cleanup uaf ptr page code

struct · struct · commit 57527d4a0079 · 2022-12-10T16:48:46.000-05:00
diff --git a/Makefile b/Makefile
@@ -68,7 +68,8 @@ STARTUP_MEM_USAGE = -DSMALL_MEM_STARTUP=0
 PRE_POPULATE_PAGES = -DPRE_POPULATE_PAGES=0
 
 ## Enable some functionality that like IsoAlloc internals
-## for tests that need to verify security properties
+## for tests that need to verify security properties.
+## Only test code should use this.
 UNIT_TESTING = -DUNIT_TESTING=1
 
 ## Enable the malloc/free and new/delete hooks
@@ -183,6 +184,15 @@ AUTO_CTOR_DTOR = -DAUTO_CTOR_DTOR=1
 ## that call free will segfault
 ISO_DTOR_CLEANUP = -DISO_DTOR_CLEANUP=0
 
+## Register a signal handler for SIGSEGV that inspects si_addr
+## for an address managed by IsoAlloc. Optionally used when
+## UAF_PTR_PAGE is enabled for better crash handling
+SIGNAL_HANDLER = -DSIGNAL_HANDLER=1
+
+## If you know your target will have an ARMv8.1-A or newer and
+## supports Top Byte Ignore (TBI) then you want to enable this
+ARM_TBI = 0
+
 LTO = -flto
 
 LIBNAME = libisoalloc.so
@@ -248,8 +258,9 @@ CFLAGS += $(COMMON_CFLAGS) $(SECURITY_FLAGS) $(BUILD_ERROR_FLAGS) $(HOOKS) $(HEA
 	-std=c11 $(SANITIZER_SUPPORT) $(ALLOC_SANITY) $(MEMCPY_SANITY) $(UNINIT_READ_SANITY) $(CPU_PIN) $(SCHED_GETCPU) \
 	$(EXPERIMENTAL) $(UAF_PTR_PAGE) $(VERIFY_FREE_BIT_SLOTS) $(NAMED_MAPPINGS) $(ABORT_ON_NULL) $(NO_ZERO_ALLOCATIONS) \
 	$(ABORT_NO_ENTROPY) $(ISO_DTOR_CLEANUP) $(RANDOMIZE_FREELIST) $(USE_SPINLOCK) $(HUGE_PAGES) $(USE_MLOCK) \
-	$(MEMORY_TAGGING) $(STRONG_SIZE_ISOLATION) $(MEMSET_SANITY) $(AUTO_CTOR_DTOR)
-CXXFLAGS += $(COMMON_CFLAGS) -DCPP_SUPPORT=1 -std=c++17 $(SANITIZER_SUPPORT) $(HOOKS)
+	$(MEMORY_TAGGING) $(STRONG_SIZE_ISOLATION) $(MEMSET_SANITY) $(AUTO_CTOR_DTOR) $(SIGNAL_HANDLER)
+CXXFLAGS = $(COMMON_CFLAGS) -DCPP_SUPPORT=1 -std=c++17 $(SANITIZER_SUPPORT) $(HOOKS)
+
 EXE_CFLAGS = -fPIE
 GDB_FLAGS = -g -ggdb3 -fno-omit-frame-pointer
 PERF_FLAGS = -pg -DPERF_TEST_BUILD=1
@@ -318,7 +329,7 @@ tests: clean library_debug_unit_tests
 	@echo "make tests"
 	$(CC) $(CFLAGS) $(EXE_CFLAGS) $(DEBUG_LOG_FLAGS) $(GDB_FLAGS) $(OS_FLAGS) tests/rand_freelist.c $(ISO_ALLOC_PRINTF_SRC) -o $(BUILD_DIR)/rand_freelist $(LDFLAGS)
 	$(CC) $(CFLAGS) $(EXE_CFLAGS) $(DEBUG_LOG_FLAGS) $(GDB_FLAGS) $(OS_FLAGS) tests/tests.c $(ISO_ALLOC_PRINTF_SRC) -o $(BUILD_DIR)/tests $(LDFLAGS)
-	$(CC) $(CFLAGS) $(EXE_CFLAGS) $(DEBUG_LOG_FLAGS) $(GDB_FLAGS) $(OS_FLAGS) tests/uaf.c $(ISO_ALLOC_PRINTF_SRC) -o $(BUILD_DIR)/uaf $(LDFLAGS)
+	$(CC) $(CFLAGS) $(EXE_CFLAGS) $(DEBUG_LOG_FLAGS) $(GDB_FLAGS) $(OS_FLAGS) $(UNIT_TESTING) tests/uaf.c $(ISO_ALLOC_PRINTF_SRC) -o $(BUILD_DIR)/uaf $(LDFLAGS)
 	$(CC) $(CFLAGS) $(EXE_CFLAGS) $(DEBUG_LOG_FLAGS) $(GDB_FLAGS) $(OS_FLAGS) tests/interfaces_test.c $(ISO_ALLOC_PRINTF_SRC) -o $(BUILD_DIR)/interfaces_test $(LDFLAGS)
 	$(CC) $(CFLAGS) $(EXE_CFLAGS) $(DEBUG_LOG_FLAGS) $(GDB_FLAGS) $(OS_FLAGS) tests/thread_tests.c $(ISO_ALLOC_PRINTF_SRC) -o $(BUILD_DIR)/thread_tests $(LDFLAGS)
 	$(CC) $(CFLAGS) $(EXE_CFLAGS) $(DEBUG_LOG_FLAGS) $(GDB_FLAGS) $(OS_FLAGS) $(UNIT_TESTING) tests/big_canary_test.c $(ISO_ALLOC_PRINTF_SRC) -o $(BUILD_DIR)/big_canary_test $(LDFLAGS)
diff --git a/include/conf.h b/include/conf.h
@@ -45,7 +45,6 @@
  * magic value that is written */
 #if UAF_PTR_PAGE
 #define UAF_PTR_PAGE_ODDS 1000000
-#define UAF_PTR_PAGE_ADDR 0xFF41414142434445
 #endif
 
