<div dir="ltr"><a class="gmail_plusreply" id="plusReplyChip-0" href="mailto:dokyungs@google.com" tabindex="-1">+Dokyung Song</a></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jul 16, 2020 at 6:11 PM Richard Smith <<a href="mailto:richard@metafoo.co.uk">richard@metafoo.co.uk</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">I reverted this and the follow-up change 12d1124 in 8ef9e2b.<div><br></div><div>These interceptors will need to be protected against the possibility that they are re-entered during their own initialization. Calling dlsym can recursively invoke these functions. (The ASan interceptors already contain this kind of protection, at least for some of their interceptors.)</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 16 Jul 2020 at 13:27, Matt Morehouse via llvm-commits <<a href="mailto:llvm-commits@lists.llvm.org" target="_blank">llvm-commits@lists.llvm.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
Author: Dokyung Song<br>
Date: 2020-07-16T20:26:35Z<br>
New Revision: f78d9fceea736d431e9e3cbca291e3909e3aa46d<br>
<br>
URL: <a href="https://github.com/llvm/llvm-project/commit/f78d9fceea736d431e9e3cbca291e3909e3aa46d" rel="noreferrer" target="_blank">https://github.com/llvm/llvm-project/commit/f78d9fceea736d431e9e3cbca291e3909e3aa46d</a><br>
DIFF: <a href="https://github.com/llvm/llvm-project/commit/f78d9fceea736d431e9e3cbca291e3909e3aa46d.diff" rel="noreferrer" target="_blank">https://github.com/llvm/llvm-project/commit/f78d9fceea736d431e9e3cbca291e3909e3aa46d.diff</a><br>
<br>
LOG: [libFuzzer] Link libFuzzer's own interceptors when other compiler runtimes are not linked.<br>
<br>
Summary: libFuzzer intercepts certain library functions such as memcmp/strcmp by defining weak hooks. Weak hooks, however, are called only when other runtimes such as ASan is linked. This patch defines libFuzzer's own interceptors, which is linked into the libFuzzer executable when other runtimes are not linked, i.e., when -fsanitize=fuzzer is given, but not others.<br>
<br>
Reviewers: kcc, morehouse, hctim<br>
<br>
Reviewed By: morehouse, hctim<br>
<br>
Subscribers: krytarowski, mgorny, cfe-commits, #sanitizers<br>
<br>
Tags: #clang, #sanitizers<br>
<br>
Differential Revision: <a href="https://reviews.llvm.org/D83494" rel="noreferrer" target="_blank">https://reviews.llvm.org/D83494</a><br>
<br>
Added: <br>
compiler-rt/lib/fuzzer/FuzzerInterceptors.cpp<br>
<br>
Modified: <br>
clang/include/clang/Driver/SanitizerArgs.h<br>
clang/lib/Driver/SanitizerArgs.cpp<br>
clang/lib/Driver/ToolChains/CommonArgs.cpp<br>
compiler-rt/lib/fuzzer/CMakeLists.txt<br>
compiler-rt/test/fuzzer/memcmp.test<br>
compiler-rt/test/fuzzer/memcmp64.test<br>
compiler-rt/test/fuzzer/strcmp.test<br>
compiler-rt/test/fuzzer/strncmp.test<br>
compiler-rt/test/fuzzer/strstr.test<br>
<br>
Removed: <br>
<br>
<br>
<br>
