Fix invalid memory write in case of failing mmap(...) in PosixLockedPageAllocator::AllocateLocked#15117
Merged
laanwj merged 1 commit intobitcoin:masterfrom Jan 9, 2019
Conversation
…geAllocator::AllocateLocked
practicalswift
changed the title
practicalswift
changed the title
Empact
reviewed
Jan 7, 2019
| return static_cast<T*>(LockedPoolManager::Instance().alloc(sizeof(T) * n)); | ||
| T* allocation = static_cast<T*>(LockedPoolManager::Instance().alloc(sizeof(T) * n)); | ||
| if (!allocation) { | ||
| throw std::bad_alloc(); |
Contributor
Author
There was a problem hiding this comment.
I don't think bad_alloc have any parameterized ctor:s?
Contributor
There was a problem hiding this comment.
Indeed - I guess the other option would be to log it in the allocate method. (nit only)
Empact
reviewed
Jan 7, 2019
| addr = mmap(nullptr, len, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); | ||
| if (addr == MAP_FAILED) { | ||
| return nullptr; | ||
| } |
Contributor
There was a problem hiding this comment.
Judging from leveldb's handling, and the mmap docs, the null value case is negligible:
bitcoin/src/leveldb/util/env_posix.cc
Lines 367 to 372 in 9c71998
Contributor
Author
There was a problem hiding this comment.
I'm not sure how to parse TBH: are you suggesting a change here? :-)
Contributor
There was a problem hiding this comment.
Just that the if (addr) is strictly unnecessary.
Contributor
|
Concept ACK |
Member
|
TIL. Always thought it returned utACK ca126d4 |
Contributor
|
Concept ACK. I too assumed mmap returned NULL on failure. |
Contributor
|
Concept ACK - good spot! |
laanwj
added a commit
that referenced
this pull request
Jan 9, 2019
…n PosixLockedPageAllocator::AllocateLocked ca126d4 Fix out-of-bounds write in case of failing mmap(...) in PosixLockedPageAllocator::AllocateLocked (practicalswift) Pull request description: `mmap(...)` returns `MAP_FAILED` (`(void *) -1`) in case of allocation failure. `PosixLockedPageAllocator::AllocateLocked(...)` did not check for allocation failures prior to this PR. Instead the invalid memory address `(void *) -1` (`0xffffffffffffffff`) was passed to the caller as if it was a valid address. After some operations the address is wrapped around from `0xffffffffffffffff` to `0x00000003ffdf` (`0xffffffffffffffff + 262112 == 0x00000003ffdf`); The resulting address `0x00000003ffdf` is then written to. Before this patch (with failing `mmap` call): ``` $ src/bitcoind … 2019-01-06T16:28:14Z Using the 'sse4(1way),sse41(4way)' SHA256 implementation 2019-01-06T16:28:14Z Using RdRand as an additional entropy source Segmentation fault (core dumped) ``` Before this patch (under `valgrind` with failing `mmap` call): ``` $ valgrind src/bitcoind … 2019-01-06T16:28:51Z Using the 'sse4(1way),sse41(4way)' SHA256 implementation ==17812== Invalid write of size 1 ==17812== at 0x500B7E: void __gnu_cxx::new_allocator<unsigned char>::construct<unsigned char>(unsigned char*) (new_allocator.h:136) ==17812== by 0x500B52: _ZNSt16allocator_traitsI16secure_allocatorIhEE12_S_constructIhJEEENSt9enable_ifIXsr6__and_INS2_18__construct_helperIT_JDpT0_EE4typeEEE5valueEvE4typeERS1_PS6_DpOS7_ (alloc_traits.h:243) ==17812== by 0x500B22: _ZNSt16allocator_traitsI16secure_allocatorIhEE9constructIhJEEEDTcl12_S_constructfp_fp0_spclsr3stdE7forwardIT0_Efp1_EEERS1_PT_DpOS4_ (alloc_traits.h:344) ==17812== by 0x500982: unsigned char* std::__uninitialized_default_n_a<unsigned char*, unsigned long, secure_allocator<unsigned char> >(unsigned char*, unsigned long, secure_allocator<unsigned char>&) (stl_uninitialized.h:631) ==17812== by 