[compiler-rt] r214711 - [asan] introduce __asan_poison_cxx_array_cookie. This is asan-rt part of PR19838 (Left OOB accesses on new[]-allocated arrays with array cookies are not detected). No tests yet. They will follow once I commit the clang part.
Kostya Serebryany
kcc at google.com
Mon Aug 4 05:43:13 PDT 2014
Author: kcc
Date: Mon Aug 4 07:43:13 2014
New Revision: 214711
URL: http://llvm.org/viewvc/llvm-project?rev=214711&view=rev
Log:
[asan] introduce __asan_poison_cxx_array_cookie. This is asan-rt part of PR19838 (Left OOB accesses on new[]-allocated arrays with array cookies are not detected). No tests yet. They will follow once I commit the clang part.
Modified:
compiler-rt/trunk/lib/asan/asan_flags.h
compiler-rt/trunk/lib/asan/asan_interface_internal.h
compiler-rt/trunk/lib/asan/asan_internal.h
compiler-rt/trunk/lib/asan/asan_poisoning.cc
compiler-rt/trunk/lib/asan/asan_report.cc
compiler-rt/trunk/lib/asan/asan_rtl.cc
Modified: compiler-rt/trunk/lib/asan/asan_flags.h
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_flags.h?rev=214711&r1=214710&r2=214711&view=diff
==============================================================================
--- compiler-rt/trunk/lib/asan/asan_flags.h (original)
+++ compiler-rt/trunk/lib/asan/asan_flags.h Mon Aug 4 07:43:13 2014
@@ -57,6 +57,7 @@ struct Flags {
bool print_full_thread_history;
bool poison_heap;
bool poison_partial;
+ bool poison_array_cookie;
bool alloc_dealloc_mismatch;
bool new_delete_type_mismatch;
bool strict_memcmp;
Modified: compiler-rt/trunk/lib/asan/asan_interface_internal.h
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_interface_internal.h?rev=214711&r1=214710&r2=214711&view=diff
==============================================================================
--- compiler-rt/trunk/lib/asan/asan_interface_internal.h (original)
+++ compiler-rt/trunk/lib/asan/asan_interface_internal.h Mon Aug 4 07:43:13 2014
@@ -162,6 +162,9 @@ extern "C" {
void* __asan_memset(void *s, int c, uptr n);
SANITIZER_INTERFACE_ATTRIBUTE
void* __asan_memmove(void* dest, const void* src, uptr n);
+
+ SANITIZER_INTERFACE_ATTRIBUTE
+ void __asan_poison_cxx_array_cookie(uptr p);
} // extern "C"
#endif // ASAN_INTERFACE_INTERNAL_H
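Review bot: The new declaration `__asan_poison_cxx_array_cookie(uptr p)` has no comment stating what `p` must be. The definition in asan_poisoning.cc writes exactly one shadow byte at `MEM_TO_SHADOW(p)`, so the caller presumably has to pass the address of the cookie itself, aligned to the shadow granule. I would add above the declaration something like `// Poisons the shadow byte covering the operator new[] array cookie at p; no-op when poison_array_cookie=0.`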
Modified: compiler-rt/trunk/lib/asan/asan_internal.h
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_internal.h?rev=214711&r1=214710&r2=214711&view=diff
==============================================================================
--- compiler-rt/trunk/lib/asan/asan_internal.h (original)
+++ compiler-rt/trunk/lib/asan/asan_internal.h Mon Aug 4 07:43:13 2014
@@ -136,6 +136,7 @@ const int kAsanContiguousContainerOOBMag
const int kAsanStackUseAfterScopeMagic = 0xf8;
const int kAsanGlobalRedzoneMagic = 0xf9;
const int kAsanInternalHeapMagic = 0xfe;
+const int kAsanArrayCookieMagic = 0xac;
static const uptr kCurrentStackFrameMagic = 0x41B58AB3;
static const uptr kRetiredStackFrameMagic = 0x45E0360E;
Modified: compiler-rt/trunk/lib/asan/asan_poisoning.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_poisoning.cc?rev=214711&r1=214710&r2=214711&view=diff
==============================================================================
--- compiler-rt/trunk/lib/asan/asan_poisoning.cc (original)
+++ compiler-rt/trunk/lib/asan/asan_poisoning.cc Mon Aug 4 07:43:13 2014
@@ -227,6 +227,13 @@ void __sanitizer_unaligned_store64(uu64
*p = x;
}
+extern "C" SANITIZER_INTERFACE_ATTRIBUTE
+void __asan_poison_cxx_array_cookie(uptr p) {
+ if (!flags()->poison_array_cookie) return;
+ uptr s = MEM_TO_SHADOW(p);
+ *reinterpret_cast<u8*>(s) = 0xac;
+}
+
// This is a simplified version of __asan_(un)poison_memory_region, which
// assumes that left border of region to be poisoned is properly aligned.
static void PoisonAlignedStackMemory(uptr addr, uptr size, bool do_poison) {
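Review bot: The store in `__asan_poison_cxx_array_cookie` writes the literal `0xac` instead of the `kAsanArrayCookieMagic` constant this commit adds in asan_internal.h, so the poisoning side and the `kAsanArrayCookieMagic` uses in asan_report.cc can drift apart silently; write `*reinterpret_cast<u8*>(s) = kAsanArrayCookieMagic;`. The function also marks a whole shadow granule unconditionally. If the cookie is smaller than the granule (plausibly 4 bytes on 32-bit targets) or `p` is not granule-aligned, neighbouring bytes would be reported as cookie too, so an early return or a check for that case seems warranted. Nothing validates that `p` maps to application memory before the shadow write, which looks acceptable only if the compiler-emitted call is the sole caller. The trailing context of this hunk (`PoisonAlignedStackMemory`) continues outside the hunk.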
Modified: compiler-rt/trunk/lib/asan/asan_report.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_report.cc?rev=214711&r1=214710&r2=214711&view=diff
==============================================================================
--- compiler-rt/trunk/lib/asan/asan_report.cc (original)
+++ compiler-rt/trunk/lib/asan/asan_report.cc Mon Aug 4 07:43:13 2014
@@ -59,6 +59,7 @@ class Decorator: public __sanitizer::San
switch (byte) {
case kAsanHeapLeftRedzoneMagic:
case kAsanHeapRightRedzoneMagic:
+ case kAsanArrayCookieMagic:
return Red();
case kAsanHeapFreeMagic:
return Magenta();
@@ -143,6 +144,8 @@ static void PrintLegend(InternalScopedSt
kAsanUserPoisonedMemoryMagic);
PrintShadowByte(str, " Container overflow: ",
kAsanContiguousContainerOOBMagic);
+ PrintShadowByte(str, " Array cookie: ",
+ kAsanArrayCookieMagic);
PrintShadowByte(str, " ASan internal: ", kAsanInternalHeapMagic);
}
@@ -905,6 +908,7 @@ void __asan_report_error(uptr pc, uptr b
switch (*shadow_addr) {
case kAsanHeapLeftRedzoneMagic:
case kAsanHeapRightRedzoneMagic:
+ case kAsanArrayCookieMagic:
bug_descr = "heap-buffer-overflow";
break;
case kAsanHeapFreeMagic:
Modified: compiler-rt/trunk/lib/asan/asan_rtl.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_rtl.cc?rev=214711&r1=214710&r2=214711&view=diff
==============================================================================
--- compiler-rt/trunk/lib/asan/asan_rtl.cc (original)
+++ compiler-rt/trunk/lib/asan/asan_rtl.cc Mon Aug 4 07:43:13 2014
@@ -191,6 +191,9 @@ static void ParseFlagsFromString(Flags *
"Poison (or not) the heap memory on [de]allocation. Zero value is useful "
"for benchmarking the allocator or instrumentator.");
+ ParseFlag(str, &f->poison_array_cookie, "poison_array_cookie",
+ "Poison (or not) the array cookie after operator new[].");
+
ParseFlag(str, &f->poison_partial, "poison_partial",
"If true, poison partially addressable 8-byte aligned words "
"(default=true). This flag affects heap and global buffers, but not "
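Review bot: The help string for `poison_array_cookie` does not state its default, unlike the `poison_partial` description right below it, which says `(default=true)`. Since InitializeFlags sets the flag to true in this same commit, I would write `"Poison (or not) the array cookie after operator new[] (default=true)."`. It is also worth saying in the description that turning the flag off means left out-of-bounds accesses into the cookie are no longer reported. ParseFlagsFromString starts and ends outside this hunk.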
@@ -272,6 +275,7 @@ void InitializeFlags(Flags *f, const cha
f->allow_reexec = true;
f->print_full_thread_history = true;
f->poison_heap = true;
+ f->poison_array_cookie = true;
f->poison_partial = true;
// Turn off alloc/dealloc mismatch checker on Mac and Windows for now.
// https://code.google.com/p/address-sanitizer/issues/detail?id=131