Commit Graph

168 Commits

Author SHA1 Message Date
Matthew Parkinson
208ab9a8e8 Rederive allocator id for remotes.
Storing a pointer to an allocator id in an unused object could be a
gadget for escallating priviledge of an attacker, by enabling
use-after-free to corrupt the allocator structure, and then create more
damage.

This commit adds an alternative implementation that does not cache the
allocator id.
2021-05-18 14:58:15 +01:00
Matthew Parkinson
b3796c123e Move remote cache out of alloc.h
Consolidate the remote code into a single file.
2021-05-18 14:58:15 +01:00
Matthew Parkinson
118eecb2e6 Check for heap corruption
The allocator id and sizeclass are stored in deallocated objects to
provide quick lookup.  This adds checks that these are actually correct.
2021-05-18 14:58:15 +01:00
Nathaniel Filardo
8390a70a48 Fix static-sized alloc paths, add compilation test
The CapPtr refactoring was largely compiler guided; unfortunately, it turns out
that the static-sized alloc function is not well exercised.  As such, some type
errors and unnecessary unsafety lurked behind missing template instantiation.

Correct those and add calls to the test harness to make sure we always generate
at least one instance of each small/medium/large case.  While here, it doesn't
hurt to make sure that we call all three possible dealloc() flavors as well.
This will, if nothing else, force instantiation of the static-sized dealloc
template as well.
2021-04-20 12:17:46 +01:00
Nathaniel Filardo
c673b2e0ba SP: pass CBChunk, not CBArena, down to Superslab ops 2021-04-09 12:39:29 +01:00
Nathaniel Filardo
95871ff8a1 SP: free lists and remote queues are CBAlloc
Continue tightening the screws on pointer bounds.

Notably, pointers in remote queues are bounded to the free objects.  While we
believe that something like MTE is required to make in-band metadata safe, this
is a kind of defense in depth for StrictProvenance architectures: UAF for small
and medium objects expose mostly other (free) small or medium objects and not
allocator metadata (modulo some potential aliasing when Superslabs and
Mediumslabs interconvert).  This might shift the burdon on an attacker from
simply holding a UAF pointer to having had to farm several heap pointers.

The policy of bounding remote queue pointers may make the allocator's behavior
for small objects unexpected: while initial object construction during
allocation (that is, when the free list is empty) continues to cleave out
exportable pointers from elevated pointers to internal slabs, reuse pulls from
free lists of *already-bounded* objects.  These objects are queued by the
deallocation side, of course, but these paths now include "parallel
reconstruction" of a pointer to the free object from the amplified view of the
returned pointer, rather than queueing amplified pointers and leaving
reconstruction to the allocation side.

Medium objects are possibly similarly mysterious with the added twist that
medium slabs do not store pointers but rather always cleave from their
self-reference (but their interface has always operated using pointers).
Nevertheless, pointers to medium objects end up in remote queues, so we continue
to engage in "parallel reconstruction" in the deallocation paths.
2021-04-09 12:39:29 +01:00
Nathaniel Filardo
cf50fc5e55 SP: mediumslab: reduce capptr_export calls
Mediumslabs are strung on a dllist and used to feed the allocator there.  If we
ensure that these (and the root pointer to the list itself) are already
exported, then our alloc paths can bound these to arrive at exposible pointers.

The dealloc paths, where we might want a non-exported pointer, already have one,
as they have gone through amplification to get an arena-bounded pointer.

The sole wrinkle in this plan is that we might need a pointer without platform
constraints to manipulate the memory map for page-based zeroing.  Since we have
ample room in the Mediumslab header (a few kilobytes end up being used for
padding; the curious should see b8b5f305 and 3d3b0487), just cache therein a
copy of the CBChunk-bound pointer used in Mediumslab::init() for ::alloc().
2021-04-09 12:39:29 +01:00
Nathaniel Filardo
f7821e11eb SP: LargeAlloc return CBChunk & chase consequences
Even if we opt not to bound these pointers internally (if they aren't headed out
to the user program or we later derive bounded pointers), they should still be
annotated as something other than CBArena, ensuring that we do not attempt to
use them for general amplification.
2021-04-09 12:39:29 +01:00
Nathaniel Filardo
54fec3821f SP: alloc paths: begin using CBAllocE
Begin turning the screws on bounds: pointers the allocator is about to reveal
must be annotated as CBAllocE.  Use the PAL's capptr_export and the AAL's
capptr_bound<> to get them there.
2021-04-09 12:39:29 +01:00
Nathaniel Filardo
f2f1eb33d6 SP: amplify on dealloc and query paths 2021-04-09 12:39:29 +01:00
Nathaniel Filardo
d9822036b2 SP: add bounds placeholders to message queues
Like all the annotations so far, leave these as CBArena-bounded.

