Skip to content

[scudo] Fix stack depot validation. #87024

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 29, 2024
Merged

[scudo] Fix stack depot validation. #87024

merged 1 commit into from
Mar 29, 2024

Conversation

cferris1000
Copy link
Contributor

In the StackDepot::isValid function, there is work to validate the TabMask variable. Unfortunately, if TabMask is set to the maximum allowed value, TabSize = TabMask + 1 becomes zero and validation passes.

Disallow that case to prevent invalid reads into the Tab structure.

@cferris1000
[scudo] Fix stack depot validation.
69f3dd0 
In the StackDepot::isValid function, there is work to validate the
TabMask variable. Unfortunately, if TabMask is set to the maximum
allowed value, TabSize = TabMask + 1 becomes zero and validation
passes.

Disallow that case to prevent invalid reads into the Tab structure.
@llvmbot
Copy link
Member

llvmbot commented Mar 28, 2024

@llvm/pr-subscribers-compiler-rt-sanitizer

Author: Christopher Ferris (cferris1000)

Changes

In the StackDepot::isValid function, there is work to validate the TabMask variable. Unfortunately, if TabMask is set to the maximum allowed value, TabSize = TabMask + 1 becomes zero and validation passes.

Disallow that case to prevent invalid reads into the Tab structure.

Full diff: https://github.com/llvm/llvm-project/pull/87024.diff

1 Files Affected:

  • (modified) compiler-rt/lib/scudo/standalone/stack_depot.h (+1-1)
diff --git a/compiler-rt/lib/scudo/standalone/stack_depot.h b/compiler-rt/lib/scudo/standalone/stack_depot.h
index cf3cabf7085b60..98cd9707a64613 100644
--- a/compiler-rt/lib/scudo/standalone/stack_depot.h
+++ b/compiler-rt/lib/scudo/standalone/stack_depot.h
@@ -112,7 +112,7 @@ class alignas(atomic_u64) StackDepot {
     if (TabMask == 0)
       return false;
     uptr TabSize = TabMask + 1;
-    if (!isPowerOfTwo(TabSize))
+    if (TabSize == 0 || !isPowerOfTwo(TabSize))
       return false;
     uptr TabBytes = sizeof(atomic_u32) * TabSize;

@cferris1000 cferris1000 merged commit 7a87902 into llvm:main Mar 29, 2024
@cferris1000 cferris1000 deleted the stack_depot branch March 29, 2024 00:35
ChiaHungDuan
ChiaHungDuan reviewed Mar 29, 2024
View reviewed changes
compiler-rt/lib/scudo/standalone/stack_depot.h
Comment on lines +115 to 116
if (TabSize == 0 || !isPowerOfTwo(TabSize))
return false;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm wondering if we should fix isPowerOfTwo instead? Zero is not a power of 2.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might be worth doing that, but I do worry that somewhere, something depends on the behavior.

I'll file a bug because I think that's a bigger change and requires some extra verification.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did a quick review and it seems to be fine (there's no additional zero check will be introduced). And yes, it's fine to track it later

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ChiaHungDuan ChiaHungDuan ChiaHungDuan left review comments

@fmayer fmayer fmayer approved these changes

Assignees
No one assigned
Labels
compiler-rt:sanitizer compiler-rt:scudo Scudo Hardened Allocator compiler-rt
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@cferris1000 @llvmbot @fmayer @ChiaHungDuan