Merge pull request #165 from struct/cleanup_uaf_ptr_page

Cleanup UAF_PTR_PAGE feature

Author: struct

.github/workflows/testsuite.yml

@@ -7,34 +7,6 @@ jobs:
       - uses: actions/checkout@v2
       - run: make tests
       - run: make cpp_tests
-  testsuite-clang7:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - run: sudo apt install clang-7
-      - run: make tests
-      - run: make cpp_tests
-  testsuite-clang8:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - run: sudo apt install clang-8
-      - run: make tests
-      - run: make cpp_tests
-  testsuite-clang9:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - run: sudo apt install clang-9
-      - run: make tests
-      - run: make cpp_tests
-  testsuite-clang10:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - run: sudo apt install clang-10
-      - run: make tests
-      - run: make cpp_tests
   testsuite-clang11:
     runs-on: ubuntu-latest
     steps:
@@ -59,7 +31,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - run: sudo apt install clang clang-format
+      - run: sudo apt install clang clang-format-12
       - run: make format-ci
   testsuite-gcc:
     runs-on: ubuntu-latest

Makefile

@@ -68,7 +68,8 @@ STARTUP_MEM_USAGE = -DSMALL_MEM_STARTUP=0
 PRE_POPULATE_PAGES = -DPRE_POPULATE_PAGES=0
 
 ## Enable some functionality that like IsoAlloc internals
-## for tests that need to verify security properties
+## for tests that need to verify security properties.
+## Only test code should use this.
 UNIT_TESTING = -DUNIT_TESTING=1
 
 ## Enable the malloc/free and new/delete hooks
@@ -183,6 +184,15 @@ AUTO_CTOR_DTOR = -DAUTO_CTOR_DTOR=1
 ## that call free will segfault
 ISO_DTOR_CLEANUP = -DISO_DTOR_CLEANUP=0
 
+## Register a signal handler for SIGSEGV that inspects si_addr
+## for an address managed by IsoAlloc. Optionally used when
+## UAF_PTR_PAGE is enabled for better crash handling
+SIGNAL_HANDLER = -DSIGNAL_HANDLER=0
+
+## If you know your target will have an ARMv8.1-A or newer and
+## supports Top Byte Ignore (TBI) then you want to enable this
+ARM_TBI = 0
+
 LTO = -flto
 
