[all-commits] [llvm/llvm-project] 16d3c0: [test][asan] Limit scope of the var

Tacet via All-commits all-commits at lists.llvm.org
Mon Nov 21 16:46:03 PST 2022


  Branch: refs/heads/main
  Home:   https://github.com/llvm/llvm-project
  Commit: 16d3c0c7a427a76a3886f4e93f796d81d536c27f
      https://github.com/llvm/llvm-project/commit/16d3c0c7a427a76a3886f4e93f796d81d536c27f
  Author: Vitaly Buka <vitalybuka at google.com>
  Date:   2022-11-21 (Mon, 21 Nov 2022)

  Changed paths:
    M compiler-rt/test/asan/TestCases/contiguous_container.cpp

  Log Message:
  -----------
  [test][asan] Limit scope of the var


  Commit: 6c87deaa07e0660ecd227414c0bc1ec0e5cbe5b0
      https://github.com/llvm/llvm-project/commit/6c87deaa07e0660ecd227414c0bc1ec0e5cbe5b0
  Author: Vitaly Buka <vitalybuka at google.com>
  Date:   2022-11-21 (Mon, 21 Nov 2022)

  Changed paths:
    M compiler-rt/test/asan/TestCases/Linux/interface_symbols_linux.cpp

  Log Message:
  -----------
  [test][asan] Ignore new lines in header


  Commit: 1c5ad6d2c01294a0decde43a88e9c27d7437d157
      https://github.com/llvm/llvm-project/commit/1c5ad6d2c01294a0decde43a88e9c27d7437d157
  Author: Advenam Tacet <advenam.tacet at trailofbits.com>
  Date:   2022-11-21 (Mon, 21 Nov 2022)

  Changed paths:
    M compiler-rt/include/sanitizer/common_interface_defs.h
    M compiler-rt/lib/asan/asan_errors.cpp
    M compiler-rt/lib/asan/asan_errors.h
    M compiler-rt/lib/asan/asan_poisoning.cpp
    M compiler-rt/lib/asan/asan_report.cpp
    M compiler-rt/lib/asan/asan_report.h
    M compiler-rt/lib/sanitizer_common/sanitizer_common_interface.inc
    M compiler-rt/lib/sanitizer_common/sanitizer_interface_internal.h
    M compiler-rt/test/asan/TestCases/contiguous_container.cpp

  Log Message:
  -----------
  [1a/3][ASan][compiler-rt] API for double ended containers

This revision is a part of a series of patches extending
AddressSanitizer C++ container overflow detection capabilities by adding
annotations, similar to those existing in std::vector, to std::string
and std::deque collections. These changes allow ASan to detect cases
when the instrumented program accesses memory which is internally
allocated by the collection but is still not in-use (accesses before or
after the stored elements for std::deque, or between the size and
capacity bounds for std::string).

The motivation for the research and those changes was a bug, found by
Trail of Bits, in real code where an out-of-bounds read could happen
as two strings were compared via a std::equals function that took
iter1_begin, iter1_end, iter2_begin iterators (with a custom comparison
function). When object iter1 was longer than iter2, an out-of-bounds read
on iter2 could happen. Container sanitization would detect it.

This revision adds a new compiler-rt ASan sanitization API function
sanitizer_annotate_double_ended_contiguous_container necessary to
sanitize/annotate double ended contiguous containers. Note that that
function annotates a single contiguous memory buffer (for example the
std::deque's internal chunk). Such containers have the beginning of the
allocated memory block, the beginning of the container's in-use data, the
end of the container's in-use data and the end of the allocated memory block.
This also adds a new API function to verify if a double ended contiguous
container is correctly annotated
(__sanitizer_verify_double_ended_contiguous_container).

Since we do not modify the ASan's shadow memory encoding values, the
capability of sanitizing/annotating a prefix of the internal contiguous
memory buffer is limited – up to SHADOW_GRANULARITY-1 bytes may not be
poisoned before the container's in-use data. This can cause false
negatives (situations when ASan will not detect memory corruption in
those areas).

On the other hand, the API function interfaces are designed to work even if
this caveat did not exist. Therefore implementations using those
functions will poison every byte correctly, provided that ASan (and
compiler-rt) is extended to support it. In other words, if ASan were
modified to support annotating/poisoning of objects lying at addresses
unaligned to SHADOW_GRANULARITY (so e.g. prefixes of those blocks),
which would require changing its shadow memory encoding, this would not
require any changes in the libcxx std::string/deque code which is added
in further commits of this patch series.

If you have any questions, please email:
advenam.tacet at trailofbits.com
disconnect3d at trailofbits.com

Differential Revision: https://reviews.llvm.org/D132090
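As an added illustration (not code from this commit or from libc++), the sketch below wires the two API functions introduced here into a deque-like chunk whose in-use range can grow or shrink at either end; the six-pointer annotate signature (storage bounds, old in-use range, new in-use range) and the four-pointer verify signature are assumed to match the header changed in this commit, and CHUNK_ANNOTATE, CHUNK_VERIFY, DequeChunk and demo_chunk are names chosen for this example. Without -fsanitize=address the ASan calls become no-ops so the bookkeeping can still be exercised.

```cpp
#include <cstddef>
// Call the real ASan API only when built with -fsanitize=address; otherwise
// the calls become no-ops so the example compiles and runs without the runtime.
#ifndef __has_feature
#  define __has_feature(x) 0
#endif
#if __has_feature(address_sanitizer) || defined(__SANITIZE_ADDRESS__)
#  include <sanitizer/common_interface_defs.h>
#  define CHUNK_ANNOTATE(...) __sanitizer_annotate_double_ended_contiguous_container(__VA_ARGS__)
#  define CHUNK_VERIFY(...) __sanitizer_verify_double_ended_contiguous_container(__VA_ARGS__)
#else
#  define CHUNK_ANNOTATE(...) ((void)0)
#  define CHUNK_VERIFY(...) 1
#endif
// One deque-like chunk: a fixed buffer whose in-use range [beg, end) grows or
// shrinks at either end. Storage is 8-byte aligned (ASan's shadow granularity);
// only the in-use beginning may fall inside a granule, which is where the commit
// message notes that up to SHADOW_GRANULARITY-1 bytes may stay unpoisoned.
struct DequeChunk {
  static constexpr std::size_t kCap = 16;
  alignas(8) int data[kCap];
  std::size_t beg = kCap / 2, end = kCap / 2;  // empty, starting mid-buffer
  // Fresh storage is fully addressable, so the "old" in-use range is the whole
  // buffer; ASan then poisons everything outside the (empty) new range.
  DequeChunk() { CHUNK_ANNOTATE(data, data + kCap, data, data + kCap, data + beg, data + end); }
  // Every change of the in-use range hands ASan the old and new bounds: bytes
  // that become in-use are unpoisoned, bytes that are vacated are re-poisoned.
  void set_range(std::size_t nb, std::size_t ne) {
    CHUNK_ANNOTATE(data, data + kCap, data + beg, data + end, data + nb, data + ne);
    beg = nb; end = ne;
  }
  bool push_front(int v) {
    if (beg == 0) return false;
    set_range(beg - 1, end);  // unpoison the slot before writing into it
    data[beg] = v; return true;
  }
  bool push_back(int v) {
    if (end == kCap) return false;
    set_range(beg, end + 1);
    data[end - 1] = v; return true;
  }
  bool pop_front() { if (beg == end) return false; set_range(beg + 1, end); return true; }
  bool pop_back() { if (beg == end) return false; set_range(beg, end - 1); return true; }
  std::size_t size() const { return end - beg; }
  int at(std::size_t i) const { return data[beg + i]; }
  // Ask ASan whether the shadow matches the bookkeeping (always true without ASan).
  bool verify() const { return CHUNK_VERIFY(data, data + beg, data + end, data + kCap) != 0; }
};
// Constructed usage: grow at both ends, shrink at the back, then cross-check.
bool demo_chunk() {
  DequeChunk c;
  c.push_back(1); c.push_back(2); c.push_front(0); c.pop_back();
  return c.size() == 2 && c.at(0) == 0 && c.at(1) == 1 && c.verify();
}
```

Built with -fsanitize=address, any read of data[] outside [beg, end) is reported as a container-overflow, and verify() returns 0 if the bookkeeping and the shadow ever disagree.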


Compare: https://github.com/llvm/llvm-project/compare/e8ce5f1ec9f3...1c5ad6d2c012

