunk directly to the backend.
// This purposefully underflows for Size == 0. // This purposefully underflows for Size == 0.
const bool BypassQuarantine = !Quarantine.getCacheSize() || const bool BypassQuarantine = !Quarantine.getCacheSize() ||
((Size - 1) >= QuarantineMaxChunkSize) || ((Size - 1) >= QuarantineMaxChunkSize) ||
!NewHeader.ClassId; !NewHeader.ClassId;
if (BypassQuarantine) { if (BypassQuarantine) {
Show All 36 Lines#endif
static uptr getChunkOffsetFromBlock(const char *Block) { static uptr getChunkOffsetFromBlock(const char *Block) {
u32 Offset = 0; u32 Offset = 0;
if (reinterpret_cast<const u32 *>(Block)[0] == BlockMarker) if (reinterpret_cast<const u32 *>(Block)[0] == BlockMarker)
Offset = reinterpret_cast<const u32 *>(Block)[1]; Offset = reinterpret_cast<const u32 *>(Block)[1];
return Offset + Chunk::getHeaderSize(); return Offset + Chunk::getHeaderSize();
} }
void storeAllocationStackMaybe(Options Options, void *Ptr) { void storePrimaryAllocationStackMaybe(Options Options, void *Ptr) {
if (!UNLIKELY(Options.get(OptionBit::TrackAllocationStacks))) if (!UNLIKELY(Options.get(OptionBit::TrackAllocationStacks)))
return; return;
auto *Ptr32 = reinterpret_cast<u32 *>(Ptr); auto *Ptr32 = reinterpret_cast<u32 *>(Ptr);
Ptr32[MemTagAllocationTraceIndex] = collectStackTrace(); Ptr32[MemTagAllocationTraceIndex] = collectStackTrace();
Ptr32[MemTagAllocationTidIndex] = getThreadID(); Ptr32[MemTagAllocationTidIndex] = getThreadID();
} }
void storeDeallocationStackMaybe(Options Options, void *Ptr, void storeRingBufferEntry(void *Ptr, u32 AllocationTrace, u32 AllocationTid,
uint8_t PrevTag) { uptr AllocationSize, u32 DeallocationTrace,
u32 DeallocationTid) {
uptr Pos = atomic_fetch_add(&RingBuffer.Pos, 1, memory_order_relaxed);
typename AllocationRingBuffer::Entry *Entry =
&RingBuffer.Entries[Pos % AllocationRingBuffer::NumEntries];
// First invalidate our entry so that we don't attempt to interpret a
// partially written state in getSecondaryErrorInfo().
atomic_store(&Entry->Ptr, 0, memory_order_acquire);
eugenisUnsubmitted
Not Done
ReplyInline Actions

Does this actually do anything if all stores are relaxed?

eugenis: Does this actually do anything if all stores are relaxed?
pccAuthorUnsubmitted
Done
ReplyInline Actions

The goal is to guard against the thread executing this access being interrupted by a crash, not against concurrent access. By the time the ring buffer entry is accessed the thread will have been stopped so the effects of any stores will have been committed to memory.

That being said, I suspect that the compiler would be allowed to eliminate this store, so we may need something stronger here.

pcc: The goal is to guard against the thread executing this access being interrupted by a crash, not…
atomic_store_relaxed(&Entry->AllocationTrace, AllocationTrace);
atomic_store_relaxed(&Entry->AllocationTid, AllocationTid);
atomic_store_relaxed(&Entry->AllocationSize, AllocationSize);
atomic_store_relaxed(&Entry->DeallocationTrace, DeallocationTrace);
atomic_store_relaxed(&Entry->DeallocationTid, DeallocationTid);
atomic_store(&Entry->Ptr, reinterpret_cast<uptr>(Ptr),
memory_order_release);
}
void storeSecondaryAllocationStackMaybe(Options Options, void *Ptr,
uptr Size) {
if (!UNLIKELY(Options.get(OptionBit::TrackAllocationStacks)))
return;
u32 Trace = collectStackTrace();
u32 Tid = getThreadID();
auto *Ptr32 = reinterpret_cast<u32 *>(Ptr);
Ptr32[MemTagAllocationTraceIndex] = Trace;
Ptr32[MemTagAllocationTidIndex] = Tid;
storeRingBufferEntry(untagPointer(Ptr), Trace, Tid, Size, 0, 0);
eugenisUnsubmitted
Not Done
ReplyInline Actions

