[all-commits] [llvm/llvm-project] dd1b7b: [1b/3][ASan][compiler-rt] API for annotating objec...

Tacet via All-commits all-commits at lists.llvm.org
Thu Oct 27 23:30:03 PDT 2022


  Branch: refs/heads/main
  Home:   https://github.com/llvm/llvm-project
  Commit: dd1b7b797a116eed588fd752fbe61d34deeb24e4
      https://github.com/llvm/llvm-project/commit/dd1b7b797a116eed588fd752fbe61d34deeb24e4
  Author: Advenam Tacet <advenam.tacet at trailofbits.com>
  Date:   2022-10-27 (Thu, 27 Oct 2022)

  Changed paths:
    M compiler-rt/lib/asan/asan_poisoning.cpp
    M compiler-rt/test/asan/TestCases/contiguous_container.cpp
    M compiler-rt/test/asan/TestCases/contiguous_container_crash.cpp

  Log Message:
  -----------
  [1b/3][ASan][compiler-rt] API for annotating objects memory

This revision is a part of a series of patches extending AddressSanitizer C++ container overflow detection capabilities by adding annotations, similar to those existing in std::vector, to std::string and std::deque collections. These changes allow ASan to detect cases when the instrumented program accesses memory which is internally allocated by the collection but is still not in use (accesses before or after the stored elements for std::deque, or between the size and capacity bounds for std::string).

The motivation for the research and those changes was a bug, found by Trail of Bits, in real code where an out-of-bounds read could happen as two strings were compared via a std::equals function that took iter1_begin, iter1_end, iter2_begin iterators (with a custom comparison function). When object iter1 was longer than iter2, an out-of-bounds read on iter2 could happen. Container sanitization would detect it.

This revision extends the compiler-rt ASan sanitization API function sanitizer_annotate_contiguous_container, used to sanitize/annotate containers like std::vector, to support different allocators and situations when granules are shared between objects. Those changes are necessary to support annotating objects' self memory (in contrast to annotating memory allocated by an object) like short std::basic_string (with short string optimization). That also allows use of non-standard memory allocators, as the alignment requirement is no longer necessary.

This also updates an API function to verify if a double-ended contiguous container is correctly annotated (__sanitizer_verify_contiguous_container).

If you have any questions, please email:
advenam.tacet at trailofbits.com
disconnect3d at trailofbits.com

Reviewed By: #sanitizers, vitalybuka

Differential Revision: https://reviews.llvm.org/D132522
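As an added illustration of the API this commit extends (example code, not from the commit, compiler-rt or libc++): a minimal fixed-capacity container that annotates its own storage the way std::vector does. It assumes the public signatures of `__sanitizer_annotate_contiguous_container` and `__sanitizer_verify_contiguous_container` from `<sanitizer/common_interface_defs.h>`, and falls back to no-ops when the build is not instrumented with ASan.

```cpp
// Added example (not code from the LLVM commit): a fixed-capacity container that keeps
// its unused tail poisoned via the ASan contiguous-container API, the way std::vector does.
#include <cstddef>
#include <new>
#ifndef __has_feature
#define __has_feature(x) 0
#endif
#if defined(__SANITIZE_ADDRESS__) || __has_feature(address_sanitizer)
extern "C" void __sanitizer_annotate_contiguous_container(const void *beg, const void *end,
                                                          const void *old_mid, const void *new_mid);
extern "C" int __sanitizer_verify_contiguous_container(const void *beg, const void *mid, const void *end);
#else
// Without ASan the annotations are no-ops, so the container logic runs unchanged.
static inline void __sanitizer_annotate_contiguous_container(const void *, const void *, const void *, const void *) {}
static inline int __sanitizer_verify_contiguous_container(const void *, const void *, const void *) { return 1; }
#endif
template <class T, std::size_t N> class AnnotatedArray {
  alignas(T) unsigned char storage_[N * sizeof(T)]; // [beg, end): the whole buffer
  std::size_t size_ = 0;                            // [beg, mid): elements in use
  T *data() { return reinterpret_cast<T *>(storage_); }
  const T *data() const { return reinterpret_cast<const T *>(storage_); }
  const unsigned char *end() const { return storage_ + sizeof(storage_); }
public:
  // Nothing is in use yet: move mid from end (fresh memory is fully addressable) down to beg.
  AnnotatedArray() { __sanitizer_annotate_contiguous_container(storage_, end(), end(), storage_); }
  ~AnnotatedArray() { // unpoison everything before the storage itself goes out of scope
    while (size_) pop_back();
    __sanitizer_annotate_contiguous_container(storage_, end(), storage_, end());
  }
  bool push_back(const T &v) {
    if (size_ == N) return false;
    // Unpoison the slot before constructing into it, otherwise ASan reports the write.
    __sanitizer_annotate_contiguous_container(storage_, end(), data() + size_, data() + size_ + 1);
    new (data() + size_++) T(v);
    return true;
  }
  void pop_back() { // destroy the last element, then re-poison its slot
    data()[--size_].~T();
    __sanitizer_annotate_contiguous_container(storage_, end(), data() + size_ + 1, data() + size_);
  }
  std::size_t size() const { return size_; }
  const T &operator[](std::size_t i) const { return data()[i]; }
  // True when the shadow memory agrees with size_ (always true without ASan).
  bool annotations_consistent() const { return __sanitizer_verify_contiguous_container(storage_, data() + size_, end()) != 0; }
};
// Push two, pop one: returns 10 * size + first element (11), or -1 on a shadow mismatch.
int annotated_array_demo() {
  AnnotatedArray<int, 4> a;
  a.push_back(1); a.push_back(2); a.pop_back();
  return a.annotations_consistent() ? static_cast<int>(a.size()) * 10 + a[0] : -1;
}
```

Built with -fsanitize=address, a read of `a[1]` after the pop_back above is reported as a container-overflow, while the same read in an uninstrumented build goes unnoticed.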
