allocators: Apply manual ASan poisoning to `PoolResource` #32581

pull dergoegge wants to merge 1 commits into bitcoin:master from dergoegge:2025-05-pool-poison changing 3 files +32 −1

dergoegge commented at 5:18 PM on May 21, 2025: member

Currently ASan will not detect use-after-free issues for memory allocated by a PoolResource. This is because ASan is only aware of the memory chunks allocated by PoolResource but not the individual "sub-chunks" within.

E.g. this test will not produce an ASan error even though the referenced coin has been deallocated:

diff --git a/src/test/coins_tests.cpp b/src/test/coins_tests.cpp
index c46144b34b..aa6ca15ce1 100644
--- a/src/test/coins_tests.cpp
+++ b/src/test/coins_tests.cpp
@@ -508,6 +508,17 @@ BOOST_FIXTURE_TEST_CASE(updatecoins_simulation_test, UpdateTest)
     BOOST_CHECK(spent_a_duplicate_coinbase);
 }

+BOOST_AUTO_TEST_CASE(asan_uaf)
+{
+    CCoinsMapMemoryResource cache_coins_memory_resource{};
+    CCoinsMap map(0, SaltedOutpointHasher(/*deterministic=*/true), CCoinsMap::key_equal{}, &cache_coins_memory_resource);
+    COutPoint outpoint{};
+    map.emplace(outpoint, Coin{});
+    auto& coin = map.at(outpoint);
+    map.erase(outpoint);
+    coin.coin.nHeight = 1;
+}
+
 BOOST_AUTO_TEST_CASE(ccoins_serialization)
 {
     // Good example

Fix this by applying manual ASan poisoning for memory allocated by PoolResource:

Newly allocated chunks are poisoned as a whole
"Sub-chunks" are unpoisoned/re-poisoned during allocation/deallocation

With the poisoning applied, ASan catches the issue in the test above:

$ ./build_unit/bin/test_bitcoin --run_test="coins_tests/asan_uaf"
Running 1 test case...
=================================================================
==366064==ERROR: AddressSanitizer: use-after-poison on address 0x7f99c3204870 at pc 0x55569dab6f8a bp 0x7ffe0210e4d0 sp 0x7ffe0210e4c8
READ of size 4 at 0x7f99c3204870 thread T0 (b-test)

DrahtBot commented at 5:18 PM on May 21, 2025: contributor



The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.



Code Coverage & Benchmarks

For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/32581.



Reviews

See the guideline for information on the review process.

Type Reviewers

ACK marcofleon, achow101

Concept ACK sipa, fanquake, l0rinc

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.
dergoegge marked this as a draft on May 21, 2025
dergoegge commented at 5:37 PM on May 21, 2025: member

Draft until I sort out the CI failures
DrahtBot added the label CI failed on May 21, 2025
DrahtBot commented at 9:30 PM on May 21, 2025: contributor


🚧 At least one of the CI tasks failed. Task tidy: https://github.com/bitcoin/bitcoin/runs/42652441080 LLM reason (✨ experimental): The CI failure is due to the use of undeclared identifiers related to ASAN in the pool.h file, resulting in compilation errors. 

<details><summary>Hints</summary>

Try to run the tests locally, according to the documentation. However, a CI failure may still happen due to a number of reasons, for example:
- Possibly due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.
- A sanitizer issue, which can only be found by compiling with the sanitizer and running the affected test.
- An intermittent issue.
Leave a comment here, if you need help tracking down a confusing failure.

</details>
sipa commented at 9:32 PM on May 21, 2025: member

Concept ACK
dergoegge force-pushed on May 22, 2025
dergoegge force-pushed on May 22, 2025
dergoegge marked this as ready for review on May 22, 2025
l0rinc commented at 8:30 AM on May 22, 2025: contributor

This is because ASan is only aware of the memory chunks allocated by PoolResource but not the individual "sub-chunks" within

What's the deeper explanation for this? Can we refactor the code or patch the sanitizers instead of annotating our code in places where we already know the code is problematic? Don't have a lot of experience in this area, I might be off, was just wondering if there's a more general solution.
fanquake commented at 8:38 AM on May 22, 2025: member

Concept ACK
dergoegge commented at 9:03 AM on May 22, 2025: member

What's the depper explanation for this?

At a high level PoolResource allocates larger chunks of memory (by default 262144 bytes per chunk) and allows for smaller memory sections within those chunks to be allocated (in a way that is optimized for node based containers, e.g. std::unordered_map).

ASan instruments calls to e.g. malloc/free and new/delete to detect UaF and other issues, so for PoolResource it'll be aware of the allocations of the larger chunks. However, it does not instrument our custom allocate/deallocate functions and that is likely also not practical to do in a general way, because the exact instrumentation needed depends heavily on the allocator implementation.

In our case, PoolResource uses the memory allocated for the chunks for both allocating smaller sections as well as its internal free list. That is why if you look at the patch here, internally unpoisoning the free list pointers is necessary before accessing them. Every custom allocator implementation might have different implementation quirks like this and it does not seem feasible for ASan to figure this out on its own.
DrahtBot removed the label CI failed on May 22, 2025
l0rinc commented at 9:27 AM on May 22, 2025: contributor

Thanks for clarifying. Though https://github.com/google/sanitizers/wiki/AddressSanitizerManualPoisoning seems quite old (2015), a recent https://blog.trailofbits.com/2024/05/16/understanding-addresssanitizer-better-memory-safety-for-your-code article also confirms Incorrect access to memory managed by a custom allocator won’t raise an error unless the allocator performs annotations. The sanitizer description also mentioned thread safety warnings and alignment restrictions - but I think we should be okay in both cases here. Concept ACK
dergoegge force-pushed on May 23, 2025
[allocators] Apply manual ASan poisoning to PoolResource ad132761fc
dergoegge force-pushed on May 23, 2025
DrahtBot added the label CI failed on May 23, 2025
DrahtBot commented at 9:10 AM on May 23, 2025: contributor


🚧 At least one of the CI tasks failed. Task fuzzer,address,undefined,integer, no depends: https://github.com/bitcoin/bitcoin/runs/42771108504 LLM reason (✨ experimental): The CI failure is due to build errors caused by macro redefinitions of ASAN_POISON_MEMORY_REGION and ASAN_UNPOISON_MEMORY_REGION. 

<details><summary>Hints</summary>

Try to run the tests locally, according to the documentation. However, a CI failure may still happen due to a number of reasons, for example:
- Possibly due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.
- A sanitizer issue, which can only be found by compiling with the sanitizer and running the affected test.
- An intermittent issue.
Leave a comment here, if you need help tracking down a confusing failure.

</details>
DrahtBot removed the label CI failed on May 23, 2025
fanquake added this to the milestone 30.0 on Jul 2, 2025
fanquake commented at 1:57 PM on July 2, 2025: member

Added this to 30.0. cc @marcofleon
marcofleon commented at 1:37 PM on July 7, 2025: contributor

code review ACK ad132761fc49c38769c09653a265fdbc3b93eda5

Built with ASan and ran the unit tests to be sure. Also added a small use-after-free test in pool_tests that passes on master but not on this PR, as expected. Nice.
DrahtBot requested review from fanquake on Jul 7, 2025
DrahtBot requested review from sipa on Jul 7, 2025
DrahtBot requested review from l0rinc on Jul 7, 2025
achow101 commented at 9:08 PM on August 4, 2025: member

ACK ad132761fc49c38769c09653a265fdbc3b93eda5
fanquake merged this on Aug 5, 2025
fanquake closed this on Aug 5, 2025