[compiler-rt] r268243 - [sanitizer] Fix a crash in SizeClassAllocator32 with an out-of-range pointer

Kuba Brecka via llvm-commits llvm-commits at lists.llvm.org
Mon May 2 08:23:01 PDT 2016


Author: kuba.brecka
Date: Mon May  2 10:23:01 2016
New Revision: 268243

URL: http://llvm.org/viewvc/llvm-project?rev=268243&view=rev
Log:
[sanitizer] Fix a crash in SizeClassAllocator32 with an out-of-range pointer

This happens on a 64-bit platform that uses SizeClassAllocator32 (e.g. ASan on AArch64). When querying a large invalid pointer, `__sanitizer_get_allocated_size(0xdeadbeefdeadbeef)`, an assertion will fail. This patch changes PointerIsMine to return false if the pointer is outside of [kSpaceBeg, kSpaceBeg + kSpaceSize).

Differential Revision: http://reviews.llvm.org/D15008


Added:
    compiler-rt/trunk/test/asan/TestCases/Darwin/malloc_size_crash.mm
Modified:
    compiler-rt/trunk/lib/sanitizer_common/sanitizer_allocator.h

Modified: compiler-rt/trunk/lib/sanitizer_common/sanitizer_allocator.h
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/sanitizer_common/sanitizer_allocator.h?rev=268243&r1=268242&r2=268243&view=diff
==============================================================================
--- compiler-rt/trunk/lib/sanitizer_common/sanitizer_allocator.h (original)
+++ compiler-rt/trunk/lib/sanitizer_common/sanitizer_allocator.h Mon May  2 10:23:01 2016
@@ -769,6 +769,9 @@ class SizeClassAllocator32 {
   }
 
   bool PointerIsMine(const void *p) {
+    uptr mem = reinterpret_cast<uptr>(p);
+    if (mem < kSpaceBeg || mem >= kSpaceBeg + kSpaceSize)
+      return false;
     return GetSizeClass(p) != 0;
   }
 
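Review bot: The upper bound `kSpaceBeg + kSpaceSize` is computed in uptr, so on a configuration where kSpaceBeg is 0 and kSpaceSize spans the whole address space the sum can wrap to 0 and `mem >= 0` would reject every pointer; please confirm the instantiations used by the 32-bit ports cannot hit this, or compare against `kSpaceSize - 1 - kSpaceBeg` (i.e. `mem - kSpaceBeg >= kSpaceSize`) to avoid the overflow. Relatedly, `mem < kSpaceBeg` is always false when kSpaceBeg is 0 and some compilers warn on it; guarding that half with `kSpaceBeg != 0 &&` keeps the build warning-free.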

Added: compiler-rt/trunk/test/asan/TestCases/Darwin/malloc_size_crash.mm
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/asan/TestCases/Darwin/malloc_size_crash.mm?rev=268243&view=auto
==============================================================================
--- compiler-rt/trunk/test/asan/TestCases/Darwin/malloc_size_crash.mm (added)
+++ compiler-rt/trunk/test/asan/TestCases/Darwin/malloc_size_crash.mm Mon May  2 10:23:01 2016
@@ -0,0 +1,15 @@
+// RUN: %clang_asan %s -o %t -framework Foundation
+// RUN: %run %t 2>&1 | FileCheck %s
+
+#import <Foundation/Foundation.h>
+#include <malloc/malloc.h>
+
+int main(int argc, char *argv[]) {
+  id obj = @0;
+  fprintf(stderr, "obj = %p\n", obj);
+  size_t size = malloc_size(obj);
+  fprintf(stderr, "size = 0x%zx\n", size);
+  fprintf(stderr, "Done.\n");
+  // CHECK: Done.
+  return 0;
+}
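Review bot: The test only checks that "Done." is printed, so a regression that makes malloc_size return a bogus non-zero size for this non-heap object without asserting would still pass; if the intended result for this pointer is 0, add a `// CHECK: size = 0x0` line before `Done.` so the value is verified as well. Also, since the crash being fixed is specific to 64-bit targets using SizeClassAllocator32 (per the commit message), consider noting in a comment which configurations this test is meaningful on, and `argc`/`argv` are unused and could be dropped from `main`.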