Re: *alloc: Take advantage of CHERI bounds-checking
From: Sam James
Subject: Re: *alloc: Take advantage of CHERI bounds-checking
Date: Sat, 11 Nov 2023 20:22:31 +0000
User-agent: mu4e 1.10.8; emacs 30.0.50
Bruno Haible <bruno@clisp.org> writes:
> I was impressed by the fact that CHERI detected the multithread-safety
> bug of gnulib's use of rand() in the test suite.
>
> Now I'd like to try CHERI on packages like gettext, and see whether
> it finds bugs that neither valgrind nor the gcc bounds-checking options
> can detect.
>
> For this purpose, it is useful if all functions that allocate memory
> blocks return bounds for these memory blocks that are as tight as possible.
> malloc(), realloc(), reallocarray(), alloca() already do so.
> (To convince yourself, use a C program that makes use of these functions,
> and print the return values from within gdb. gdb prints pointers with bounds.)
>
> This set of patches handles most memory allocators that we have in gnulib.
Oh, TIL. I didn't realise CHERI provided an API for this. Thank you!
I don't think this applies to gnulib, but it feels relevant enough for
me to mention it: for packages with their own allocator where they
retain a pool, it may be worth adding ASAN attributes/hooks.
Emacs did this a little while ago in
https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=cb242bf1514ade34ab93b1db1ea7550093ae5839
to find UAFs where the memory might get reused but isn't yet
returned to the underlying malloc/free impl.
>
> The API is documented in
> <https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-947.pdf>.
>
>
> 2023-11-11 Bruno Haible <bruno@clisp.org>
>
> malloca: Take advantage of CHERI bounds-checking.
> * lib/malloca.h: Include <cheri.h>.
> (malloca) [CHERI]: In the stack-allocation case, return a pointer with
> a tight lower bound and a tight upper bound.
> * lib/malloca.c: Include <cheri.h>.
> (small_t) [CHERI]: Define as uintptr_t.
> (mmalloca) [CHERI]: Return a pointer with a tight upper bound.
> (freea) [CHERI]: Update.
>
> 2023-11-11 Bruno Haible <bruno@clisp.org>
>
> safe-alloc: Take advantage of CHERI bounds-checking.
> * lib/safe-alloc.h: Include <cheri.h>.
> (safe_alloc_realloc_n): When count or size is 0, return a pointer whose
> bounds are of size 0, not 1.
>
> 2023-11-11 Bruno Haible <bruno@clisp.org>
>
> ialloc: Take advantage of CHERI bounds-checking.
> * lib/ialloc.h: Include <cheri.h>.
> (irealloc): When s is 0, return a pointer whose bounds are of size 0,
> not 1.
> (ireallocarray): When n or s is 0, return a pointer whose bounds are of
> size 0, not 1.
>
> 2023-11-11 Bruno Haible <bruno@clisp.org>
>
> eealloc: Take advantage of CHERI bounds-checking.
> * lib/eealloc.h: Include <cheri.h>.
> (eemalloc): When n is 0, return a pointer whose bounds are of size 0,
> not 1.
> (eerealloc): Likewise.
>
> 2023-11-11 Bruno Haible <bruno@clisp.org>
>
> alignalloc: Take advantage of CHERI bounds-checking.
> * lib/alignalloc.h: Include <cheri.h>.
> (alignalloc): When size is 0, return a pointer whose bounds are of
> size 0, not 1.
>
> [2. text/x-patch;
> 0001-alignalloc-Take-advantage-of-CHERI-bounds-checking.patch]...
>
> [3. text/x-patch;
> 0002-eealloc-Take-advantage-of-CHERI-bounds-checking.patch]...
>
> [4. text/x-patch;
> 0003-ialloc-Take-advantage-of-CHERI-bounds-checking.patch]...
>
> [5. text/x-patch;
> 0004-safe-alloc-Take-advantage-of-CHERI-bounds-checking.patch]...
>
> [6. text/x-patch;
> 0005-malloca-Take-advantage-of-CHERI-bounds-checking.patch]...
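As an added illustration of the ASAN hooks mentioned in the reply above (hypothetical code, not gnulib's and not the Emacs commit's): a fixed-size pool allocator that poisons a block while it sits on the pool's free list and unpoisons it when handed out, so a stale access is reported even though the bytes never go back to free(). Without -fsanitize=address the hooks compile to no-ops and the pool behaves normally.

```c
/* Added example (hypothetical; not gnulib's or Emacs's code): a fixed-size
   block pool that tells AddressSanitizer which blocks are live.  Built
   without -fsanitize=address the hooks are no-ops and the pool still works. */
#include <stddef.h>
#include <stdint.h>
#ifndef __has_feature
#define __has_feature(x) 0
#endif
#if __has_feature(address_sanitizer) || defined(__SANITIZE_ADDRESS__)
#include <sanitizer/asan_interface.h>
#else
#define ASAN_POISON_MEMORY_REGION(a, s)   ((void)(a), (void)(s))
#define ASAN_UNPOISON_MEMORY_REGION(a, s) ((void)(a), (void)(s))
#endif
#define BLOCK_SIZE 64u  /* multiple of 8, so poisoning has byte-exact edges */
#define NBLOCKS    16u
static _Alignas(8) unsigned char arena[NBLOCKS * BLOCK_SIZE];
static size_t free_stack[NBLOCKS];  /* kept out of band, so a free block can be
                                       poisoned whole (no readable "next" link) */
static size_t free_top;

void pool_init(void)
{
  for (size_t i = 0; i < NBLOCKS; i++)
    free_stack[i] = NBLOCKS - 1 - i;
  free_top = NBLOCKS;
  ASAN_POISON_MEMORY_REGION(arena, sizeof arena);  /* nothing handed out yet */
}

void *pool_alloc(void)
{
  if (free_top == 0) return NULL;                  /* pool exhausted */
  unsigned char *p = arena + free_stack[--free_top] * BLOCK_SIZE;
  ASAN_UNPOISON_MEMORY_REGION(p, BLOCK_SIZE);      /* caller may use it now */
  return p;
}

/* 0 on success; -1 if p is not a block start, or on a double free when
   every block is already on the free list. */
int pool_free(void *p)
{
  size_t off = (uintptr_t)p - (uintptr_t)arena;   /* wraps if p is below arena */
  if (off >= sizeof arena || off % BLOCK_SIZE != 0 || free_top == NBLOCKS)
    return -1;
  /* Bytes never reach free(); this poisoning is what lets ASAN flag stale accesses. */
  ASAN_POISON_MEMORY_REGION(arena + off, BLOCK_SIZE);
  free_stack[free_top++] = off / BLOCK_SIZE;
  return 0;
}

size_t pool_blocks_in_use(void) { return NBLOCKS - free_top; }
```

Compiled with -fsanitize=address, a read or write through a pointer after pool_free() is reported as use-after-poison; the same access in an unhooked pool would silently hit whatever the next pool_alloc() placed there.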