[compiler-rt] r195117 - [asan] new shadow poison magic for contiguous-container-buffer-overflow, addressed Alexey Samsonov's comments for r195011
Kostya Serebryany
kcc at google.com
Tue Nov 19 00:40:08 PST 2013
Author: kcc
Date: Tue Nov 19 02:40:07 2013
New Revision: 195117
URL: http://llvm.org/viewvc/llvm-project?rev=195117&view=rev
Log:
[asan] new shadow poison magic for contiguous-container-buffer-overflow, addressed Alexey Samsonov's comments for r195011
Added:
compiler-rt/trunk/lib/asan/lit_tests/TestCases/contiguous_container_crash.cc
Modified:
compiler-rt/trunk/include/sanitizer/common_interface_defs.h
compiler-rt/trunk/lib/asan/asan_internal.h
compiler-rt/trunk/lib/asan/asan_poisoning.cc
compiler-rt/trunk/lib/asan/asan_report.cc
compiler-rt/trunk/lib/sanitizer_common/sanitizer_internal_defs.h
Modified: compiler-rt/trunk/include/sanitizer/common_interface_defs.h
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/include/sanitizer/common_interface_defs.h?rev=195117&r1=195116&r2=195117&view=diff
==============================================================================
--- compiler-rt/trunk/include/sanitizer/common_interface_defs.h (original)
+++ compiler-rt/trunk/include/sanitizer/common_interface_defs.h Tue Nov 19 02:40:07 2013
@@ -71,8 +71,10 @@ extern "C" {
// Use with caution and don't use for anything other than vector-like classes.
//
// For AddressSanitizer, 'beg' should be 8-aligned.
- void __sanitizer_annotate_contiguous_container(void *beg, void *end,
- void *old_mid, void *new_mid);
+ void __sanitizer_annotate_contiguous_container(const void *beg,
+ const void *end,
+ const void *old_mid,
+ const void *new_mid);
#ifdef __cplusplus
} // extern "C"
Modified: compiler-rt/trunk/lib/asan/asan_internal.h
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_internal.h?rev=195117&r1=195116&r2=195117&view=diff
==============================================================================
--- compiler-rt/trunk/lib/asan/asan_internal.h (original)
+++ compiler-rt/trunk/lib/asan/asan_internal.h Tue Nov 19 02:40:07 2013
@@ -136,6 +136,7 @@ const int kAsanStackPartialRedzoneMagic
const int kAsanStackAfterReturnMagic = 0xf5;
const int kAsanInitializationOrderMagic = 0xf6;
const int kAsanUserPoisonedMemoryMagic = 0xf7;
+const int kAsanContiguousContainerOOBMagic = 0xfc;
const int kAsanStackUseAfterScopeMagic = 0xf8;
const int kAsanGlobalRedzoneMagic = 0xf9;
const int kAsanInternalHeapMagic = 0xfe;
Modified: compiler-rt/trunk/lib/asan/asan_poisoning.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_poisoning.cc?rev=195117&r1=195116&r2=195117&view=diff
==============================================================================
--- compiler-rt/trunk/lib/asan/asan_poisoning.cc (original)
+++ compiler-rt/trunk/lib/asan/asan_poisoning.cc Tue Nov 19 02:40:07 2013
@@ -256,44 +256,47 @@ void __asan_unpoison_stack_memory(uptr a
PoisonAlignedStackMemory(addr, size, false);
}
-void __sanitizer_annotate_contiguous_container(void *beg_p, void *end_p,
- void *old_mid_p,
- void *new_mid_p) {
+void __sanitizer_annotate_contiguous_container(const void *beg_p,
+ const void *end_p,
+ const void *old_mid_p,
+ const void *new_mid_p) {
+ if (common_flags()->verbosity >= 2)
+ Printf("contiguous_container: %p %p %p %p\n", beg_p, end_p, old_mid_p,
+ new_mid_p);
uptr beg = reinterpret_cast<uptr>(beg_p);
uptr end= reinterpret_cast<uptr>(end_p);
uptr old_mid = reinterpret_cast<uptr>(old_mid_p);
uptr new_mid = reinterpret_cast<uptr>(new_mid_p);
uptr granularity = SHADOW_GRANULARITY;
- CHECK(beg <= end && beg <= old_mid && beg <= new_mid && old_mid <= end &&
- new_mid <= end && IsAligned(beg, granularity));
+ CHECK(beg <= old_mid && beg <= new_mid && old_mid <= end && new_mid <= end &&
+ IsAligned(beg, granularity));
CHECK_LE(end - beg,
FIRST_32_SECOND_64(1UL << 30, 1UL << 34)); // Sanity check.