################################################################################<br>
diff --git a/clang/include/clang/Driver/SanitizerArgs.h b/clang/include/clang/Driver/SanitizerArgs.h<br>
index 934dab808e82..563d6c3ff9de 100644<br>
--- a/clang/include/clang/Driver/SanitizerArgs.h<br>
+++ b/clang/include/clang/Driver/SanitizerArgs.h<br>
@@ -74,6 +74,7 @@ class SanitizerArgs {<br>
!Sanitizers.has(SanitizerKind::Address) &&<br>
!Sanitizers.has(SanitizerKind::HWAddress);<br>
}<br>
+ bool needsFuzzerInterceptors() const;<br>
bool needsUbsanRt() const;<br>
bool requiresMinimalRuntime() const { return MinimalRuntime; }<br>
bool needsDfsanRt() const { return Sanitizers.has(SanitizerKind::DataFlow); }<br>
<br>
diff --git a/clang/lib/Driver/SanitizerArgs.cpp b/clang/lib/Driver/SanitizerArgs.cpp<br>
index bcc9ffc7ff8f..e4fda752c041 100644<br>
--- a/clang/lib/Driver/SanitizerArgs.cpp<br>
+++ b/clang/lib/Driver/SanitizerArgs.cpp<br>
@@ -240,6 +240,10 @@ static SanitizerMask parseSanitizeTrapArgs(const Driver &D,<br>
return TrappingKinds;<br>
}<br>
<br>
+bool SanitizerArgs::needsFuzzerInterceptors() const {<br>
+ return needsFuzzer() && !needsAsanRt() && !needsTsanRt() && !needsMsanRt();<br>
+}<br>
+<br>
bool SanitizerArgs::needsUbsanRt() const {<br>
// All of these include ubsan.<br>
if (needsAsanRt() || needsMsanRt() || needsHwasanRt() || needsTsanRt() ||<br>
<br>
diff --git a/clang/lib/Driver/ToolChains/CommonArgs.cpp b/clang/lib/Driver/ToolChains/CommonArgs.cpp<br>
index 6b6e276b8ce7..acde6d9e2111 100644<br>
--- a/clang/lib/Driver/ToolChains/CommonArgs.cpp<br>
+++ b/clang/lib/Driver/ToolChains/CommonArgs.cpp<br>
@@ -784,6 +784,9 @@ bool tools::addSanitizerRuntimes(const ToolChain &TC, const ArgList &Args,<br>
!Args.hasArg(options::OPT_shared)) {<br>
<br>
addSanitizerRuntime(TC, Args, CmdArgs, "fuzzer", false, true);<br>
+ if (SanArgs.needsFuzzerInterceptors())<br>
+ addSanitizerRuntime(TC, Args, CmdArgs, "fuzzer_interceptors", false,<br>
+ true);<br>
if (!Args.hasArg(clang::driver::options::OPT_nostdlibxx))<br>
TC.AddCXXStdlibLibArgs(Args, CmdArgs);<br>
}<br>
<br>
diff --git a/compiler-rt/lib/fuzzer/CMakeLists.txt b/compiler-rt/lib/fuzzer/CMakeLists.txt<br>
index b5be6b89452e..02be89cb70a5 100644<br>
--- a/compiler-rt/lib/fuzzer/CMakeLists.txt<br>
+++ b/compiler-rt/lib/fuzzer/CMakeLists.txt<br>
@@ -99,6 +99,13 @@ add_compiler_rt_object_libraries(RTfuzzer_main<br>
CFLAGS ${LIBFUZZER_CFLAGS}<br>
DEPS ${LIBFUZZER_DEPS})<br>
<br>
+add_compiler_rt_object_libraries(RTfuzzer_interceptors<br>
+ OS ${FUZZER_SUPPORTED_OS}<br>
+ ARCHS ${FUZZER_SUPPORTED_ARCH}<br>
+ SOURCES FuzzerInterceptors.cpp<br>
+ CFLAGS ${LIBFUZZER_CFLAGS}<br>
+ DEPS ${LIBFUZZER_DEPS})<br>
+<br>
add_compiler_rt_runtime(clang_rt.fuzzer<br>
STATIC<br>
OS ${FUZZER_SUPPORTED_OS}<br>
@@ -115,6 +122,14 @@ add_compiler_rt_runtime(clang_rt.fuzzer_no_main<br>
CFLAGS ${LIBFUZZER_CFLAGS}<br>
PARENT_TARGET fuzzer)<br>
