[PATCH] D137352: [scudo] Detect double free when running with MTE.
Evgenii Stepanov via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Thu Nov 3 13:24:02 PDT 2022
eugenis created this revision.
eugenis added a reviewer: pcc.
Herald added subscribers: Enna1, cryptoad.
Herald added a project: All.
eugenis requested review of this revision.
Herald added a project: Sanitizers.
Herald added a subscriber: Sanitizers.
Try to trigger an MTE fault on double/invalid free by touching the first
byte of the allocation with the provided pointer.
Repository:
rG LLVM Github Monorepo
https://reviews.llvm.org/D137352
Files:
compiler-rt/lib/scudo/standalone/combined.h
compiler-rt/lib/scudo/standalone/tests/combined_test.cpp
Index: compiler-rt/lib/scudo/standalone/tests/combined_test.cpp
===================================================================
--- compiler-rt/lib/scudo/standalone/tests/combined_test.cpp
+++ compiler-rt/lib/scudo/standalone/tests/combined_test.cpp
@@ -395,6 +395,27 @@
}
}
+SCUDO_TYPED_TEST(ScudoCombinedDeathTest, FreeWithTagMismatch) {
+ auto *Allocator = this->Allocator.get();
+
+ if (!Allocator->useMemoryTaggingTestOnly())
+ return;
+
+ // Check that double free is detected.
+ for (scudo::uptr SizeLog = 0U; SizeLog <= 20U; SizeLog++) {
+ const scudo::uptr Size = 1U << SizeLog;
+ EXPECT_DEATH(
+ {
+ disableDebuggerdMaybe();
+ void *P = Allocator->allocate(Size, Origin);
+ scudo::uptr NewTag = (scudo::extractTag(reinterpret_cast<scudo::uptr>(P)) + 1) % 16;
+ void *Q = scudo::addFixedTag(scudo::untagPointer(P), NewTag);
+ Allocator->deallocate(Q, Origin);
+ },
+ "");
+ }
+}
+
SCUDO_TYPED_TEST(ScudoCombinedDeathTest, DisableMemoryTagging) {
auto *Allocator = this->Allocator.get();
Index: compiler-rt/lib/scudo/standalone/combined.h
===================================================================
--- compiler-rt/lib/scudo/standalone/combined.h
+++ compiler-rt/lib/scudo/standalone/combined.h
@@ -560,7 +560,13 @@
}
}
+ // Try to detect deallocation with a wrong MTE tag by touching the first
+ // byte with a correctly tagged pointer. Skip zero-sized allocations that do
+ // not always store the correct tag value anywhere.
const uptr Size = getSize(Ptr, &Header);
+ if (useMemoryTagging<Params>(Options) && Size != 0)
+ *(char volatile *)TaggedPtr;
+
if (DeleteSize && Options.get(OptionBit::DeleteSizeMismatch)) {
if (UNLIKELY(DeleteSize != Size))
reportDeleteSizeMismatch(Ptr, DeleteSize, Size);
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D137352.473013.patch
Type: text/x-patch
Size: 1872 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20221103/88927735/attachment.bin>
More information about the llvm-commits
mailing list