[compiler-rt] r277518 - [asan] Intercept RtlRaiseException instead of kernel32!RaiseException

Reid Kleckner via llvm-commits llvm-commits at lists.llvm.org
Tue Aug 2 13:36:30 PDT 2016 

Author: rnk
Date: Tue Aug  2 15:36:29 2016
New Revision: 277518

URL: http://llvm.org/viewvc/llvm-project?rev=277518&view=rev
Log:
[asan] Intercept RtlRaiseException instead of kernel32!RaiseException

Summary:
On my install of Windows 10, RaiseException is a tail call to
kernelbase!RaiseException. Obviously, we fail to intercept that.
Instead, try hooking at the ntdll!RtlRaiseException layer. It is
unlikely that this layer will contain control flow.

Intercepting at this level requires adding a decoding for
'LEA ESP, [ESP + 0xXXXXXXXX]', which is a really obscure way to write
'SUB ESP, 0xXXXXXXXX' that avoids clobbering EFLAGS.

Reviewers: etienneb

Subscribers: llvm-commits, kubabrecka

Differential Revision: https://reviews.llvm.org/D23046

Modified:
    compiler-rt/trunk/lib/asan/asan_win.cc
    compiler-rt/trunk/lib/interception/interception_win.cc
    compiler-rt/trunk/lib/interception/tests/interception_win_test.cc
    compiler-rt/trunk/test/asan/TestCases/Windows/dll_host.cc

Modified: compiler-rt/trunk/lib/asan/asan_win.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_win.cc?rev=277518&r1=277517&r2=277518&view=diff
==============================================================================
--- compiler-rt/trunk/lib/asan/asan_win.cc (original)
+++ compiler-rt/trunk/lib/asan/asan_win.cc Tue Aug  2 15:36:29 2016
@@ -71,10 +71,10 @@ void __asan_default_on_error() {}
 }  // extern "C"
 
 // ---------------------- Windows-specific interceptors ---------------- {{{
-INTERCEPTOR_WINAPI(void, RaiseException, void *a, void *b, void *c, void *d) {
-  CHECK(REAL(RaiseException));
+INTERCEPTOR_WINAPI(void, RtlRaiseException, void *ExceptionRecord) {
+  CHECK(REAL(RtlRaiseException));
   __asan_handle_no_return();
-  REAL(RaiseException)(a, b, c, d);
+  REAL(RtlRaiseException)(ExceptionRecord);
 }
 
 
@@ -135,7 +135,10 @@ namespace __asan {
 
 void InitializePlatformInterceptors() {
   ASAN_INTERCEPT_FUNC(CreateThread);
-  ASAN_INTERCEPT_FUNC(RaiseException);
+  // RtlRaiseException is always linked dynamically.
+  CHECK(::__interception::OverrideFunction("RtlRaiseException",
+                                           (uptr)WRAP(RtlRaiseException),
+                                           (uptr *)&REAL(RtlRaiseException)));
 
 #ifdef _WIN64
   ASAN_INTERCEPT_FUNC(__C_specific_handler);

Modified: compiler-rt/trunk/lib/interception/interception_win.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/interception/interception_win.cc?rev=277518&r1=277517&r2=277518&view=diff
==============================================================================
--- compiler-rt/trunk/lib/interception/interception_win.cc (original)
+++ compiler-rt/trunk/lib/interception/interception_win.cc Tue Aug  2 15:36:29 2016
@@ -565,6 +565,9 @@ static size_t GetInstructionSize(uptr ad
     case 0x24748B:  // 8B 74 24 XX : mov esi, dword ptr [esp + XX]
     case 0x247C8B:  // 8B 7C 24 XX : mov edi, dword ptr [esp + XX]
       return 4;
+
+    case 0x24A48D:  // 8D A4 24 XX XX XX XX : lea esp, [esp + XX XX XX XX]
+      return 7;
   }
 
   switch (*(u32*)address) {

Modified: compiler-rt/trunk/lib/interception/tests/interception_win_test.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/interception/tests/interception_win_test.cc?rev=277518&r1=277517&r2=277518&view=diff
==============================================================================
--- compiler-rt/trunk/lib/interception/tests/interception_win_test.cc (original)
+++ compiler-rt/trunk/lib/interception/tests/interception_win_test.cc Tue Aug  2 15:36:29 2016
@@ -163,6 +163,13 @@ const u8 kPatchableCode4[] = {
     0x90, 0x90, 0x90, 0x90,
 };
 
+const u8 kPatchableCode5[] = {
+    0x55,                                      // push    ebp
+    0x8b, 0xec,                                // mov     ebp,esp
+    0x8d, 0xa4, 0x24, 0x30, 0xfd, 0xff, 0xff,  // lea     esp,[esp-2D0h]
+    0x54,                                      // push    esp
+};
+
 const u8 kUnpatchableCode1[] = {
     0xC3,                           // ret
 };
@@ -474,6 +481,7 @@ TEST(Interception, PatchableFunction) {
   EXPECT_TRUE(TestFunctionPatching(kPatchableCode3, override));
 #endif
   EXPECT_TRUE(TestFunctionPatching(kPatchableCode4, override));
+  EXPECT_TRUE(TestFunctionPatching(kPatchableCode5, override));
 
   EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode1, override));
   EXPECT_FALSE(TestFunctionPatching(kUnpatchableCode2, override));

Modified: compiler-rt/trunk/test/asan/TestCases/Windows/dll_host.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/asan/TestCases/Windows/dll_host.cc?rev=277518&r1=277517&r2=277518&view=diff
==============================================================================
--- compiler-rt/trunk/test/asan/TestCases/Windows/dll_host.cc (original)
+++ compiler-rt/trunk/test/asan/TestCases/Windows/dll_host.cc Tue Aug  2 15:36:29 2016
@@ -24,7 +24,7 @@
 // IMPORT: __asan_wrap_HeapReAlloc
 // IMPORT: __asan_wrap_HeapSize
 // IMPORT: __asan_wrap_CreateThread
-// IMPORT: __asan_wrap_RaiseException
+// IMPORT: __asan_wrap_RtlRaiseException
 //
 // The exception handlers differ in 32-bit and 64-bit, so we ignore them:
 // RUN: grep '[E]XPORT:' %s | sed -e 's/.*[E]XPORT: //' > %t.exported_wrappers3

More information about the llvm-commits mailing list