However, we can start to do a little better than we were doing before: for
not-large deallocations, we know that the internal superslab pointer is
sufficiently authoritative that we can use it to get to data structures rather
than also passing an amplified pointer to the allocation in question.  This,
then, partially reverts some of the earlier changes made while plumbing
CapPtr<>s through the system.

While here, avoid quite as many void*-s in favor of Remote* or SlabNext*.
2021-04-09 12:39:29 +01:00
Nathaniel Filardo
78ab0a7937 SP: external_pointer should not leak authority
Work with high-authority pointers internally, but then copy the address onto to
the low-authority pointer originally given to us (using the same primitive as
amplification, just backwards).  This ensures that clients cannot behave
non-monotonically even if they have access to external_pointer().  That is, we
are not an amplification oracle, though we might reveal the address of an object
somewhere clients cannot otherwise access.  Notably, we might reveal if a
{Super,Medium,}Slab has changed sizeclass (or been repurposed as or from a
Largealloc), forming a covert channel for data but not capabilities.  Of course,
if the pointer provided to external_alloc() is still useful, the implied UAF in
these scenarios is still its own problem.
2021-04-09 12:39:29 +01:00
Nathaniel Filardo
c5aff8ed74 SP: plumb CapPtr through cache_friendly functions
Change these functions from being void* to void* to either consuming or
producing FreeObject*-s as appropriate.
2021-04-09 12:39:29 +01:00
Nathaniel Filardo
97f508e2b3 SP: further CapPtr plumbing 2021-04-09 12:39:29 +01:00
Nathaniel Filardo
3541a0cfe1 SP: Allocator::large_alloc return CapPtr<>
Document and suppress MSVC's confusion with CapPtr<>'s constructor (the
suppression has to happen at the definition, not the use, of the constructor) in
the case of never-needs-initialization Allocator-s.
2021-04-09 12:39:29 +01:00
Nathaniel Filardo
d9ee19a16c SP: use CapPtr<>s in address_space, largealloc 2021-04-09 12:39:29 +01:00
Nathaniel Filardo
005f5787ef SP: start plumbing CapPtr<>s 2021-04-09 12:39:29 +01:00
Nathaniel Filardo
ebe8489910 Size-known large dealloc paths should also round up
Like we already do in the size-unknown case.  This ensures that in the CHERI
case we'll always bound to the size of the segment we return to the large alloc,
not to a subset.  It has the added bonus of ensuring that our bounds are
precisely representable.
2021-04-06 16:25:57 +01:00
Nathaniel Filardo
7f841ff081 NFC: Introduce and switch to pal_zero
This wrapper will allow us to pass `AuthPtr<T,B> p` to zero() without needing to
write `p.unsafe_auth_ptr` to get to a `T*` inside.  Moreover, it will give us a
convenient point to assert that `B` is such that the pointer can be used to
manipulate the memory map (i.e. is not exported).
2021-04-06 16:25:57 +01:00
Nathaniel Filardo
4cfcf344fc NFC: LargeAlloc::alloc() take rsize and size both
Mostly for similarity with mediumslabs.  Might shave off a few instructions on
some rare paths (when we know that size == rsize == SUPERSLAB_SIZE).
2021-04-06 16:25:57 +01:00
Nathaniel Filardo
c94e37f5fc alloc: pass rsize, not size, down to Mediumslab::alloc
When we get to CHERI, sizes derived from sizeclasses are always precisely
representable, while other sizes may not be.

This should induce no change in behavior without CHERI, except that we might
PAL::zero slightly more memory this way.
2021-04-06 16:25:57 +01:00
Nathaniel Filardo
a1f17e6060 Mediumslab: pre-factor init() to take explicit self 2021-04-06 16:25:57 +01:00
Matthew Parkinson
f15dc6ee2e Expose Entropy
Define various parts of random that can be used to make the layout of
memory more random.  Thread this through the allocator.

Expose the concept as part of the Pal. Subsequent commits will expose
that on different platforms.
2021-04-06 14:09:18 +01:00
Matthew Parkinson
578abd8db4 Randomise slab allocation pattern (#304)
The slab allocation pattern is randomised based on the deallocation
pattern.  This achieved by using two queues to enqueue free elements
onto.  We pick "randomly", which queue to add to, and then when we take
the free_queue to use, we splice the two queues together.
2021-03-24 16:12:22 +00:00
Nathaniel Filardo
6442f4edd8 NFC: make Superslab interfaces static
As with 4f6cf8cb40, this will let us annotate
the explicit pointers
2021-03-24 11:55:05 +00:00
Matthew Parkinson
d56a99a747 Remove USE_MEASURE
The initial performance monitoring for snmalloc used timing of small
operations to guide the design. This feature has not been maintained or
used for several years.