0x60BFC2: std::vector<unsigned char, secure_allocator<unsigned char> >::_M_default_initialize(unsigned long) (stl_vector.h:1347) ==17812== by 0x60BD86: std::vector<unsigned char, secure_allocator<unsigned char> >::vector(unsigned long, secure_allocator<unsigned char> const&) (stl_vector.h:285) ==17812== by 0x60BB55: ECC_Start() (key.cpp:351) ==17812== by 0x16AC90: AppInitSanityChecks() (init.cpp:1162) ==17812== by 0x15BAC9: AppInit(int, char**) (bitcoind.cpp:138) ==17812== by 0x15B6C8: main (bitcoind.cpp:201) ==17812== Address 0x3ffdf is not stack'd, malloc'd or (recently) free'd … Segmentation fault (core dumped) ``` After this patch (with failing `mmap` call): ``` $ src/bitcoind … 2019-01-06T15:50:18Z Using the 'sse4(1way),sse41(4way)' SHA256 implementation 2019-01-06T15:50:18Z Using RdRand as an additional entropy source 2019-01-06T15:50:18Z ************************ EXCEPTION: St9bad_alloc std::bad_alloc bitcoin in AppInit() ************************ EXCEPTION: St9bad_alloc std::bad_alloc bitcoin in AppInit() 2019-01-06T15:50:18Z Shutdown: In progress... 2019-01-06T15:50:18Z Shutdown: done ``` To simulate the failing `mmap` call apply the following to `master`: ```diff diff --git a/src/support/lockedpool.cpp b/src/support/lockedpool.cpp index 8d577cf..ce79e569b 100644 --- a/src/support/lockedpool.cpp +++ b/src/support/lockedpool.cpp @@ -247,7 +247,8 @@ void *PosixLockedPageAllocator::AllocateLocked(size_t len, bool *lockingSuccess) { void *addr; len = align_up(len, page_size); - addr = mmap(nullptr, len, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); + // addr = mmap(nullptr, len, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); + addr = MAP_FAILED; if (addr) { *lockingSuccess = mlock(addr, len) == 0; } ``` Tree-SHA512: 66947f5fc0fbb19afb3e1edbd51df07df9d16b77018cff3d48d30f378a53d6a0dc62bc36622b3966b7e374e61edbcca114ef4ac8ae8d725022c1a597edcbf7c7
zkbot
added a commit
to zcash/zcash
that referenced
this pull request
Sep 29, 2020
Locked memory manager Add a pool for locked memory chunks, replacing `LockedPageManager`. Cherry-picked from the following upstream PRs: - bitcoin/bitcoin#8321 - bitcoin/bitcoin#8753 - bitcoin/bitcoin#9063 - bitcoin/bitcoin#9070 - bitcoin/bitcoin#11385 - bitcoin/bitcoin#12048 - Excludes change to benchmark. - bitcoin/bitcoin#15117 - bitcoin/bitcoin#16161 - Excludes Travis CI changes. - Includes change from bitcoin/bitcoin#13163 - bitcoin/bitcoin#15600 - bitcoin/bitcoin#18443 - Assorted small changes from: - bitcoin/bitcoin#9233 - bitcoin/bitcoin#10483 - bitcoin/bitcoin#10645 - bitcoin/bitcoin#10969 - bitcoin/bitcoin#11351 - bitcoin/bitcoin#19111 - Excludes change to `src/rpc/server.cpp` - bitcoin/bitcoin#9804 - Only the commit for `src/key.cpp` - bitcoin/bitcoin#9598
jasonbcox
pushed a commit
to Bitcoin-ABC/bitcoin-abc
that referenced
this pull request
Nov 11, 2020
…geAllocator::AllocateLocked Summary: PR description: > mmap(...) returns MAP_FAILED ((void *) -1) in case of allocation failure. > > PosixLockedPageAllocator::AllocateLocked(...) did not check for allocation failures prior to this PR. > > Instead the invalid memory address (void *) -1 (0xffffffffffffffff) was passed to the caller as if it was a valid address. > > After some operations the address is wrapped around from 0xffffffffffffffff to 0x00000003ffdf (0xffffffffffffffff + 262112 == 0x00000003ffdf); > > The resulting address 0x00000003ffdf is then written to. > > Before this patch (with failing mmap call): > > ``` > $ src/bitcoind > … > 2019-01-06T16:28:14Z Using the 'sse4(1way),sse41(4way)' SHA256 