Why create this ring buffer entry while the allocation is still alive?
This would add some complexity to error reporting, but we could iterate over the live secondary allocations to find the right one. That should reduce ring buffer traffic by 2x (not counting primary of course).

eugenis: Why create this ring buffer entry while the allocation is still alive? This would add some…
pccAuthorUnsubmitted
Done
ReplyInline Actions

It would add quite a bit of complexity. malloc_iterate is implemented via pointer chasing, whereas __scudo_get_error_info expects a few fixed blocks of data to be copied. Implementing the pointer chasing on the __scudo_get_error_info side would probably require callbacks to read memory, or something like that. It doesn't seem worth it to reduce ring buffer traffic for secondary allocations, which are quite uncommon anyway.

pcc: It would add quite a bit of complexity. malloc_iterate is implemented via pointer chasing…
eugenisUnsubmitted
Not Done
ReplyInline Actions

Would __atomic_signal_fence(__ATOMIC_SEQ_CST) be more appropriate?

eugenis: Would `__atomic_signal_fence(__ATOMIC_SEQ_CST)` be more appropriate?
pccAuthorUnsubmitted
Done
ReplyInline Actions

(assuming this was meant as a reply to the other comment)

Yes, that's a good idea, I'll do that.

pcc: (assuming this was meant as a reply to the other comment) Yes, that's a good idea, I'll do…
}
void storeDeallocationStackMaybe(Options Options, void *Ptr, u8 PrevTag,
uptr Size) {
if (!UNLIKELY(Options.get(OptionBit::TrackAllocationStacks))) if (!UNLIKELY(Options.get(OptionBit::TrackAllocationStacks)))
return; return;
// Disable tag checks here so that we don't need to worry about zero sized
// allocations.
ScopedDisableMemoryTagChecks x;
auto *Ptr32 = reinterpret_cast<u32 *>(Ptr); auto *Ptr32 = reinterpret_cast<u32 *>(Ptr);
Ptr32[MemTagDeallocationTraceIndex] = collectStackTrace(); u32 AllocationTrace = Ptr32[MemTagAllocationTraceIndex];
Ptr32[MemTagDeallocationTidIndex] = getThreadID(); u32 AllocationTid = Ptr32[MemTagAllocationTidIndex];
Ptr32[MemTagPrevTagIndex] = PrevTag;
u32 DeallocationTrace = collectStackTrace();
u32 DeallocationTid = getThreadID();
storeRingBufferEntry(addFixedTag(untagPointer(Ptr), PrevTag),
AllocationTrace, AllocationTid, Size,
DeallocationTrace, DeallocationTid);
}
static const size_t NumErrorReports =
sizeof(((scudo_error_info *)0)->reports) /
sizeof(((scudo_error_info *)0)->reports[0]);
static void getInlineErrorInfo(struct scudo_error_info *ErrorInfo,
size_t &NextErrorReport, uintptr_t FaultAddr,
const StackDepot *Depot,
const char *RegionInfoPtr, const char *Memory,
const char *MemoryTags, uintptr_t MemoryAddr,
size_t MemorySize) {
uptr UntaggedFaultAddr = untagPointer(FaultAddr);
u8 FaultAddrTag = extractTag(FaultAddr);
BlockInfo Info =
PrimaryT::findNearestBlock(RegionInfoPtr, UntaggedFaultAddr);
auto GetGranule = [&](uptr Addr, const char **Data, uint8_t *Tag) -> bool {
if (Addr < MemoryAddr || Addr + archMemoryTagGranuleSize() < Addr ||
Addr + archMemoryTagGranuleSize() > MemoryAddr + MemorySize)
return false;
*Data = &Memory[Addr - MemoryAddr];
*Tag = static_cast<u8>(
MemoryTags[(Addr - MemoryAddr) / archMemoryTagGranuleSize()]);
return true;
};
auto ReadBlock = [&](uptr Addr, uptr *ChunkAddr,
Chunk::UnpackedHeader *Header, const u32 **Data,
u8 *Tag) {
const char *BlockBegin;
u8 BlockBeginTag;
if (!GetGranule(Addr, &BlockBegin, &BlockBeginTag))
return false;
uptr ChunkOffset = getChunkOffsetFromBlock(BlockBegin);
*ChunkAddr = Addr + ChunkOffset;
const char *ChunkBegin;
if (!GetGranule(*ChunkAddr, &ChunkBegin, Tag))
return false;
