caio/clang-p2996
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dda73336ad22bd0b5ecda17040c50fb10fcbe5fb
clang-p2996/compiler-rt/lib/gwp_asan/optional/segv_handler_posix.cpp
Mitch Phillips bc949f923e [GWP-ASan] Handle wild touches of the guarded pool. 
AllocMeta could be null when returned from __gwp_asan_get_metadata() for
a bad access into the GuardedPagePool that was never allocated.
Currently, then we dereference the null pointer, oops.

Hoist the check up and print a message (only once in recoverable mode)
about the bad memory access.

Reviewed By: fmayer

Differential Revision: https://reviews.llvm.org/D144973
2023-02-28 14:05:51 -08:00

270 lines
10 KiB
C++
Raw Blame History

//===-- segv_handler_posix.cpp ----------------------------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#include "gwp_asan/common.h"
#include "gwp_asan/crash_handler.h"
#include "gwp_asan/guarded_pool_allocator.h"
#include "gwp_asan/optional/segv_handler.h"
#include "gwp_asan/options.h"
// RHEL creates the PRIu64 format macro (for printing uint64_t's) only when this
// macro is defined before including <inttypes.h>.
#ifndef __STDC_FORMAT_MACROS
#define __STDC_FORMAT_MACROS 1
#endif
#include <assert.h>
#include <inttypes.h>
#include <signal.h>
#include <stdio.h>
using gwp_asan::AllocationMetadata;
using gwp_asan::Error;
using gwp_asan::GuardedPoolAllocator;
using gwp_asan::Printf_t;
using gwp_asan::backtrace::PrintBacktrace_t;
using gwp_asan::backtrace::SegvBacktrace_t;
namespace {
struct ScopedEndOfReportDecorator {
ScopedEndOfReportDecorator(gwp_asan::Printf_t Printf) : Printf(Printf) {}
~ScopedEndOfReportDecorator() { Printf("*** End GWP-ASan report ***\n"); }
gwp_asan::Printf_t Printf;
};
// Prints the provided error and metadata information.
void printHeader(Error E, uintptr_t AccessPtr,
const gwp_asan::AllocationMetadata *Metadata,
Printf_t Printf) {
// Print using intermediate strings. Platforms like Android don't like when
// you print multiple times to the same line, as there may be a newline
// appended to a log file automatically per Printf() call.
constexpr size_t kDescriptionBufferLen = 128;
char DescriptionBuffer[kDescriptionBufferLen] = "";
bool AccessWasInBounds = false;
if (E != Error::UNKNOWN && Metadata != nullptr) {
uintptr_t Address = __gwp_asan_get_allocation_address(Metadata);
size_t Size = __gwp_asan_get_allocation_size(Metadata);
if (AccessPtr < Address) {
snprintf(DescriptionBuffer, kDescriptionBufferLen,
"(%zu byte%s to the left of a %zu-byte allocation at 0x%zx) ",
Address - AccessPtr, (Address - AccessPtr == 1) ? "" : "s", Size,
Address);
} else if (AccessPtr > Address) {
snprintf(DescriptionBuffer, kDescriptionBufferLen,
"(%zu byte%s to the right of a %zu-byte allocation at 0x%zx) ",
AccessPtr - Address, (AccessPtr - Address == 1) ? "" : "s", Size,
Address);
} else if (E == Error::DOUBLE_FREE) {
snprintf(DescriptionBuffer, kDescriptionBufferLen,
"(a %zu-byte allocation) ", Size);
} else {
AccessWasInBounds = true;
snprintf(DescriptionBuffer, kDescriptionBufferLen,
"(%zu byte%s into a %zu-byte allocation at 0x%zx) ",
AccessPtr - Address, (AccessPtr - Address == 1) ? "" : "s", Size,
Address);
}
}
// Possible number of digits of a 64-bit number: ceil(log10(2^64)) == 20. Add
// a null terminator, and round to the nearest 8-byte boundary.
uint64_t ThreadID = gwp_asan::getThreadID();
constexpr size_t kThreadBufferLen = 24;
