[libcxx-commits] [PATCH] D136765: [ASan][libcxx] Annotating std::vector with all allocators

Tacet via Phabricator via libcxx-commits libcxx-commits at lists.llvm.org
Wed Oct 26 06:27:48 PDT 2022


AdvenamTacet created this revision.
Herald added a project: All.
AdvenamTacet requested review of this revision.
Herald added a project: libc++.
Herald added a subscriber: libcxx-commits.
Herald added a reviewer: libc++.

This revision is a part of a series of patches extending
AddressSanitizer C++ container overflow detection
capabilities by adding annotations, similar to those existing
in std::vector, to std::string and std::deque collections.
These changes allow ASan to detect cases when the instrumented
program accesses memory which is internally allocated by
the collection but is still not in-use (accesses before or
after the stored elements for std::deque, or between the size and
capacity bounds for std::string).

The motivation for the research and those changes was a bug,
found by Trail of Bits, in real code where an out-of-bounds read
could happen as two strings were compared via a std::equals function
that took iter1_begin, iter1_end, iter2_begin iterators
(with a custom comparison function).
When object iter1 was longer than iter2, an out-of-bounds read on iter2
could happen. Container sanitization would detect it.

In revision D132522 <https://reviews.llvm.org/D132522>, support for non-aligned memory buffers (sharing
the first/last granule with other objects) was added; therefore the
check for the standard allocator is no longer necessary.
This patch removes the check in std::vector annotation member
function (__annotate_contiguous_container) to support
different allocators.

If you have any questions, please email:

- advenam.tacet at trailofbits.com
- disconnect3d at trailofbits.com


Repository:
  rG LLVM Github Monorepo

https://reviews.llvm.org/D136765

Files:
  libcxx/include/vector
  libcxx/test/libcxx/containers/sequences/vector/asan.pass.cpp


Index: libcxx/test/libcxx/containers/sequences/vector/asan.pass.cpp
===================================================================
--- libcxx/test/libcxx/containers/sequences/vector/asan.pass.cpp
+++ libcxx/test/libcxx/containers/sequences/vector/asan.pass.cpp
@@ -36,7 +36,7 @@
         const T t[] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9};
         C c(std::begin(t), std::end(t));
         c.reserve(2*c.size());
-        volatile T foo = c[c.size()];    // bad, but not caught by ASAN
+        volatile T foo = c[c.size() - 1];
         ((void)foo);
     }
 #endif
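Review bot: the new line `volatile T foo = c[c.size() - 1];` drops the only comment in this block, so a reader no longer learns why the index moved from `c.size()` to `c.size() - 1`. Since the old access (one past size, inside the reserved capacity) is exactly what this patch makes detectable for every allocator, consider keeping a one-line comment saying the read must stay within size, not merely within capacity, and consider covering the newly detectable case elsewhere in the test, for example by asserting the container state with `__sanitizer_verify_contiguous_container` after `reserve()`, so the non-default-allocator path added by this patch is actually exercised rather than just no longer tripped.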
Index: libcxx/include/vector
===================================================================
--- libcxx/include/vector
+++ libcxx/include/vector
@@ -745,7 +745,7 @@
                                          const void *__new_mid) const
     {
 
-      if (!__libcpp_is_constant_evaluated() && __beg && is_same<allocator_type, __default_allocator_type>::value)
+      if (!__libcpp_is_constant_evaluated() && __beg)
         __sanitizer_annotate_contiguous_container(__beg, __end, __old_mid, __new_mid);
     }
 #else
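Review bot: removing `is_same<allocator_type, __default_allocator_type>::value` from the condition leaves nothing in this function that explains the allocator requirement it used to enforce, so a short comment pointing at the reason it is now safe (granule sharing handled since D132522) would help the next reader. Please also check whether `__default_allocator_type` still has any other user in this header; if this was the only one, the typedef is dead and should go in the same change. The `#else` branch at the end of the hunk is unchanged, so the non-ASan build is unaffected.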


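The comparison pattern described in the revision summary, written in the bounded form a defender would want, as an added example that is not part of the D136765 patch or of libc++. The function names, the case-insensitive comparator and the sample inputs are constructed for illustration; the point generalises beyond `std::string` to any contiguous container with spare capacity, so a `std::vector` variant is included too.

```cpp
// Added example (not from the patch): comparing two ranges without reading
// past the shorter one. Names and inputs are constructed for illustration.
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <string>
#include <vector>

// Case-insensitive character comparison, standing in for the "custom
// comparison function" mentioned in the revision summary.
static bool ieq(char a, char b) {
    return std::tolower(static_cast<unsigned char>(a)) ==
           std::tolower(static_cast<unsigned char>(b));
}

// The 3-iterator std::equal overload walks the whole first range and
// dereferences the second range the same number of times, so when `a` is
// longer than `b` it reads past b's end. If `b` has spare capacity (after
// reserve()), that read lands in memory the allocator handed out but the
// container is not using: plain ASan stays silent, container-overflow
// annotation reports it. Shown for contrast only; never called here.
//
//   bool unsafe_iequal(const std::string& a, const std::string& b) {
//       return std::equal(a.begin(), a.end(), b.begin(), ieq);
//   }

// Bounded form: the 4-iterator overload (C++14) takes both ends and returns
// false as soon as the lengths differ, so no element beyond either end is read.
bool iequal(const std::string& a, const std::string& b) {
    return std::equal(a.begin(), a.end(), b.begin(), b.end(), ieq);
}

// Same idea for std::vector: compare sizes first, then walk [0, size()),
// which stays inside the in-use region even when capacity() is larger.
bool same_contents(const std::vector<int>& a, const std::vector<int>& b) {
    if (a.size() != b.size()) return false;
    for (std::size_t i = 0; i < a.size(); ++i)
        if (a[i] != b[i]) return false;
    return true;
}

int main() {
    std::string longer = "Trail of Bits";
    std::string shorter = "Trail";
    shorter.reserve(64);  // spare capacity: the region container annotations poison
    // Lengths differ, so iequal returns false without touching shorter[5..].
    return iequal(longer, shorter) ? 1 : 0;
}
```

Build with `-fsanitize=address` to have the annotated containers in play; the bounded overload returns `false` on a length mismatch before any element past the shorter range is dereferenced, which is the behaviour the summary's bug lacked.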