This commit removes the feature.
2021-03-21 19:00:54 +00:00
Matthew Parkinson
ca1540c0d9 Remove allow_reserve feature
This was original designed for Project Snowflake to enable a careful
interoperation between an allocator and the thread suspend behaviour in
.NET.

This feature is not being tested or used by any current project.  This
form of interop would be better served by designing a special Pal to
interop with the CLR if this is ever needed.

This commit removes the feature.
2021-03-21 19:00:54 +00:00
Matthew Parkinson
8824622136 Better reciprocal division and modulus.
The previous reciprocal division branch on the prime that the sizeclass
was constructed from. All sizeclasses can be represented as
  2^n * {1,3,5,7}
This lead to a very small table, but some work to calculate the
appropriate shifts and multiplications to implement reciprocal division.

This commit uses a completely uniform representation for every
sizeclass using a lookup table.  Due to the precise ranges that we query
the modulus and rounding on, we can do this much more efficiently.

The func-release-rounding exhaustively tests all the queries we are
interested in.
2021-03-19 20:11:15 +00:00
Nathaniel Filardo
486ef10c21 NFC: bump pointers have just one associated Slab
Rather than ::get()-ing the `Superslab` and `Slab` for each object we just
created from the bump pointer, recognize that these objects necessarily come
from the same `Slab` (and so the same `Superslab`).  In the eventuality of
CHERI, this means we'll amplify once per bump pointer, not once per created
object.
2021-03-19 15:17:56 +00:00
Nathaniel Filardo
c5e08573bf NFC: prepare RemoteCache API for amplification
When post()-ing the RemoteCache to message queues, we push an entire bucket
onto a remote allocator's incoming queue (specifically, the allocator owning
the front Remote in the bucket we're moving).  In order to do that, we need to
exceed the bounds of the Remote allocation and reference its Allocslab header
(to get the ->message_queue).  On StrictProvenance architectures, this will
require that we amplify the head Remote* and then engage in some pointer math.

While Remotes contain the address of the message_queue as the allocator's
identity, this may not be a pointer, just an address, and may have undergone
obfuscation anyway.
2021-03-19 15:17:56 +00:00
Matthew Parkinson
ed615eade9 Refactor checks to improve codegen. 2021-03-19 11:28:39 +00:00
Matthew Parkinson
50f412157f Protect free list pointers stored in object space
Free list pointers can be exploited by attackers. This commit implements
a simple encoding scheme to detect corruption of the pointers.  This can
be used to detect UAF and double free.

This does not currently address anything for Medium or Large
allocations.  It also does not address cross thread deallocations.

Co-authored-by: Nathaniel Wesley Filardo <nfilardo@microsoft.com>
2021-03-19 11:28:39 +00:00
Nathaniel Filardo
cbab7a3455 NFC: pointer_offset* functions always return void*
This requires that the caller perform the cast on the output rather than the
input, which is a little closer to the truth.  Shuffle some casts into the right
position.
2021-03-16 09:29:19 +00:00
Nathaniel Filardo
f295a3f191 alloc: de-static external_pointer
Like alloc_size, this will require amplification internally.

This patch also restores performance to the status quo ante; Clang can once
again see enough to generate the same code as it did before de-static-ing
alloc_size.
2021-03-16 09:29:19 +00:00
Nathaniel Filardo
1042fc908a alloc: de-static alloc_size
We're going to need to amplify the pointer and that's going to require access
to our AddressSpaceManager, which we only get non-statically through our
LargeAlloc.

This patch unto itself makes the world slower, perhaps because Clang can't see
the certainty of aliasing of the static and non-static paths to the same
structure.  However, when we also de-static external_pointer, that goes away and
things return to the status quo ante.
2021-03-16 09:29:19 +00:00
Nathaniel Filardo
c9588655b0 NFC: alloc_size s/size/chunkmap_slab_kind/
While here, SNMALLOC_ASSERT() that large allocs end up with sensible slab kind
values.
2021-03-16 09:29:19 +00:00
Nathaniel Filardo
08344cfa94 NFC: external_pointer s/size/chunkmap_slab_kind/
While here, SNMALLOC_ASSERT() that large allocs end up with sensible slab kind
values.
2021-03-16 09:29:19 +00:00
Nathaniel Filardo
4f6cf8cb40 NFC: make Slab, Mediumslab interfaces static
Going forward, this gives us explicit pointers with which to carry bounds
annotations.  Otherwise, assuming AuthPtr overloads operator->, a OOP-style call
like

    AuthPtr<Slab, Bounds> slab;
    slab->foo()

will create a `Slab* this` within the body of `Slab::foo`, leaving it unable to
see or propagate the Bounds annotation.  If it invokes callees that expect
`AuthPtr` arguments, it will therefore have to fabricate new `Bounds` unsafely.
2021-03-16 09:29:19 +00:00
Nathaniel Filardo
49fefc3f83 NFC: introduce SlabNext type for intra-small-slab free pointers
Mostly cosmetic, but eliminates some void*-s and makes intention clearer.
2021-03-16 09:29:19 +00:00
Matthew Parkinson
59edf294d0 Move link out of object space.
The link object was previously stored in a disused object.  This is
good for reducing meta-data, but if we want to reduce the meta-data
corruption potential, then this is not a good design choice.

