[compiler-rt] r274074 - [msan] Fix handling of padding in sendmsg control data.

Evgeniy Stepanov via llvm-commits llvm-commits at lists.llvm.org
Tue Jun 28 15:42:31 PDT 2016


Author: eugenis
Date: Tue Jun 28 17:42:31 2016
New Revision: 274074

URL: http://llvm.org/viewvc/llvm-project?rev=274074&view=rev
Log:
[msan] Fix handling of padding in sendmsg control data.

Added:
    compiler-rt/trunk/test/msan/Linux/cmsghdr.cc
Modified:
    compiler-rt/trunk/lib/sanitizer_common/sanitizer_common_interceptors.inc

Modified: compiler-rt/trunk/lib/sanitizer_common/sanitizer_common_interceptors.inc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/sanitizer_common/sanitizer_common_interceptors.inc?rev=274074&r1=274073&r2=274074&view=diff
==============================================================================
--- compiler-rt/trunk/lib/sanitizer_common/sanitizer_common_interceptors.inc (original)
+++ compiler-rt/trunk/lib/sanitizer_common/sanitizer_common_interceptors.inc Tue Jun 28 17:42:31 2016
@@ -2499,6 +2499,34 @@ INTERCEPTOR(SSIZE_T, recvmsg, int fd, st
 #endif
 
 #if SANITIZER_INTERCEPT_SENDMSG
+static void read_msghdr_control(void *ctx, void *control, uptr controllen) {
+  const unsigned kCmsgDataOffset =
+      RoundUpTo(sizeof(__sanitizer_cmsghdr), sizeof(uptr));
+
+  char *p = (char *)control;
+  char *const control_end = p + controllen;
+  while (true) {
+    if (p + sizeof(__sanitizer_cmsghdr) > control_end) break;
+    __sanitizer_cmsghdr *cmsg = (__sanitizer_cmsghdr *)p;
+    COMMON_INTERCEPTOR_READ_RANGE(ctx, &cmsg->cmsg_len, sizeof(cmsg->cmsg_len));
+
+    if (p + RoundUpTo(cmsg->cmsg_len, sizeof(uptr)) > control_end) break;
+
+    COMMON_INTERCEPTOR_READ_RANGE(ctx, &cmsg->cmsg_level,
+                                  sizeof(cmsg->cmsg_level));
+    COMMON_INTERCEPTOR_READ_RANGE(ctx, &cmsg->cmsg_type,
+                                  sizeof(cmsg->cmsg_type));
+
+    if (cmsg->cmsg_len > kCmsgDataOffset) {
+      char *data = p + kCmsgDataOffset;
+      unsigned data_len = cmsg->cmsg_len - kCmsgDataOffset;
+      if (data_len > 0) COMMON_INTERCEPTOR_READ_RANGE(ctx, data, data_len);
+    }
+
+    p += RoundUpTo(cmsg->cmsg_len, sizeof(uptr));
+  }
+}
+
 static void read_msghdr(void *ctx, struct __sanitizer_msghdr *msg,
                         SSIZE_T maxlen) {
 #define R(f) \
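Review bot: A cmsg_len smaller than sizeof(__sanitizer_cmsghdr) — zero in particular — never advances p, because `p += RoundUpTo(cmsg->cmsg_len, sizeof(uptr))` then adds nothing, so read_msghdr_control spins forever on a malformed control buffer before the kernel ever gets a chance to reject it. The existing `if (p + RoundUpTo(...) > control_end) break;` only catches lengths that overrun the buffer, not ones too short to cover the header itself. Right after the READ_RANGE of cmsg_len add `if (cmsg->cmsg_len < sizeof(__sanitizer_cmsghdr)) break;`. Separately, data_len is declared unsigned while cmsg_len is presumably uptr; the narrowing is only safe because the control_end bound already caps it at controllen, which deserves a one-line comment, and the `if (data_len > 0)` test is redundant given the enclosing `cmsg_len > kCmsgDataOffset` check. read_msghdr_control is entirely within the hunk; read_msghdr's body continues outside it.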
@@ -2518,7 +2546,7 @@ static void read_msghdr(void *ctx, struc
                                   sizeof(*msg->msg_iov) * msg->msg_iovlen);
   read_iovec(ctx, msg->msg_iov, msg->msg_iovlen, maxlen);
   if (msg->msg_control && msg->msg_controllen)
-    COMMON_INTERCEPTOR_READ_RANGE(ctx, msg->msg_control, msg->msg_controllen);
+    read_msghdr_control(ctx, msg->msg_control, msg->msg_controllen);
 }
 
 INTERCEPTOR(SSIZE_T, sendmsg, int fd, struct __sanitizer_msghdr *msg,

Added: compiler-rt/trunk/test/msan/Linux/cmsghdr.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/msan/Linux/cmsghdr.cc?rev=274074&view=auto
==============================================================================
--- compiler-rt/trunk/test/msan/Linux/cmsghdr.cc (added)
+++ compiler-rt/trunk/test/msan/Linux/cmsghdr.cc Tue Jun 28 17:42:31 2016
@@ -0,0 +1,101 @@
+// RUN: %clangxx_msan %s -std=c++11 -DSENDMSG -DPOISONFD -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=SENDMSG
+// RUN: %clangxx_msan %s -std=c++11 -DSENDMSG -DPOISONCRED -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=SENDMSG
+// RUN: %clangxx_msan %s -std=c++11 -DSENDMSG -DPOISONLEN -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=SENDMSG
+// RUN: %clangxx_msan %s -std=c++11 -DSENDMSG -DPOISONLEVEL -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=SENDMSG
+// RUN: %clangxx_msan %s -std=c++11 -DSENDMSG -DPOISONTYPE -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=SENDMSG
+// RUN: %clangxx_msan %s -std=c++11 -DSENDMSG -DPOISONLEN2 -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=SENDMSG
+// RUN: %clangxx_msan %s -std=c++11 -DSENDMSG -DPOISONLEVEL2 -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=SENDMSG
+// RUN: %clangxx_msan %s -std=c++11 -DSENDMSG -DPOISONTYPE2 -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=SENDMSG
+// RUN: %clangxx_msan %s -std=c++11 -DSENDMSG -o %t && %run %t 2>&1 | FileCheck %s --check-prefix=NEGATIVE
+
+// UNSUPPORTED: android
+
+#include <assert.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <netdb.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <sanitizer/msan_interface.h>
+
+const int kBufSize = 10;
+
+int main() {
+  int ret;
+  char buf[kBufSize] = {0};
+  pthread_t client_thread;
+  struct sockaddr_un serveraddr;
+
+  int sock[2];
+  ret = socketpair(AF_UNIX, SOCK_STREAM, 0, sock);
+  assert(ret == 0);
+
+  int sockfd = sock[0];
+
+  struct iovec iov[] = {{buf, 10}};
+  struct msghdr msg = {0};
+  msg.msg_iov = iov;
+  msg.msg_iovlen = 1;
+  msg.msg_flags = 0;
+
+  static const int kNumFds = 3;
+  char controlbuf[CMSG_SPACE(kNumFds * sizeof(int)) +
+                  CMSG_SPACE(sizeof(struct ucred))];
+  msg.msg_control = &controlbuf;
+  msg.msg_controllen = sizeof(controlbuf);
+
+  struct cmsghdr *cmsg = (struct cmsghdr *)&controlbuf;
+  assert(cmsg);
+  int myfds[kNumFds];
+  for (int &fd : myfds)
+    fd = sockfd;
+#ifdef POISONFD
+  __msan_poison(&myfds[1], sizeof(int));
+#endif
+  cmsg->cmsg_level = SOL_SOCKET;
+  cmsg->cmsg_type = SCM_RIGHTS;
+  cmsg->cmsg_len = CMSG_LEN(kNumFds * sizeof(int));
+  memcpy(CMSG_DATA(cmsg), myfds, kNumFds * sizeof(int));
+#ifdef POISONLEVEL
+  __msan_poison(&cmsg->cmsg_level, sizeof(cmsg->cmsg_level));
+#endif
+#ifdef POISONTYPE
+  __msan_poison(&cmsg->cmsg_type, sizeof(cmsg->cmsg_type));
+#endif
+#ifdef POISONLEN
+  __msan_poison(&cmsg->cmsg_len, sizeof(cmsg->cmsg_len));
+#endif
+
+  cmsg = (struct cmsghdr *)(&controlbuf[CMSG_SPACE(kNumFds * sizeof(int))]);
+  assert(cmsg);
+  struct ucred cred = {getpid(), getuid(), getgid()};
+#ifdef POISONCRED
+  __msan_poison(&cred.uid, sizeof(cred.uid));
+#endif
+  cmsg->cmsg_level = SOL_SOCKET;
+  cmsg->cmsg_type = SCM_CREDENTIALS;
+  cmsg->cmsg_len = CMSG_LEN(sizeof(struct ucred));
+  memcpy(CMSG_DATA(cmsg), &cred, sizeof(struct ucred));
+#ifdef POISONLEVEL2
+  __msan_poison(&cmsg->cmsg_level, sizeof(cmsg->cmsg_level));
+#endif
+#ifdef POISONTYPE2
+  __msan_poison(&cmsg->cmsg_type, sizeof(cmsg->cmsg_type));
+#endif
+#ifdef POISONLEN2
+  __msan_poison(&cmsg->cmsg_len, sizeof(cmsg->cmsg_len));
+#endif
+
+  ret = sendmsg(sockfd, &msg, 0);
+  // SENDMSG: MemorySanitizer: use-of-uninitialized-value
+  if (ret == -1) printf("%d: %s\n", errno, strerror(errno));
+  assert(ret > 0);
+
+  fprintf(stderr, "== done\n");
+  // NEGATIVE: == done
+  return 0;
+}
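Review bot: `pthread_t client_thread;` and `struct sockaddr_un serveraddr;` in main() are never used, and no header the file includes directly declares pthread_t, so the test compiles only through a transitive include; both lines should be dropped. The two `assert(cmsg);` checks test the address of a stack array and can never fail, so they add nothing and could go as well. The socketpair descriptors are never closed, which is harmless for a short test but worth a `close(sock[0]); close(sock[1]);` before the return for tidiness. main() is entirely within the hunk.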