 /* Zones can be retired after a certain number of
diff --git a/include/iso_alloc_ds.h b/include/iso_alloc_ds.h
@@ -102,6 +102,9 @@ typedef struct {
 #if NO_ZERO_ALLOCATIONS
     void *zero_alloc_page;
 #endif
+#if UAF_PTR_PAGE
+    void *uaf_ptr_page;
+#endif
 } __attribute__((aligned(sizeof(int64_t)))) iso_alloc_root;
 
 typedef struct {
diff --git a/include/iso_alloc_internal.h b/include/iso_alloc_internal.h
@@ -38,6 +38,7 @@ assert(sizeof(size_t) >= 64)
 #include <string.h>
 #include <unistd.h>
 #include <stdarg.h>
+#include <signal.h>
 #include <sys/mman.h>
 #include <sys/types.h>
 
@@ -327,10 +328,6 @@ extern pthread_mutex_t root_busy_mutex;
 #define UNLOCK_BIG_ZONE()
 #endif
 
-#if NO_ZERO_ALLOCATIONS
-extern void *_zero_alloc_page;
-#endif
-
 /* The global root */
 extern iso_alloc_root *_root;
 
@@ -402,6 +399,10 @@ INTERNAL_HIDDEN int64_t check_canary_no_abort(iso_alloc_zone_t *zone, const void
 INTERNAL_HIDDEN void _iso_alloc_initialize(void);
 INTERNAL_HIDDEN void _iso_alloc_destroy(void);
 
+#if SIGNAL_HANDLER
+INTERNAL_HIDDEN void handle_signal(int sig, siginfo_t *si, void *ctx);
+#endif
+
 #if EXPERIMENTAL
 INTERNAL_HIDDEN void _iso_alloc_search_stack(uint8_t *stack_start);
 #endif
diff --git a/src/iso_alloc.c b/src/iso_alloc.c
@@ -253,13 +253,28 @@ INTERNAL_HIDDEN void _iso_alloc_initialize(void) {
     _root->zero_alloc_page = mmap_pages(g_page_size, false, NULL, PROT_NONE);
 #endif
 
