Commit Graph

88 Commits

Author SHA1 Message Date
Kostya Serebryany
ee9bb8761c [hwasan] On every use-after-free print a developer note: the index of this heap object in the thread's deallocation ring buffer. Mostly useful to hwasan developers, will hopefully let us know the good size of the deallocation ring buffer
llvm-svn: 342014
2018-09-12 00:58:15 +00:00
Evgeniy Stepanov
d263cb8ea1 [hwasan] Export memory stats through /proc/$PID/maps.
Adds a line to /proc/$PID/maps with more or less up-to-date memory
stats of the process.

llvm-svn: 341735
2018-09-08 00:11:12 +00:00
Evgeniy Stepanov
5b332abd66 [hwasan] Fix malloc overflow detection.
Check size limit before rounding up, otherwise malloc((size_t)-1)
would happily allocate 0 bytes.

Steal a nice test case from scudo.

llvm-svn: 341612
2018-09-07 00:27:11 +00:00
Kostya Serebryany
f9ec62cb3a [hwasan] change the thread list so that main_thread can also be removed
llvm-svn: 341610
2018-09-07 00:16:55 +00:00
Evgeniy Stepanov
fe4808eba7 [hwasan] Remove allocator interceptors.
Summary:
When building without COMPILER_RT_HWASAN_WITH_INTERCEPTORS, skip
interceptors for malloc/free/etc and only export their versions with
__sanitizer_ prefix.

Also remove a hack in mallinfo() interceptor that does not apply to
hwasan.

Reviewers: kcc

Subscribers: kubamracek, krytarowski, llvm-commits

Differential Revision: https://reviews.llvm.org/D51711

llvm-svn: 341598
2018-09-06 22:53:08 +00:00
Kostya Serebryany
f1f556c179 [hwasan] fix pthread_exit
llvm-svn: 341594
2018-09-06 22:13:43 +00:00
Kostya Serebryany
950a1a3936 [hwasan] introduce __hwasan_print_memory_usage
llvm-svn: 341592
2018-09-06 22:08:41 +00:00
Kostya Serebryany
68902c7050 [hwasan] when verbose_threads==1, print the memory usage per thread
llvm-svn: 341507
2018-09-05 23:52:31 +00:00
Kostya Serebryany
b29d42ee31 [hwasan] simplify the code, NFC
llvm-svn: 341501
2018-09-05 23:22:38 +00:00
Evgeniy Stepanov
6afce6a438 [hwasan] Don't handle signals on Android.
Sigtrap is used for error reporting, but all other signals are better
left for the platform.

In particular, sanitizer signal handlers do not dump registers or
memory which makes debugging harder for no good reason.

llvm-svn: 341500
2018-09-05 22:46:19 +00:00
Kostya Serebryany
ee0e2f8323 [hwasan] revert r341435 as it breaks the bot on aarch64
llvm-svn: 341441
2018-09-05 01:29:08 +00:00
Kostya Serebryany
c12cc9b85c [hwasan] fix colored output
llvm-svn: 341440
2018-09-05 01:27:48 +00:00
Kostya Serebryany
5d05be84b7 [hwasan] print thread IDs when reporting a bug (also had to fix pthread_create on Linux)
llvm-svn: 341438
2018-09-05 01:16:50 +00:00
Kostya Serebryany
9fbedcad71 [hwasan] use real TLS on linux to store the current thread -- this way we can call t->Destroy in __hwasan_thread_exit, same as on Android
llvm-svn: 341435
2018-09-05 00:17:23 +00:00
Kostya Serebryany
2768b52117 [hwasan] simplify the code, NFC
llvm-svn: 341432
2018-09-05 00:01:45 +00:00
Kostya Serebryany
c551220de8 [hwasan] remove stale Thread:: data members. While doing so noticed that GetThreadStackAndTls was always called with 'at_initialization=true', fixed that.
llvm-svn: 341431
2018-09-04 23:57:09 +00:00
Kostya Serebryany
3d8f49a6bf [hwasan] add a unique id to a thread and add debug prints for thread creation/destruction
llvm-svn: 341428
2018-09-04 23:26:08 +00:00
Evgeniy Stepanov
5abf7d90ac [hwasan] Fix new[] with zero size.
Fixes "allocator is out of memory trying to allocate 0x0 bytes" by
always allocating at least one byte.

