<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - DFSan does not transfer labels on realloc"
   href="https://bugs.llvm.org/show_bug.cgi?id=45583">45583</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>DFSan does not transfer labels on realloc
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>compiler-rt
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>10.0
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>enhancement
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>dfsan
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>elia.f.geretto@gmail.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=23382" name="attach_23382" title="Reproducer (glibc)">attachment 23382</a> <a href="attachment.cgi?id=23382&action=edit" title="Reproducer (glibc)">[details]</a></span>
Reproducer (glibc)

When a dynamically allocated buffer is moved due to a `realloc`,
DataFlowSanitizer does not correctly transfer the taint labels to the shadow
memory for the new location. I am attaching a reproducer that works with glibc
2.30.

This bug is caused by `realloc` being marked as `discard` in
`compiler-rt/lib/dfsan/done_abilist.txt`, while instead it needs a custom
wrapper to be handled correctly. Moreover, marking `realloc` as `discard` when
it should not be also silences the warning that tells the user that a custom
wrapper is missing, effectively masking the incorrect behavior.

Implementing the custom wrapper is not obvious, since it probably requires using
allocator introspection to have good performance. It is necessary to
retrieve the size of the old chunk passed to `realloc`. Allocator
introspection, however, is not standard and is thus different for every
allocator on every platform.

In the meantime, if this bug is confirmed, it could be a good idea to remove
`realloc` from the `done_abilist.txt` file so that a warning is shown when
`realloc` is called.</pre>
        </div>
      </p>
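<p>A reproducer for the behaviour described in the report, together with the copy step a custom wrapper would need, as an added example: this is not the reporter's attachment and not compiler-rt code. It uses the DFSan interface as of LLVM 10 (<code>dfsan_create_label</code>, <code>dfsan_set_label</code>, <code>dfsan_read_label</code>, <code>dfsan_has_label</code>, 16-bit labels) and glibc's <code>malloc_usable_size()</code> as the allocator introspection the report mentions. <code>realloc_preserving_labels</code> is a hypothetical user-level helper, not the runtime's own wrapper. When the file is built without <code>-fsanitize=dataflow</code>, a small address-keyed shadow table stands in for the runtime so the same logic can be run and checked against the real glibc <code>realloc</code>.</p>

```c
/* Added example (not the reporter's attachment, not compiler-rt code).
 * Build with DFSan:    clang -fsanitize=dataflow -g realloc_labels.c -o realloc_labels
 * Build without DFSan: cc -g realloc_labels.c -o realloc_labels   (uses the shadow stand-in below) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <malloc.h>   /* malloc_usable_size(): glibc-specific allocator introspection */

#ifndef __has_feature
#define __has_feature(x) 0
#endif

#if __has_feature(dataflow_sanitizer)
#include <sanitizer/dfsan_interface.h>   /* real runtime API (LLVM 10 era) */
#else
/* Stand-in for the DFSan API so the logic can run without the sanitizer.
 * Labels are single bits; the "shadow" is a flat table keyed by byte address.
 * Like real DFSan shadow memory it is indexed by address, so it does not
 * follow a buffer that realloc relocates, which is the behaviour under test. */
typedef uint16_t dfsan_label;
#define EMU_SHADOW_ENTRIES 32768
static struct { uintptr_t addr; dfsan_label label; } emu_shadow[EMU_SHADOW_ENTRIES];
static size_t emu_used;
static dfsan_label emu_next = 1;

static dfsan_label dfsan_create_label(const char *desc, void *userdata) {
    (void)desc; (void)userdata;
    dfsan_label l = emu_next;
    emu_next <<= 1;                     /* at most 16 distinct labels in this stand-in */
    return l;
}
static dfsan_label *emu_slot(uintptr_t a) {
    for (size_t i = 0; i < emu_used; i++)
        if (emu_shadow[i].addr == a) return &emu_shadow[i].label;
    if (emu_used == EMU_SHADOW_ENTRIES) abort();
    emu_shadow[emu_used].addr = a;
    emu_shadow[emu_used].label = 0;
    return &emu_shadow[emu_used++].label;
}
static void dfsan_set_label(dfsan_label label, void *addr, size_t size) {
    for (size_t i = 0; i < size; i++) *emu_slot((uintptr_t)addr + i) = label;
}
static dfsan_label dfsan_read_label(const void *addr, size_t size) {
    dfsan_label u = 0;                  /* union of all labels in the range */
    for (size_t i = 0; i < size; i++) u |= *emu_slot((uintptr_t)addr + i);
    return u;
}
static int dfsan_has_label(dfsan_label label, dfsan_label elem) {
    return (label & elem) == elem;
}
#endif

/* Hypothetical user-level helper showing what a custom realloc wrapper must do:
 * learn the old chunk's size by allocator introspection before realloc may free
 * it, and if the buffer moved, copy the per-byte labels to the new location.
 * Afterwards the old pointer is used only as a shadow index, never dereferenced. */
void *realloc_preserving_labels(void *ptr, size_t size) {
    size_t old_size = ptr ? malloc_usable_size(ptr) : 0;
    void *np = realloc(ptr, size);
    if (np && ptr && np != ptr) {
        size_t n = old_size < size ? old_size : size;
        for (size_t i = 0; i < n; i++)
            dfsan_set_label(dfsan_read_label((char *)ptr + i, 1), (char *)np + i, 1);
        dfsan_set_label(0, ptr, old_size);  /* the old chunk is gone; drop its labels */
    }
    return np;
}

enum { BUF = 32, GROWN = 4096 };

/* Taint a small heap buffer, grow it so realloc has to move it, and report
 * whether the label is still visible at the new address. Returns 1 if kept,
 * 0 if lost; *moved says whether realloc actually relocated the buffer. */
static int label_survives(void *(*grow)(void *, size_t), int *moved) {
    dfsan_label secret = dfsan_create_label("secret", NULL);
    char *p = malloc(BUF);
    char *blocker = malloc(BUF);        /* sits right after p so p cannot grow in place */
    if (!p || !blocker) abort();
    memset(p, 'A', BUF);                /* constructed sample data */
    dfsan_set_label(secret, p, BUF);

    char *np = grow(p, GROWN);
    if (!np) abort();
    *moved = (np != p);
    int kept = dfsan_has_label(dfsan_read_label(np, BUF), secret);

    dfsan_set_label(0, np, malloc_usable_size(np));   /* do not leak labels to the next owner */
    free(np);
    free(blocker);
    return kept;
}

int plain_realloc_keeps_label(int *moved)   { return label_survives(realloc, moved); }
int wrapped_realloc_keeps_label(int *moved) { return label_survives(realloc_preserving_labels, moved); }

int main(void) {
    int moved, kept;
    kept = plain_realloc_keeps_label(&moved);
    printf("plain realloc:   buffer %s, label %s\n", moved ? "moved" : "stayed", kept ? "kept" : "LOST");
    kept = wrapped_realloc_keeps_label(&moved);
    printf("wrapped realloc: buffer %s, label %s\n", moved ? "moved" : "stayed", kept ? "kept" : "LOST");
    return 0;
}
```

<p>Whether glibc actually moves the buffer is not guaranteed, so the program reports it; when the chunk stays in place nothing is lost, which is why the bug is easy to miss in small tests. The per-byte <code>dfsan_read_label</code>/<code>dfsan_set_label</code> loop is the part a runtime wrapper would replace with a direct copy between shadow regions; the old chunk's usable size is the piece of information that cannot be obtained portably, which is the introspection problem the report raises. Under DFSan, an unlisted <code>malloc_usable_size</code> may trigger the runtime's "uninstrumented function" warning (the same warning the report says <code>discard</code> suppresses for <code>realloc</code>); listing it in a local ABI list passed with <code>-fsanitize-blacklist=</code> (the LLVM 10 spelling of the option) silences it.</p>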


    </body>
</html>