[compiler-rt] r192581 - [ASan] Don't die with internal ASan error on large buffer overflows

Alexey Samsonov samsonov at google.com
Mon Oct 14 04:13:55 PDT 2013 

Author: samsonov
Date: Mon Oct 14 06:13:54 2013
New Revision: 192581

URL: http://llvm.org/viewvc/llvm-project?rev=192581&view=rev
Log:
[ASan] Don't die with internal ASan error on large buffer overflows

Summary:
Out-of-bound access may touch not-yet allocated or already freed
and recycled from quarantine chunks. We should treat this situation as
a "free-range memory access" and avoid printing any data about that
irrelevant chunk (which may be inconsistent).

This should fix https://code.google.com/p/address-sanitizer/issues/detail?id=183

Reviewers: kcc

Reviewed By: kcc

CC: timurrrr, llvm-commits

Differential Revision: http://llvm-reviews.chandlerc.com/D1893

Added:
    compiler-rt/trunk/lib/asan/lit_tests/TestCases/heap-overflow-large.cc
Modified:
    compiler-rt/trunk/lib/asan/asan_allocator.h
    compiler-rt/trunk/lib/asan/asan_allocator2.cc
    compiler-rt/trunk/lib/asan/asan_report.cc
    compiler-rt/trunk/lib/asan/lit_tests/TestCases/null_deref.cc

Modified: compiler-rt/trunk/lib/asan/asan_allocator.h
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_allocator.h?rev=192581&r1=192580&r2=192581&view=diff
==============================================================================
--- compiler-rt/trunk/lib/asan/asan_allocator.h (original)
+++ compiler-rt/trunk/lib/asan/asan_allocator.h Mon Oct 14 06:13:54 2013
@@ -35,10 +35,11 @@ void InitializeAllocator();
 class AsanChunkView {
  public:
   explicit AsanChunkView(AsanChunk *chunk) : chunk_(chunk) {}
-  bool IsValid() { return chunk_ != 0; }
-  uptr Beg();       // first byte of user memory.
-  uptr End();       // last byte of user memory.
-  uptr UsedSize();  // size requested by the user.
+  bool IsValid();   // Checks if AsanChunkView points to a valid allocated
+                    // or quarantined chunk.
+  uptr Beg();       // First byte of user memory.
+  uptr End();       // Last byte of user memory.
+  uptr UsedSize();  // Size requested by the user.
   uptr AllocTid();
   uptr FreeTid();
   void GetAllocStack(StackTrace *stack);

Modified: compiler-rt/trunk/lib/asan/asan_allocator2.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_allocator2.cc?rev=192581&r1=192580&r2=192581&view=diff
==============================================================================
--- compiler-rt/trunk/lib/asan/asan_allocator2.cc (original)
+++ compiler-rt/trunk/lib/asan/asan_allocator2.cc Mon Oct 14 06:13:54 2013
@@ -218,6 +218,9 @@ struct AsanChunk: ChunkBase {
   }
 };
 
+bool AsanChunkView::IsValid() {
+  return chunk_ != 0 && chunk_->chunk_state != CHUNK_AVAILABLE;
+}
 uptr AsanChunkView::Beg() { return chunk_->Beg(); }
 uptr AsanChunkView::End() { return Beg() + UsedSize(); }
 uptr AsanChunkView::UsedSize() { return chunk_->UsedSize(); }
@@ -228,9 +231,8 @@ static void GetStackTraceFromId(u32 id,
   CHECK(id);
   uptr size = 0;
   const uptr *trace = StackDepotGet(id, &size);
-  CHECK_LT(size, kStackTraceMax);
-  internal_memcpy(stack->trace, trace, sizeof(uptr) * size);
-  stack->size = size;
+  CHECK(trace);
+  stack->CopyFrom(trace, size);
 }
 
 void AsanChunkView::GetAllocStack(StackTrace *stack) {

Modified: compiler-rt/trunk/lib/asan/asan_report.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_report.cc?rev=192581&r1=192580&r2=192581&view=diff
==============================================================================
--- compiler-rt/trunk/lib/asan/asan_report.cc (original)
+++ compiler-rt/trunk/lib/asan/asan_report.cc Mon Oct 14 06:13:54 2013
@@ -414,7 +414,11 @@ static void DescribeAccessToHeapChunk(As
 
