[compiler-rt] r264481 - [asan] bump the scariness score of read-after-frees (based on feedback from the Chrome security team)
Kostya Serebryany via llvm-commits
llvm-commits at lists.llvm.org
Fri Mar 25 17:00:19 PDT 2016
Author: kcc
Date: Fri Mar 25 19:00:19 2016
New Revision: 264481
URL: http://llvm.org/viewvc/llvm-project?rev=264481&view=rev
Log:
[asan] bump the scariness score of read-after-frees (based on feedback from the Chrome security team)
Modified:
compiler-rt/trunk/lib/asan/asan_report.cc
compiler-rt/trunk/test/asan/TestCases/Linux/scariness_score_test.cc
Modified: compiler-rt/trunk/lib/asan/asan_report.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_report.cc?rev=264481&r1=264480&r2=264481&view=diff
==============================================================================
--- compiler-rt/trunk/lib/asan/asan_report.cc (original)
+++ compiler-rt/trunk/lib/asan/asan_report.cc Fri Mar 25 19:00:19 2016
@@ -1098,6 +1098,8 @@ void ReportGenericError(uptr pc, uptr bp
bool far_from_bounds = false;
shadow_val = *shadow_addr;
int bug_type_score = 0;
+ // For use-after-frees reads are almost as bad as writes.
+ int read_after_free_bonus = 0;
switch (shadow_val) {
case kAsanHeapLeftRedzoneMagic:
case kAsanHeapRightRedzoneMagic:
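Review bot: The name and comment on `read_after_free_bonus` mention only use-after-free, but a later hunk also sets it in the `kAsanStackAfterReturnMagic` arm, so the declaration understates where the bonus applies. The comment would help triage more if it gave the reason, for example `// Reads of freed heap or returned stack memory score almost like writes: the stale value read may later be used as a pointer or size.` ReportGenericError starts and ends outside this hunk.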
@@ -1109,6 +1111,7 @@ void ReportGenericError(uptr pc, uptr bp
case kAsanHeapFreeMagic:
bug_descr = "heap-use-after-free";
bug_type_score = 20;
+ if (!is_write) read_after_free_bonus = 18;
break;
case kAsanStackLeftRedzoneMagic:
bug_descr = "stack-buffer-underflow";
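Review bot: The literal `18` in `if (!is_write) read_after_free_bonus = 18;` is repeated in the stack-use-after-return hunk and has no stated derivation. It presumably tracks the gap between the read and write access scores assigned elsewhere in this function, which is not visible here; if those scores change, both copies would drift silently. A single named constant declared next to the variable, e.g. `const int kReadAfterFreeBonus = 18;  // keeps reads just below the write score`, and used in both arms would keep them in step. The switch these arms belong to begins and ends outside this hunk.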
@@ -1129,6 +1132,7 @@ void ReportGenericError(uptr pc, uptr bp
case kAsanStackAfterReturnMagic:
bug_descr = "stack-use-after-return";
bug_type_score = 30;
+ if (!is_write) read_after_free_bonus = 18;
break;
case kAsanUserPoisonedMemoryMagic:
bug_descr = "use-after-poison";
@@ -1158,7 +1162,7 @@ void ReportGenericError(uptr pc, uptr bp
far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
break;
}
- SS.Scare(bug_type_score, bug_descr);
+ SS.Scare(bug_type_score + read_after_free_bonus, bug_descr);
if (far_from_bounds)
SS.Scare(10, "far-from-bounds");
}
Modified: compiler-rt/trunk/test/asan/TestCases/Linux/scariness_score_test.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/asan/TestCases/Linux/scariness_score_test.cc?rev=264481&r1=264480&r2=264481&view=diff
==============================================================================
--- compiler-rt/trunk/test/asan/TestCases/Linux/scariness_score_test.cc (original)
+++ compiler-rt/trunk/test/asan/TestCases/Linux/scariness_score_test.cc Fri Mar 25 19:00:19 2016
@@ -166,14 +166,14 @@ int main(int argc, char **argv) {
// CHECK3: SCARINESS: 33 (2-byte-write-heap-buffer-overflow)
// CHECK4: SCARINESS: 52 (8-byte-write-heap-buffer-overflow-far-from-bounds)
// CHECK5: SCARINESS: 55 (multi-byte-write-heap-buffer-overflow-far-from-bounds)
- // CHECK6: SCARINESS: 22 (1-byte-read-heap-use-after-free)
+ // CHECK6: SCARINESS: 40 (1-byte-read-heap-use-after-free)
// CHECK7: SCARINESS: 46 (4-byte-write-heap-use-after-free)
- // CHECK8: SCARINESS: 33 (8-byte-read-heap-use-after-free)
+ // CHECK8: SCARINESS: 51 (8-byte-read-heap-use-after-free)
// CHECK9: SCARINESS: 55 (multi-byte-write-heap-use-after-free)
// CHECK10: SCARINESS: 46 (1-byte-write-stack-buffer-overflow)
// CHECK11: SCARINESS: 38 (8-byte-read-stack-buffer-overflow)
// CHECK12: SCARINESS: 61 (4-byte-write-stack-buffer-overflow-far-from-bounds)
- // CHECK13: SCARINESS: 32 (1-byte-read-stack-use-after-return)
+ // CHECK13: SCARINESS: 50 (1-byte-read-stack-use-after-return)
// CHECK14: SCARINESS: 65 (multi-byte-write-stack-use-after-return)
// CHECK15: SCARINESS: 31 (1-byte-write-global-buffer-overflow)
// CHECK16: SCARINESS: 36 (multi-byte-read-global-buffer-overflow-far-from-bounds)