author | Peter Collingbourne <peter@pcc.me.uk> | 2021-05-14 04:54:00 +0000 |
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2021-05-14 04:54:00 +0000 |
commit | 7d88d84d77ee07b2c46719691f28cacaa195cf26 (patch) | |
tree | e370884fdad9d5f95b9407d7916497730cb21bda | |
parent | e00e922984eac3c5bab3dd70054a27b1bdc7afd2 (diff) | |
parent | bccf0d417b0526018a82115fed3e9d64b41d74d8 (diff) | |
scudo: Check for UAF in ring buffer before OOB in more distant blocks. am: a5ea25ba9d am: bccf0d417b
Original change: https://android-review.googlesource.com/c/platform/external/scudo/+/1707707
Change-Id: I6b9c58f6aaafc12f4a60dc02edcbeecea7cc218d
-rw-r--r-- | standalone/combined.h | 24 |
1 files changed, 18 insertions, 6 deletions
diff --git a/standalone/combined.h b/standalone/combined.h
index 70aeaa8ab7a..95fc8d9bbbe 100644
--- a/standalone/combined.h
+++ b/standalone/combined.h
@@ -927,12 +927,25 @@ public:
     auto *Depot = reinterpret_cast<const StackDepot *>(DepotPtr);
     size_t NextErrorReport = 0;
+
+    // Check for OOB in the current block and the two surrounding blocks. Beyond
+    // that, UAF is more likely.
     if (extractTag(FaultAddr) != 0)
       getInlineErrorInfo(ErrorInfo, NextErrorReport, FaultAddr, Depot,
                          RegionInfoPtr, Memory, MemoryTags, MemoryAddr,
-                         MemorySize);
+                         MemorySize, 0, 2);
+
+    // Check the ring buffer. For primary allocations this will only find UAF;
+    // for secondary allocations we can find either UAF or OOB.
     getRingBufferErrorInfo(ErrorInfo, NextErrorReport, FaultAddr, Depot,
                            RingBufferPtr);
+
+    // Check for OOB in the 28 blocks surrounding the 3 we checked earlier.
+    // Beyond that we are likely to hit false positives.
+    if (extractTag(FaultAddr) != 0)
+      getInlineErrorInfo(ErrorInfo, NextErrorReport, FaultAddr, Depot,
+                         RegionInfoPtr, Memory, MemoryTags, MemoryAddr,
+                         MemorySize, 2, 16);
   }
 
 private:
@@ -1247,7 +1260,8 @@ private:
                                  const StackDepot *Depot, const char *RegionInfoPtr,
                                  const char *Memory, const char *MemoryTags,
                                  uintptr_t MemoryAddr,
-                                 size_t MemorySize) {
+                                 size_t MemorySize, size_t MinDistance,
+                                 size_t MaxDistance) {
     uptr UntaggedFaultAddr = untagPointer(FaultAddr);
     u8 FaultAddrTag = extractTag(FaultAddr);
     BlockInfo Info =
@@ -1308,12 +1322,10 @@ private:
       return NextErrorReport == NumErrorReports;
     };
 
-    if (CheckOOB(Info.BlockBegin))
+    if (MinDistance == 0 && CheckOOB(Info.BlockBegin))
       return;
 
-    // Check for OOB in the 30 surrounding blocks. Beyond that we are likely to
-    // hit false positives.
-    for (int I = 1; I != 16; ++I)
+    for (size_t I = Max<size_t>(MinDistance, 1); I != MaxDistance; ++I)
       if (CheckOOB(Info.BlockBegin + I * Info.BlockSize) ||
           CheckOOB(Info.BlockBegin - I * Info.BlockSize))
         return;
|
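Review bot: The new dispatch in the first hunk evaluates `extractTag(FaultAddr) != 0` twice and passes the search bounds as bare literals (`0, 2` and `2, 16`), so a reader has to re-derive how "the two surrounding blocks" and "the 28 blocks surrounding the 3" follow from those numbers. Hoisting `const bool Tagged = extractTag(FaultAddr) != 0;` above the first pass and naming the bounds, e.g. `constexpr size_t NearOOBDistance = 2; constexpr size_t FarOOBDistance = 16;`, would make the near/ring-buffer/far ordering self-describing. Whether the far pass still has report slots after the ring-buffer pass depends on NextErrorReport reaching NumErrorReports, which is checked inside the CheckOOB lambda (visible only as its tail in the third hunk); the enclosing function begins before this hunk.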
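Review bot: The two new parameters MinDistance and MaxDistance in the second hunk carry no documentation, and the comment that used to describe the search range (`// Check for OOB in the 30 surrounding blocks...`) is deleted in the third hunk, so the half-open convention is now only recoverable by reading the loop. A comment above the declaration along the lines of `// MinDistance/MaxDistance bound the OOB search, in blocks, to the half-open range [MinDistance, MaxDistance) on each side of the faulting block; MinDistance == 0 also checks the faulting block itself.` would record it where callers look. The declaration of getInlineErrorInfo begins before this hunk and its body continues past it.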
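Review bot: The loop condition `I != MaxDistance` in the third hunk only terminates when MaxDistance is strictly greater than Max(MinDistance, 1); a future caller passing MinDistance >= MaxDistance (or MaxDistance == 0) would keep probing blocks ever further from the fault until `I` wraps. The callers added in this commit use (0, 2) and (2, 16), so it is correct today, but `for (size_t I = Max<size_t>(MinDistance, 1); I < MaxDistance; ++I)` holds for any bounds at no cost, and a `DCHECK_LT(MinDistance, MaxDistance)` at the top of the function would state the precondition if the project's check macros are available in this file. The `MinDistance == 0 &&` guard on the Info.BlockBegin check is consistent with that half-open convention, so the two passes cover distances 0..1 and 2..15 without overlap. getInlineErrorInfo starts before this hunk.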