[compiler-rt] [HWASan] Prevent same tag for adjacent heap objects (PR #69337)
via llvm-commits
llvm-commits at lists.llvm.org
Fri Nov 17 05:52:11 PST 2023
================
@@ -345,13 +364,21 @@ static void HwasanDeallocate(StackTrace *stack, void *tagged_ptr) {
// Always store full 8-bit tags on free to maximize UAF detection.
tag_t tag;
if (t) {
- // Make sure we are not using a short granule tag as a poison tag. This
- // would make us attempt to read the memory on a UaF.
- // The tag can be zero if tagging is disabled on this thread.
- do {
- tag = t->GenerateRandomTag(/*num_bits=*/8);
- } while (
- UNLIKELY((tag < kShadowAlignment || tag == pointer_tag) && tag != 0));
+ if (t->TaggingDisabled()) {
+ tag = 0;
+ } else {
+ tag_t previous_tag = *(tag_t *)(MemToShadow((uptr)(aligned_ptr)-1));
+ tag_t following_tag = *(
+ tag_t *)(MemToShadow((uptr)(aligned_ptr) + TaggedSize(orig_size)));
+ // Make sure we are not using a short granule tag as a poison tag. This
+ // would make us attempt to read the memory on a UaF.
+ // The tag can be zero if tagging is disabled on this thread.
+ do {
+ tag = t->GenerateRandomTag(/*num_bits=*/8);
+ } while (UNLIKELY(tag < kShadowAlignment || tag == pointer_tag ||
+ tag == previous_tag || tag == following_tag) &&
+ tag != 0);
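Review bot: the two comment lines retained inside the new `else` branch ("The tag can be zero if tagging is disabled on this thread.") are stale where they now sit: this branch is only entered when `t->TaggingDisabled()` is false, and the disabled case is handled explicitly with `tag = 0;` above. If `GenerateRandomTag` cannot return 0 once tagging is enabled, the trailing `&& tag != 0` guard is unreachable here and can be dropped along with the comment; if it can, the comment should be rewritten to say why a zero tag must still escape the loop (it would otherwise be rejected by `tag < kShadowAlignment`). As a style point, the original wrapped the whole loop condition in `UNLIKELY(...)`, whereas the new version wraps only the disjunction and leaves `&& tag != 0` outside, so the hint no longer covers the full condition; consider `while (UNLIKELY((tag < kShadowAlignment || tag == pointer_tag || tag == previous_tag || tag == following_tag) && tag != 0))` to match the previous form.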
----------------
KonradHohentanner wrote:
I left the condition in to keep the previous functionality, where the tag after free could still be zero. Otherwise the tag < kShadowAlignment condition will continue the loop for tag == zero.
https://github.com/llvm/llvm-project/pull/69337