*Header = *reinterpret_cast<const Chunk::UnpackedHeader *>(
ChunkBegin - Chunk::getHeaderSize());
*Data = reinterpret_cast<const u32 *>(ChunkBegin);
return true;
};
if (NextErrorReport == NumErrorReports)
return;
auto CheckOOB = [&](uptr BlockAddr) {
if (BlockAddr < Info.RegionBegin || BlockAddr >= Info.RegionEnd)
return false;
uptr ChunkAddr;
Chunk::UnpackedHeader Header;
const u32 *Data;
uint8_t Tag;
if (!ReadBlock(BlockAddr, &ChunkAddr, &Header, &Data, &Tag) ||
Header.State != Chunk::State::Allocated || Tag != FaultAddrTag)
return false;
auto *R = &ErrorInfo->reports[NextErrorReport++];
R->error_type =
UntaggedFaultAddr < ChunkAddr ? BUFFER_UNDERFLOW : BUFFER_OVERFLOW;
R->allocation_address = ChunkAddr;
R->allocation_size = Header.SizeOrUnusedBytes;
collectTraceMaybe(Depot, R->allocation_trace,
Data[MemTagAllocationTraceIndex]);
R->allocation_tid = Data[MemTagAllocationTidIndex];
return NextErrorReport == NumErrorReports;
};
if (CheckOOB(Info.BlockBegin))
return;
// Check for OOB in the 30 surrounding blocks. Beyond that we are likely to
// hit false positives.
for (int I = 1; I != 16; ++I)
if (CheckOOB(Info.BlockBegin + I * Info.BlockSize) ||
CheckOOB(Info.BlockBegin - I * Info.BlockSize))
return;
}
static void getRingBufferErrorInfo(struct scudo_error_info *ErrorInfo,
size_t &NextErrorReport,
uintptr_t FaultAddr,
const StackDepot *Depot,
const char *RingBufferPtr) {
auto *RingBuffer =
reinterpret_cast<const AllocationRingBuffer *>(RingBufferPtr);
uptr Pos = atomic_load_relaxed(&RingBuffer->Pos);
for (uptr I = Pos - 1; I != Pos - 1 - AllocationRingBuffer::NumEntries &&
NextErrorReport != NumErrorReports;
--I) {
auto *Entry = &RingBuffer->Entries[I % AllocationRingBuffer::NumEntries];
uptr EntryPtr = atomic_load_relaxed(&Entry->Ptr);
uptr UntaggedEntryPtr = untagPointer(EntryPtr);
uptr EntrySize = atomic_load_relaxed(&Entry->AllocationSize);
if (!EntryPtr || FaultAddr < EntryPtr - getPageSizeCached() ||
FaultAddr >= EntryPtr + EntrySize + getPageSizeCached())
continue;
u32 AllocationTrace = atomic_load_relaxed(&Entry->AllocationTrace);
u32 AllocationTid = atomic_load_relaxed(&Entry->AllocationTid);
u32 DeallocationTrace = atomic_load_relaxed(&Entry->DeallocationTrace);
u32 DeallocationTid = atomic_load_relaxed(&Entry->DeallocationTid);
// For UAF the ring buffer will contain two entries, one for the
// allocation and another for the deallocation. Don't report buffer
// overflow/underflow using the allocation entry if we have already
// collected a report from the deallocation entry.
if (!DeallocationTrace) {
bool Found = false;
for (uptr J = 0; J != NextErrorReport; ++J) {
if (ErrorInfo->reports[J].allocation_address == UntaggedEntryPtr) {
Found = true;
break;
}
}
if (Found)
continue;
}
auto *R = &ErrorInfo->reports[NextErrorReport++];
if (DeallocationTid)
R->error_type = USE_AFTER_FREE;
else if (FaultAddr < EntryPtr)
R->error_type = BUFFER_UNDERFLOW;
else
R->error_type = BUFFER_OVERFLOW;
R->allocation_address = UntaggedEntryPtr;
R->allocation_size = EntrySize;
collectTraceMaybe(Depot, R->allocation_trace, AllocationTrace);
R->allocation_tid = AllocationTid;
collectTraceMaybe(Depot, R->deallocation_trace, DeallocationTrace);
R->deallocation_tid = DeallocationTid;
}
} }
uptr getStats(ScopedString *Str) { uptr getStats(ScopedString *Str) {
Primary.getStats(Str); Primary.getStats(Str);
Secondary.getStats(Str); Secondary.getStats(Str);
Quarantine.getStats(Str); Quarantine.getStats(Str);
return Str->length(); return Str->length();
} }
}; };
} // namespace scudo } // namespace scudo
#endif // SCUDO_COMBINED_H_ #endif // SCUDO_COMBINED_H_
eugenisUnsubmitted
Not Done
ReplyInline Actions

