14 Commits

Author SHA1 Message Date
Caslyn Tonelli
43ba321096 [gwp_asan] Exclude recoverable tests on Fuchsia
Signal handlers used by recoverable tests are unsupported on Fuchsia.

Exclude the set of tests that test recoverable code paths (i.e.
BacktraceGuardedPoolAllocator tests in recoverable.cpp) and always set
the `Recoverable` testing bool to `false` on the Fuchsia platform.

Differential Revision: https://reviews.llvm.org/D149311
2023-04-27 21:51:30 +00:00
Mitch Phillips
bc949f923e [GWP-ASan] Handle wild touches of the guarded pool.
AllocMeta could be null when returned from __gwp_asan_get_metadata() for
a bad access into the GuardedPagePool that was never allocated.
Currently, then we dereference the null pointer, oops.

Hoist the check up and print a message (only once in recoverable mode)
about the bad memory access.

Reviewed By: fmayer

Differential Revision: https://reviews.llvm.org/D144973
2023-02-28 14:05:51 -08:00
Mitch Phillips
35b5499d72 Reland: [GWP-ASan] Add recoverable mode.
The GWP-ASan recoverable mode allows a process to continue to function
after a GWP-ASan error is detected. The error will continue to be
dumped, but GWP-ASan now has APIs that a signal handler (like the
example optional crash handler) can call in order to allow the
continuation of a process.

When an error occurs with an allocation, the slot used for that
allocation will be permanently disabled. This means that free() of that
pointer is a no-op, and use-after-frees will succeed (writing and
reading the data present in the page).

For heap-buffer-overflow/underflow, the guard page is marked as accessible
and buffer-overflows will succeed (writing and reading the data present
in the now-accessible guard page). This does impact adjacent
allocations, buffer-underflow and buffer-overflows from adjacent
allocations will no longer touch an inaccessible guard page. This could
be improved in future by having two guard pages between each adjacent
allocation, but that's out of scope of this patch.

Each allocation only ever has a single error report generated. It's
whatever came first between invalid-free, double-free, use-after-free or
heap-buffer-overflow, but only one.

Reviewed By: eugenis, fmayer

Differential Revision: https://reviews.llvm.org/D140173
2023-01-17 10:21:01 -08:00
Mitch Phillips
7cc12cb6c8 Revert "[GWP-ASan] Add recoverable mode."
This reverts commit 90a9beb7cc9755791caa23dfc4e36bc544e98ed3.

Reason: Broke an internal build.
2023-01-12 15:59:58 -08:00
Mitch Phillips
90a9beb7cc [GWP-ASan] Add recoverable mode.
The GWP-ASan recoverable mode allows a process to continue to function
after a GWP-ASan error is detected. The error will continue to be
dumped, but GWP-ASan now has APIs that a signal handler (like the
example optional crash handler) can call in order to allow the
continuation of a process.

When an error occurs with an allocation, the slot used for that
allocation will be permanently disabled. This means that free() of that
pointer is a no-op, and use-after-frees will succeed (writing and
reading the data present in the page).

For heap-buffer-overflow/underflow, the guard page is marked as accessible
and buffer-overflows will succeed (writing and reading the data present
in the now-accessible guard page). This does impact adjacent
allocations, buffer-underflow and buffer-overflows from adjacent
allocations will no longer touch an inaccessible guard page. This could
be improved in future by having two guard pages between each adjacent
allocation, but that's out of scope of this patch.

Each allocation only ever has a single error report generated. It's
whatever came first between invalid-free, double-free, use-after-free or
heap-buffer-overflow, but only one.

Reviewed By: eugenis, fmayer

Differential Revision: https://reviews.llvm.org/D140173
2023-01-11 13:11:23 -08:00
Alexander Belyaev
f58a1f65e7 [rt][nfc] Rewrite #ifndef as #if defined(). 2021-07-19 14:17:13 +02:00
David Spickett
3d5c1a8173 [compiler-rt][GWP-ASAN] Disable 2 tests on Armv7 Linux
These have been failing on our bots for a while due to
incomplete backtraces. (you don't get the names of the
functions that did the access, just the reporter frames)

See:
https://lab.llvm.org/buildbot/#/builders/170/builds/180
2021-07-19 10:45:11 +00:00
Mitch Phillips
dd1c4bd09d Name all DEATH tests using 'DeathTest' suffix.
gtest highly recommends this prefix, and runs death tests first
(https://github.com/google/googletest/blob/master/docs/advanced.md#death-test-naming).
This may help with some spurious bot failures like
https://lab.llvm.org/buildbot/#/builders/169/builds/1290/steps/25/logs/stdio.

