[compiler-rt] r183390 - [ASan] One more fix for realloc: check that reallocated chunk is valid before calling memcpy

Alexey Samsonov samsonov at google.com
Thu Jun 6 01:25:31 PDT 2013 

Author: samsonov
Date: Thu Jun  6 03:25:31 2013
New Revision: 183390

URL: http://llvm.org/viewvc/llvm-project?rev=183390&view=rev
Log:
[ASan] One more fix for realloc: check that reallocated chunk is valid before calling memcpy

Modified:
    compiler-rt/trunk/lib/asan/asan_allocator2.cc

Modified: compiler-rt/trunk/lib/asan/asan_allocator2.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_allocator2.cc?rev=183390&r1=183389&r2=183390&view=diff
==============================================================================
--- compiler-rt/trunk/lib/asan/asan_allocator2.cc (original)
+++ compiler-rt/trunk/lib/asan/asan_allocator2.cc Thu Jun  6 03:25:31 2013
@@ -432,17 +432,20 @@ static void *Allocate(uptr size, uptr al
   return res;
 }
 
+static void ReportInvalidFree(void *ptr, u8 chunk_state, StackTrace *stack) {
+  if (chunk_state == CHUNK_QUARANTINE)
+    ReportDoubleFree((uptr)ptr, stack);
+  else
+    ReportFreeNotMalloced((uptr)ptr, stack);
+}
+
 static void AtomicallySetQuarantineFlag(AsanChunk *m,
                                         void *ptr, StackTrace *stack) {
   u8 old_chunk_state = CHUNK_ALLOCATED;
   // Flip the chunk_state atomically to avoid race on double-free.
   if (!atomic_compare_exchange_strong((atomic_uint8_t*)m, &old_chunk_state,
-                                      CHUNK_QUARANTINE, memory_order_acquire)) {
-    if (old_chunk_state == CHUNK_QUARANTINE)
-      ReportDoubleFree((uptr)ptr, stack);
-    else
-      ReportFreeNotMalloced((uptr)ptr, stack);
-  }
+                                      CHUNK_QUARANTINE, memory_order_acquire))
+    ReportInvalidFree(ptr, old_chunk_state, stack);
   CHECK_EQ(CHUNK_ALLOCATED, old_chunk_state);
 }
 
@@ -514,6 +517,9 @@ static void *Reallocate(void *old_ptr, u
 
   void *new_ptr = Allocate(new_size, 8, stack, FROM_MALLOC, true);
   if (new_ptr) {
+    u8 chunk_state = m->chunk_state;
+    if (chunk_state != CHUNK_ALLOCATED)
+      ReportInvalidFree(old_ptr, chunk_state, stack);
     CHECK_NE(REAL(memcpy), (void*)0);
     uptr memcpy_size = Min(new_size, m->UsedSize());
     // If realloc() races with free(), we may start copying freed memory.

More information about the llvm-commits mailing list