implementation > 2019-01-06T16:28:14Z Using RdRand as an additional entropy source > Segmentation fault (core dumped) > ``` > > After this patch (with failing mmap call): > ``` > $ src/bitcoind > … > 2019-01-06T15:50:18Z Using the 'sse4(1way),sse41(4way)' SHA256 implementation > 2019-01-06T15:50:18Z Using RdRand as an additional entropy source > 2019-01-06T15:50:18Z > > ************************ > EXCEPTION: St9bad_alloc > std::bad_alloc > bitcoin in AppInit() > > > > ************************ > EXCEPTION: St9bad_alloc > std::bad_alloc > bitcoin in AppInit() > > 2019-01-06T15:50:18Z Shutdown: In progress... > 2019-01-06T15:50:18Z Shutdown: done > ``` This is a backport of Core [[bitcoin/bitcoin#15117 | PR15117]] Test Plan: `ninja all check-all` Reviewers: #bitcoin_abc, majcosta Reviewed By: #bitcoin_abc, majcosta Differential Revision: https://reviews.bitcoinabc.org/D8354
PastaPastaPasta
pushed a commit
to PastaPastaPasta/dash
that referenced
this pull request
Jun 28, 2021
…(...) in PosixLockedPageAllocator::AllocateLocked ca126d4 Fix out-of-bounds write in case of failing mmap(...) in PosixLockedPageAllocator::AllocateLocked (practicalswift) Pull request description: `mmap(...)` returns `MAP_FAILED` (`(void *) -1`) in case of allocation failure. `PosixLockedPageAllocator::AllocateLocked(...)` did not check for allocation failures prior to this PR. Instead the invalid memory address `(void *) -1` (`0xffffffffffffffff`) was passed to the caller as if it was a valid address. After some operations the address is wrapped around from `0xffffffffffffffff` to `0x00000003ffdf` (`0xffffffffffffffff + 262112 == 0x00000003ffdf`); The resulting address `0x00000003ffdf` is then written to. Before this patch (with failing `mmap` call): ``` $ src/bitcoind … 2019-01-06T16:28:14Z Using the 'sse4(1way),sse41(4way)' SHA256 implementation 2019-01-06T16:28:14Z Using RdRand as an additional entropy source Segmentation fault (core dumped) ``` Before this patch (under `valgrind` with failing `mmap` call): ``` $ valgrind src/bitcoind … 2019-01-06T16:28:51Z Using the 'sse4(1way),sse41(4way)' SHA256 implementation ==17812== Invalid write of size 1 ==17812== at 0x500B7E: void __gnu_cxx::new_allocator<unsigned char>::construct<unsigned char>(unsigned char*) (new_allocator.h:136) ==17812== by 0x500B52: _ZNSt16allocator_traitsI16secure_allocatorIhEE12_S_constructIhJEEENSt9enable_ifIXsr6__and_INS2_18__construct_helperIT_JDpT0_EE4typeEEE5valueEvE4typeERS1_PS6_DpOS7_ (alloc_traits.h:243) ==17812== by 0x500B22: _ZNSt16allocator_traitsI16secure_allocatorIhEE9constructIhJEEEDTcl12_S_constructfp_fp0_spclsr3stdE7forwardIT0_Efp1_EEERS1_PT_DpOS4_ (alloc_traits.h:344) ==17812== by 0x500982: unsigned char* std::__uninitialized_default_n_a<unsigned char*, unsigned long, secure_allocator<unsigned char> >(unsigned char*, unsigned long, secure_allocator<unsigned char>&) (stl_uninitialized.h:631) ==17812== by 0x60BFC2: std::vector<unsigned char, secure_allocator<unsigned char> >::_M_default_initialize(unsigned long) (stl_vector.h:1347) ==17812== by 0x60BD86: std::vector<unsigned char, secure_allocator<unsigned char> >::vector(unsigned long, secure_allocator<unsigned char> const&) (stl_vector.h:285) ==17812== by 0x60BB55: ECC_Start() (key.cpp:351) ==17812== by 0x16AC90: AppInitSanityChecks() (init.cpp:1162) ==17812== by 0x15BAC9: AppInit(int, char**) (bitcoind.cpp:138) ==17812== by 0x15B6C8: main (bitcoind.cpp:201) ==17812== Address 0x3ffdf is not stack'd, malloc'd or (recently) free'd … Segmentation fault (core dumped) ``` After this patch (with failing `mmap` call): ``` $ src/bitcoind … 2019-01-06T15:50:18Z Using the 'sse4(1way),sse41(4way)' SHA256 implementation 2019-01-06T15:50:18Z Using RdRand as an additional entropy source 2019-01-06T15:50:18Z ************************ EXCEPTION: St9bad_alloc std::bad_alloc bitcoin in AppInit() ************************ EXCEPTION: St9bad_alloc std::bad_alloc bitcoin in AppInit() 2019-01-06T15:50:18Z Shutdown: In progress... 