uptr a = RoundDownTo(Min(old_mid, new_mid), granularity);
uptr c = RoundUpTo(Max(old_mid, new_mid), granularity);
- uptr b = new_mid;
- uptr b1 = RoundDownTo(b, granularity);
- uptr b2 = RoundUpTo(b, granularity);
- uptr d = old_mid;
- uptr d1 = RoundDownTo(d, granularity);
- uptr d2 = RoundUpTo(d, granularity);
+ uptr d1 = RoundDownTo(old_mid, granularity);
+ uptr d2 = RoundUpTo(old_mid, granularity);
// Currently we should be in this state:
// [a, d1) is good, [d2, c) is bad, [d1, d2) is partially good.
// Make a quick sanity check that we are indeed in this state.
if (d1 != d2)
- CHECK_EQ(*(u8*)MemToShadow(d1), d - d1);
+ CHECK_EQ(*(u8*)MemToShadow(d1), old_mid - d1);
if (a + granularity <= d1)
CHECK_EQ(*(u8*)MemToShadow(a), 0);
if (d2 + granularity <= c && c <= end)
- CHECK_EQ(*(u8 *)MemToShadow(c - granularity), kAsanUserPoisonedMemoryMagic);
+ CHECK_EQ(*(u8 *)MemToShadow(c - granularity),
+ kAsanContiguousContainerOOBMagic);
+ uptr b1 = RoundDownTo(new_mid, granularity);
+ uptr b2 = RoundUpTo(new_mid, granularity);
// New state:
// [a, b1) is good, [b2, c) is bad, [b1, b2) is partially good.
// FIXME: we may want to have a separate poison magic value.
PoisonShadow(a, b1 - a, 0);
- PoisonShadow(b2, c - b2, kAsanUserPoisonedMemoryMagic);
+ PoisonShadow(b2, c - b2, kAsanContiguousContainerOOBMagic);
if (b1 != b2) {
CHECK_EQ(b2 - b1, granularity);
- *(u8*)MemToShadow(b1) = static_cast<u8>(b - b1);
+ *(u8*)MemToShadow(b1) = static_cast<u8>(new_mid - b1);
}
}
Modified: compiler-rt/trunk/lib/asan/asan_report.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_report.cc?rev=195117&r1=195116&r2=195117&view=diff
==============================================================================
--- compiler-rt/trunk/lib/asan/asan_report.cc (original)
+++ compiler-rt/trunk/lib/asan/asan_report.cc Tue Nov 19 02:40:07 2013
@@ -74,6 +74,7 @@ class Decorator: private __sanitizer::An
case kAsanInitializationOrderMagic:
return Cyan();
case kAsanUserPoisonedMemoryMagic:
+ case kAsanContiguousContainerOOBMagic:
return Blue();
case kAsanStackUseAfterScopeMagic:
return Magenta();
@@ -120,19 +121,21 @@ static void PrintLegend() {
for (u8 i = 1; i < SHADOW_GRANULARITY; i++)
PrintShadowByte("", i, " ");
Printf("\n");
- PrintShadowByte(" Heap left redzone: ", kAsanHeapLeftRedzoneMagic);
- PrintShadowByte(" Heap right redzone: ", kAsanHeapRightRedzoneMagic);
- PrintShadowByte(" Freed heap region: ", kAsanHeapFreeMagic);
- PrintShadowByte(" Stack left redzone: ", kAsanStackLeftRedzoneMagic);
- PrintShadowByte(" Stack mid redzone: ", kAsanStackMidRedzoneMagic);
- PrintShadowByte(" Stack right redzone: ", kAsanStackRightRedzoneMagic);
- PrintShadowByte(" Stack partial redzone: ", kAsanStackPartialRedzoneMagic);
- PrintShadowByte(" Stack after return: ", kAsanStackAfterReturnMagic);
- PrintShadowByte(" Stack use after scope: ", kAsanStackUseAfterScopeMagic);
- PrintShadowByte(" Global redzone: ", kAsanGlobalRedzoneMagic);
- PrintShadowByte(" Global init order: ", kAsanInitializationOrderMagic);
- PrintShadowByte(" Poisoned by user: ", kAsanUserPoisonedMemoryMagic);
- PrintShadowByte(" ASan internal: ", kAsanInternalHeapMagic);
+ PrintShadowByte(" Heap left redzone: ", kAsanHeapLeftRedzoneMagic);
+ PrintShadowByte(" Heap right redzone: ", kAsanHeapRightRedzoneMagic);