This loop seems expensive. Why not store alloc and dealloc as two independent events? It will use a bit more memory, but given the same memory budget, dealloc events should survive longer because they will be generally closer to the end of the ring (and they are the most interesting ones).

eugenis: This loop seems expensive. Why not store alloc and dealloc as two independent events? It will…
pccAuthorUnsubmitted
Done
ReplyInline Actions

Hmm, I wouldn't expect it to be that expensive compared to the cost of the allocation itself.

I thought about storing these as two separate events but I wasn't sure that just a deallocation stack trace on its own would be useful. But having given it more thought I suppose that:

  1. We don't need to concern ourselves too much with memory usage here because secondary allocations are rare enough that we can choose a relatively small buffer size, so doubling it shouldn't matter that much
  2. Just the deallocation stack trace would be better than nothing. That being said, we could store the allocation trace and tid inline with the allocation and copy them into the ring buffer entry on deallocation. That would cost more memory, but as mentioned in 1) that should be inconsequential.

So let's go with the separate events.

pcc: Hmm, I wouldn't expect it to be that expensive compared to the cost of the allocation itself.

compiler-rt/lib/scudo/standalone/fuzz/get_error_info_fuzzer.cpp

Show All 31 Linesextern "C" int LLVMFuzzerTestOneInput(uint8_t *Data, size_t Size) {
std::string StackDepotBytes = std::string StackDepotBytes =
FDP.ConsumeRandomLengthString(FDP.remaining_bytes()); FDP.ConsumeRandomLengthString(FDP.remaining_bytes());
std::vector<char> StackDepot(sizeof(scudo::StackDepot), 0); std::vector<char> StackDepot(sizeof(scudo::StackDepot), 0);
for (size_t i = 0; i < StackDepotBytes.length() && i < StackDepot.size(); for (size_t i = 0; i < StackDepotBytes.length() && i < StackDepot.size();
++i) { ++i) {
StackDepot[i] = StackDepotBytes[i]; StackDepot[i] = StackDepotBytes[i];
} }
std::string RegionInfoBytes = FDP.ConsumeRemainingBytesAsString(); std::string RegionInfoBytes =
FDP.ConsumeRandomLengthString(FDP.remaining_bytes());
std::vector<char> RegionInfo(AllocatorT::getRegionInfoArraySize(), 0); std::vector<char> RegionInfo(AllocatorT::getRegionInfoArraySize(), 0);
for (size_t i = 0; i < RegionInfoBytes.length() && i < RegionInfo.size(); for (size_t i = 0; i < RegionInfoBytes.length() && i < RegionInfo.size();