<br>
+add_compiler_rt_runtime(clang_rt.fuzzer_interceptors<br>
+ STATIC<br>
+ OS ${FUZZER_SUPPORTED_OS}<br>
+ ARCHS ${FUZZER_SUPPORTED_ARCH}<br>
+ OBJECT_LIBS RTfuzzer_interceptors<br>
+ CFLAGS ${LIBFUZZER_CFLAGS}<br>
+ PARENT_TARGET fuzzer)<br>
+<br>
if(OS_NAME MATCHES "Linux|Fuchsia" AND<br>
COMPILER_RT_LIBCXX_PATH AND<br>
COMPILER_RT_LIBCXXABI_PATH)<br>
@@ -148,7 +163,10 @@ if(OS_NAME MATCHES "Linux|Fuchsia" AND<br>
add_dependencies(RTfuzzer.${arch} libcxx_fuzzer_${arch}-build)<br>
target_compile_options(RTfuzzer_main.${arch} PRIVATE -isystem ${LIBCXX_${arch}_PREFIX}/include/c++/v1)<br>
add_dependencies(RTfuzzer_main.${arch} libcxx_fuzzer_${arch}-build)<br>
+ target_compile_options(RTfuzzer_interceptors.${arch} PRIVATE -isystem ${LIBCXX_${arch}_PREFIX}/include/c++/v1)<br>
+ add_dependencies(RTfuzzer_interceptors.${arch} libcxx_fuzzer_${arch}-build)<br>
partially_link_libcxx(fuzzer_no_main ${LIBCXX_${arch}_PREFIX} ${arch})<br>
+ partially_link_libcxx(fuzzer_interceptors ${LIBCXX_${arch}_PREFIX} ${arch})<br>
partially_link_libcxx(fuzzer ${LIBCXX_${arch}_PREFIX} ${arch})<br>
endforeach()<br>
endif()<br>
<br>
diff --git a/compiler-rt/lib/fuzzer/FuzzerInterceptors.cpp b/compiler-rt/lib/fuzzer/FuzzerInterceptors.cpp<br>
new file mode 100644<br>
index 000000000000..cb55b4af38fa<br>
--- /dev/null<br>
+++ b/compiler-rt/lib/fuzzer/FuzzerInterceptors.cpp<br>
@@ -0,0 +1,170 @@<br>
+//===-- FuzzerInterceptors.cpp --------------------------------------------===//<br>
+//<br>
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.<br>
+// See <a href="https://llvm.org/LICENSE.txt" rel="noreferrer" target="_blank">https://llvm.org/LICENSE.txt</a> for license information.<br>
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception<br>
+//<br>
+//===----------------------------------------------------------------------===//<br>
+// Intercept certain libc functions to aid fuzzing.<br>
+// Linked only when other RTs that define their own interceptors are not linked.<br>
+//===----------------------------------------------------------------------===//<br>
+<br>
+#include "FuzzerPlatform.h"<br>
+<br>
+#if LIBFUZZER_LINUX<br>
+<br>
+#define GET_CALLER_PC() __builtin_return_address(0)<br>
+<br>
+#define PTR_TO_REAL(x) real_##x<br>
+#define REAL(x) __interception::PTR_TO_REAL(x)<br>
+#define FUNC_TYPE(x) x##_type<br>
+#define DEFINE_REAL(ret_type, func, ...) \<br>
+ typedef ret_type (*FUNC_TYPE(func))(__VA_ARGS__); \<br>
+ namespace __interception { \<br>
+ FUNC_TYPE(func) PTR_TO_REAL(func); \<br>
+ }<br>
+<br>
+#include <cassert><br>
+#include <cstdint><br>
+#include <dlfcn.h> // for dlsym()<br>
+#include <sanitizer/common_interface_defs.h><br>
+<br>
+static void *getFuncAddr(const char *name, uintptr_t wrapper_addr) {<br>
+ void *addr = dlsym(RTLD_NEXT, name);<br>
+ if (!addr) {<br>
+ // If the lookup using RTLD_NEXT failed, the sanitizer runtime library is<br>
