<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On 5 September 2017 at 14:08, Evgeniy Stepanov via llvm-commits <span dir="ltr"><<a href="mailto:llvm-commits@lists.llvm.org" target="_blank">llvm-commits@lists.llvm.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Author: eugenis<br>
Date: Tue Sep  5 14:08:56 2017<br>
New Revision: 312576<br>
<br>
URL: <a href="http://llvm.org/viewvc/llvm-project?rev=312576&view=rev" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-<wbr>project?rev=312576&view=rev</a><br>
Log:<br>
[msan] Check sigset_t and sigaction arguments.<br>
<br>
Summary:<br>
Check sigset_t arguments in ppoll, sig*wait*, sigprocmask<br>
interceptors, and the entire "struct sigaction" in sigaction. This<br>
can be done because sigemptyset/sigfullset are intercepted and<br>
signal masks should be correctly marked as initialized.<br>
<br>
Reviewers: vitalybuka<br>
<br>
Subscribers: kubamracek, llvm-commits<br>
<br>
Differential Revision: <a href="https://reviews.llvm.org/D37367" rel="noreferrer" target="_blank">https://reviews.llvm.org/<wbr>D37367</a><br>
<br>
Added:<br>
    compiler-rt/trunk/test/msan/<wbr>Linux/poll.cc<br>
    compiler-rt/trunk/test/msan/<wbr>sigaction.cc<br>
Modified:<br>
    compiler-rt/trunk/lib/msan/<wbr>msan_interceptors.cc<br>
    compiler-rt/trunk/lib/<wbr>sanitizer_common/sanitizer_<wbr>common_interceptors.inc<br>
    compiler-rt/trunk/test/msan/<wbr>sigwait.cc<br>
<br>
Modified: compiler-rt/trunk/lib/msan/<wbr>msan_interceptors.cc<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/msan/msan_interceptors.cc?rev=312576&r1=312575&r2=312576&view=diff" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-<wbr>project/compiler-rt/trunk/lib/<wbr>msan/msan_interceptors.cc?rev=<wbr>312576&r1=312575&r2=312576&<wbr>view=diff</a><br>
==============================<wbr>==============================<wbr>==================<br>
--- compiler-rt/trunk/lib/msan/<wbr>msan_interceptors.cc (original)<br>
+++ compiler-rt/trunk/lib/msan/<wbr>msan_interceptors.cc Tue Sep  5 14:08:56 2017<br>
@@ -983,11 +983,21 @@ static void SignalAction(int signo, void<br>
   cb(signo, si, uc);<br>
 }<br>
<br>
+static void read_sigaction(const __sanitizer_sigaction *act) {<br>
+  CHECK_UNPOISONED(&act->sa_<wbr>flags, sizeof(act->sa_flags));<br>
+  if (act->sa_flags & __sanitizer::sa_siginfo)<br>
+    CHECK_UNPOISONED(&act-><wbr>sigaction, sizeof(act->sigaction));<br>
+  else<br>
+    CHECK_UNPOISONED(&act-><wbr>handler, sizeof(act->handler));<br>
+  CHECK_UNPOISONED(&act->sa_<wbr>mask, sizeof(act->sa_mask));<br>
+}<br>
+<br>
 INTERCEPTOR(int, sigaction, int signo, const __sanitizer_sigaction *act,<br>
             __sanitizer_sigaction *oldact) {<br>
   ENSURE_MSAN_INITED();<br>
   // FIXME: check that *act is unpoisoned.<br></blockquote><div><br></div><div>Can this FIXME be removed now?</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
   // That requires intercepting all of sigemptyset, sigfillset, etc.<br>
+  if (act) read_sigaction(act);<br>
   int res;<br>
   if (flags()->wrap_signals) {<br>
     SpinMutexLock lock(&sigactions_mu);<br>
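Review bot: read_sigaction checks only one of `handler` / `sigaction` depending on `sa_flags & sa_siginfo` and carries no comment saying why, so a reader may take the `else` branch for an incomplete check. The two fields are presumably overlapping members of a union in `__sanitizer_sigaction` (mirroring libc's `struct sigaction`), in which case checking the inactive member would report on bytes the caller never set; I would put `// handler and sigaction overlap (union): only the member selected by sa_siginfo is meaningful, so check just that one.` above the `if`. The helper also assumes a non-null `act`, which is enforced only at its single call site; a `// act must be non-null` line on the helper keeps that contract visible if it gains other callers. The sigaction interceptor's body continues past the end of the hunk.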
<br>
Modified: compiler-rt/trunk/lib/<wbr>sanitizer_common/sanitizer_<wbr>common_interceptors.inc<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/sanitizer_common/sanitizer_common_interceptors.inc?rev=312576&r1=312575&r2=312576&view=diff" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-<wbr>project/compiler-rt/trunk/lib/<wbr>sanitizer_common/sanitizer_<wbr>common_interceptors.inc?rev=<wbr>312576&r1=312575&r2=312576&<wbr>view=diff</a><br>
==============================<wbr>==============================<wbr>==================<br>
--- compiler-rt/trunk/lib/<wbr>sanitizer_common/sanitizer_<wbr>common_interceptors.inc (original)<br>
+++ compiler-rt/trunk/lib/<wbr>sanitizer_common/sanitizer_<wbr>common_interceptors.inc Tue Sep  5 14:08:56 2017<br>
@@ -3589,7 +3589,7 @@ INTERCEPTOR(int, ppoll, __sanitizer_poll<br>
   if (fds && nfds) read_pollfd(ctx, fds, nfds);<br>
   if (timeout_ts)<br>
     COMMON_INTERCEPTOR_READ_RANGE(<wbr>ctx, timeout_ts, struct_timespec_sz);<br>
-  // FIXME: read sigmask when all of sigemptyset, etc are intercepted.<br>
+  if (sigmask) COMMON_INTERCEPTOR_READ_RANGE(<wbr>ctx, sigmask, sizeof(*sigmask));<br>
   int res =<br>
       COMMON_INTERCEPTOR_BLOCK_REAL(<wbr>ppoll)(fds, nfds, timeout_ts, sigmask);<br>
   if (fds && nfds) write_pollfd(ctx, fds, nfds);<br>
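Review bot: The new `COMMON_INTERCEPTOR_READ_RANGE(ctx, sigmask, sizeof(*sigmask))` checks `sizeof(__sanitizer_sigset_t)` bytes, which is only the right length if the sanitizer's replica type matches the platform libc's `sigset_t` exactly; an oversized replica would read shadow past the caller's object and produce spurious reports. That equality is presumably pinned by a size check in the platform limits file, but nothing at this site points at it, so a one-line comment such as `// sizeof(*sigmask) relies on __sanitizer_sigset_t matching libc's sigset_t (see the platform limits size checks).` would record the dependency. The same applies to the `sizeof(*set)` reads added in the sigwait, sigwaitinfo, sigtimedwait and sigprocmask hunks below. The ppoll interceptor starts and ends outside this hunk.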
@@ -3630,7 +3630,7 @@ INTERCEPTOR(int, wordexp, char *s, __san<br>
 INTERCEPTOR(int, sigwait, __sanitizer_sigset_t *set, int *sig) {<br>
   void *ctx;<br>
   COMMON_INTERCEPTOR_ENTER(ctx, sigwait, set, sig);<br>
-  // FIXME: read sigset_t when all of sigemptyset, etc are intercepted<br>
+  if (set) COMMON_INTERCEPTOR_READ_RANGE(<wbr>ctx, set, sizeof(*set));<br>
   // FIXME: under ASan the call below may write to freed memory and corrupt<br>
   // its metadata. See<br>
   // <a href="https://github.com/google/sanitizers/issues/321" rel="noreferrer" target="_blank">https://github.com/google/<wbr>sanitizers/issues/321</a>.<br>
@@ -3647,7 +3647,7 @@ INTERCEPTOR(int, sigwait, __sanitizer_si<br>
 INTERCEPTOR(int, sigwaitinfo, __sanitizer_sigset_t *set, void *info) {<br>
   void *ctx;<br>
   COMMON_INTERCEPTOR_ENTER(ctx, sigwaitinfo, set, info);<br>
-  // FIXME: read sigset_t when all of sigemptyset, etc are intercepted<br>
+  if (set) COMMON_INTERCEPTOR_READ_RANGE(<wbr>ctx, set, sizeof(*set));<br>
   // FIXME: under ASan the call below may write to freed memory and corrupt<br>
   // its metadata. See<br>
   // <a href="https://github.com/google/sanitizers/issues/321" rel="noreferrer" target="_blank">https://github.com/google/<wbr>sanitizers/issues/321</a>.<br>
@@ -3666,7 +3666,7 @@ INTERCEPTOR(int, sigtimedwait, __sanitiz<br>
   void *ctx;<br>
   COMMON_INTERCEPTOR_ENTER(ctx, sigtimedwait, set, info, timeout);<br>
   if (timeout) COMMON_INTERCEPTOR_READ_RANGE(<wbr>ctx, timeout, struct_timespec_sz);<br>
-  // FIXME: read sigset_t when all of sigemptyset, etc are intercepted<br>
+  if (set) COMMON_INTERCEPTOR_READ_RANGE(<wbr>ctx, set, sizeof(*set));<br>
   // FIXME: under ASan the call below may write to freed memory and corrupt<br>
   // its metadata. See<br>
   // <a href="https://github.com/google/sanitizers/issues/321" rel="noreferrer" target="_blank">https://github.com/google/<wbr>sanitizers/issues/321</a>.<br>
@@ -3729,7 +3729,7 @@ INTERCEPTOR(int, sigprocmask, int how, _<br>
             __sanitizer_sigset_t *oldset) {<br>
   void *ctx;<br>
   COMMON_INTERCEPTOR_ENTER(ctx, sigprocmask, how, set, oldset);<br>
-  // FIXME: read sigset_t when all of sigemptyset, etc are intercepted<br>
+  if (set) COMMON_INTERCEPTOR_READ_RANGE(<wbr>ctx, set, sizeof(*set));<br>
   // FIXME: under ASan the call below may write to freed memory and corrupt<br>
   // its metadata. See<br>
   // <a href="https://github.com/google/sanitizers/issues/321" rel="noreferrer" target="_blank">https://github.com/google/<wbr>sanitizers/issues/321</a>.<br>
<br>
Added: compiler-rt/trunk/test/msan/<wbr>Linux/poll.cc<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/msan/Linux/poll.cc?rev=312576&view=auto" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-<wbr>project/compiler-rt/trunk/<wbr>test/msan/Linux/poll.cc?rev=<wbr>312576&view=auto</a><br>
==============================<wbr>==============================<wbr>==================<br>
--- compiler-rt/trunk/test/msan/<wbr>Linux/poll.cc (added)<br>
+++ compiler-rt/trunk/test/msan/<wbr>Linux/poll.cc Tue Sep  5 14:08:56 2017<br>
@@ -0,0 +1,42 @@<br>
+// RUN: %clangxx_msan -O0 -std=c++11 -g %s -o %t<br>
+// RUN: %run %t _ 2>&1 | FileCheck %s --check-prefix=CLEAN<br>
+// RUN: not %run %t A 2>&1 | FileCheck %s --check-prefix=A<br>
+// RUN: not %run %t B 2>&1 | FileCheck %s --check-prefix=B<br>
+<br>
+#include <assert.h><br>
+#include <poll.h><br>
+#include <signal.h><br>
+#include <stdio.h><br>
+<br>
+#include <sanitizer/msan_interface.h><br>
+<br>
+int main(int argc, char **argv) {<br>
+  char T = argv[1][0];<br>
+<br>
+  struct timespec ts;<br>
+  ts.tv_sec = 0;<br>
+  ts.tv_nsec = 1000;<br>
+  int res = ppoll(nullptr, 0, &ts, nullptr);<br>
+  assert(res == 0);<br>
+<br>
+  if (T == 'A') {<br>
+    __msan_poison(&ts.tv_sec, sizeof(ts.tv_sec));<br>
+    ppoll(nullptr, 0, &ts, nullptr);<br>
+    // A: use-of-uninitialized-value<br>
+  }<br>
+<br>
+  // A-NOT: ==1<br>
+  // B: ==1<br>
+  fprintf(stderr, "==1\n");<br>
+<br>
+  sigset_t sig;<br>
+  if (T != 'B')<br>
+    sigemptyset(&sig);<br>
+  ppoll(nullptr, 0, &ts, &sig);<br>
+  // B: use-of-uninitialized-value<br>
+<br>
+  // B-NOT: ==2<br>
+  // CLEAN: ==2<br>
+  fprintf(stderr, "==2\n");<br>
+  return 0;<br>
+}<br>
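Review bot: The return values of the second and third `ppoll` calls are discarded, so in the CLEAN run a failing `ppoll(nullptr, 0, &ts, &sig)` would still print `==2` and pass; `res = ppoll(nullptr, 0, &ts, &sig); assert(res == 0);` would make the clean path verify the call it exists to exercise. `argc` is also unused while `argv[1][0]` is dereferenced unconditionally, which holds under the RUN lines but is otherwise undocumented; an `assert(argc == 2);` before the read pins the expectation.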
<br>
Added: compiler-rt/trunk/test/msan/<wbr>sigaction.cc<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/msan/sigaction.cc?rev=312576&view=auto" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-<wbr>project/compiler-rt/trunk/<wbr>test/msan/sigaction.cc?rev=<wbr>312576&view=auto</a><br>
==============================<wbr>==============================<wbr>==================<br>
--- compiler-rt/trunk/test/msan/<wbr>sigaction.cc (added)<br>
+++ compiler-rt/trunk/test/msan/<wbr>sigaction.cc Tue Sep  5 14:08:56 2017<br>
@@ -0,0 +1,47 @@<br>
+// RUN: %clangxx_msan -std=c++11 -O0 -g %s -o %t<br>
+// RUN: %run %t __<br>
+// RUN: not %run %t A_ 2>&1 | FileCheck %s<br>
+// RUN: not %run %t AH 2>&1 | FileCheck %s<br>
+// RUN: not %run %t B_ 2>&1 | FileCheck %s<br>
+// RUN: not %run %t BH 2>&1 | FileCheck %s<br>
+// RUN: not %run %t C_ 2>&1 | FileCheck %s<br>
+// RUN: not %run %t CH 2>&1 | FileCheck %s<br>
+<br>
+#include <assert.h><br>
+#include <signal.h><br>
+#include <string.h><br>
+#include <sys/time.h><br>
+#include <unistd.h><br>
+<br>
+#include <sanitizer/msan_interface.h><br>
+<br>
+void handler(int) {}<br>
+void action(int, siginfo_t *, void *) {}<br>
+<br>
+int main(int argc, char **argv) {<br>
+  char T = argv[1][0];<br>
+  char H = argv[1][1];<br>
+  struct sigaction sa;<br>
+  memset(&sa, 0, sizeof(sa));<br>
+  if (H == 'H') {<br>
+    sa.sa_handler = handler;<br>
+  } else {<br>
+    sa.sa_sigaction = action;<br>
+    sa.sa_flags = SA_SIGINFO;<br>
+  }<br>
+<br>
+  if (T == 'A') {<br>
+    if (H == 'H')<br>
+      __msan_poison(&sa.sa_handler, sizeof(sa.sa_handler));<br>
+    else<br>
+      __msan_poison(&sa.sa_<wbr>sigaction, sizeof(sa.sa_sigaction));<br>
+  }<br>
+  if (T == 'B')<br>
+    __msan_poison(&sa.sa_flags, sizeof(sa.sa_flags));<br>
+  if (T == 'C')<br>
+    __msan_poison(&sa.sa_mask, sizeof(sa.sa_mask));<br>
+  // CHECK: use-of-uninitialized-value<br>
+  int res = sigaction(SIGUSR1, &sa, nullptr);<br>
+  assert(res == 0);<br>
+  return 0;<br>
+}<br>
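Review bot: `<sys/time.h>` and `<unistd.h>` are included but nothing in the file uses them; the body needs only `<signal.h>`, `<string.h>`, `<assert.h>` and the msan interface header, so the two lines can be dropped. As in poll.cc, `argc` is unused and `argv[1][1]` is read without checking the argument's length; `assert(argc == 2 && strlen(argv[1]) == 2);` before the reads would pin the two-character contract the RUN lines rely on.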
<br>
Modified: compiler-rt/trunk/test/msan/<wbr>sigwait.cc<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/msan/sigwait.cc?rev=312576&r1=312575&r2=312576&view=diff" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-<wbr>project/compiler-rt/trunk/<wbr>test/msan/sigwait.cc?rev=<wbr>312576&r1=312575&r2=312576&<wbr>view=diff</a><br>
==============================<wbr>==============================<wbr>==================<br>
--- compiler-rt/trunk/test/msan/<wbr>sigwait.cc (original)<br>
+++ compiler-rt/trunk/test/msan/<wbr>sigwait.cc Tue Sep  5 14:08:56 2017<br>
@@ -1,16 +1,21 @@<br>
 // RUN: %clangxx_msan -std=c++11 -O0 -g %s -o %t && %run %t<br>
+// RUN: %clangxx_msan -DPOSITIVE -std=c++11 -O0 -g %s -o %t && not %run %t 2>&1 | FileCheck %s<br>
<br>
 #include <assert.h><br>
-#include <sanitizer/msan_interface.h><br>
 #include <signal.h><br>
 #include <sys/time.h><br>
 #include <unistd.h><br>
<br>
+#include <sanitizer/msan_interface.h><br>
+<br>
 void test_sigwait() {<br>
   sigset_t s;<br>
+#ifndef POSITIVE<br>
   sigemptyset(&s);<br>
   sigaddset(&s, SIGUSR1);<br>
+#endif<br>
   sigprocmask(SIG_BLOCK, &s, 0);<br>
+  // CHECK:  MemorySanitizer: use-of-uninitialized-value<br>
<br>
   if (pid_t pid = fork()) {<br>
     kill(pid, SIGUSR1);<br>
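Review bot: In the POSITIVE build the `#ifndef` removes both `sigemptyset` and `sigaddset`, so `s` reaches `sigprocmask` wholly uninitialized and the report (fatal, as the `not %run` RUN line implies) ends the process there; the fork/kill/sigwait path after it is never exercised in that configuration, which the CHECK line's placement does not make obvious. A short comment next to the `#ifndef`, `// POSITIVE: leave s uninitialized so the sigprocmask interceptor reports before fork().`, would spare the next reader that inference. test_sigwait continues past the end of the hunk.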
<br>
<br>