[llvm-bugs] [Bug 45583] New: DFSan does not transfer labels on realloc

via llvm-bugs llvm-bugs at lists.llvm.org
Fri Apr 17 06:40:13 PDT 2020


https://bugs.llvm.org/show_bug.cgi?id=45583

            Bug ID: 45583
           Summary: DFSan does not transfer labels on realloc
           Product: compiler-rt
           Version: 10.0
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P
         Component: dfsan
          Assignee: unassignedbugs at nondot.org
          Reporter: elia.f.geretto at gmail.com
                CC: llvm-bugs at lists.llvm.org

Created attachment 23382
  --> https://bugs.llvm.org/attachment.cgi?id=23382&action=edit
Reproducer (glibc)

When a dynamically allocated buffer is moved due to a `realloc`,
DataFlowSanitizer does not correctly transfer the taint labels to the shadow
memory for the new location. I am attaching a reproducer that works with glibc
2.30.

This bug is caused by `realloc` being marked as `discard` in
`compiler-rt/lib/dfsan/done_abilist.txt`, whereas it needs a custom
wrapper to be handled correctly. Moreover, marking `realloc` as `discard` when
it should not be also silences the warning that tells the user a custom
wrapper is missing, effectively masking the incorrect behavior.

Implementing the custom wrapper is not obvious, since it probably requires
using allocator introspection to get good performance: it is necessary to
retrieve the size of the old chunk passed to `realloc`. Allocator
introspection, however, is not standard and is thus different for every
allocator on every platform.

In the meantime, if this bug is confirmed, it could be a good idea to remove
`realloc` from the `done_abilist.txt` file so that a warning is shown when
`realloc` is called.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
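An added model of the failure mode the report describes (constructed for this note; it is neither compiler-rt code nor the attached reproducer): a small per-chunk table stands in for DFSan's shadow memory, `chunk_size` stands in for the allocator introspection a wrapper needs, and `model_realloc` shows the `discard` behaviour beside a label-copying wrapper. The real `dfsan_set_label`/`dfsan_read_label` calls and `-fsanitize=dataflow` are deliberately not used, so the model builds with any C compiler.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model of DFSan's per-byte shadow labels (not compiler-rt code): a record per
 * live heap chunk stands in for the shadow mapping, and realloc always moves the chunk. */
typedef uint16_t dfsan_label;
enum { MAX_CHUNKS = 32 };                        /* never exhausted in this demo */
static struct { void *base; size_t size; dfsan_label *shadow; } chunks[MAX_CHUNKS];
static int find_chunk(const void *p) {           /* find_chunk(NULL) yields a free slot */
    for (int i = 0; i < MAX_CHUNKS; i++) if (chunks[i].base == p) return i;
    return -1;
}
/* Stands in for allocator introspection: the size of the chunk behind p. */
static size_t chunk_size(const void *p) { int i = find_chunk(p); return i < 0 ? 0 : chunks[i].size; }
void *model_malloc(size_t n) {                   /* fresh memory carries label 0 */
    int i = find_chunk(NULL);
    chunks[i].base = malloc(n); chunks[i].size = n; chunks[i].shadow = calloc(n, sizeof(dfsan_label));
    return chunks[i].base;
}
void model_free(void *p) {
    int i = find_chunk(p); if (i >= 0) { free(chunks[i].shadow); chunks[i].base = NULL; } free(p);
}
/* dfsan_set_label / dfsan_read_label equivalents; p must be a chunk base here. */
void model_set_label(dfsan_label l, void *p, size_t n) {
    int i = find_chunk(p);
    for (size_t k = 0; i >= 0 && k < n && k < chunks[i].size; k++) chunks[i].shadow[k] = l;
}
dfsan_label model_read_label(const void *p, size_t n) {
    int i = find_chunk(p); dfsan_label l = 0;
    for (size_t k = 0; i >= 0 && k < n && k < chunks[i].size; k++) l |= chunks[i].shadow[k];
    return l;
}
/* copy_shadow == 0 is what fun:realloc=discard amounts to: the bytes move, the shadow does
 * not. copy_shadow == 1 is the custom wrapper, which needs the old chunk size to copy labels. */
void *model_realloc(void *p, size_t n, int copy_shadow) {
    size_t keep = chunk_size(p) < n ? chunk_size(p) : n;
    void *q = memcpy(model_malloc(n), p, keep);
    if (copy_shadow)
        memcpy(chunks[find_chunk(q)].shadow, chunks[find_chunk(p)].shadow, keep * sizeof(dfsan_label));
    model_free(p);
    return q;
}
int label_survives(int copy_shadow) {            /* 1 if the taint is still visible after the move */
    char *buf = model_malloc(8);
    model_set_label(1, memset(buf, 'A', 8), 8);
    buf = model_realloc(buf, 64, copy_shadow);
    int tainted = model_read_label(buf, 8) == 1;
    model_free(buf);
    return tainted;
}
```

`label_survives(0)` returns 0, which is the silent label loss the report describes; `label_survives(1)` returns 1.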