++i) { ++i) {
RegionInfo[i] = RegionInfoBytes[i]; RegionInfo[i] = RegionInfoBytes[i];
} }
std::string RingBufferBytes = FDP.ConsumeRemainingBytesAsString();
std::vector<char> RingBuffer(AllocatorT::getRingBufferSize(), 0);
for (size_t i = 0; i < RingBufferBytes.length() && i < RingBuffer.size();
++i) {
RingBuffer[i] = RingBufferBytes[i];
}
scudo_error_info ErrorInfo; scudo_error_info ErrorInfo;
AllocatorT::getErrorInfo(&ErrorInfo, FaultAddr, StackDepot.data(), AllocatorT::getErrorInfo(&ErrorInfo, FaultAddr, StackDepot.data(),
RegionInfo.data(), Memory, MemoryTags, MemoryAddr, RegionInfo.data(), RingBuffer.data(), Memory,
MemorySize); MemoryTags, MemoryAddr, MemorySize);
return 0; return 0;
} }

compiler-rt/lib/scudo/standalone/include/scudo/interface.h

Show First 20 LinesShow All 67 Lines▼ Show 20 Lines
// //
// memory_addr is the start address of memory in the crashing process's address // memory_addr is the start address of memory in the crashing process's address
// space. // space.
// //
// memory_size is the size of the memory region referred to by the memory // memory_size is the size of the memory region referred to by the memory
// pointer. // pointer.
void __scudo_get_error_info(struct scudo_error_info *error_info, void __scudo_get_error_info(struct scudo_error_info *error_info,
uintptr_t fault_addr, const char *stack_depot, uintptr_t fault_addr, const char *stack_depot,
const char *region_info, const char *memory, const char *region_info, const char *ring_buffer,
const char *memory_tags, uintptr_t memory_addr, const char *memory, const char *memory_tags,
size_t memory_size); uintptr_t memory_addr, size_t memory_size);
enum scudo_error_type { enum scudo_error_type {
UNKNOWN, UNKNOWN,
USE_AFTER_FREE, USE_AFTER_FREE,
BUFFER_OVERFLOW, BUFFER_OVERFLOW,
BUFFER_UNDERFLOW, BUFFER_UNDERFLOW,
}; };
Show All 15 Lines
}; };
const char *__scudo_get_stack_depot_addr(); const char *__scudo_get_stack_depot_addr();
size_t __scudo_get_stack_depot_size(); size_t __scudo_get_stack_depot_size();
const char *__scudo_get_region_info_addr(); const char *__scudo_get_region_info_addr();
size_t __scudo_get_region_info_size(); size_t __scudo_get_region_info_size();
const char *__scudo_get_ring_buffer_addr();
size_t __scudo_get_ring_buffer_size();
#ifndef M_DECAY_TIME #ifndef M_DECAY_TIME
#define M_DECAY_TIME -100 #define M_DECAY_TIME -100
#endif #endif
#ifndef M_PURGE #ifndef M_PURGE
#define M_PURGE -101 #define M_PURGE -101
#endif #endif
Show All 38 Lines