 void DescribeHeapAddress(uptr addr, uptr access_size) {
   AsanChunkView chunk = FindHeapChunkByAddress(addr);
-  if (!chunk.IsValid()) return;
+  if (!chunk.IsValid()) {
+    Printf("AddressSanitizer can not describe address in more detail "
+           "(wild memory access suspected).\n");
+    return;
+  }
   DescribeAccessToHeapChunk(chunk, addr, access_size);
   CHECK(chunk.AllocTid() != kInvalidTid);
   asanThreadRegistry().CheckLocked();
@@ -564,9 +568,9 @@ void ReportSIGSEGV(uptr pc, uptr sp, upt
              (void*)addr, (void*)pc, (void*)sp, (void*)bp,
              GetCurrentTidOrInvalid());
   Printf("%s", d.EndWarning());
-  Printf("AddressSanitizer can not provide additional info.\n");
   GET_STACK_TRACE_FATAL(pc, bp);
   PrintStack(&stack);
+  Printf("AddressSanitizer can not provide additional info.\n");
   ReportSummary("SEGV", &stack);
 }
 

Added: compiler-rt/trunk/lib/asan/lit_tests/TestCases/heap-overflow-large.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/lit_tests/TestCases/heap-overflow-large.cc?rev=192581&view=auto
==============================================================================
--- compiler-rt/trunk/lib/asan/lit_tests/TestCases/heap-overflow-large.cc (added)
+++ compiler-rt/trunk/lib/asan/lit_tests/TestCases/heap-overflow-large.cc Mon Oct 14 06:13:54 2013
@@ -0,0 +1,23 @@
+// Regression test for
+// https://code.google.com/p/address-sanitizer/issues/detail?id=183
+
+// RUN: %clangxx_asan -O2 %s -o %t
+// RUN: not %t 12 2>&1 | FileCheck %s
+// RUN: not %t 100 2>&1 | FileCheck %s
+// RUN: not %t 10000 2>&1 | FileCheck %s
+
+#include <stdlib.h>
+#include <string.h>
+
+int main(int argc, char *argv[]) {
+  int *x = new int[5];
+  memset(x, 0, sizeof(x[0]) * 5);
+  int index = atoi(argv[1]);
+  int res = x[index];
+  // CHECK: AddressSanitizer: {{(heap-buffer-overflow|SEGV)}}
+  // CHECK: #0 0x{{.*}} in main {{.*}}heap-overflow-large.cc:[[@LINE-2]]
+  // CHECK: AddressSanitizer can not {{(provide additional info|describe address in more detail \(wild memory access suspected\))}}
+  // CHECK: SUMMARY: AddressSanitizer: {{(heap-buffer-overflow|SEGV)}}
+  delete[] x;
+  return res;
+}

Modified: compiler-rt/trunk/lib/asan/lit_tests/TestCases/null_deref.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/lit_tests/TestCases/null_deref.cc?rev=192581&r1=192580&r2=192581&view=diff
==============================================================================
--- compiler-rt/trunk/lib/asan/lit_tests/TestCases/null_deref.cc (original)
+++ compiler-rt/trunk/lib/asan/lit_tests/TestCases/null_deref.cc Mon Oct 14 06:13:54 2013
@@ -11,7 +11,6 @@ __attribute__((noinline))
 static void NullDeref(int *ptr) {
   // CHECK: ERROR: AddressSanitizer: SEGV on unknown address
   // CHECK:   {{0x0*00028 .*pc 0x.*}}
-  // CHECK: {{AddressSanitizer can not provide additional info.}}
   ptr[10]++;  // BOOM
   // atos on Mac cannot extract the symbol name correctly.
   // CHECK-Linux: {{    #0 0x.* in NullDeref.*null_deref.cc:}}[[@LINE-2]]
@@ -20,4 +19,5 @@ static void NullDeref(int *ptr) {
 int main() {
   NullDeref((int*)0);
   // CHECK: {{    #1 0x.* in main.*null_deref.cc:}}[[@LINE-1]]
+  // CHECK: {{AddressSanitizer can not provide additional info.}}
 }

More information about the llvm-commits mailing list