+ // later in the library search order than the DSO that we are trying to<br>
+ // intercept, which means that we cannot intercept this function. We still<br>
+ // want the address of the real definition, though, so look it up using<br>
+ // RTLD_DEFAULT.<br>
+ addr = dlsym(RTLD_DEFAULT, name);<br>
+<br>
+ // In case `name' is not loaded, dlsym ends up finding the actual wrapper.<br>
+ // We don't want to intercept the wrapper and have it point to itself.<br>
+ if (reinterpret_cast<uintptr_t>(addr) == wrapper_addr)<br>
+ addr = nullptr;<br>
+ }<br>
+ return addr;<br>
+}<br>
+<br>
+static int FuzzerInited = 0;<br>
+static bool FuzzerInitIsRunning;<br>
+<br>
+static void fuzzerInit();<br>
+<br>
+static void ensureFuzzerInited() {<br>
+ assert(!FuzzerInitIsRunning);<br>
+ if (!FuzzerInited) {<br>
+ fuzzerInit();<br>
+ }<br>
+}<br>
+<br>
+extern "C" {<br>
+<br>
+DEFINE_REAL(int, memcmp, const void *, const void *, size_t)<br>
+DEFINE_REAL(int, strncmp, const char *, const char *, size_t)<br>
+DEFINE_REAL(int, strcmp, const char *, const char *)<br>
+DEFINE_REAL(int, strncasecmp, const char *, const char *, size_t)<br>
+DEFINE_REAL(int, strcasecmp, const char *, const char *)<br>
+DEFINE_REAL(char *, strstr, const char *, const char *)<br>
+DEFINE_REAL(char *, strcasestr, const char *, const char *)<br>
+DEFINE_REAL(void *, memmem, const void *, size_t, const void *, size_t)<br>
+<br>
+ATTRIBUTE_INTERFACE int memcmp(const void *s1, const void *s2, size_t n) {<br>
+ ensureFuzzerInited();<br>
+ int result = REAL(memcmp)(s1, s2, n);<br>
+ __sanitizer_weak_hook_memcmp(GET_CALLER_PC(), s1, s2, n, result);<br>
+<br>
+ return result;<br>
+}<br>
+<br>
+ATTRIBUTE_INTERFACE int strncmp(const char *s1, const char *s2, size_t n) {<br>
+ ensureFuzzerInited();<br>
+ int result = REAL(strncmp)(s1, s2, n);<br>
+ __sanitizer_weak_hook_strncmp(GET_CALLER_PC(), s1, s2, n, result);<br>
+<br>
+ return result;<br>
+}<br>
+<br>
+ATTRIBUTE_INTERFACE int strcmp(const char *s1, const char *s2) {<br>
+ ensureFuzzerInited();<br>
+ int result = REAL(strcmp)(s1, s2);<br>
+ __sanitizer_weak_hook_strcmp(GET_CALLER_PC(), s1, s2, result);<br>
+<br>
+ return result;<br>
+}<br>
+<br>
+ATTRIBUTE_INTERFACE int strncasecmp(const char *s1, const char *s2, size_t n) {<br>
+ ensureFuzzerInited();<br>
+ int result = REAL(strncasecmp)(s1, s2, n);<br>
+ __sanitizer_weak_hook_strncasecmp(GET_CALLER_PC(), s1, s2, n, result);<br>
+<br>
+ return result;<br>
+}<br>
+<br>
+ATTRIBUTE_INTERFACE int strcasecmp(const char *s1, const char *s2) {<br>
+ ensureFuzzerInited();<br>
+ int result = REAL(strcasecmp)(s1, s2);<br>
+ __sanitizer_weak_hook_strcasecmp(GET_CALLER_PC(), s1, s2, result);<br>
+<br>
+ return result;<br>
+}<br>
+<br>
+ATTRIBUTE_INTERFACE char *strstr(const char *s1, const char *s2) {<br>
+ ensureFuzzerInited();<br>
+ char *result = REAL(strstr)(s1, s2);<br>
+ __sanitizer_weak_hook_strstr(GET_CALLER_PC(), s1, s2, result);<br>
+<br>
+ return result;<br>
+}<br>
+<br>
+ATTRIBUTE_INTERFACE char *strcasestr(const char *s1, const char *s2) {<br>
+ ensureFuzzerInited();<br>
+ char *result = REAL(strcasestr)(s1, s2);<br>
+ __sanitizer_weak_hook_strcasestr(GET_CALLER_PC(), s1, s2, result);<br>
+<br>
+ return result;<br>
+}<br>
+<br>
+ATTRIBUTE_INTERFACE<br>
+void *memmem(const void *s1, size_t len1, const void *s2, size_t len2) {<br>
+ ensureFuzzerInited();<br>
+ void *result = REAL(memmem)(s1, len1, s2, len2);<br>
+ __sanitizer_weak_hook_memmem(GET_CALLER_PC(), s1, len1, s2, len2, result);<br>
+<br>
+ return result;<br>
+}<br>
+<br>
+__attribute__((section(".preinit_array"),<br>
+ used)) static void (*__local_fuzzer_preinit)(void) = fuzzerInit;<br>
+<br>
+} // extern "C"<br>
+<br>
+static void fuzzerInit() {<br>
+ assert(!FuzzerInitIsRunning);<br>
+ if (FuzzerInited)<br>
+ return;<br>
+ FuzzerInitIsRunning = true;<br>
+<br>
+ REAL(memcmp) = reinterpret_cast<memcmp_type>(<br>
+ getFuncAddr("memcmp", reinterpret_cast<uintptr_t>(&memcmp)));<br>
+ REAL(strncmp) = reinterpret_cast<strncmp_type>(<br>
+ getFuncAddr("strncmp", reinterpret_cast<uintptr_t>(&strncmp)));<br>
+ REAL(strcmp) = reinterpret_cast<strcmp_type>(<br>
+ getFuncAddr("strcmp", reinterpret_cast<uintptr_t>(&strcmp)));<br>
+ REAL(strncasecmp) = reinterpret_cast<strncasecmp_type>(<br>
+ getFuncAddr("strncasecmp", reinterpret_cast<uintptr_t>(&strncasecmp)));<br>
+ REAL(strcasecmp) = reinterpret_cast<strcasecmp_type>(<br>
+ getFuncAddr("strcasecmp", reinterpret_cast<uintptr_t>(&strcasecmp)));<br>
+ REAL(strstr) = reinterpret_cast<strstr_type>(<br>
+ getFuncAddr("strstr", reinterpret_cast<uintptr_t>(&strstr)));<br>
+ REAL(strcasestr) = reinterpret_cast<strcasestr_type>(<br>
+ getFuncAddr("strcasestr", reinterpret_cast<uintptr_t>(&strcasestr)));<br>
+ REAL(memmem) = reinterpret_cast<memmem_type>(<br>
+ getFuncAddr("memmem", reinterpret_cast<uintptr_t>(&memmem)));<br>
+<br>
+ FuzzerInitIsRunning = false;<br>
+ FuzzerInited = 1;<br>
+}<br>
+<br>
+#endif<br>
<br>
diff --git a/compiler-rt/test/fuzzer/memcmp.test b/compiler-rt/test/fuzzer/memcmp.test<br>
index 5657cab41dfc..8859afbe8a97 100644<br>
--- a/compiler-rt/test/fuzzer/memcmp.test<br>
+++ b/compiler-rt/test/fuzzer/memcmp.test<br>
@@ -1,4 +1,8 @@<br>
UNSUPPORTED: freebsd<br>
RUN: %cpp_compiler %S/MemcmpTest.cpp -o %t-MemcmpTest<br>
RUN: not %run %t-MemcmpTest -seed=1 -runs=10000000 2>&1 | FileCheck %s<br>
+<br>
+RUN: %cpp_compiler -fno-sanitize=address -fno-builtin-memcmp %S/MemcmpTest.cpp -o %t-NoAsanMemcmpTest<br>
+RUN: not %run %t-MemcmpTest -seed=1 -runs=10000000 2>&1 | FileCheck %s<br>
+<br>
CHECK: BINGO<br>
<br>
diff --git a/compiler-rt/test/fuzzer/memcmp64.test b/compiler-rt/test/fuzzer/memcmp64.test<br>
index 24d14bf73bbf..fc9d02324373 100644<br>
