Issue: 154140
Summary: [scudo] Crash from top-byte tagging when PR_TAGGED_ADDR_ENABLE not set
Labels: new issue
Assignees: (none)
Reporter: KonradHohentanner
**Summary**
On AArch64 systems with hardware MTE support present (HWCAP2_MTE) but where the dynamic loader does not automatically enable tagged addresses/MTE for the process (e.g., ld-linux-aarch64 in glibc), Scudo currently assumes it is running in an MTE-enabled environment.
This results in Scudo inserting non-zero top-byte tags (via addFixedTag) even though PR_TAGGED_ADDR_ENABLE and MTE faulting are not enabled, which causes the errors described below.
Android is unaffected because its dynamic loader explicitly enables tagged addresses/MTE via prctl(PR_SET_TAGGED_ADDR_CTRL, …).
**Environment**
Hardware: AArch64 with MTE
Kernel: recent Linux
libc/loader: glibc (no MTE enablement by default)
Scudo built with memory tagging support
**What happens**
Hardware advertises MTE via AT_HWCAP2 & HWCAP2_MTE.
The process has not had tagged addresses/MTE activated: no prior prctl(PR_SET_TAGGED_ADDR_CTRL, ...) call has been made.
Scudo still adds non-zero tags to pointer top bytes in software (addFixedTag).
Those tagged pointers are reported as a corrupted chunk header and cause a segmentation fault.
**Expected behavior**
Scudo should only insert top-byte tags when MTE/tagged addresses are actually enabled for the current process (i.e., after the loader/libc has called PR_SET_TAGGED_ADDR_CTRL).
**Fix**
On Linux systems, the function systemSupportsMemoryTagging should additionally check whether TBI and/or MTE has been enabled for the current process.
We can prepare a pull request with this change if that would be helpful.
**Minimal reproduction (Ubuntu 22.04 Docker container running the binary in QEMU)**
_Dockerfile_
```dockerfile
FROM ubuntu:24.04
RUN apt-get update && apt-get install -y clang libc6-dev-arm64-cross libstdc++-11-dev-arm64-cross binutils-aarch64-linux-gnu qemu-user-static git lld
RUN mkdir /src && cat <<'EOF' > /src/test.c
#include <stdlib.h>
int main() {
    void *ptr = malloc(56);
    free(ptr); // Error does not appear without call to free
    return 42;
}
EOF
RUN mkdir /output
RUN clang -fuse-ld=lld -target gnu-linux-aarch64 -o /output/test /src/test.c
RUN git clone --depth 1 --filter=tree:0 -n https://github.com/llvm/llvm-project.git /src/llvm-project
RUN cd /src/llvm-project && git sparse-checkout set compiler-rt/lib/scudo/standalone && git checkout
RUN clang++ -fuse-ld=lld -target gnu-linux-aarch64 -fPIC -g -std=c++17 -O2 -pthread -shared \
-I /src/llvm-project/compiler-rt/lib/scudo/standalone/include \
/src/llvm-project/compiler-rt/lib/scudo/standalone/*.cpp \
-o /output/libscudo.so
ENTRYPOINT ["qemu-aarch64-static", "-L", "/usr/aarch64-linux-gnu", "-E", "LD_PRELOAD=/output/libscudo.so", "/output/test"]
```
_Setup + Run Commands_
```sh
docker build . -t reproduce
docker run reproduce
```
leads to: _Scudo ERROR: corrupted chunk header at address 0x200402500ed2790: most likely due to memory corruption_
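Added example (my own code, not Scudo's) of the check the Fix section asks for: tagging is allowed only when the process has actually opted in via prctl(PR_SET_TAGGED_ADDR_CTRL), which PR_GET_TAGGED_ADDR_CTRL reports, and not merely because AT_HWCAP2 advertises MTE. The prctl and HWCAP2_MTE constants are the Linux UAPI values (with fallbacks for older headers); on a non-AArch64 host the probe simply returns TAG_NONE.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <sys/auxv.h>
#include <sys/prctl.h>
/* Fallbacks for older headers; values match include/uapi/linux/prctl.h
   and arch/arm64/include/uapi/asm/hwcap.h. */
#ifndef PR_GET_TAGGED_ADDR_CTRL
#define PR_GET_TAGGED_ADDR_CTRL 56
#endif
#ifndef PR_TAGGED_ADDR_ENABLE
#define PR_TAGGED_ADDR_ENABLE (1UL << 0)
#endif
#ifndef PR_MTE_TCF_MASK
#define PR_MTE_TCF_MASK (3UL << 1) /* TCF field: NONE=0, SYNC, ASYNC */
#endif
#ifndef HWCAP2_MTE
#define HWCAP2_MTE (1UL << 18)
#endif
enum tag_mode { TAG_NONE = 0, TAG_ADDR_ONLY = 1, TAG_MTE = 2 };

/* Pure policy, so it can be exercised with constructed inputs: hwcap2 is the
   AT_HWCAP2 word, ctl is the prctl(PR_GET_TAGGED_ADDR_CTRL) result (<0 on
   failure). A CPU that advertises MTE is not enough on its own. */
enum tag_mode tag_mode_for(unsigned long hwcap2, long ctl) {
  if (ctl < 0 || !(ctl & PR_TAGGED_ADDR_ENABLE))
    return TAG_NONE; /* loader/libc never opted in: do not tag pointers */
  if ((hwcap2 & HWCAP2_MTE) && ((unsigned long)ctl & PR_MTE_TCF_MASK))
    return TAG_MTE; /* tagged-address ABI on and hardware tag checking on */
  return TAG_ADDR_ONLY; /* tagged-address ABI on, no hardware tag checking */
}

/* Same effect as the report's addFixedTag on an untagged pointer: a 4-bit
   tag in bits 56..59 (existing top-byte bits are cleared first here). */
uintptr_t add_fixed_tag(uintptr_t ptr, unsigned tag) {
  return (ptr & ~(0xFULL << 56)) | ((uintptr_t)(tag & 0xF) << 56);
}

/* What the allocator should do: tag only when the process allows it. */
uintptr_t tag_if_enabled(uintptr_t ptr, unsigned tag, enum tag_mode mode) {
  return mode == TAG_NONE ? ptr : add_fixed_tag(ptr, tag);
}

/* Probe the running process; on non-AArch64 the prctl fails, so TAG_NONE. */
enum tag_mode probe_tag_mode(void) {
  unsigned long hwcap2 = 0;
#ifdef __aarch64__
  hwcap2 = getauxval(AT_HWCAP2); /* HWCAP2_MTE is an arm64 hwcap bit */
#endif
  return tag_mode_for(hwcap2, prctl(PR_GET_TAGGED_ADDR_CTRL, 0, 0, 0, 0));
}
```

With the reported address 0x200402500ed2790, the top byte 0x02 is exactly a fixed tag of 2 placed by add_fixed_tag on an untagged 0x402500ed2790.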
_______________________________________________
llvm-bugs mailing list
llvm-bugs@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs