[compiler-rt] r189806 - implement PR17059: more visible diagnostics for stack-buffer-overflow

Kostya Serebryany kcc at google.com
Tue Sep 3 06:58:04 PDT 2013 

Author: kcc
Date: Tue Sep  3 08:58:04 2013
New Revision: 189806

URL: http://llvm.org/viewvc/llvm-project?rev=189806&view=rev
Log:
implement PR17059: more visible diagnostics for stack-buffer-overflow

Added:
    compiler-rt/trunk/lib/asan/lit_tests/TestCases/stack-buffer-overflow-with-position.cc
Modified:
    compiler-rt/trunk/lib/asan/asan_report.cc
    compiler-rt/trunk/lib/asan/lit_tests/TestCases/stack-use-after-return.cc

Modified: compiler-rt/trunk/lib/asan/asan_report.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_report.cc?rev=189806&r1=189805&r2=189806&view=diff
==============================================================================
--- compiler-rt/trunk/lib/asan/asan_report.cc (original)
+++ compiler-rt/trunk/lib/asan/asan_report.cc Tue Sep  3 08:58:04 2013
@@ -255,6 +255,49 @@ const char *ThreadNameWithParenthesis(u3
   return ThreadNameWithParenthesis(t, buff, buff_len);
 }
 
+void PrintAccessAndVarIntersection(const char *var_name,
+                                   uptr var_beg, uptr var_size,
+                                   uptr addr, uptr access_size,
+                                   uptr prev_var_end, uptr next_var_beg) {
+  uptr var_end = var_beg + var_size;
+  uptr addr_end = addr + access_size;
+  const char *pos_descr = 0;
+  // If the variable [var_beg, var_end) is the nearest variable to the
+  // current memory access, indicate it in the log.
+  if (addr >= var_beg) {
+    if (addr_end <= var_end)
+      pos_descr = "is inside";  // May happen if this is a use-after-return.
+    else if (addr < var_end)
+      pos_descr = "partially overflows";
+    else if (addr_end <= next_var_beg &&
+             next_var_beg - addr_end >= addr - var_end)
+      pos_descr = "overflows";
+  } else {
+    if (addr_end > var_beg)
+      pos_descr = "partially underflows";
+    else if (addr >= prev_var_end &&
+             addr - prev_var_end >= var_beg - addr_end)
+      pos_descr = "underflows";
+  }
+  Printf("    [%zd, %zd) '%s'", var_beg, var_beg + var_size, var_name);
+  if (pos_descr) {
+    Decorator d;
+    // FIXME: we may want to also print the size of the access here,
+    // but in case of accesses generated by memset it may be confusing.
+    Printf("%s <== Memory access at offset %zd %s this variable%s\n",
+           d.Location(), addr, pos_descr, d.EndLocation());
+  } else {
+    Printf("\n");
+  }
+}
+
+struct StackVarDescr {
+  uptr beg;
+  uptr size;
+  const char *name_pos;
+  s64 name_len;
+};
+
 bool DescribeAddressIfStack(uptr addr, uptr access_size) {
   AsanThread *t = FindThreadByStackAddress(addr);
   if (!t) return false;
@@ -300,7 +343,9 @@ bool DescribeAddressIfStack(uptr addr, u
   s64 n_objects = internal_simple_strtoll(frame_descr, &p, 10);
   CHECK_GT(n_objects, 0);
   Printf("  This frame has %zu object(s):\n", n_objects);
+
   // Report all objects in this frame.
+  InternalScopedBuffer<StackVarDescr> vars(n_objects);
   for (s64 i = 0; i < n_objects; i++) {
     s64 beg, size;
     s64 len;
@@ -313,10 +358,21 @@ bool DescribeAddressIfStack(uptr addr, u
       break;
     }
     p++;
-    buf[0] = 0;
-    internal_strncat(buf, p, static_cast<uptr>(Min(kBufSize, len)));
+    vars[i].beg = beg;
+    vars[i].size = size;
+    vars[i].name_pos = p;
+    vars[i].name_len = len;
     p += len;
-    Printf("    [%lld, %lld) '%s'\n", beg, beg + size, buf);
+  }
+  for (s64 i = 0; i < n_objects; i++) {
+    buf[0] = 0;
+    internal_strncat(buf, vars[i].name_pos,
+                     static_cast<uptr>(Min(kBufSize, vars[i].name_len)));
+    uptr prev_var_end = i ? vars[i - 1].beg + vars[i - 1].size : 0;
+    uptr next_var_beg = i < n_objects - 1 ? vars[i + 1].beg : ~(0UL);
+    PrintAccessAndVarIntersection(buf, vars[i].beg, vars[i].size,
+                                  offset, access_size,
+                                  prev_var_end, next_var_beg);
   }
   Printf("HINT: this may be a false positive if your program uses "
              "some custom stack unwind mechanism or swapcontext\n"