char ThreadBuffer[kThreadBufferLen];
if (ThreadID == gwp_asan::kInvalidThreadID)
snprintf(ThreadBuffer, kThreadBufferLen, "<unknown>");
else
snprintf(ThreadBuffer, kThreadBufferLen, "%" PRIu64, ThreadID);
const char *OutOfBoundsAndUseAfterFreeWarning = "";
if (E == Error::USE_AFTER_FREE && !AccessWasInBounds) {
OutOfBoundsAndUseAfterFreeWarning =
" (warning: buffer overflow/underflow detected on a free()'d "
"allocation. This either means you have a buffer-overflow and a "
"use-after-free at the same time, or you have a long-lived "
"use-after-free bug where the allocation/deallocation metadata below "
"has already been overwritten and is likely bogus)";
}
Printf("%s%s at 0x%zx %sby thread %s here:\n", gwp_asan::ErrorToString(E),
OutOfBoundsAndUseAfterFreeWarning, AccessPtr, DescriptionBuffer,
ThreadBuffer);
}
static bool HasReportedBadPoolAccess = false;
static const char *kUnknownCrashText =
"GWP-ASan cannot provide any more information about this error. This may "
"occur due to a wild memory access into the GWP-ASan pool, or an "
"overflow/underflow that is > 512B in length.\n";
void dumpReport(uintptr_t ErrorPtr, const gwp_asan::AllocatorState *State,
const gwp_asan::AllocationMetadata *Metadata,
SegvBacktrace_t SegvBacktrace, Printf_t Printf,
PrintBacktrace_t PrintBacktrace, void *Context) {
assert(State && "dumpReport missing Allocator State.");
assert(Metadata && "dumpReport missing Metadata.");
assert(Printf && "dumpReport missing Printf.");
assert(__gwp_asan_error_is_mine(State, ErrorPtr) &&
"dumpReport() called on a non-GWP-ASan error.");
uintptr_t InternalErrorPtr =
__gwp_asan_get_internal_crash_address(State, ErrorPtr);
if (InternalErrorPtr)
ErrorPtr = InternalErrorPtr;
const gwp_asan::AllocationMetadata *AllocMeta =
__gwp_asan_get_metadata(State, Metadata, ErrorPtr);
if (AllocMeta == nullptr) {
if (HasReportedBadPoolAccess) return;
HasReportedBadPoolAccess = true;
Printf("*** GWP-ASan detected a memory error ***\n");
ScopedEndOfReportDecorator Decorator(Printf);
Printf(kUnknownCrashText);
return;
}
// It's unusual for a signal handler to be invoked multiple times for the same
// allocation, but it's possible in various scenarios, like:
// 1. A double-free or invalid-free was invoked in one thread at the same
// time as a buffer-overflow or use-after-free in another thread, or
// 2. Two threads do a use-after-free or buffer-overflow at the same time.
// In these instances, we've already dumped a report for this allocation, so
// skip dumping this issue as well.
if (AllocMeta->HasCrashed)
return;
Printf("*** GWP-ASan detected a memory error ***\n");
ScopedEndOfReportDecorator Decorator(Printf);
Error E = __gwp_asan_diagnose_error(State, Metadata, ErrorPtr);
if (E == Error::UNKNOWN) {
Printf(kUnknownCrashText);
return;
}
// Print the error header.
printHeader(E, ErrorPtr, AllocMeta, Printf);
// Print the fault backtrace.
static constexpr unsigned kMaximumStackFramesForCrashTrace = 512;
uintptr_t Trace[kMaximumStackFramesForCrashTrace];
size_t TraceLength =
SegvBacktrace(Trace, kMaximumStackFramesForCrashTrace, Context);
PrintBacktrace(Trace, TraceLength, Printf);
// Maybe print the deallocation trace.
if (__gwp_asan_is_deallocated(AllocMeta)) {
uint64_t ThreadID = __gwp_asan_get_deallocation_thread_id(AllocMeta);
if (ThreadID == gwp_asan::kInvalidThreadID)
Printf("0x%zx was deallocated by thread <unknown> here:\n", ErrorPtr);
else
