[llvm-bugs] [Bug 27646] New: MemorySanitizer va arg helpers are broken if function has many parameters before vararg part.

via llvm-bugs llvm-bugs at lists.llvm.org
Wed May 4 10:30:16 PDT 2016


https://llvm.org/bugs/show_bug.cgi?id=27646

            Bug ID: 27646
           Summary: MemorySanitizer va arg helpers are broken if function
                    has many parameters before vararg part.
           Product: libraries
           Version: trunk
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: Miscellaneous Instrumentation passes
          Assignee: unassignedbugs at nondot.org
          Reporter: koriakin at 0x04.net
                CC: llvm-bugs at lists.llvm.org
    Classification: Unclassified

The x86_64 and aarch64 vararg helpers in memorysanitizer pass currently assume
no non-vararg argument ends up in the overflow area - if that's not true, the
data stored to __msan_va_arg_tls will be misaligned with the overflow pointer
computed by va_start.  Here's a testcase for x86_64:

#include <stdio.h>
#include <stdarg.h>

/* Seven fixed int parameters: on x86_64 SysV the first six go in registers,
   so g is the first argument passed on the stack (the overflow area). */
int passarg(int a, int b, int c, int d, int e, int f, int g, ...) {
        va_list v;
        va_start(v, g);
        int res = va_arg(v, int);   /* should read the initialized vararg 2 */
        va_end(v);
        return res;
}

int main() {
        int undef;   /* deliberately left uninitialized */
        int res = passarg(undef, undef, undef, undef, undef, undef, undef, 2);
        if (res)
                printf("%d\n", res);
        return 0;
}

Compiling with -fsanitize=memory and running results in:

==22438==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x4889ef in main (/home/mwk/llvm/llvm/a.out+0x4889ef)
    #1 0x7f78129fe70f in __libc_start_main (/usr/lib/libc.so.6+0x2070f)
    #2 0x418e38 in _start (/home/mwk/llvm/llvm/a.out+0x418e38)

This is because va_arg effectively reads the shadow belonging to argument g.

aarch64 should be susceptible to the same issue, but I haven't checked it.

mips64 is even worse, since it assumes there's exactly one non-vararg argument.
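The misalignment the report describes can be modelled in a few lines. The following is an added, constructed example (not MemorySanitizer's own code): it encodes the x86_64 SysV facts that six integer arguments travel in registers and the rest in 8-byte stack slots, assumes the caller-side helper assigns an overflow slot to every stack-passed integer argument whether fixed or variadic (the behaviour the report attributes to the pass), and assumes the callee-side copy starts reading overflow shadow at the first variadic argument, where va_start points. The function and parameter names are made up for the illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model of the shadow layout mismatch; not MSan's implementation.
 * ABI facts assumed: 6 GP argument registers, 8-byte overflow slots. */
#define GP_REGS 6
#define SLOT    8

/* Caller side as described in the report: each integer argument that does not
 * fit in a register, fixed or variadic, takes the next overflow slot. Returns
 * the byte offset, within the overflow part of the va_arg TLS, at which the
 * shadow of the first *variadic* argument is stored. */
size_t caller_first_vararg_overflow_offset(int num_fixed_ints) {
    int stack_fixed = num_fixed_ints > GP_REGS ? num_fixed_ints - GP_REGS : 0;
    return (size_t)stack_fixed * SLOT;
}

/* Callee side: va_start sets overflow_arg_area to the first variadic argument,
 * so the shadow for the first va_arg is taken from overflow offset 0. */
size_t callee_first_vararg_overflow_offset(void) {
    return 0;
}

/* Which argument's shadow does the first va_arg actually observe?
 * Returns -1 when caller and callee layouts agree, otherwise the 0-based
 * index of the fixed argument whose shadow sits in the slot the callee reads. */
int shadow_read_by_first_va_arg(int num_fixed_ints) {
    size_t want = callee_first_vararg_overflow_offset();
    size_t have = caller_first_vararg_overflow_offset(num_fixed_ints);
    if (want == have)
        return -1;
    /* Overflow slot k holds fixed argument number GP_REGS + k. */
    return GP_REGS + (int)(want / SLOT);
}

int main(void) {
    /* passarg from the report has 7 fixed ints; g is argument index 6. */
    int idx = shadow_read_by_first_va_arg(7);
    if (idx < 0)
        printf("layouts agree: va_arg reads the vararg's own shadow\n");
    else
        printf("va_arg reads shadow of fixed argument #%d (g in passarg)\n", idx);
    /* With only 6 fixed ints nothing fixed lands in the overflow area. */
    printf("6 fixed ints: %d\n", shadow_read_by_first_va_arg(6));
    return 0;
}
```

With seven fixed integer parameters the caller places the vararg's shadow 8 bytes into the overflow region while the callee reads offset 0, which is exactly the slot holding g's shadow; with six or fewer the two offsets coincide and the report's test case would not fire.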
