[compiler-rt] r185140 - [ASan][OSX] Make sure the zones created by malloc_create_zone() are write-protected.

Alexander Potapenko glider at google.com
Fri Jun 28 03:01:10 PDT 2013


Author: glider
Date: Fri Jun 28 05:01:09 2013
New Revision: 185140

URL: http://llvm.org/viewvc/llvm-project?rev=185140&view=rev
Log:
[ASan][OSX]  Make sure the zones created by malloc_create_zone() are write-protected.
Add a test.

Added:
    compiler-rt/trunk/lib/asan/lit_tests/TestCases/Darwin/malloc_zone-protected.cc   (with props)
Modified:
    compiler-rt/trunk/lib/asan/asan_malloc_mac.cc

Modified: compiler-rt/trunk/lib/asan/asan_malloc_mac.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_malloc_mac.cc?rev=185140&r1=185139&r2=185140&view=diff
==============================================================================
--- compiler-rt/trunk/lib/asan/asan_malloc_mac.cc (original)
+++ compiler-rt/trunk/lib/asan/asan_malloc_mac.cc Fri Jun 28 05:01:09 2013
@@ -19,6 +19,7 @@
 #include <CoreFoundation/CFBase.h>
 #include <dlfcn.h>
 #include <malloc/malloc.h>
+#include <sys/mman.h>
 
 #include "asan_allocator.h"
 #include "asan_interceptors.h"
@@ -49,6 +50,9 @@ INTERCEPTOR(malloc_zone_t *, malloc_crea
                                     &stack, FROM_MALLOC);
   internal_memcpy(new_zone, &asan_zone, sizeof(asan_zone));
   new_zone->zone_name = NULL;  // The name will be changed anyway.
+  // Prevent the client app from overwriting the zone contents.
+  // Library functions that need to modify the zone will set PROT_WRITE on it.
+  mprotect(new_zone, allocated_size, PROT_READ);
   return new_zone;
 }
 
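Review bot: the return value of `mprotect(new_zone, allocated_size, PROT_READ)` is ignored, so if the call fails the zone stays writable and nothing reports it. mprotect() also works on whole pages and expects a page-aligned address, and the visible lines do not show that `new_zone` and `allocated_size` are page-aligned. Please check the result and fail loudly on error, and state the alignment assumption in the comment next to the call.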

Added: compiler-rt/trunk/lib/asan/lit_tests/TestCases/Darwin/malloc_zone-protected.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/lit_tests/TestCases/Darwin/malloc_zone-protected.cc?rev=185140&view=auto
==============================================================================
--- compiler-rt/trunk/lib/asan/lit_tests/TestCases/Darwin/malloc_zone-protected.cc (added)
+++ compiler-rt/trunk/lib/asan/lit_tests/TestCases/Darwin/malloc_zone-protected.cc Fri Jun 28 05:01:09 2013
@@ -0,0 +1,20 @@
+// Make sure the zones created by malloc_create_zone() are write-protected.
+#include <malloc/malloc.h>
+#include <stdio.h>
+
+// RUN: %clangxx_asan %s -o %t
+// RUN: %t 2>&1 | FileCheck %s
+
+
+void *pwn(malloc_zone_t *unused_zone, size_t unused_size) {
+  printf("PWNED\n");
+  return NULL;
+}
+
+int main() {
+  malloc_zone_t *zone = malloc_create_zone(0, 0);
+  zone->malloc = pwn;
+  void *v = malloc_zone_malloc(zone, 1);
+  // CHECK-NOT: PWNED
+  return 0;
+}
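Review bot: the only assertion in this test is `CHECK-NOT: PWNED`, which also holds when the program produces no output for an unrelated reason, for example if `malloc_create_zone(0, 0)` returned NULL and the store to `zone->malloc` crashed on a null pointer. Since the store is expected to fault on a read-only zone, add a positive CHECK for that outcome (a marker printed just before `zone->malloc = pwn;`, or the expected crash report) so the test shows the write was blocked by the protection. A NULL check on `zone` would help too, and `v` is never used.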

Propchange: compiler-rt/trunk/lib/asan/lit_tests/TestCases/Darwin/malloc_zone-protected.cc
------------------------------------------------------------------------------
    svn:eol-style = LF




