[MTE] Cleanup tagged si_addr refs to fix mappings OOB bug.
Currently, all MTE failures end up displaying 'Fault address falls at
0x<addr> after any mapped regions'. Clearly when scanning, we should use
the untagged address to figure out which ranges it's in.
I've taken the liberty of removing all si_addr parsing and moving it
into the common ProcessInfo, as well as making it really explicit
whether you want the (possibly tagged) original si_addr, or whether you
want the untagged variant (for scanning /proc/maps or whatever).
This is not particularly easily testable, as ReadCrashInfo isn't easily
injectable and `dump_all_maps` should already be passed the untagged
pointer to scan for. I've tested this locally on FVP under SYNC MTE with
a simple UaF binary and noted the problem is fixed. Given that this is
making the code more clear, I'm hoping the owners see no need for a
regression test :).
Bug: 135772972
Test: On FVP, run 'adb shell MEMTAG_OPTIONS=sync sanitizer-status' and
check that the use-after-free test ends up with the /proc/maps
description in the right place.
Change-Id: I220e4200c75a72474a95a67e5bbc36173a438dd2
diff --git a/debuggerd/libdebuggerd/scudo.cpp b/debuggerd/libdebuggerd/scudo.cpp
index f8bfe07..141c3bd 100644
--- a/debuggerd/libdebuggerd/scudo.cpp
+++ b/debuggerd/libdebuggerd/scudo.cpp
@@ -44,7 +44,7 @@
auto region_info = AllocAndReadFully(process_memory, process_info.scudo_region_info,
__scudo_get_region_info_size());
- untagged_fault_addr_ = untag_address(process_info.fault_address);
+ untagged_fault_addr_ = process_info.untagged_fault_address;
uintptr_t fault_page = untagged_fault_addr_ & ~(PAGE_SIZE - 1);
uintptr_t memory_begin = fault_page - PAGE_SIZE * 16;
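Review bot: The assignment `untagged_fault_addr_ = process_info.untagged_fault_address;` depends on a new field on ProcessInfo, and the old `process_info.fault_address` is no longer referenced here, but this diff only touches scudo.cpp. Please confirm the ProcessInfo change (adding `untagged_fault_address` and `maybe_tagged_fault_address`, removing or renaming `fault_address`) and every other reader of `fault_address` in libdebuggerd land in the same change or an earlier one in the series, otherwise this file will not build on its own.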
@@ -67,7 +67,7 @@
memory_tags[(i - memory_begin) / kTagGranuleSize] = process_memory->ReadTag(i);
}
- __scudo_get_error_info(&error_info_, process_info.fault_address, stack_depot.get(),
+ __scudo_get_error_info(&error_info_, process_info.maybe_tagged_fault_address, stack_depot.get(),
region_info.get(), memory.get(), memory_tags.get(), memory_begin,
memory_end - memory_begin);
}
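Review bot: A short comment above the `__scudo_get_error_info(&error_info_, process_info.maybe_tagged_fault_address, ...)` call would help: this is the one place that intentionally keeps the (possibly tagged) address, because the allocator needs the tag to match the faulting access against its allocation records, whereas the page-range computation a few lines up uses `untagged_fault_addr_` for address-range scanning. Without that note the two adjacent fields are easy to swap in a future edit, which is exactly the class of bug this change fixes. Also, the new line is longer than the surrounding code's wrap width; consider re-wrapping the argument list.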