[compiler-rt] r185138 - [ASan][OSX] Fix the incorrect malloc_create_zone() implementation that led to out-of-bounds mprotect()s

Alexander Potapenko glider at google.com
Fri Jun 28 02:21:31 PDT 2013


Author: glider
Date: Fri Jun 28 04:21:31 2013
New Revision: 185138

URL: http://llvm.org/viewvc/llvm-project?rev=185138&view=rev
Log:
[ASan][OSX] Fix the incorrect malloc_create_zone() implementation that led to out-of-bounds mprotect()s
(https://code.google.com/p/address-sanitizer/issues/detail?id=203)
Add a test.


Added:
    compiler-rt/trunk/lib/asan/lit_tests/TestCases/Darwin/malloc_set_zone_name-mprotect.cc   (with props)
Modified:
    compiler-rt/trunk/lib/asan/asan_malloc_mac.cc

Modified: compiler-rt/trunk/lib/asan/asan_malloc_mac.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_malloc_mac.cc?rev=185138&r1=185137&r2=185138&view=diff
==============================================================================
--- compiler-rt/trunk/lib/asan/asan_malloc_mac.cc (original)
+++ compiler-rt/trunk/lib/asan/asan_malloc_mac.cc Fri Jun 28 04:21:31 2013
@@ -42,8 +42,11 @@ INTERCEPTOR(malloc_zone_t *, malloc_crea
                              vm_size_t start_size, unsigned zone_flags) {
   if (!asan_inited) __asan_init();
   GET_STACK_TRACE_MALLOC;
+  uptr page_size = GetPageSizeCached();
+  uptr allocated_size = RoundUpTo(sizeof(asan_zone), page_size);
   malloc_zone_t *new_zone =
-      (malloc_zone_t*)asan_malloc(sizeof(asan_zone), &stack);
+      (malloc_zone_t*)asan_memalign(page_size, allocated_size,
+                                    &stack, FROM_MALLOC);
   internal_memcpy(new_zone, &asan_zone, sizeof(asan_zone));
   new_zone->zone_name = NULL;  // The name will be changed anyway.
   return new_zone;
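Review bot: The page-alignment and page-multiple size on the new `asan_memalign` call are the whole point of the fix, but nothing in the code says why; a reader will see `RoundUpTo(sizeof(asan_zone), page_size)` as waste and may shrink it back. Add above the `allocated_size` line a comment such as `// malloc_set_zone_name() mprotect()s the zone page-wise, so the zone object must be page-aligned and occupy whole pages; otherwise the protection spills onto neighbouring allocations (issue 203).` The `internal_memcpy` on the next line still dereferences `new_zone` without a NULL check, as the old `asan_malloc` path did; if `asan_memalign` can return NULL here (I cannot tell from the hunk), an early return is warranted. The interceptor's signature starts before the hunk.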

Added: compiler-rt/trunk/lib/asan/lit_tests/TestCases/Darwin/malloc_set_zone_name-mprotect.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/lit_tests/TestCases/Darwin/malloc_set_zone_name-mprotect.cc?rev=185138&view=auto
==============================================================================
--- compiler-rt/trunk/lib/asan/lit_tests/TestCases/Darwin/malloc_set_zone_name-mprotect.cc (added)
+++ compiler-rt/trunk/lib/asan/lit_tests/TestCases/Darwin/malloc_set_zone_name-mprotect.cc Fri Jun 28 04:21:31 2013
@@ -0,0 +1,51 @@
+// Regression test for a bug in malloc_create_zone()
+// (https://code.google.com/p/address-sanitizer/issues/detail?id=203)
+// The old implementation of malloc_create_zone() didn't always return a
+// page-aligned address, so we can only test on a best-effort basis.
+
+// RUN: %clangxx_asan %s -o %t
+// RUN: %t 2>&1
+
+#include <malloc/malloc.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+
+const int kNumIter = 4096;
+const int kNumZones = 100;
+int main() {
+  char *mem[kNumIter * 2];
+  // Allocate memory chunks from different size classes up to 1 page.
+  // (For the case malloc() returns memory chunks in descending order)
+  for (int i = 0; i < kNumIter; i++) {
+    mem[i] = (char*)malloc(8 * i);
+  }
+  // Try to allocate a page-aligned malloc zone. Otherwise the mprotect() call
+  // in malloc_set_zone_name() will silently fail.
+  malloc_zone_t *zone = NULL;
+  bool aligned = false;
+  for (int i = 0; i < kNumZones; i++) {
+    zone = malloc_create_zone(0, 0);
+    if (((uintptr_t)zone & (~0xfff)) == (uintptr_t)zone) {
+      aligned = true;
+      break;
+    }
+  }
+  if (!aligned) {
+    printf("Warning: couldn't allocate a page-aligned zone.");
+    return 0;
+  }
+  // malloc_set_zone_name() calls mprotect(zone, 4096, PROT_READ | PROT_WRITE),
+  // modifies the zone contents and then calls mprotect(zone, 4096, PROT_READ).
+  malloc_set_zone_name(zone, "foobar");
+  // Allocate memory chunks from different size classes again.
+  for (int i = 0; i < kNumIter; i++) {
+    mem[i + kNumIter] = (char*)malloc(8 * i);
+  }
+  // Access the allocated memory chunks and free them.
+  for (int i = 0; i < kNumIter * 2; i++) {
+    memset(mem[i], 'a', 8 * (i % kNumIter));
+    free(mem[i]);
+  }
+  return 0;
+}
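Review bot: The alignment check at `if (((uintptr_t)zone & (~0xfff)) == (uintptr_t)zone)` hard-codes a 4 KiB page while the fix under test uses `GetPageSizeCached()`, so on a larger-page system the test would accept nothing as aligned and silently take the warning exit; use the system page size instead, e.g. `#include <unistd.h>` and `uintptr_t page_mask = (uintptr_t)getpagesize() - 1;` then `if (((uintptr_t)zone & page_mask) == 0)`. The `printf("Warning: ...")` line lacks a trailing newline, and the comments at "calls mprotect(zone, 4096, ...)" should say "one page" rather than 4096 for the same reason. `malloc(8 * i)` with `i == 0` may return NULL, so `memset(mem[0], 'a', 0)` passes a null pointer to memset; starting the size at `8 * i + 8` or skipping the zero-length case avoids that.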

Propchange: compiler-rt/trunk/lib/asan/lit_tests/TestCases/Darwin/malloc_set_zone_name-mprotect.cc
------------------------------------------------------------------------------
    svn:eol-style = LF




