[PATCH] D77283: scudo: Add support for diagnosing memory errors when memory tagging is enabled.
Mitch Phillips via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Thu Apr 2 14:06:43 PDT 2020
hctim added inline comments.
================
Comment at: compiler-rt/lib/scudo/standalone/combined.h:739
+
+ static void getErrorInfo(struct scudo_error_info *ErrorInfo, uintptr_t Ptr,
+ const char *DepotPtr, const char *RegionInfoPtr,
----------------
This function makes me a little nervous, as it makes the assumption that the pointers we're provided are valid structs.
Especially in async mode, we can't make that assumption. Given that an attacker may have arbitrary write for some amount of time between fault and trap time, they have full access to whatever structs the crash handler is about to blindly use.
We should validate all these input structs for validity before operating on them. This function should be highly tested, and highly fuzzed. Thankfully, the crash handler on Android is always spawned with less privileges than the crashed process, but RCE in the crash handler is still no fun.
Repository:
rG LLVM Github Monorepo
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D77283/new/
https://reviews.llvm.org/D77283
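An added example (not scudo's code and not part of this review) of the pattern the comment above asks for: a crash handler that receives a copied-in region table from the crashed process and refuses to read any field until the whole blob has been validated. The `region_blob_hdr` / `region_entry` layout, the magic value, the `MAX_REGIONS` bound and the sample addresses are all hypothetical stand-ins for whatever `RegionInfoPtr` and `DepotPtr` actually point at; the only point is that each field is read only after the check that makes reading it safe.

```c
/* Added example, not scudo's code.  The blob layout below is hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BLOB_MAGIC   0x52494E46u   /* "RINF": hypothetical header magic */
#define BLOB_VERSION 1u
#define MAX_REGIONS  64u           /* hypothetical upper bound on table size */

/* Hypothetical layout of the region table handed to the crash handler. */
struct region_entry {
  uint64_t base;   /* region start address in the crashed process */
  uint64_t size;   /* region length in bytes */
};

struct region_blob_hdr {
  uint32_t magic;
  uint32_t version;
  uint32_t region_count;
  uint32_t total_size;   /* must equal header + region_count * entry size */
};

enum blob_status {
  BLOB_OK = 0, BLOB_NULL, BLOB_TOO_SHORT, BLOB_MISALIGNED, BLOB_BAD_MAGIC,
  BLOB_BAD_VERSION, BLOB_BAD_COUNT, BLOB_SIZE_MISMATCH, BLOB_BAD_ENTRY
};

/* Validate an untrusted blob of `len` bytes.  Fields are copied out with
 * memcpy and checked in dependency order; nothing is dereferenced on trust. */
enum blob_status validate_region_blob(const char *buf, size_t len) {
  if (buf == NULL) return BLOB_NULL;
  if (len < sizeof(struct region_blob_hdr)) return BLOB_TOO_SHORT;
  /* Defensive: code that aliases the header in place would need this. */
  if (((uintptr_t)buf % _Alignof(struct region_blob_hdr)) != 0) return BLOB_MISALIGNED;

  struct region_blob_hdr hdr;
  memcpy(&hdr, buf, sizeof hdr);
  if (hdr.magic != BLOB_MAGIC) return BLOB_BAD_MAGIC;
  if (hdr.version != BLOB_VERSION) return BLOB_BAD_VERSION;
  if (hdr.region_count > MAX_REGIONS) return BLOB_BAD_COUNT;

  /* Count is already bounded, so this multiplication cannot overflow. */
  size_t expected = sizeof hdr + (size_t)hdr.region_count * sizeof(struct region_entry);
  if (hdr.total_size != expected || expected > len) return BLOB_SIZE_MISMATCH;

  const char *entries = buf + sizeof hdr;
  for (uint32_t i = 0; i < hdr.region_count; i++) {
    struct region_entry e;
    memcpy(&e, entries + (size_t)i * sizeof e, sizeof e);
    /* Reject empty regions and base+size wrap-around. */
    if (e.size == 0 || e.base > UINT64_MAX - e.size) return BLOB_BAD_ENTRY;
  }
  return BLOB_OK;
}

/* Index of the region containing `addr`, or -1.  Will not look at the table
 * at all unless it validated. */
int find_region_for_address(const char *buf, size_t len, uint64_t addr) {
  if (validate_region_blob(buf, len) != BLOB_OK) return -1;
  struct region_blob_hdr hdr;
  memcpy(&hdr, buf, sizeof hdr);
  const char *entries = buf + sizeof hdr;
  for (uint32_t i = 0; i < hdr.region_count; i++) {
    struct region_entry e;
    memcpy(&e, entries + (size_t)i * sizeof e, sizeof e);
    if (addr >= e.base && addr - e.base < e.size) return (int)i;
  }
  return -1;
}

/* Constructed sample input; `t` selects a deliberate defect to demonstrate
 * each rejection path.  `out` must be at least 4-byte aligned. */
enum tamper { TAMPER_NONE, TAMPER_MAGIC, TAMPER_COUNT, TAMPER_TRUNCATE };

size_t build_sample_blob(char *out, size_t cap, enum tamper t) {
  struct region_entry entries[2] = {
    { 0x7000000000ull, 0x100000ull },   /* constructed addresses */
    { 0x7100000000ull, 0x200000ull },
  };
  struct region_blob_hdr hdr = { BLOB_MAGIC, BLOB_VERSION, 2u,
    (uint32_t)(sizeof hdr + sizeof entries) };
  if (t == TAMPER_MAGIC) hdr.magic = 0xDEADBEEFu;
  if (t == TAMPER_COUNT) hdr.region_count = 0xFFFFFFFFu;  /* claims a huge table */
  size_t total = hdr.total_size;
  if (cap < total) return 0;
  memcpy(out, &hdr, sizeof hdr);
  memcpy(out + sizeof hdr, entries, sizeof entries);
  return t == TAMPER_TRUNCATE ? total - 1 : total;  /* truncate: lie about length */
}

int main(void) {
  uint64_t storage[16];   /* aligned backing store for the sample blob */
  char *buf = (char *)storage;
  size_t n = build_sample_blob(buf, sizeof storage, TAMPER_NONE);
  printf("valid blob: status %d, region for 0x7100000010 = %d\n",
         validate_region_blob(buf, n), find_region_for_address(buf, n, 0x7100000010ull));
  n = build_sample_blob(buf, sizeof storage, TAMPER_TRUNCATE);
  printf("truncated blob: status %d\n", validate_region_blob(buf, n));
  return 0;
}
```

The builder exists only so the rejection paths can be exercised offline; in a real handler the blob would arrive from the crashed process and every one of these checks is a candidate for a fuzz target, as the comment suggests.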