Added: compiler-rt/trunk/lib/asan/lit_tests/TestCases/stack-buffer-overflow-with-position.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/lit_tests/TestCases/stack-buffer-overflow-with-position.cc?rev=189806&view=auto
==============================================================================
--- compiler-rt/trunk/lib/asan/lit_tests/TestCases/stack-buffer-overflow-with-position.cc (added)
+++ compiler-rt/trunk/lib/asan/lit_tests/TestCases/stack-buffer-overflow-with-position.cc Tue Sep  3 08:58:04 2013
@@ -0,0 +1,45 @@
+// RUN: %clangxx_asan -O2 %s -o %t
+// RUN: not %t -2 2>&1 | FileCheck --check-prefix=CHECK-m2 %s
+// RUN: not %t -1 2>&1 | FileCheck --check-prefix=CHECK-m1 %s
+// RUN: %t 0
+// RUN: %t 8
+// RUN: not %t 9  2>&1 | FileCheck --check-prefix=CHECK-9  %s
+// RUN: not %t 10 2>&1 | FileCheck --check-prefix=CHECK-10 %s
+// RUN: not %t 62 2>&1 | FileCheck --check-prefix=CHECK-62 %s
+// RUN: not %t 63 2>&1 | FileCheck --check-prefix=CHECK-63 %s
+// RUN: not %t 63 2>&1 | FileCheck --check-prefix=CHECK-63 %s
+// RUN: not %t 73 2>&1 | FileCheck --check-prefix=CHECK-73 %s
+// RUN: not %t 74 2>&1 | FileCheck --check-prefix=CHECK-74 %s
+// RUN: not %t 126 2>&1 | FileCheck --check-prefix=CHECK-126 %s
+// RUN: not %t 127 2>&1 | FileCheck --check-prefix=CHECK-127 %s
+// RUN: not %t 137 2>&1 | FileCheck --check-prefix=CHECK-137 %s
+// RUN: not %t 138 2>&1 | FileCheck --check-prefix=CHECK-138 %s
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <assert.h>
+int main(int argc, char **argv) {
+  assert(argc >= 2);
+  int idx = atoi(argv[1]);
+  char AAA[10], BBB[10], CCC[10];
+  memset(AAA, 0, sizeof(AAA));
+  memset(BBB, 0, sizeof(BBB));
+  memset(CCC, 0, sizeof(CCC));
+  int res = 0;
+  char *p = AAA + idx;
+  printf("AAA: %p\ny: %p\nz: %p\np: %p\n", AAA, BBB, CCC, p);
+  // make sure BBB and CCC are not removed;
+  return *(short*)(p) + BBB[argc % 2] + CCC[argc % 2];
+}
+// CHECK-m2:  'AAA' <== Memory access at offset 30 underflows this variable
+// CHECK-m1:  'AAA' <== Memory access at offset 31 partially underflows this variable
+// CHECK-9:   'AAA' <== Memory access at offset 41 partially overflows this variable
+// CHECK-10:  'AAA' <== Memory access at offset 42 overflows this variable
+// CHECK-62:  'BBB' <== Memory access at offset 94 underflows this variable
+// CHECK-63:  'BBB' <== Memory access at offset 95 partially underflows this variable
+// CHECK-73:  'BBB' <== Memory access at offset 105 partially overflows this variable
+// CHECK-74:  'BBB' <== Memory access at offset 106 overflows this variable
+// CHECK-126: 'CCC' <== Memory access at offset 158 underflows this variable
+// CHECK-127: 'CCC' <== Memory access at offset 159 partially underflows this variable
+// CHECK-137: 'CCC' <== Memory access at offset 169 partially overflows this variable
+// CHECK-138: 'CCC' <== Memory access at offset 170 overflows this variable

Modified: compiler-rt/trunk/lib/asan/lit_tests/TestCases/stack-use-after-return.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/lit_tests/TestCases/stack-use-after-return.cc?rev=189806&r1=189805&r2=189806&view=diff
==============================================================================
--- compiler-rt/trunk/lib/asan/lit_tests/TestCases/stack-use-after-return.cc (original)
+++ compiler-rt/trunk/lib/asan/lit_tests/TestCases/stack-use-after-return.cc Tue Sep  3 08:58:04 2013
@@ -35,6 +35,7 @@ void Func2(char *x) {
   // CHECK: WRITE of size 1 {{.*}} thread T0
   // CHECK:     #0{{.*}}Func2{{.*}}stack-use-after-return.cc:[[@LINE-2]]
   // CHECK: is located in stack of thread T0 at offset
+  // CHECK: 'local' <== Memory access at offset 32 is inside this variable
 }
 
 int main(int argc, char **argv) {

More information about the llvm-commits mailing list