Reviewed By: cryptoad, vitalybuka

Differential Revision: https://reviews.llvm.org/D105371
2021-07-02 13:51:16 -07:00
Mitch Phillips
d19af2f247 [GWP-ASan] Crash handler API returns sizeof(collected trace)
Summary:
Fix up a slight bug with the crash handler API, where we say that we
return the size of the collected trace (instead of the size of the trace
that's returned) when the return buffer is too small, and the result is
truncated.

Also, as a result, patch up a small uninitialized memory bug.

Reviewers: morehouse, eugenis

Reviewed By: eugenis

Subscribers: #sanitizers

Tags: #sanitizers

Differential Revision: https://reviews.llvm.org/D84652
2020-07-27 10:51:55 -07:00
Mitch Phillips
1216f4c0ea [GWP-ASan] Use functions in backtrace test, not line numbers.
Summary:
There's no unwinding functionality on Android that allows for line
numbers to be retrieved in-process. As a result, we can't have
this backtrace test run on Android.

Cleanup the test to use optnone functions instead, which is more stable
than line numbers anyway.

Reviewers: eugenis

Reviewed By: eugenis

Subscribers: #sanitizers, morehouse, cferris

Tags: #sanitizers

Differential Revision: https://reviews.llvm.org/D76807
2020-03-26 10:10:24 -07:00
Mitch Phillips
a4e8d89704 [GWP-ASan] Only pack frames that are stored.
Summary:
Backtrace() returns the number of frames that are *available*, rather
than the number of frames stored. When we pack, we supply the number of
frames we have stored. The number of available frames can exceed the
number of stored frames, leading to stack OOB read.

Fix up this problem.

Reviewers: eugenis

Reviewed By: eugenis

Subscribers: #sanitizers, morehouse, cferris, pcc

Tags: #sanitizers

Differential Revision: https://reviews.llvm.org/D76722
2020-03-24 14:37:09 -07:00
Mitch Phillips
a62586846f [GWP-ASan] Crash Handler API.
Summary:
Forewarning: This patch looks big in #LOC changed. I promise it's not that bad, it just moves a lot of content from one file to another. I've gone ahead and left inline comments on Phabricator for sections where this has happened.

This patch:
 1. Introduces the crash handler API (crash_handler_api.h).
 2. Moves information required for out-of-process crash handling into an AllocatorState. This is a trivially-copied POD struct that designed to be recovered from a deceased process, and used by the crash handler to create a GWP-ASan report (along with the other trivially-copied Metadata struct).
 3. Implements the crash handler API using the AllocatorState and Metadata.
 4. Adds tests for the crash handler.
 5. Reimplements the (now optionally linked by the supporting allocator) in-process crash handler (i.e. the segv handler) using the new crash handler API.
 6. Minor updates Scudo & Scudo Standalone to fix compatibility.
 7. Changed capitalisation of errors (e.g. /s/Use after free/Use After Free).

Reviewers: cryptoad, eugenis, jfb

Reviewed By: eugenis

Subscribers: merge_guards_bot, pcc, jfb, dexonsmith, mgorny, cryptoad, #sanitizers, llvm-commits

Tags: #sanitizers, #llvm

Differential Revision: https://reviews.llvm.org/D73557
2020-02-05 15:39:17 -08:00
Nico Weber
4a1a113a99 Remove a few straggler ".cc"s in compiler-rt/lib
llvm-svn: 367589
2019-08-01 17:53:25 +00:00
Mitch Phillips
7339ca278c [GWP-ASan] Add generic unwinders and structure backtrace output.
Summary:
Adds two flavours of generic unwinder and all the supporting cruft. If the
supporting allocator is okay with bringing in sanitizer_common, they can use
the fast frame-pointer based unwinder from sanitizer_common. Otherwise, we also
provide the backtrace() libc-based unwinder as well. Of course, the allocator
can always specify its own unwinder and unwinder-symbolizer.

The slightly changed output format is exemplified in the first comment on this
patch. It now better incorporates backtrace information, and displays
allocation details on the second line.

Reviewers: eugenis, vlad.tsyrklevich

Reviewed By: eugenis, vlad.tsyrklevich

Subscribers: srhines, kubamracek, mgorny, cryptoad, #sanitizers, llvm-commits, morehouse

Tags: #sanitizers, #llvm

Differential Revision: https://reviews.llvm.org/D63841

llvm-svn: 364941
2019-07-02 16:04:52 +00:00