 LIBNAME = libisoalloc.so
@@ -248,8 +258,9 @@ CFLAGS += $(COMMON_CFLAGS) $(SECURITY_FLAGS) $(BUILD_ERROR_FLAGS) $(HOOKS) $(HEA
 	-std=c11 $(SANITIZER_SUPPORT) $(ALLOC_SANITY) $(MEMCPY_SANITY) $(UNINIT_READ_SANITY) $(CPU_PIN) $(SCHED_GETCPU) \
 	$(EXPERIMENTAL) $(UAF_PTR_PAGE) $(VERIFY_FREE_BIT_SLOTS) $(NAMED_MAPPINGS) $(ABORT_ON_NULL) $(NO_ZERO_ALLOCATIONS) \
 	$(ABORT_NO_ENTROPY) $(ISO_DTOR_CLEANUP) $(RANDOMIZE_FREELIST) $(USE_SPINLOCK) $(HUGE_PAGES) $(USE_MLOCK) \
-	$(MEMORY_TAGGING) $(STRONG_SIZE_ISOLATION) $(MEMSET_SANITY) $(AUTO_CTOR_DTOR)
-CXXFLAGS += $(COMMON_CFLAGS) -DCPP_SUPPORT=1 -std=c++17 $(SANITIZER_SUPPORT) $(HOOKS)
+	$(MEMORY_TAGGING) $(STRONG_SIZE_ISOLATION) $(MEMSET_SANITY) $(AUTO_CTOR_DTOR) $(SIGNAL_HANDLER)
+CXXFLAGS = $(COMMON_CFLAGS) -DCPP_SUPPORT=1 -std=c++17 $(SANITIZER_SUPPORT) $(HOOKS)
+
 EXE_CFLAGS = -fPIE
 GDB_FLAGS = -g -ggdb3 -fno-omit-frame-pointer
 PERF_FLAGS = -pg -DPERF_TEST_BUILD=1
@@ -318,7 +329,7 @@ tests: clean library_debug_unit_tests
 	@echo "make tests"
 	$(CC) $(CFLAGS) $(EXE_CFLAGS) $(DEBUG_LOG_FLAGS) $(GDB_FLAGS) $(OS_FLAGS) tests/rand_freelist.c $(ISO_ALLOC_PRINTF_SRC) -o $(BUILD_DIR)/rand_freelist $(LDFLAGS)
 	$(CC) $(CFLAGS) $(EXE_CFLAGS) $(DEBUG_LOG_FLAGS) $(GDB_FLAGS) $(OS_FLAGS) tests/tests.c $(ISO_ALLOC_PRINTF_SRC) -o $(BUILD_DIR)/tests $(LDFLAGS)
-	$(CC) $(CFLAGS) $(EXE_CFLAGS) $(DEBUG_LOG_FLAGS) $(GDB_FLAGS) $(OS_FLAGS) tests/uaf.c $(ISO_ALLOC_PRINTF_SRC) -o $(BUILD_DIR)/uaf $(LDFLAGS)
+	$(CC) $(CFLAGS) $(EXE_CFLAGS) $(DEBUG_LOG_FLAGS) $(GDB_FLAGS) $(OS_FLAGS) $(UNIT_TESTING) tests/uaf.c $(ISO_ALLOC_PRINTF_SRC) -o $(BUILD_DIR)/uaf $(LDFLAGS)
 	$(CC) $(CFLAGS) $(EXE_CFLAGS) $(DEBUG_LOG_FLAGS) $(GDB_FLAGS) $(OS_FLAGS) tests/interfaces_test.c $(ISO_ALLOC_PRINTF_SRC) -o $(BUILD_DIR)/interfaces_test $(LDFLAGS)
 	$(CC) $(CFLAGS) $(EXE_CFLAGS) $(DEBUG_LOG_FLAGS) $(GDB_FLAGS) $(OS_FLAGS) tests/thread_tests.c $(ISO_ALLOC_PRINTF_SRC) -o $(BUILD_DIR)/thread_tests $(LDFLAGS)
 	$(CC) $(CFLAGS) $(EXE_CFLAGS) $(DEBUG_LOG_FLAGS) $(GDB_FLAGS) $(OS_FLAGS) $(UNIT_TESTING) tests/big_canary_test.c $(ISO_ALLOC_PRINTF_SRC) -o $(BUILD_DIR)/big_canary_test $(LDFLAGS)
@@ -400,10 +411,10 @@ install:
 	cp -pR build/$(LIBNAME) /usr/lib/
 
 format:
-	clang-format $(SRC_DIR)/*.* tests/*.* include/*.h -i
+	clang-format-12 $(SRC_DIR)/*.* tests/*.* include/*.h -i
 
 format-ci:
-	clang-format --Werror --dry-run $(SRC_DIR)/*.* tests/*.* include/*.h -i
+	clang-format-12 --Werror --dry-run $(SRC_DIR)/*.* tests/*.* include/*.h -i
 
 clean:
 	rm -rf build/* tests_perf_analysis.txt big_tests_perf_analysis.txt gmon.out test_output.txt *.dSYM core* iso_alloc_profiler.data

include/conf.h

@@ -45,7 +45,6 @@
  * magic value that is written */
 #if UAF_PTR_PAGE
 #define UAF_PTR_PAGE_ODDS 1000000
-#define UAF_PTR_PAGE_ADDR 0xFF41414142434445
 #endif
 
 /* Zones can be retired after a certain number of

include/iso_alloc_ds.h

@@ -102,6 +102,9 @@ typedef struct {
 #if NO_ZERO_ALLOCATIONS
     void *zero_alloc_page;
 #endif
+#if UAF_PTR_PAGE
+    void *uaf_ptr_page;
+#endif
 } __attribute__((aligned(sizeof(int64_t)))) iso_alloc_root;
 
 typedef struct {

include/iso_alloc_internal.h

@@ -38,6 +38,7 @@ assert(sizeof(size_t) >= 64)
 #include <string.h>
 #include <unistd.h>
 #include <stdarg.h>
+#include <signal.h>
 #include <sys/mman.h>
 #include <sys/types.h>
 
@@ -327,10 +328,6 @@ extern pthread_mutex_t root_busy_mutex;
 #define UNLOCK_BIG_ZONE()
 #endif
 
