[PATCH] D102379: scudo: Check for UAF in ring buffer before OOB in more distant blocks.
Peter Collingbourne via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Thu May 13 18:14:43 PDT 2021
This revision was automatically updated to reflect the committed changes.
Closed by commit rG9567131d0365: scudo: Check for UAF in ring buffer before OOB in more distant blocks. (authored by pcc).
Repository:
rG LLVM Github Monorepo
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D102379/new/
https://reviews.llvm.org/D102379
Files:
compiler-rt/lib/scudo/standalone/combined.h
Index: compiler-rt/lib/scudo/standalone/combined.h
===================================================================
--- compiler-rt/lib/scudo/standalone/combined.h
+++ compiler-rt/lib/scudo/standalone/combined.h
@@ -927,12 +927,25 @@
auto *Depot = reinterpret_cast<const StackDepot *>(DepotPtr);
size_t NextErrorReport = 0;
+
+ // Check for OOB in the current block and the two surrounding blocks. Beyond
+ // that, UAF is more likely.
if (extractTag(FaultAddr) != 0)
getInlineErrorInfo(ErrorInfo, NextErrorReport, FaultAddr, Depot,
RegionInfoPtr, Memory, MemoryTags, MemoryAddr,
- MemorySize);
+ MemorySize, 0, 2);
+
+ // Check the ring buffer. For primary allocations this will only find UAF;
+ // for secondary allocations we can find either UAF or OOB.
getRingBufferErrorInfo(ErrorInfo, NextErrorReport, FaultAddr, Depot,
RingBufferPtr);
+
+ // Check for OOB in the 28 blocks surrounding the 3 we checked earlier.
+ // Beyond that we are likely to hit false positives.
+ if (extractTag(FaultAddr) != 0)
+ getInlineErrorInfo(ErrorInfo, NextErrorReport, FaultAddr, Depot,
+ RegionInfoPtr, Memory, MemoryTags, MemoryAddr,
+ MemorySize, 2, 16);
}
private:
@@ -1247,7 +1260,8 @@
const StackDepot *Depot,
const char *RegionInfoPtr, const char *Memory,
const char *MemoryTags, uintptr_t MemoryAddr,
- size_t MemorySize) {
+ size_t MemorySize, size_t MinDistance,
+ size_t MaxDistance) {
uptr UntaggedFaultAddr = untagPointer(FaultAddr);
u8 FaultAddrTag = extractTag(FaultAddr);
BlockInfo Info =
@@ -1308,12 +1322,10 @@
return NextErrorReport == NumErrorReports;
};
- if (CheckOOB(Info.BlockBegin))
+ if (MinDistance == 0 && CheckOOB(Info.BlockBegin))
return;
- // Check for OOB in the 30 surrounding blocks. Beyond that we are likely to
- // hit false positives.
- for (int I = 1; I != 16; ++I)
+ for (size_t I = Max<size_t>(MinDistance, 1); I != MaxDistance; ++I)
if (CheckOOB(Info.BlockBegin + I * Info.BlockSize) ||
CheckOOB(Info.BlockBegin - I * Info.BlockSize))
return;
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D102379.345325.patch
Type: text/x-patch
Size: 2467 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20210514/b3e75266/attachment.bin>
More information about the llvm-commits
mailing list