[PATCH] D50655: [scudo] Fix race condition in deallocation path when Quarantine is bypassed

Kostya Kortchinsky via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Mon Aug 13 11:37:24 PDT 2018


cryptoad created this revision.
cryptoad added reviewers: alekseyshl, eugenis.
Herald added subscribers: Sanitizers, delcypher.

There is a race window in the deallocation path when the Quarantine is bypassed.
Initially we would just erase the header of a chunk if we were not to use the
Quarantine, as opposed to using a compare-exchange primitive, to make things
faster.

It turned out to be a poor decision, as 2 threads (or more) could simultaneously
deallocate the same pointer, and if the checks were to be done before the header
got erased, this would result in the pointer being added twice (or more) to
distinct thread caches, and eventually be reused.

Winning the race is not trivial but can happen with enough control over the
allocation primitives. The repro added attempts to trigger the bug, with a
moderate success rate, but it should be enough to notice if the bug ever makes
its way back into the code.

Since I am changing things in this file, there are 2 smaller changes tagging
along, marking a variable `const`, and improving the Quarantine bypass test at
runtime.


Repository:
  rCRT Compiler Runtime

https://reviews.llvm.org/D50655

Files:
  lib/scudo/scudo_allocator.cpp
  test/scudo/dealloc-race.c

-------------- next part --------------
A non-text attachment was scrubbed...
Name: D50655.160416.patch
Type: text/x-patch
Size: 3832 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20180813/a72bc08c/attachment-0001.bin>
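The race described in the message above, modelled as an added example (this is not the scudo patch itself, whose diff is only attached, and not code from the scudo project). Two simulated deallocating threads each run a "check" step (read the chunk header state) and a "claim" step; a schedule string drives the interleaving deterministically. The pre-fix variant claims the chunk with a plain store after the check, so the interleaving check/check/claim/claim pushes the same chunk into two thread caches. The fixed variant claims with a compare-exchange, so exactly one thread wins and the other observes the chunk already freed. The header layout, the thread-cache counter and the `CHUNK_*` states are constructed stand-ins, not scudo's real structures.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed chunk states; real scudo headers carry more fields than this. */
enum { CHUNK_AVAILABLE = 0, CHUNK_ALLOCATED = 1 };

typedef struct {
    _Atomic uint32_t state;     /* the only header word this model needs */
} chunk_header_t;

/* One simulated deallocating thread: runs the check step, then the claim step. */
typedef struct {
    chunk_header_t *hdr;
    int step;                   /* 0 = not started, 1 = checks done, 2 = finished */
    bool checks_passed;
    int cache_pushes;           /* times this thread pushed the chunk into its cache */
    int double_frees_detected;  /* times the claim found the chunk already freed */
} dealloc_thread_t;

typedef struct {
    int pushes;                 /* total pushes to thread caches: 1 is correct, 2 is a double free */
    int detected;               /* double frees reported by the CAS variant */
} sim_result_t;

/* Pre-fix behaviour: check the state, then erase the header with a plain store.
 * Nothing ties the store to the value that was checked, so two threads whose
 * checks both passed will both push the chunk into their caches. */
static void step_plain_erase(dealloc_thread_t *t) {
    if (t->step == 0) {
        t->checks_passed = atomic_load(&t->hdr->state) == CHUNK_ALLOCATED;
        t->step = 1;
    } else if (t->step == 1) {
        if (t->checks_passed) {
            atomic_store(&t->hdr->state, CHUNK_AVAILABLE);
            t->cache_pushes++;
        }
        t->step = 2;
    }
}

/* Fixed behaviour: claim the chunk with compare-exchange ALLOCATED -> AVAILABLE.
 * Only the thread whose CAS succeeds pushes; a failed CAS means another thread
 * already freed the chunk, which is exactly the double free to report. */
static void step_compare_exchange(dealloc_thread_t *t) {
    if (t->step == 0) {
        t->checks_passed = atomic_load(&t->hdr->state) == CHUNK_ALLOCATED;
        t->step = 1;
    } else if (t->step == 1) {
        if (t->checks_passed) {
            uint32_t expected = CHUNK_ALLOCATED;
            if (atomic_compare_exchange_strong(&t->hdr->state, &expected, CHUNK_AVAILABLE))
                t->cache_pushes++;
            else
                t->double_frees_detected++;
        }
        t->step = 2;
    }
}

/* Drive two threads through `schedule`: each character '0' or '1' advances that
 * thread by one step. Four characters cover both threads' check and claim steps. */
sim_result_t run_schedule(const char *schedule, bool use_cas) {
    chunk_header_t hdr;
    atomic_init(&hdr.state, CHUNK_ALLOCATED);
    dealloc_thread_t th[2] = { { .hdr = &hdr }, { .hdr = &hdr } };
    for (const char *p = schedule; *p; p++) {
        dealloc_thread_t *t = &th[*p - '0'];
        if (use_cas) step_compare_exchange(t); else step_plain_erase(t);
    }
    sim_result_t r = {
        th[0].cache_pushes + th[1].cache_pushes,
        th[0].double_frees_detected + th[1].double_frees_detected
    };
    return r;
}

int main(void) {
    const char *schedules[] = { "0011", "0101", "0110" };
    for (size_t i = 0; i < sizeof schedules / sizeof *schedules; i++) {
        sim_result_t plain = run_schedule(schedules[i], false);
        sim_result_t cas = run_schedule(schedules[i], true);
        printf("schedule %s: plain-erase pushes=%d  cas pushes=%d detected=%d\n",
               schedules[i], plain.pushes, cas.pushes, cas.detected);
    }
    return 0;
}
```

The sequential schedule `0011` is harmless under both variants; the interleaved schedules `0101` and `0110` (both checks run before either claim) are the window the message refers to. The compare-exchange variant never yields more than one push regardless of interleaving, which is the property the fix restores and the property a regression test such as the attached `dealloc-race.c` tries to exercise with real threads.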