llvm-svn: 341229
2018-08-31 17:49:49 +00:00
Kostya Serebryany
f0965c3af4 [hwasan] move code around to remove an opaque class definition (HwasanThreadLocalMallocStorage) that had incorrect size and used 10x more than needed RAM (500K instead of 50K per thread)
llvm-svn: 341170
2018-08-31 06:08:48 +00:00
Kostya Serebryany
bca94773b7 [hwasan] simplify the code, NFC
llvm-svn: 341166
2018-08-31 05:55:18 +00:00
Kostya Serebryany
53cb061b32 [hwasan] report heap-buffer-overflow location, once, not once per each live thread
llvm-svn: 341160
2018-08-31 03:29:09 +00:00
Kostya Serebryany
1e2ec57803 [hwasan] properly report heap-buffer-overflow
llvm-svn: 341159
2018-08-31 03:18:31 +00:00
Kostya Serebryany
e775a3ee42 [hwasan] fix the build on Linux Ubuntu 14.04. We don't need __hwasan_shadow on Linux at all
llvm-svn: 341158
2018-08-31 02:38:23 +00:00
Kostya Serebryany
f8be3fa5b6 [hwasan] make malloc(0) return nullptr, add basic address description for stack addresses
llvm-svn: 341156
2018-08-31 01:38:00 +00:00
Kostya Serebryany
347b989cef [hwasan] fix the linux-only pthread_create interceptor and reinstate the two threaded tests
llvm-svn: 341143
2018-08-30 23:22:26 +00:00
Kostya Serebryany
e6507f02a0 [hwasan] use thread-local ring buffers to properly report heap-use-after-free
llvm-svn: 341133
2018-08-30 22:11:56 +00:00
Kostya Serebryany
c359d9b8fa [hwasan] simplify the thread hangling: instead of the ThreadRegistry (too heavy) simply maintain a linked list of Threads
llvm-svn: 341111
2018-08-30 20:15:39 +00:00
Kostya Serebryany
a4132df0ee [hwasan] add a simple threaded UAF test, make it work on x86 (need to disable tagging in malloc with inside pthread_create)
llvm-svn: 341007
2018-08-30 00:44:55 +00:00
Kostya Serebryany
d0cd2db23b [hwasan] add basic ThreadRegistry plumbing, also rename HwasanThread to Thread
llvm-svn: 341005
2018-08-30 00:13:20 +00:00
Kostya Serebryany
a050a8da03 [hwasan] remove even more stale code
llvm-svn: 340989
2018-08-29 22:54:52 +00:00
Kostya Serebryany
87bc568eca [hwasan] remove more stale code
llvm-svn: 340985
2018-08-29 22:47:53 +00:00
Kostya Serebryany
1e4498869d [hwasan] get rid of some macros, remove the fixed shadow mapping
llvm-svn: 340983
2018-08-29 22:42:16 +00:00
Kostya Serebryany
5d26313ce0 [hwasan] formatting change, NFC
llvm-svn: 340980
2018-08-29 22:23:34 +00:00
Kostya Serebryany
ab62b59a76 [hwasan] rename some variables and functions for better readability, NFC
llvm-svn: 340979
2018-08-29 22:21:22 +00:00
Kostya Serebryany
fd48b7d558 [hwasan] simplify the realloc implementation: always allocate/deallocate on realloc. This may slowdown some realloc-heavy code, but at least at this point a want simpler code. Also added a test
llvm-svn: 340973
2018-08-29 21:28:14 +00:00
Kostya Serebryany
51e1a83850 Add a thread-local ring buffer of heap allocations
Summary:
We need this in order to properly report heap-use-after-free,
since we don't have a quarantine.

This is a first part of the code, more like a proof of concept.
But I'd like to commit at as is and proceed with refactoring,
adding a ThreadRegistry, and extending the functionality.

Reviewers: eugenis

Subscribers: kubamracek, delcypher, #sanitizers, llvm-commits

Differential Revision: https://reviews.llvm.org/D51394

llvm-svn: 340971
2018-08-29 21:07:07 +00:00
Kostya Kortchinsky
65e1bcf2b2 [sanitizer] Revert D50940
Summary:
The previous version of the patch makes some code unable to distinguish
failure to map address 0 and error.
Revert to turn the bots back to green while figuring out a new approach.

Reviewers: eugenis

Reviewed By: eugenis

Subscribers: kubamracek, delcypher, #sanitizers, llvm-commits

Differential Revision: https://reviews.llvm.org/D51451

llvm-svn: 340957
2018-08-29 19:41:28 +00:00
Kostya Serebryany
a7c3846a2e [hwasan] implement detection of realloc-after-free
llvm-svn: 340593
2018-08-24 01:44:17 +00:00
Kostya Serebryany
c5f98d2ab2 [hwasan] implement detection of double-free (invalid-free)
llvm-svn: 340591
2018-08-24 01:12:26 +00:00
Kostya Kortchinsky
14b838a1ca [sanitizer] Change Mmap*NoAccess to return nullptr on error
Summary:
`MmapNoAccess` & `MmapFixedNoAccess` return directly the result of
`internal_mmap`, as opposed to other Mmap functions that return nullptr.

This inconsistency leads to some confusion for the callers, as some check for
`~(uptr)0` (`MAP_FAILED`) for failure (while it can fail with `-ENOMEM` for
example).

Two potential solutions: change the callers, or make the functions return
`nullptr` on failure to follow the precedent set by the other functions.
The second option looked more appropriate to me.

Correct the callers that were wrongly checking for `~(uptr)0` or
`MAP_FAILED`.