-#if NO_ZERO_ALLOCATIONS
-extern void *_zero_alloc_page;
-#endif
-
 /* The global root */
 extern iso_alloc_root *_root;
 
@@ -402,6 +399,10 @@ INTERNAL_HIDDEN int64_t check_canary_no_abort(iso_alloc_zone_t *zone, const void
 INTERNAL_HIDDEN void _iso_alloc_initialize(void);
 INTERNAL_HIDDEN void _iso_alloc_destroy(void);
 
+#if SIGNAL_HANDLER
+INTERNAL_HIDDEN void handle_signal(int sig, siginfo_t *si, void *ctx);
+#endif
+
 #if EXPERIMENTAL
 INTERNAL_HIDDEN void _iso_alloc_search_stack(uint8_t *stack_start);
 #endif

src/iso_alloc.c

@@ -253,13 +253,28 @@ INTERNAL_HIDDEN void _iso_alloc_initialize(void) {
     _root->zero_alloc_page = mmap_pages(g_page_size, false, NULL, PROT_NONE);
 #endif
 
+#if UAF_PTR_PAGE
+    _root->uaf_ptr_page = mmap_pages(g_page_size, false, NULL, PROT_NONE);
+#endif
+
 #if ALLOC_SANITY && UNINIT_READ_SANITY
     _iso_alloc_setup_userfaultfd();
 #endif
 
 #if ALLOC_SANITY
     _sanity_canary = us_rand_uint64(&_root->seed);
 #endif
+
+#if SIGNAL_HANDLER
+    struct sigaction sa;
+    sigemptyset(&sa.sa_mask);
+    sa.sa_flags = SA_NODEFER | SA_SIGINFO;
+    sa.sa_sigaction = &handle_signal;
+
+    if(sigaction(SIGSEGV, &sa, NULL) == ERR) {
+        LOG("Could not register signal handler");
+    }
+#endif
 }
 
 #if AUTO_CTOR_DTOR
@@ -1386,7 +1401,7 @@ INTERNAL_HIDDEN void iso_free_chunk_from_zone(iso_alloc_zone_t *zone, void *rest
         LOG_AND_ABORT("Chunk at 0x%p of zone[%d] is not %d byte aligned", p, zone->index, ALIGNMENT);
     }
 
-    const uint64_t chunk_offset = (uint64_t)(p - UNMASK_USER_PTR(zone));
+    const uint64_t chunk_offset = (uint64_t) (p - UNMASK_USER_PTR(zone));
     const size_t chunk_number = (chunk_offset >> zone->chunk_size_pow2);
     const bit_slot_t bit_slot = (chunk_number << BITS_PER_CHUNK_SHIFT);
     const bit_slot_t dwords_to_bit_slot = (bit_slot >> BITS_PER_QWORD_SHIFT);
@@ -1654,7 +1669,7 @@ INTERNAL_HIDDEN iso_alloc_zone_t *_iso_free_internal_unlocked(void *p, bool perm
                 /* We only need to refresh this single tag */
                 void *user_pages_start = UNMASK_USER_PTR(zone);
                 uint8_t *_mtp = (user_pages_start - g_page_size - ROUND_UP_PAGE(zone->chunk_count * MEM_TAG_SIZE));
-                uint64_t chunk_offset = (uint64_t)(p - user_pages_start);
+                uint64_t chunk_offset = (uint64_t) (p - user_pages_start);
                 _mtp += (chunk_offset >> zone->chunk_size_pow2);
 
                 /* Generate and write a new tag for this chunk */
@@ -1909,6 +1924,10 @@ INTERNAL_HIDDEN void _iso_alloc_destroy(void) {
     munmap(_root->zero_alloc_page, g_page_size);
 #endif
 
+#if UAF_PTR_PAGE
+    munmap(_root->uaf_ptr_page, g_page_size);
+#endif
+
 #if DEBUG && (LEAK_DETECTOR || MEM_USAGE)
 #if MEM_USAGE
     uint64_t mb = 0;

src/iso_alloc_mem_tags.c

@@ -14,7 +14,7 @@ INTERNAL_HIDDEN uint8_t _iso_alloc_get_mem_tag(void *p, iso_alloc_zone_t *zone)
     }
 
     uint8_t *_mtp = (user_pages_start - g_page_size - ROUND_UP_PAGE(zone->chunk_count * MEM_TAG_SIZE));
-    const uint64_t chunk_offset = (uint64_t)(p - user_pages_start);
+    const uint64_t chunk_offset = (uint64_t) (p - user_pages_start);
 