Printf("0x%zx was deallocated by thread %zu here:\n", ErrorPtr, ThreadID);
TraceLength = __gwp_asan_get_deallocation_trace(
AllocMeta, Trace, kMaximumStackFramesForCrashTrace);
PrintBacktrace(Trace, TraceLength, Printf);
}
// Print the allocation trace.
uint64_t ThreadID = __gwp_asan_get_allocation_thread_id(AllocMeta);
if (ThreadID == gwp_asan::kInvalidThreadID)
Printf("0x%zx was allocated by thread <unknown> here:\n", ErrorPtr);
else
Printf("0x%zx was allocated by thread %zu here:\n", ErrorPtr, ThreadID);
TraceLength = __gwp_asan_get_allocation_trace(
AllocMeta, Trace, kMaximumStackFramesForCrashTrace);
PrintBacktrace(Trace, TraceLength, Printf);
}
struct sigaction PreviousHandler;
bool SignalHandlerInstalled;
bool RecoverableSignal;
gwp_asan::GuardedPoolAllocator *GPAForSignalHandler;
Printf_t PrintfForSignalHandler;
PrintBacktrace_t PrintBacktraceForSignalHandler;
SegvBacktrace_t BacktraceForSignalHandler;
static void sigSegvHandler(int sig, siginfo_t *info, void *ucontext) {
const gwp_asan::AllocatorState *State =
GPAForSignalHandler->getAllocatorState();
void *FaultAddr = info->si_addr;
uintptr_t FaultAddrUPtr = reinterpret_cast<uintptr_t>(FaultAddr);
if (__gwp_asan_error_is_mine(State, FaultAddrUPtr)) {
GPAForSignalHandler->preCrashReport(FaultAddr);
dumpReport(FaultAddrUPtr, State, GPAForSignalHandler->getMetadataRegion(),
BacktraceForSignalHandler, PrintfForSignalHandler,
PrintBacktraceForSignalHandler, ucontext);
if (RecoverableSignal) {
GPAForSignalHandler->postCrashReportRecoverableOnly(FaultAddr);
return;
}
}
// Process any previous handlers as long as the crash wasn't a GWP-ASan crash
// in recoverable mode.
if (PreviousHandler.sa_flags & SA_SIGINFO) {
PreviousHandler.sa_sigaction(sig, info, ucontext);
} else if (PreviousHandler.sa_handler == SIG_DFL) {
// If the previous handler was the default handler, cause a core dump.
signal(SIGSEGV, SIG_DFL);
raise(SIGSEGV);
} else if (PreviousHandler.sa_handler == SIG_IGN) {
// If the previous segv handler was SIGIGN, crash iff we were responsible
// for the crash.
if (__gwp_asan_error_is_mine(GPAForSignalHandler->getAllocatorState(),
reinterpret_cast<uintptr_t>(info->si_addr))) {
signal(SIGSEGV, SIG_DFL);
raise(SIGSEGV);
}
} else {
PreviousHandler.sa_handler(sig);
}
}
} // anonymous namespace
namespace gwp_asan {
namespace segv_handler {
void installSignalHandlers(gwp_asan::GuardedPoolAllocator *GPA, Printf_t Printf,
PrintBacktrace_t PrintBacktrace,
SegvBacktrace_t SegvBacktrace, bool Recoverable) {
assert(GPA && "GPA wasn't provided to installSignalHandlers.");
assert(Printf && "Printf wasn't provided to installSignalHandlers.");
assert(PrintBacktrace &&
"PrintBacktrace wasn't provided to installSignalHandlers.");
assert(SegvBacktrace &&
"SegvBacktrace wasn't provided to installSignalHandlers.");
GPAForSignalHandler = GPA;
PrintfForSignalHandler = Printf;
PrintBacktraceForSignalHandler = PrintBacktrace;
BacktraceForSignalHandler = SegvBacktrace;
RecoverableSignal = Recoverable;
struct sigaction Action = {};
Action.sa_sigaction = sigSegvHandler;
Action.sa_flags = SA_SIGINFO;
sigaction(SIGSEGV, &Action, &PreviousHandler);
SignalHandlerInstalled = true;
}
void uninstallSignalHandlers() {
if (SignalHandlerInstalled) {
sigaction(SIGSEGV, &PreviousHandler, nullptr);
SignalHandlerInstalled = false;
}
}
} // namespace segv_handler
} // namespace gwp_asan
Reference in New Issue View Git Blame Copy Permalink