+#if UAF_PTR_PAGE
+    _root->uaf_ptr_page = mmap_pages(g_page_size, false, NULL, PROT_NONE);
+#endif
+
 #if ALLOC_SANITY && UNINIT_READ_SANITY
     _iso_alloc_setup_userfaultfd();
 #endif
 
 #if ALLOC_SANITY
     _sanity_canary = us_rand_uint64(&_root->seed);
 #endif
+
+#if SIGNAL_HANDLER
+    struct sigaction sa;
+    sigemptyset(&sa.sa_mask);
+    sa.sa_flags = SA_NODEFER | SA_SIGINFO;
+    sa.sa_sigaction = &handle_signal;
+
+    if(sigaction(SIGSEGV, &sa, NULL) == ERR) {
+        LOG("Could not register signal handler");
+    }
+#endif
 }
 
 #if AUTO_CTOR_DTOR
@@ -1909,6 +1924,10 @@ INTERNAL_HIDDEN void _iso_alloc_destroy(void) {
     munmap(_root->zero_alloc_page, g_page_size);
 #endif
 
+#if UAF_PTR_PAGE
+    munmap(_root->uaf_ptr_page, g_page_size);
+#endif
+
 #if DEBUG && (LEAK_DETECTOR || MEM_USAGE)
 #if MEM_USAGE
     uint64_t mb = 0;
diff --git a/src/iso_alloc_search.c b/src/iso_alloc_search.c
@@ -25,7 +25,7 @@ INTERNAL_HIDDEN void *_iso_alloc_ptr_search(void *n, bool poison) {
                     return search;
                 } else {
 #if UAF_PTR_PAGE
-                    *(uint64_t *) search = UAF_PTR_PAGE_ADDR;
+                    *(uint64_t *) search = (uint64_t)(_root->uaf_ptr_page);
                     return search;
 #endif
                 }
diff --git a/src/iso_alloc_signal.c b/src/iso_alloc_signal.c
@@ -0,0 +1,25 @@
+/* iso_alloc_signal.c - A secure memory allocator
+ * Copyright 2022 - chris.rohlf@gmail.com */
+
+#include "iso_alloc_internal.h"
+
+#if SIGNAL_HANDLER
+INTERNAL_HIDDEN void handle_signal(int sig, siginfo_t *si, void *ctx) {
+#if UAF_PTR_PAGE
+    void *crash_addr = si->si_addr;
+
+    if(si->si_addr == NULL) {
+        LOG_AND_ABORT("si->si_addr == NULL");
+    }
+
+    /* Check for the address within 2 pages in
+     * either direction of _root->uaf_ptr_page */
+    if(crash_addr >= _root->uaf_ptr_page - (g_page_size * 2) &&
+       crash_addr <= _root->uaf_ptr_page + (g_page_size * 2)) {
+        LOG_AND_ABORT("Use after free detected! Crashed at _root->uaf_ptr_page 0x%x", si->si_addr);
+    }
+
+    LOG_AND_ABORT("Unknown segmentation fault @ 0x%p", crash_addr);
+#endif
+}
+#endif
diff --git a/tests/uaf.c b/tests/uaf.c
@@ -26,7 +26,8 @@ int main(int argc, char *argv[]) {
 
     /* Dereference a pointer that should have been
      * detected and overwritten with UAF_PTR_PAGE */
-    fprintf(stdout, "Dereferencing test->str @ %p. Fault address will be %lx\n", test->str, UAF_PTR_PAGE_ADDR);
+    iso_alloc_root *root = _get_root();
+    fprintf(stdout, "Dereferencing test->str @ %p. Fault address will be %p\n", test->str, root->uaf_ptr_page);
     fprintf(stdout, "[%s]\n", test->str);
     iso_free_permanently(test);
 

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ INTERNAL_HIDDEN void _iso_alloc_ptr_search(void n, bool poison) {`
`25`	`25`	`return search;`
`26`	`26`	`} else {`
`27`	`27`	`#if UAF_PTR_PAGE`
`28`		`- (uint64_t ) search = UAF_PTR_PAGE_ADDR;`
	`28`	`+ (uint64_t ) search = (uint64_t)(_root->uaf_ptr_page);`
`29`	`29`	`return search;`
`30`	`30`	`#endif`
`31`	`31`	`}`