     /* Ensure the pointer is a multiple of chunk size */
     if(UNLIKELY((chunk_offset & (zone->chunk_size - 1)) != 0)) {

src/iso_alloc_profiler.c

@@ -160,7 +160,7 @@ INTERNAL_HIDDEN uint64_t _iso_alloc_zone_leak_detector(iso_alloc_zone_t *zone, b
 
     if(profile == false) {
         LOG("Zone[%d] Total number of %d byte chunks(%d) used and free'd (%d) (%d percent), in use = %d", zone->index, zone->chunk_size, zone->chunk_count,
-            was_used, (int32_t)((float) was_used / zone->chunk_count) * 100, in_use);
+            was_used, (int32_t) ((float) was_used / zone->chunk_count) * 100, in_use);
     }
 
     MASK_ZONE_PTRS(zone);
@@ -172,7 +172,7 @@ INTERNAL_HIDDEN uint64_t _iso_alloc_zone_leak_detector(iso_alloc_zone_t *zone, b
      * in use and previously used by this zone */
     if(profile == true) {
         uint64_t total = (in_use + was_used);
-        return (uint64_t)((float) (total / zone->chunk_count) * 100.0);
+        return (uint64_t) ((float) (total / zone->chunk_count) * 100.0);
     }
 #endif
     return in_use;
@@ -395,7 +395,7 @@ INTERNAL_HIDDEN void _iso_alloc_profile(size_t size) {
             used = _iso_alloc_zone_leak_detector(zone, true);
         }
 
-        used = (int32_t)((float) (used / zone->chunk_count) * 100.0);
+        used = (int32_t) ((float) (used / zone->chunk_count) * 100.0);
 
         if(used > CHUNK_USAGE_THRESHOLD) {
             _zone_profiler_map[zone->chunk_size].count++;

src/iso_alloc_search.c

@@ -25,7 +25,7 @@ INTERNAL_HIDDEN void *_iso_alloc_ptr_search(void *n, bool poison) {
                     return search;
                 } else {
 #if UAF_PTR_PAGE
-                    *(uint64_t *) search = UAF_PTR_PAGE_ADDR;
+                    *(uint64_t *) search = (uint64_t) (_root->uaf_ptr_page);
                     return search;
 #endif
                 }
@@ -82,7 +82,7 @@ INTERNAL_HIDDEN void _iso_alloc_search_stack(uint8_t *stack_start) {
                 LOG_AND_ABORT("Chunk at 0x%p of zone[%d] is not %d byte aligned", p, zone->index, ALIGNMENT);
             }
 
-            uint64_t chunk_offset = (uint64_t)(p - (uint64_t *) zone->user_pages_start);
+            uint64_t chunk_offset = (uint64_t) (p - (uint64_t *) zone->user_pages_start);
             LOG("zone[%d] user_pages_start=%p value=%p %lu %d", zone->index, zone->user_pages_start, p, chunk_offset, zone->chunk_size);
 
             /* Ensure the pointer is a multiple of chunk size */

src/iso_alloc_signal.c

@@ -0,0 +1,25 @@
+/* iso_alloc_signal.c - A secure memory allocator
+ * Copyright 2022 - chris.rohlf@gmail.com */
+
+#include "iso_alloc_internal.h"
+
+#if SIGNAL_HANDLER
+INTERNAL_HIDDEN void handle_signal(int sig, siginfo_t *si, void *ctx) {
+    void *crash_addr = si->si_addr;
+
+#if UAF_PTR_PAGE
+    if(si->si_addr == NULL) {
+        LOG_AND_ABORT("si->si_addr == NULL");
+    }
+
+    /* Check for the address within 2 pages in
+     * either direction of _root->uaf_ptr_page */
+    if(crash_addr >= _root->uaf_ptr_page - (g_page_size * 2) &&
+       crash_addr <= _root->uaf_ptr_page + (g_page_size * 2)) {
+        LOG_AND_ABORT("Use after free detected! Crashed at _root->uaf_ptr_page 0x%x", si->si_addr);
+    }
+#endif
+
+    LOG_AND_ABORT("Unknown segmentation fault @ 0x%p", crash_addr);
+}
+#endif