compiler-rt/lib/scudo/standalone/memtag.h

Show First 20 LinesShow All 294 Lines▼ Show 20 Linesinline void setRandomTag(void *Ptr, uptr Size, uptr ExcludeMask,
*TaggedBegin = selectRandomTag(reinterpret_cast<uptr>(Ptr), ExcludeMask); *TaggedBegin = selectRandomTag(reinterpret_cast<uptr>(Ptr), ExcludeMask);
*TaggedEnd = storeTags(*TaggedBegin, *TaggedBegin + Size); *TaggedEnd = storeTags(*TaggedBegin, *TaggedBegin + Size);
} }
inline void *untagPointer(void *Ptr) { inline void *untagPointer(void *Ptr) {
return reinterpret_cast<void *>(untagPointer(reinterpret_cast<uptr>(Ptr))); return reinterpret_cast<void *>(untagPointer(reinterpret_cast<uptr>(Ptr)));
} }
inline void *loadTag(void *Ptr) {
return reinterpret_cast<void *>(loadTag(reinterpret_cast<uptr>(Ptr)));
}
inline void *addFixedTag(void *Ptr, uptr Tag) {
return reinterpret_cast<void *>(
addFixedTag(reinterpret_cast<uptr>(Ptr), Tag));
}
template <typename Config> template <typename Config>
inline constexpr bool allocatorSupportsMemoryTagging() { inline constexpr bool allocatorSupportsMemoryTagging() {
return archSupportsMemoryTagging() && Config::MaySupportMemoryTagging; return archSupportsMemoryTagging() && Config::MaySupportMemoryTagging;
} }
} // namespace scudo } // namespace scudo
#endif #endif

compiler-rt/lib/scudo/standalone/wrappers_c_bionic.cpp

Show First 20 LinesShow All 42 Lines▼ Show 20 Lines
#include "wrappers_c.inc" #include "wrappers_c.inc"
#undef SCUDO_ALLOCATOR #undef SCUDO_ALLOCATOR
#undef SCUDO_PREFIX #undef SCUDO_PREFIX
// TODO(kostyak): support both allocators. // TODO(kostyak): support both allocators.
INTERFACE void __scudo_print_stats(void) { Allocator.printStats(); } INTERFACE void __scudo_print_stats(void) { Allocator.printStats(); }
INTERFACE void __scudo_get_error_info( INTERFACE void
struct scudo_error_info *error_info, uintptr_t fault_addr, __scudo_get_error_info(struct scudo_error_info *error_info,
const char *stack_depot, const char *region_info, const char *memory, uintptr_t fault_addr, const char *stack_depot,
const char *memory_tags, uintptr_t memory_addr, size_t memory_size) { const char *region_info, const char *ring_buffer,
const char *memory, const char *memory_tags,
uintptr_t memory_addr, size_t memory_size) {
Allocator.getErrorInfo(error_info, fault_addr, stack_depot, region_info, Allocator.getErrorInfo(error_info, fault_addr, stack_depot, region_info,
memory, memory_tags, memory_addr, memory_size); ring_buffer, memory, memory_tags, memory_addr,
memory_size);
} }
INTERFACE const char *__scudo_get_stack_depot_addr() { INTERFACE const char *__scudo_get_stack_depot_addr() {
return Allocator.getStackDepotAddress(); return Allocator.getStackDepotAddress();
} }
INTERFACE size_t __scudo_get_stack_depot_size() { INTERFACE size_t __scudo_get_stack_depot_size() {
return sizeof(scudo::StackDepot); return sizeof(scudo::StackDepot);
} }
INTERFACE const char *__scudo_get_region_info_addr() { INTERFACE const char *__scudo_get_region_info_addr() {
return Allocator.getRegionInfoArrayAddress(); return Allocator.getRegionInfoArrayAddress();
} }
INTERFACE size_t __scudo_get_region_info_size() { INTERFACE size_t __scudo_get_region_info_size() {
return Allocator.getRegionInfoArraySize(); return Allocator.getRegionInfoArraySize();
} }
INTERFACE const char *__scudo_get_ring_buffer_addr() {
return Allocator.getRingBufferAddress();
}
INTERFACE size_t __scudo_get_ring_buffer_size() {
return Allocator.getRingBufferSize();
}
#endif // SCUDO_ANDROID && _BIONIC #endif // SCUDO_ANDROID && _BIONIC