patch 'malloc: fix ASan handling for unmapped memory' has been queued to stable release 21.11.2

[Kevin Traynor <ktraynor@redhat.com>]

Hi,

FYI, your patch has been queued to stable release 21.11.2

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 05/15/22. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/de48c79f3bc2af6a9ac271e575f73bcb66b20c9c

Thanks.

Kevin

---
From de48c79f3bc2af6a9ac271e575f73bcb66b20c9c Mon Sep 17 00:00:00 2001
From: Anatoly Burakov <anatoly.burakov@intel.com>
Date: Wed, 4 May 2022 14:31:58 +0000
Subject: [PATCH] malloc: fix ASan handling for unmapped memory

[ upstream commit 4d8bdd8b56a102fbe7d8ca167d5044625f4dbb32 ]

Currently, when we free previously allocated memory, we mark the area as
"freed" for ASan purposes (flag 0xfd). However, sometimes, freeing a
malloc element will cause pages to be unmapped from memory and re-backed
with anonymous memory again. This may cause ASan's "use-after-free"
error down the line, because the allocator will try to write into
memory areas recently marked as "freed".

To fix this, we need to mark the unmapped memory area as "available",
and fixup surrounding malloc element header/trailers to enable later
malloc routines to safely write into new malloc elements' headers or
trailers.

Bugzilla ID: 994
Fixes: 6cc51b1293ce ("mem: instrument allocator for ASan")

Reported-by: David Marchand <david.marchand@redhat.com>
Signed-off-by: Anatoly Burakov <anatoly.burakov@intel.com>
---
 lib/eal/common/malloc_elem.h |  4 ++++
 lib/eal/common/malloc_heap.c | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+)

diff --git a/lib/eal/common/malloc_elem.h b/lib/eal/common/malloc_elem.h
index 15d8ba7af2..c5f26ffd2f 100644
--- a/lib/eal/common/malloc_elem.h
+++ b/lib/eal/common/malloc_elem.h
@@ -273,4 +273,8 @@ old_malloc_size(struct malloc_elem *elem)
 #define __rte_no_asan
 
+static inline void
+asan_set_zone(void *ptr __rte_unused, size_t len __rte_unused,
+		uint32_t val __rte_unused) { }
+
 static inline void
 asan_set_freezone(void *ptr __rte_unused, size_t size __rte_unused) { }
diff --git a/lib/eal/common/malloc_heap.c b/lib/eal/common/malloc_heap.c
index 55aad2711b..1ca01e0901 100644
--- a/lib/eal/common/malloc_heap.c
+++ b/lib/eal/common/malloc_heap.c
@@ -861,4 +861,5 @@ malloc_heap_free(struct malloc_elem *elem)
 	unsigned int i, n_segs, before_space, after_space;
 	int ret;
+	bool unmapped = false;
 	const struct internal_config *internal_conf =
 		eal_get_internal_configuration();
@@ -1027,4 +1028,7 @@ malloc_heap_free(struct malloc_elem *elem)
 	}
 
+	/* we didn't exit early, meaning we have unmapped some pages */
+	unmapped = true;
+
 	RTE_LOG(DEBUG, EAL, "Heap on socket %d was shrunk by %zdMB\n",
 		msl->socket_id, aligned_len >> 20ULL);
@@ -1034,4 +1038,35 @@ free_unlock:
 	asan_set_freezone(asan_ptr, asan_data_len);
 
+	/* if we unmapped some memory, we need to do additional work for ASan */
+	if (unmapped) {
+		void *asan_end = RTE_PTR_ADD(asan_ptr, asan_data_len);
+		void *aligned_end = RTE_PTR_ADD(aligned_start, aligned_len);
+		void *aligned_trailer = RTE_PTR_SUB(aligned_start,
+				MALLOC_ELEM_TRAILER_LEN);
+
+		/*
+		 * There was a memory area that was unmapped. This memory area
+		 * will have to be marked as available for ASan, because we will
+		 * want to use it next time it gets mapped again. The OS memory
+		 * protection should trigger a fault on access to these areas
+		 * anyway, so we are not giving up any protection.
+		 */
+		asan_set_zone(aligned_start, aligned_len, 0x00);
+
+		/*
+		 * ...however, when we unmap pages, we create new free elements
+		 * which might have been marked as "freed" with an earlier
+		 * `asan_set_freezone` call. So, if there is an area past the
+		 * unmapped space that was marked as freezone for ASan, we need
+		 * to mark the malloc header as available.
+		 */
+		if (asan_end > aligned_end)
+			asan_set_zone(aligned_end, MALLOC_ELEM_HEADER_LEN, 0x00);
+
+		/* if there's space before unmapped memory, mark as available */
+		if (asan_ptr < aligned_start)
+			asan_set_zone(aligned_trailer, MALLOC_ELEM_TRAILER_LEN, 0x00);
+	}
+
 	rte_spinlock_unlock(&(heap->lock));
 	return ret;
-- 
2.34.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2022-05-10 13:24:22.147587271 +0100
+++ 0020-malloc-fix-ASan-handling-for-unmapped-memory.patch	2022-05-10 13:24:21.611646370 +0100
@@ -1 +1 @@
-From 4d8bdd8b56a102fbe7d8ca167d5044625f4dbb32 Mon Sep 17 00:00:00 2001
+From de48c79f3bc2af6a9ac271e575f73bcb66b20c9c Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit 4d8bdd8b56a102fbe7d8ca167d5044625f4dbb32 ]
+
@@ -20 +21,0 @@
-Cc: stable@dpdk.org
@@ -30 +31 @@
-index f2aa98821b..c5f65895e1 100644
+index 15d8ba7af2..c5f26ffd2f 100644
@@ -33 +34 @@
-@@ -279,4 +279,8 @@ old_malloc_size(struct malloc_elem *elem)
+@@ -273,4 +273,8 @@ old_malloc_size(struct malloc_elem *elem)
@@ -43 +44 @@
-index 6c572b6f2c..a3d26fcbea 100644
+index 55aad2711b..1ca01e0901 100644
@@ -46 +47 @@
-@@ -862,4 +862,5 @@ malloc_heap_free(struct malloc_elem *elem)
+@@ -861,4 +861,5 @@ malloc_heap_free(struct malloc_elem *elem)
@@ -52 +53 @@
-@@ -1028,4 +1029,7 @@ malloc_heap_free(struct malloc_elem *elem)
+@@ -1027,4 +1028,7 @@ malloc_heap_free(struct malloc_elem *elem)
@@ -60 +61 @@
-@@ -1035,4 +1039,35 @@ free_unlock:
+@@ -1034,4 +1038,35 @@ free_unlock: