[compiler-rt] r305489 - [ubsan] Fix a faulty memory accessibility check

Vedant Kumar via llvm-commits llvm-commits at lists.llvm.org
Thu Jun 15 11:23:16 PDT 2017 

Author: vedantk
Date: Thu Jun 15 13:23:16 2017
New Revision: 305489

URL: http://llvm.org/viewvc/llvm-project?rev=305489&view=rev
Log:
[ubsan] Fix a faulty memory accessibility check

The dynamic type check needs to inspect vtables, but could crash if it
encounters a vtable pointer to inaccessible memory. In the first attempt
to fix the issue (r304437), we performed a memory accessibility check on
the wrong range of memory. This should *really* fix the problem.

Patch by Max Moroz!

Differential Revision: https://reviews.llvm.org/D34215

Added:
    compiler-rt/trunk/test/ubsan/TestCases/TypeCheck/Linux/
    compiler-rt/trunk/test/ubsan/TestCases/TypeCheck/Linux/PR33221.cpp
    compiler-rt/trunk/test/ubsan/TestCases/TypeCheck/Linux/lit.local.cfg
Modified:
    compiler-rt/trunk/lib/ubsan/ubsan_type_hash_itanium.cc
    compiler-rt/trunk/test/ubsan/TestCases/TypeCheck/PR33221.cpp

Modified: compiler-rt/trunk/lib/ubsan/ubsan_type_hash_itanium.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/ubsan/ubsan_type_hash_itanium.cc?rev=305489&r1=305488&r2=305489&view=diff
==============================================================================
--- compiler-rt/trunk/lib/ubsan/ubsan_type_hash_itanium.cc (original)
+++ compiler-rt/trunk/lib/ubsan/ubsan_type_hash_itanium.cc Thu Jun 15 13:23:16 2017
@@ -197,9 +197,9 @@ struct VtablePrefix {
 };
 VtablePrefix *getVtablePrefix(void *Vtable) {
   VtablePrefix *Vptr = reinterpret_cast<VtablePrefix*>(Vtable);
-  if (!IsAccessibleMemoryRange((uptr)Vptr, sizeof(VtablePrefix)))
-    return nullptr;
   VtablePrefix *Prefix = Vptr - 1;
+  if (!IsAccessibleMemoryRange((uptr)Prefix, sizeof(VtablePrefix)))
+    return nullptr;
   if (!Prefix->TypeInfo)
     // This can't possibly be a valid vtable.
     return nullptr;

Added: compiler-rt/trunk/test/ubsan/TestCases/TypeCheck/Linux/PR33221.cpp
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/ubsan/TestCases/TypeCheck/Linux/PR33221.cpp?rev=305489&view=auto
==============================================================================
--- compiler-rt/trunk/test/ubsan/TestCases/TypeCheck/Linux/PR33221.cpp (added)
+++ compiler-rt/trunk/test/ubsan/TestCases/TypeCheck/Linux/PR33221.cpp Thu Jun 15 13:23:16 2017
@@ -0,0 +1,50 @@
+// RUN: %clangxx -std=c++11 -frtti -fsanitize=vptr -g %s -O3 -o %t
+// RUN: %run %t &> %t.log
+// RUN: cat %t.log | not count 0 && FileCheck --input-file %t.log %s || cat %t.log | count 0
+
+// REQUIRES: cxxabi
+
+#include <sys/mman.h>
+#include <unistd.h>
+
+class Base {
+public:
+  int i;
+  virtual void print() {}
+};
+
+class Derived : public Base {
+public:
+  void print() {}
+};
+
+
+int main() {
+  int page_size = getpagesize();
+
+  void *non_accessible = mmap(nullptr, page_size, PROT_NONE,
+                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+  
+  if (non_accessible == MAP_FAILED)
+    return 0;
+
+  void *accessible = mmap((char*)non_accessible + page_size, page_size,
+                          PROT_READ | PROT_WRITE,
+                          MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+  if (accessible == MAP_FAILED)
+    return 0;
+
+  char *c = new char[sizeof(Derived)];
+
+  // The goal is to trigger a condition when Vptr points to accessible memory,
+  // but VptrPrefix does not. That has been triggering SIGSEGV in UBSan code.
+  void **vtable_ptr = reinterpret_cast<void **>(c);
+  *vtable_ptr = (void*)accessible;
+
+  Derived *list = (Derived *)c;
+
+// CHECK: PR33221.cpp:[[@LINE+2]]:19: runtime error: member access within address {{.*}} which does not point to an object of type 'Base'
+// CHECK-NEXT: invalid vptr
+  int foo = list->i;
+  return 0;
+}

Added: compiler-rt/trunk/test/ubsan/TestCases/TypeCheck/Linux/lit.local.cfg
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/ubsan/TestCases/TypeCheck/Linux/lit.local.cfg?rev=305489&view=auto
==============================================================================
--- compiler-rt/trunk/test/ubsan/TestCases/TypeCheck/Linux/lit.local.cfg (added)
+++ compiler-rt/trunk/test/ubsan/TestCases/TypeCheck/Linux/lit.local.cfg Thu Jun 15 13:23:16 2017
@@ -0,0 +1,9 @@
+def getRoot(config):
+  if not config.parent:
+    return config
+  return getRoot(config.parent)
+
+root = getRoot(config)
+
+if root.host_os not in ['Linux']:
+  config.unsupported = True

Modified: compiler-rt/trunk/test/ubsan/TestCases/TypeCheck/PR33221.cpp
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/ubsan/TestCases/TypeCheck/PR33221.cpp?rev=305489&r1=305488&r2=305489&view=diff
==============================================================================
--- compiler-rt/trunk/test/ubsan/TestCases/TypeCheck/PR33221.cpp (original)
+++ compiler-rt/trunk/test/ubsan/TestCases/TypeCheck/PR33221.cpp Thu Jun 15 13:23:16 2017
@@ -18,7 +18,7 @@ public:
 
 int main() {
   char *c = new char[sizeof(Derived)];
-  memset((void *)c, 0, sizeof(Derived));
+  memset((void *)c, 0xFF, sizeof(Derived));
   Derived *list = (Derived *)c;
 
 // CHECK: PR33221.cpp:[[@LINE+2]]:19: runtime error: member access within address {{.*}} which does not point to an object of type 'Base'

More information about the llvm-commits mailing list