[PATCH] D137352: [scudo] Detect double free when running with MTE.

Evgenii Stepanov via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Wed Nov 16 15:54:07 PST 2022 

eugenis updated this revision to Diff 475942.
eugenis added a comment.

expanded comments


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D137352/new/

https://reviews.llvm.org/D137352

Files:
  compiler-rt/lib/scudo/standalone/combined.h
  compiler-rt/lib/scudo/standalone/tests/combined_test.cpp


Index: compiler-rt/lib/scudo/standalone/tests/combined_test.cpp
===================================================================
--- compiler-rt/lib/scudo/standalone/tests/combined_test.cpp
+++ compiler-rt/lib/scudo/standalone/tests/combined_test.cpp
@@ -395,6 +395,27 @@
   }
 }
 
+SCUDO_TYPED_TEST(ScudoCombinedDeathTest, FreeWithTagMismatch) {
+  auto *Allocator = this->Allocator.get();
+
+  if (!Allocator->useMemoryTaggingTestOnly())
+    return;
+
+  // Check that double free is detected.
+  for (scudo::uptr SizeLog = 0U; SizeLog <= 20U; SizeLog++) {
+    const scudo::uptr Size = 1U << SizeLog;
+    EXPECT_DEATH(
+        {
+          disableDebuggerdMaybe();
+          void *P = Allocator->allocate(Size, Origin);
+          scudo::uptr NewTag = (scudo::extractTag(reinterpret_cast<scudo::uptr>(P)) + 1) % 16;
+          void *Q = scudo::addFixedTag(scudo::untagPointer(P), NewTag);
+          Allocator->deallocate(Q, Origin);
+        },
+        "");
+  }
+}
+
 SCUDO_TYPED_TEST(ScudoCombinedDeathTest, DisableMemoryTagging) {
   auto *Allocator = this->Allocator.get();
 
Index: compiler-rt/lib/scudo/standalone/combined.h
===================================================================
--- compiler-rt/lib/scudo/standalone/combined.h
+++ compiler-rt/lib/scudo/standalone/combined.h
@@ -560,7 +560,16 @@
       }
     }
 
+    // Try to detect deallocation with a wrong MTE tag by touching the first
+    // byte with a correctly tagged pointer. Skip zero-sized allocations that do
+    // not always store the correct tag value anywhere (for example, a zero
+    // size, 32 byte aligned allocation in a 32-byte size class will end up with
+    // header at offset 16 in the block, payload at offset 32, and no space to
+    // store the tag).
     const uptr Size = getSize(Ptr, &Header);
+    if (useMemoryTagging<Params>(Options) && Size != 0)
+      *(char volatile *)TaggedPtr;
+
     if (DeleteSize && Options.get(OptionBit::DeleteSizeMismatch)) {
       if (UNLIKELY(DeleteSize != Size))
         reportDeleteSizeMismatch(Ptr, DeleteSize, Size);


-------------- next part --------------
A non-text attachment was scrubbed...
Name: D137352.475942.patch
Type: text/x-patch
Size: 2078 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20221116/0948b964/attachment.bin>

More information about the llvm-commits mailing list