+ PrintShadowByte(" Freed heap region: ", kAsanHeapFreeMagic);
+ PrintShadowByte(" Stack left redzone: ", kAsanStackLeftRedzoneMagic);
+ PrintShadowByte(" Stack mid redzone: ", kAsanStackMidRedzoneMagic);
+ PrintShadowByte(" Stack right redzone: ", kAsanStackRightRedzoneMagic);
+ PrintShadowByte(" Stack partial redzone: ", kAsanStackPartialRedzoneMagic);
+ PrintShadowByte(" Stack after return: ", kAsanStackAfterReturnMagic);
+ PrintShadowByte(" Stack use after scope: ", kAsanStackUseAfterScopeMagic);
+ PrintShadowByte(" Global redzone: ", kAsanGlobalRedzoneMagic);
+ PrintShadowByte(" Global init order: ", kAsanInitializationOrderMagic);
+ PrintShadowByte(" Poisoned by user: ", kAsanUserPoisonedMemoryMagic);
+ PrintShadowByte(" Contiguous container OOB:",
+ kAsanContiguousContainerOOBMagic);
+ PrintShadowByte(" ASan internal: ", kAsanInternalHeapMagic);
}
static void PrintShadowMemoryForAddress(uptr addr) {
@@ -745,6 +748,9 @@ void __asan_report_error(uptr pc, uptr b
case kAsanUserPoisonedMemoryMagic:
bug_descr = "use-after-poison";
break;
+ case kAsanContiguousContainerOOBMagic:
+ bug_descr = "contiguous-container-buffer-overflow";
+ break;
case kAsanStackUseAfterScopeMagic:
bug_descr = "stack-use-after-scope";
break;
Added: compiler-rt/trunk/lib/asan/lit_tests/TestCases/contiguous_container_crash.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/lit_tests/TestCases/contiguous_container_crash.cc?rev=195117&view=auto
==============================================================================
--- compiler-rt/trunk/lib/asan/lit_tests/TestCases/contiguous_container_crash.cc (added)
+++ compiler-rt/trunk/lib/asan/lit_tests/TestCases/contiguous_container_crash.cc Tue Nov 19 02:40:07 2013
@@ -0,0 +1,16 @@
+// RUN: %clangxx_asan -O %s -o %t && not %t 2>&1 | FileCheck %s
+// Test crash due to __sanitizer_annotate_contiguous_container.
+
+extern "C" {
+void __sanitizer_annotate_contiguous_container(const void *beg, const void *end,
+ const void *old_mid,
+ const void *new_mid);
+} // extern "C"
+
+int main(int argc, char **argv) {
+ long t[100];
+ __sanitizer_annotate_contiguous_container(&t[0], &t[0] + 100, &t[0] + 100,
+ &t[0] + 50);
+ return t[60 * argc]; // Touches the poisoned memory.
+}
+// CHECK: AddressSanitizer: contiguous-container-buffer-overflow
Modified: compiler-rt/trunk/lib/sanitizer_common/sanitizer_internal_defs.h
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/sanitizer_common/sanitizer_internal_defs.h?rev=195117&r1=195116&r2=195117&view=diff
==============================================================================
--- compiler-rt/trunk/lib/sanitizer_common/sanitizer_internal_defs.h (original)
+++ compiler-rt/trunk/lib/sanitizer_common/sanitizer_internal_defs.h Tue Nov 19 02:40:07 2013
@@ -114,8 +114,10 @@ extern "C" {
SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_cov_dump();
SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_cov(void *pc);
SANITIZER_INTERFACE_ATTRIBUTE
- void __sanitizer_annotate_contiguous_container(void *beg, void *end,
- void *old_mid, void *new_mid);
+ void __sanitizer_annotate_contiguous_container(const void *beg,
+ const void *end,
+ const void *old_mid,
+ const void *new_mid);
} // extern "C"
More information about the llvm-commits
mailing list