This commit moves it into the Metaslab.
2021-03-15 13:28:03 +00:00
Matthew Parkinson
e7dce55f19 Move is_start_of_object into Metaslab. 2021-03-15 13:28:03 +00:00
Nathaniel Wesley Filardo
e1ba7cd592 Systematize validity checks on dealloc paths (#285)
Replace the generic check_size() calls with per-{small,medium,large} code paths,
which follow the progression...

* _unchecked: no validation has been performed; check the chunkmap and move
  to...

* _checked_chunkmap: the chunkmap indicates that this is the correct slab-type,
  and so we have reason to believe that our supposed Allocslab pointers are of
  the correct types.  Use those pointers to read the sizeclass and move to...

* _checked_sizeclass: additionally, the Allocslab metadata confirms that our
  sizeclass matches the expected value.  Check that we are at the start of an
  object and move to...

* _start: we now believe we have a pointer to the start of a live object.  On
  a sufficiently capable architecture, we will eventually atomically check that
  our pointer is not (scheduled to be) revoked (and/or not reversioned).  If
  this test passes, our prior pointer arithmetic and loads are justified
  (assuming correctness of the quarantine/revocation/reuse) machinery.

The size-less dealloc(void*) path by necessity reads the chunkmap and sizeclass
data itself and so there's no reason to re-validate; as such, it jumps directly
to the _okcmsc point.  Similarly, we assume that remote queues are full of
already validated objects, and so the remote handling paths continue to jump
further along even than the _start methods.
2021-03-02 09:11:33 +00:00
Nathaniel Filardo
6259457790 Add -Wconversion to clang builds
MSVC has strong opinions on implicit conversions as used in CI, while Clang both
locally and in CI has weaker opinions.  In an effort to avoid subsequent
roundtrips through CI, make clang more strict.  Adding -Wconversion definitely
increases the strength of clang's opinions, apparently to include frowning on
some that even MSVC considers OK, so go make explicit the current implicit
behavior.
2021-03-01 20:18:01 +00:00
Nathaniel Filardo
023290664d NFC: Front "deallocating start of an object" tests
Confirm that the client has given dealloc() a start-of-object pointer before
that pointer propagates very far (esp., before it enters the remote queues).

As these tests are not free, structure the code so that future interfaces can
skip over them if there's reason to be sure we're at the start of an object.
(On CHERI, for example, one could imagine using sealed pointers.)

For architectures with SSM/MTE, immediately after this test we can update the
memory granule to guard against double-frees; leave TODOs in place.
2021-02-09 19:15:40 +00:00
Nathaniel Filardo
975a2bd6db handle_dealloc_remote: restructure to avoid amplification when routing
When forwarding a Remote message, we can now operate entirely with local state:
access to our RemoteCache and the message itself.
2020-12-21 14:12:02 +00:00
Nathaniel Filardo
bf742cef84 handle_dealloc_remote{,_slow}: use Remote's sizeclass information
This removes a bunch of pointer math (which would need amplification) to find
and read the sizeclass from slab headers.
2020-12-21 14:12:02 +00:00
Nathaniel Filardo
7c04a9dad6 Remote: store the sizeclass, too
Squeeze some bits out of allocator IDs so that we can land the sizeclass in
each Remote object.  The intent is that, on StrictProvenance architectures like
CHERI, we will be able to route Remote messages through RemoteCache-s without
needing to amplify back to read the sizeclass metadata field out of the slab
headers.
2020-12-21 14:12:02 +00:00
Nathaniel Filardo
c1d5f48797 Clarify ChunkMapSuperslabKind values 2020-12-16 15:57:19 +00:00
Matthew Parkinson
923705e514 Natural alignment for USE_MALLOC (#248)
* Add concept of natural alignment to tests.

snmalloc naturally aligns blocks very heavily, so that
the largest power-of-two in the rounded size is the alignment.
This checks that in the test, and provides a method for
finding the natural alignment of a block.

* Improve USE_MALLOC to provide alignment

snmalloc provides a lot of alginment guarantees. This ensures that when
we pass through to the system allocator we still get those alignment
guarantees.

The commit also fixes the tests to work with USE_MALLOC, and builds a
set of unit tests for ctest to check behaviour.
2020-09-28 10:08:19 +01:00
Nathaniel Filardo
1e8d0bd743 MemoryProviderStateMixin is not a PAL 2020-09-09 12:55:48 +01:00