[PATCH] D102376: scudo: Require fault address to be in bounds for UAF.
Evgenii Stepanov via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Wed May 12 16:49:52 PDT 2021
eugenis added inline comments.
================
Comment at: compiler-rt/lib/scudo/standalone/combined.h:1350
+ } else {
+ if (FaultAddr < EntryPtr - getPageSizeCached() ||
+ FaultAddr >= EntryPtr + EntrySize + getPageSizeCached())
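Review bot: the `getPageSizeCached()` slack on both sides of the `FaultAddr` range check reads as an arbitrary threshold; a comment should state that it is the minimum guard-region size around a secondary allocation (a guard page on the right, a guard page plus the tagged region on the left, so at least one page), and that the else branch is reached only for secondary allocations, which are not tagged, so a fault beyond the guard region cannot be attributed to this entry. Without that note, a later change to the guard-region layout could silently make the check too narrow or too wide.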
----------------
pcc wrote:
> eugenis wrote:
> > getPageSizeCached is an arbitrary threshold for reporting secondary oob, right? That could use a comment. In general, it would be great to list the assumption reporting code makes about the buffer contents - ex. the fact that allocation-without-deallocation entries are only possible for secondary.
> >
> It's based on the size of the guard region on either side of the allocation, which is guaranteed to be at least a page (guard page on the right, guard page + tagged region on the left). I'll add some comments here.
Ah good point. Since we do not tag secondary allocations, we would not know what to do with anything we find beyond the guard page anyway!
Repository:
rG LLVM Github Monorepo
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D102376/new/
https://reviews.llvm.org/D102376