[PATCH] D114022: [scudo] Fix MTE crash in storeEndMarker.
Evgenii Stepanov via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Tue Nov 16 12:18:28 PST 2021
eugenis created this revision.
eugenis added reviewers: pcc, hctim, fmayer.
Herald added a subscriber: cryptoad.
eugenis requested review of this revision.
Herald added a project: Sanitizers.
Herald added a subscriber: Sanitizers.
The bounds check in storeEndMarker incorrectly compares a tagged address against
an untagged one in the in-place realloc case. This can cause the tag store to go
into an unmapped page to the right of the region mapping.
Repository:
rG LLVM Github Monorepo
https://reviews.llvm.org/D114022
Files:
compiler-rt/lib/scudo/standalone/combined.h
compiler-rt/lib/scudo/standalone/tests/combined_test.cpp
Index: compiler-rt/lib/scudo/standalone/tests/combined_test.cpp
===================================================================
--- compiler-rt/lib/scudo/standalone/tests/combined_test.cpp
+++ compiler-rt/lib/scudo/standalone/tests/combined_test.cpp
@@ -679,3 +679,23 @@
Allocator->setOption(scudo::Option::ThreadDisableMemInit, 0);
}
+
+SCUDO_TYPED_TEST(ScudoCombinedTest, ReallocateInPlaceStress) {
+ auto *Allocator = this->Allocator.get();
+
+ // Regression test: make realloc-in-place happen at the very right end of a
+ // mapped region.
+ constexpr int nPtrs = 10000;
+ for (int i = 1; i < 32; ++i) {
+ scudo::uptr Size = 16 * i - 1;
+ std::vector<void *> Ptrs;
+ for (int i = 0; i < nPtrs; ++i) {
+ void *P = Allocator->allocate(Size, Origin);
+ P = Allocator->reallocate(P, Size + 1);
+ Ptrs.push_back(P);
+ }
+
+ for (int i = 0; i < nPtrs; ++i)
+ Allocator->deallocate(Ptrs[i], Origin);
+ }
+}
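Review bot: the inner loop `for (int i = 0; i < nPtrs; ++i)` shadows the outer counter from `for (int i = 1; i < 32; ++i)`; it is harmless here only because the inner bodies never read the outer `i`, and it invites a mistake on the next edit (Clang and GCC warn under -Wshadow). Suggest renaming the inner counter (e.g. `J`) and, to match the CamelCase used around it, `nPtrs` to `NumPtrs`. The test also has no explicit expectation: it is a crash-or-pass regression test, so the comment should say that the failure mode is the out-of-bounds tag store described in the summary, otherwise a reader may assume an assertion was forgotten.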
Index: compiler-rt/lib/scudo/standalone/combined.h
===================================================================
--- compiler-rt/lib/scudo/standalone/combined.h
+++ compiler-rt/lib/scudo/standalone/combined.h
@@ -1166,7 +1166,8 @@
void storeEndMarker(uptr End, uptr Size, uptr BlockEnd) {
DCHECK_EQ(BlockEnd, untagPointer(BlockEnd));
uptr UntaggedEnd = untagPointer(End);
- if (UntaggedEnd != BlockEnd) {
+ uptr UntaggedBlockEnd = untagPointer(BlockEnd);
+ if (UntaggedEnd != UntaggedBlockEnd) {
storeTag(UntaggedEnd);
if (Size == 0)
*reinterpret_cast<u8 *>(UntaggedEnd) = extractTag(End);
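Review bot: the retained `DCHECK_EQ(BlockEnd, untagPointer(BlockEnd));` on the first context line asserts that BlockEnd is already untagged, which contradicts the premise of this fix. If the assertion holds, `uptr UntaggedBlockEnd = untagPointer(BlockEnd);` is a no-op and the comparison is unchanged; if BlockEnd can carry a tag on the in-place realloc path, as the summary says, debug builds will trip the DCHECK before reaching the corrected comparison and only release builds see the fix. Suggest dropping the DCHECK, or replacing it with a comment stating that BlockEnd may be tagged when called from reallocate, so the behaviour is the same in both build modes.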
Attachment: D114022.387732.patch (text/x-patch, 1596 bytes)
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20211116/8b8cefcd/attachment.bin>