--- a/compiler-rt/test/fuzzer/memcmp64.test<br>
+++ b/compiler-rt/test/fuzzer/memcmp64.test<br>
@@ -1,4 +1,8 @@<br>
UNSUPPORTED: freebsd<br>
RUN: %cpp_compiler %S/Memcmp64BytesTest.cpp -o %t-Memcmp64BytesTest<br>
RUN: not %run %t-Memcmp64BytesTest -seed=1 -runs=1000000 2>&1 | FileCheck %s<br>
+<br>
+RUN: %cpp_compiler -fno-sanitize=address -fno-builtin-memcmp %S/Memcmp64BytesTest.cpp -o %t-NoAsanMemcmp64BytesTest<br>
+RUN: not %run %t-Memcmp64BytesTest -seed=1 -runs=1000000 2>&1 | FileCheck %s<br>
+<br>
CHECK: BINGO<br>
<br>
diff --git a/compiler-rt/test/fuzzer/strcmp.test b/compiler-rt/test/fuzzer/strcmp.test<br>
index bd917bba6b69..eebcf8ef5c70 100644<br>
--- a/compiler-rt/test/fuzzer/strcmp.test<br>
+++ b/compiler-rt/test/fuzzer/strcmp.test<br>
@@ -1,5 +1,8 @@<br>
UNSUPPORTED: freebsd<br>
RUN: %cpp_compiler %S/StrcmpTest.cpp -o %t-StrcmpTest<br>
RUN: not %run %t-StrcmpTest -seed=1 -runs=2000000 2>&1 | FileCheck %s<br>
-CHECK: BINGO<br>
<br>
+RUN: %cpp_compiler -fno-sanitize=address -fno-builtin-strcmp %S/StrcmpTest.cpp -o %t-NoAsanStrcmpTest<br>
+RUN: not %run %t-StrcmpTest -seed=1 -runs=2000000 2>&1 | FileCheck %s<br>
+<br>
+CHECK: BINGO<br>
<br>
diff --git a/compiler-rt/test/fuzzer/strncmp.test b/compiler-rt/test/fuzzer/strncmp.test<br>
index 50189445b102..f8ff9299a1d9 100644<br>
--- a/compiler-rt/test/fuzzer/strncmp.test<br>
+++ b/compiler-rt/test/fuzzer/strncmp.test<br>
@@ -1,5 +1,8 @@<br>
UNSUPPORTED: freebsd<br>
RUN: %cpp_compiler %S/StrncmpTest.cpp -o %t-StrncmpTest<br>
RUN: not %run %t-StrncmpTest -seed=2 -runs=10000000 2>&1 | FileCheck %s<br>
-CHECK: BINGO<br>
<br>
+RUN: %cpp_compiler -fno-sanitize=address -fno-builtin-strncmp %S/StrncmpTest.cpp -o %t-NoAsanStrncmpTest<br>
+RUN: not %run %t-StrncmpTest -seed=2 -runs=10000000 2>&1 | FileCheck %s<br>
+<br>
+CHECK: BINGO<br>
<br>
diff --git a/compiler-rt/test/fuzzer/strstr.test b/compiler-rt/test/fuzzer/strstr.test<br>
index f1fb210b47c7..54a5abe8a414 100644<br>
--- a/compiler-rt/test/fuzzer/strstr.test<br>
+++ b/compiler-rt/test/fuzzer/strstr.test<br>
@@ -1,5 +1,8 @@<br>
UNSUPPORTED: freebsd<br>
RUN: %cpp_compiler %S/StrstrTest.cpp -o %t-StrstrTest<br>
RUN: not %run %t-StrstrTest -seed=1 -runs=2000000 2>&1 | FileCheck %s<br>
-CHECK: BINGO<br>
<br>
+RUN: %cpp_compiler -fno-sanitize=address -fno-builtin-strstr %S/StrstrTest.cpp -o %t-NoAsanStrstrTest<br>
+RUN: not %run %t-StrstrTest -seed=1 -runs=2000000 2>&1 | FileCheck %s<br>
+<br>
+CHECK: BINGO<br>
<br>
<br>
<br>
_______________________________________________<br>
llvm-commits mailing list<br>
<a href="mailto:llvm-commits@lists.llvm.org" target="_blank">llvm-commits@lists.llvm.org</a><br>
<a href="https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-commits" rel="noreferrer" target="_blank">https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-commits</a><br>
</blockquote></div>
</blockquote></div>