TODO for follow up CLs:
- There are a couple of `internal_mmap` calls in XRay that check for
  MMAP_FAILED as a result as well (cc: @dberris); they should use
  `internal_iserror`;


Reviewers: eugenis, alekseyshl, dberris, kubamracek

Reviewed By: alekseyshl

Subscribers: kristina, kubamracek, delcypher, #sanitizers, dberris, llvm-commits

Differential Revision: https://reviews.llvm.org/D50940

llvm-svn: 340576
2018-08-23 21:13:39 +00:00
Kostya Serebryany
e2efbbe571 [hwasan] make error reporting look more like in asan, print the memory tag around the buggy access, simplify one test
llvm-svn: 340470
2018-08-22 22:55:16 +00:00
Kostya Serebryany
bb4cf6e1e1 [hwasan] remove stale data field
llvm-svn: 340442
2018-08-22 19:47:19 +00:00
Evgeniy Stepanov
4f0e10fff9 [hwasan] Add a (almost) no-interceptor mode.
Summary:
The idea behind this change is to allow sanitization of libc. We are prototyping on Bionic,
but the tool interface will be general enough (or at least generalizable) to support any other libc.

When libc depends on libclang_rt.hwasan, the latter can not interpose libc functions.
In fact, majority of interceptors become unnecessary when libc code is instrumented.

This change gets rid of most hwasan interceptors and provides interface for libc to notify
hwasan about thread creation and destruction events. Some interceptors (pthread_create)
are kept under #ifdef to enable testing with uninstrumented libc. They are expressed in
terms of the new libc interface.

The new cmake switch, COMPILER_RT_HWASAN_WITH_INTERCEPTORS, ON by default, builds testing
version of the library with the aforementioned pthread_create interceptor.
With the OFF setting, the library becomes more of a libc plugin.

Reviewers: vitalybuka, kcc, jfb

Subscribers: srhines, kubamracek, mgorny, jfb, llvm-commits

Differential Revision: https://reviews.llvm.org/D50922

llvm-svn: 340216
2018-08-20 21:49:15 +00:00
Evgeniy Stepanov
37fb896572 Revert "Revert "[hwasan] Add __hwasan_handle_longjmp.""
This reapplies commit r339935 with the following changes:
* make longjmp test C, not C++, to avoid dependency on libc++/libstdc++
* untag pointer in memset interceptor

x86_64 does not have TBI, so hwasan barely works there. Tests must be carefully
written in a way that does not leak tagged pointer to system libraries.

llvm-svn: 339963
2018-08-16 23:17:14 +00:00
Evgeniy Stepanov
7f9b4af184 Revert "[hwasan] Add __hwasan_handle_longjmp."
This reverts commit 339935 which breaks hwasan tests on x86_64.

llvm-svn: 339957
2018-08-16 22:28:02 +00:00
Evgeniy Stepanov
628e766ca3 [hwasan] Enable Android logging.
Summary: Enable syslog as soon as the shadow is mapped.

Reviewers: vitalybuka, kcc

Subscribers: srhines, kubamracek, llvm-commits

Differential Revision: https://reviews.llvm.org/D50865

llvm-svn: 339950
2018-08-16 21:56:04 +00:00
Evgeniy Stepanov
8bb383f1fb [hwasan] Add __hwasan_handle_longjmp.
Summary:
A callback to annotate longjmp-like code.

Unlike __asan_handle_no_return, in hwasan we can not conservatively
"unpoison" the entire thread stack, because there is no such thing as
unpoisoned memory. Pointer and memory tags must always match.

Reviewers: vitalybuka, kcc

Subscribers: kubamracek, llvm-commits

Differential Revision: https://reviews.llvm.org/D50752

llvm-svn: 339935
2018-08-16 20:46:41 +00:00
Evgeniy Stepanov
fa9f78553a [hwasan] Add malloc_fill_byte and free_fill_byte flags.
Reviewers: vitalybuka, kcc

Subscribers: kubamracek, llvm-commits

Differential Revision: https://reviews.llvm.org/D50753

llvm-svn: 339932
2018-08-16 20:13:09 +00:00
Evgeniy Stepanov
a265a13bbe [hwasan] Add a basic API.
Summary:
Add user tag manipulation functions:
  __hwasan_tag_memory
  __hwasan_tag_pointer
  __hwasan_print_shadow (very simple and ugly, for now)

Reviewers: vitalybuka, kcc

Subscribers: kubamracek, hiraditya, llvm-commits

Differential Revision: https://reviews.llvm.org/D50746

llvm-svn: 339746
2018-08-15 00:39:35 +00:00
Evgeniy Stepanov
d8cc7f9f07 [hwasan] Provide __sanitizer_* aliases to allocator functions.
Summary:
Export __sanitizer_malloc, etc as aliases to malloc, etc.
This way users can wrap sanitizer malloc, even in fully static binaries.

Both jemalloc and tcmalloc provide similar aliases (je_* and tc_*).

Reviewers: vitalybuka, kcc

Subscribers: llvm-commits, kubamracek

Differential Revision: https://reviews.llvm.org/D50570

llvm-svn: 339614
2018-08-13 21:07:27 +00:00