2019-01-06T15:50:18Z Shutdown: done ``` To simulate the failing `mmap` call apply the following to `master`: ```diff diff --git a/src/support/lockedpool.cpp b/src/support/lockedpool.cpp index 8d577cf..ce79e569b 100644 --- a/src/support/lockedpool.cpp +++ b/src/support/lockedpool.cpp @@ -247,7 +247,8 @@ void *PosixLockedPageAllocator::AllocateLocked(size_t len, bool *lockingSuccess) { void *addr; len = align_up(len, page_size); - addr = mmap(nullptr, len, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); + // addr = mmap(nullptr, len, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); + addr = MAP_FAILED; if (addr) { *lockingSuccess = mlock(addr, len) == 0; } ``` Tree-SHA512: 66947f5fc0fbb19afb3e1edbd51df07df9d16b77018cff3d48d30f378a53d6a0dc62bc36622b3966b7e374e61edbcca114ef4ac8ae8d725022c1a597edcbf7c7
furszy
added a commit
to PIVX-Project/PIVX
that referenced
this pull request
Sep 11, 2021
9295568 Fix segfault in allocator_tests/arena_tests (Jeffrey Czyz) f7d88f5 Define ARENA_DEBUG in GA test runs (furszy) cae2e13 Fix compilation errors in support/lockedpool.cpp (Jeffrey Czyz) d19359f fix nits: variable naming, typos (Martin Ankerl) 5cbd967 Use best-fit strategy in Arena, now O(log(n)) instead O(n) (Martin Ankerl) 1ccd62e Fix out-of-bounds write in case of failing mmap(...) in PosixLockedPageAllocator::AllocateLocked (practicalswift) 7ad7157 LockedPool: avoid quadratic-time allocation (Kaz Wesley) 39e1b3b LockedPool: fix explosion for illegal-sized alloc (Kaz Wesley) adb1f1c LockedPool: test handling of invalid allocations (Kaz Wesley) 626b865 Do not shadow variable, use deprecated MAP_ANON if MAP_ANONYMOUS is not defined. (Pavel Janík) Pull request description: Follow up to #2276. Completing the locked memory manager todo list. Back porting: * bitcoin#9063. * bitcoin#9070. * bitcoin#12048. * bitcoin#15117. * bitcoin#16161. ACKs for top commit: random-zebra: ACK 9295568 Fuzzbawls: ACK 9295568 Tree-SHA512: 0d14c7e8231386ee32f1fefac08de9ee278c02d6b0e5172c055851d33c803b0be3398fc5173457e539179712a13d4736033a926f318e576789b4d57b67eb0596
gades
pushed a commit
to cosanta/cosanta-core
that referenced
this pull request
Apr 29, 2022
…(...) in PosixLockedPageAllocator::AllocateLocked ca126d4 Fix out-of-bounds write in case of failing mmap(...) in PosixLockedPageAllocator::AllocateLocked (practicalswift) Pull request description: `mmap(...)` returns `MAP_FAILED` (`(void *) -1`) in case of allocation failure. `PosixLockedPageAllocator::AllocateLocked(...)` did not check for allocation failures prior to this PR. Instead the invalid memory address `(void *) -1` (`0xffffffffffffffff`) was passed to the caller as if it was a valid address. After some operations the address is wrapped around from `0xffffffffffffffff` to `0x00000003ffdf` (`0xffffffffffffffff + 262112 == 0x00000003ffdf`); The resulting address `0x00000003ffdf` is then written to. Before this patch (with failing `mmap` call): ``` $ src/bitcoind … 2019-01-06T16:28:14Z Using the 'sse4(1way),sse41(4way)' SHA256 implementation 2019-01-06T16:28:14Z Using RdRand as an additional entropy source Segmentation fault (core dumped) ``` Before this patch (under `valgrind` with failing `mmap` call): ``` $ valgrind src/bitcoind … 2019-01-06T16:28:51Z Using the 'sse4(1way),sse41(4way)' SHA256 implementation ==17812== Invalid write of size 1 ==17812== at 0x500B7E: void __gnu_cxx::new_allocator<unsigned char>::construct<unsigned char>(unsigned char*) (new_allocator.h:136) ==17812== by 0x500B52: _ZNSt16allocator_traitsI16secure_allocatorIhEE12_S_constructIhJEEENSt9enable_ifIXsr6__and_INS2_18__construct_helperIT_JDpT0_EE4typeEEE5valueEvE4typeERS1_PS6_DpOS7_ (alloc_traits.h:243) ==17812== by 0x500B22: _ZNSt16allocator_traitsI16secure_allocatorIhEE9constructIhJEEEDTcl12_S_constructfp_fp0_spclsr3stdE7forwardIT0_Efp1_EEERS1_PT_DpOS4_ (alloc_traits.h:344) ==17812== by 0x500982: unsigned char* std::__uninitialized_default_n_a<unsigned char*, unsigned long, secure_allocator<unsigned char> >(unsigned char*, unsigned long, secure_allocator<unsigned char>&) (stl_uninitialized.h:631) ==17812== by 0x60BFC2: std::vector<unsigned char, secure_allocator<unsigned char> >::_M_default_initialize(unsigned long) (stl_vector.h:1347) ==17812== by 0x60BD86: std::vector<unsigned char, secure_allocator<unsigned char> >::vector(unsigned long, secure_allocator<unsigned char> const&) (stl_vector.h:285) ==17812== by 0x60BB55: ECC_Start() (key.cpp:351) ==17812== by 0x16AC90: AppInitSanityChecks() (init.cpp:1162) ==17812== by 0x15BAC9: AppInit(int, char**) (bitcoind.cpp:138) ==17812== by 0x15B6C8: main (bitcoind.cpp:201) ==17812== Address 0x3ffdf is not stack'd, malloc'd or (recently) free'd … Segmentation fault (core dumped) ``` After this patch (with failing `mmap` call): ``` $ src/bitcoind … 2019-01-06T15:50:18Z Using the 'sse4(1way),sse41(4way)' SHA256 implementation 2019-01-06T15:50:18Z Using RdRand as an additional entropy source 2019-01-06T15:50:18Z ************************ EXCEPTION: St9bad_alloc std::bad_alloc bitcoin in AppInit() ************************ EXCEPTION: St9bad_alloc std::bad_alloc bitcoin in AppInit() 2019-01-06T15:50:18Z Shutdown: In progress... 2019-01-06T15:50:18Z Shutdown: done ``` To simulate the failing `mmap` call apply the following to `master`: ```diff diff --git a/src/support/lockedpool.cpp b/src/support/lockedpool.cpp index 8d577cf..ce79e569b 100644 --- a/src/support/lockedpool.cpp +++ b/src/support/lockedpool.cpp @@ -247,7 +247,8 @@ void *PosixLockedPageAllocator::AllocateLocked(size_t len, bool *lockingSuccess) { void *addr; len = align_up(len, page_size); - addr = mmap(nullptr, len, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); + // addr = mmap(nullptr, len, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); + addr = MAP_FAILED; if (addr) { *lockingSuccess = mlock(addr, len) == 0; } ``` Tree-SHA512: 66947f5fc0fbb19afb3e1edbd51df07df9d16b77018cff3d48d30f378a53d6a0dc62bc36622b3966b7e374e61edbcca114ef4ac8ae8d725022c1a597edcbf7c7
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
mmap(...)returnsMAP_FAILED((void *) -1) in case of allocation failure.PosixLockedPageAllocator::AllocateLocked(...)did not check for allocation failures prior to this PR.Instead the invalid memory address
(void *) -1(0xffffffffffffffff) was passed to the caller as if it was a valid address.After some operations the address is wrapped around from
0xffffffffffffffffto0x00000003ffdf(0xffffffffffffffff + 262112 == 0x00000003ffdf);The resulting address
0x00000003ffdfis then written to.Before this patch (with failing
mmapcall):Before this patch (under
valgrindwith failingmmapcall):After this patch (with failing
mmapcall):To simulate the failing
mmapcall apply the following tomaster: