[llvm-branch-commits] [compiler-rt] [HWASan] use unused tags for uaf tag, if possible (PR #191914)
Florian Mayer via llvm-branch-commits
llvm-branch-commits at lists.llvm.org
Mon Apr 13 17:56:37 PDT 2026
https://github.com/fmayer updated https://github.com/llvm/llvm-project/pull/191914
>From 8e9a4534f766af359f8109673ccaebc37f082817 Mon Sep 17 00:00:00 2001
From: Florian Mayer <fmayer at google.com>
Date: Mon, 13 Apr 2026 17:07:25 -0700
Subject: [PATCH 1/2] upda
Created using spr 1.3.7
---
compiler-rt/lib/hwasan/hwasan_allocator.cpp | 8 +++++---
compiler-rt/lib/hwasan/hwasan_poisoning.cpp | 4 +---
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/compiler-rt/lib/hwasan/hwasan_allocator.cpp b/compiler-rt/lib/hwasan/hwasan_allocator.cpp
index eb25102c7d824..dc84423455900 100644
--- a/compiler-rt/lib/hwasan/hwasan_allocator.cpp
+++ b/compiler-rt/lib/hwasan/hwasan_allocator.cpp
@@ -364,18 +364,20 @@ static void HwasanDeallocate(StackTrace *stack, void *tagged_ptr) {
allocator.FromPrimary(untagged_ptr) /* Secondary 0-tag and unmap.*/) {
// Always store full 8-bit tags on free to maximize UAF detection.
tag_t tag;
- if (t) {
+ if (free_bits) {
+ tag = free_bits;
+ } else if (t) {
// Make sure we are not using a short granule tag as a poison tag. This
// would make us attempt to read the memory on a UaF.
// The tag can be zero if tagging is disabled on this thread.
do {
- tag = t->GenerateRandomTag(/*num_bits=*/8) | free_bits;
+ tag = t->GenerateRandomTag(/*num_bits=*/8);
} while (
UNLIKELY((tag < kShadowAlignment || tag == pointer_tag) && tag != 0));
} else {
static_assert(kFallbackFreeTag >= kShadowAlignment,
"fallback tag must not be a short granule tag.");
- tag = kFallbackFreeTag | free_bits;
+ tag = kFallbackFreeTag;
}
TagMemoryAligned(reinterpret_cast<uptr>(aligned_ptr), TaggedSize(orig_size),
tag);
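Review bot: The new `if (free_bits)` branch assigns the constant `free_bits` as the free tag, so it bypasses both conditions the random path enforces in its `while` loop: the short-granule guard (`tag < kShadowAlignment`) and `tag == pointer_tag`. The definition of `free_bits` is outside this hunk (HwasanDeallocate starts and ends outside it), so it cannot be confirmed here that the value is never below `kShadowAlignment` and never equal to a live pointer tag. If it is meant to lie above the valid pointer-tag range, enforce that beside the assignment with `DCHECK_GE(free_bits, kShadowAlignment);` and a comment such as `// free_bits is outside the range of valid pointer tags: it cannot match a live pointer or be read as a short granule tag.` The existing comment "Always store full 8-bit tags on free" should also be updated, since in this branch every freed chunk gets the same fixed tag instead of a random one.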
diff --git a/compiler-rt/lib/hwasan/hwasan_poisoning.cpp b/compiler-rt/lib/hwasan/hwasan_poisoning.cpp
index 5e9eeef68714d..40f761590bf6c 100644
--- a/compiler-rt/lib/hwasan/hwasan_poisoning.cpp
+++ b/compiler-rt/lib/hwasan/hwasan_poisoning.cpp
@@ -32,8 +32,6 @@ uptr TagMemory(uptr p, uptr size, tag_t tag) {
namespace __lsan {
bool WordIsPoisoned(uptr addr) {
tag_t Tag = GetTagFromPointer(addr);
- return Tag >= (1 << __hwasan::HwasanTagBits());
- // Fixme: implement actual tag checking.
- return false;
+ return Tag >= (1U << __hwasan::HwasanTagBits());
}
} // namespace __lsan
>From 36e93612456dc78b12403697efa6166159dd52b5 Mon Sep 17 00:00:00 2001
From: Florian Mayer <fmayer at google.com>
Date: Mon, 13 Apr 2026 17:56:24 -0700
Subject: [PATCH 2/2] fix
Created using spr 1.3.7
---
compiler-rt/lib/hwasan/hwasan_poisoning.cpp | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/compiler-rt/lib/hwasan/hwasan_poisoning.cpp b/compiler-rt/lib/hwasan/hwasan_poisoning.cpp
index 40f761590bf6c..be93ed4cb92be 100644
--- a/compiler-rt/lib/hwasan/hwasan_poisoning.cpp
+++ b/compiler-rt/lib/hwasan/hwasan_poisoning.cpp
@@ -31,7 +31,9 @@ uptr TagMemory(uptr p, uptr size, tag_t tag) {
// --- Implementation of LSan-specific functions --- {{{1
namespace __lsan {
bool WordIsPoisoned(uptr addr) {
- tag_t Tag = GetTagFromPointer(addr);
+ if (!InTaggableRegion(addr))
+ return false;
+ tag_t Tag = *reinterpret_cast<tag_t *>(__hwasan::MemToShadow(addr))
return Tag >= (1U << __hwasan::HwasanTagBits());
}
} // namespace __lsan
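Review bot: The added shadow load in `WordIsPoisoned` has no terminating semicolon, so the file will not compile as posted; it should read `tag_t Tag = *reinterpret_cast<tag_t *>(__hwasan::MemToShadow(addr));`. `InTaggableRegion(addr)` is also called unqualified inside `namespace __lsan` while the other helpers are written `__hwasan::`, so unless a using-directive outside this hunk covers it, it likely needs `__hwasan::InTaggableRegion(addr)`. If `addr` can carry a tag in its top byte, the shadow lookup should go through the untagged address; the hunk does not show what callers pass, so this needs checking. A one-line comment explaining that a shadow tag at or above `1U << HwasanTagBits()` is taken to mark freed memory would make the comparison readable without the allocator change at hand.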