[PATCH] D23616: [asan] Add __asan_memset_real to allow poisoning shadow directly from instrumented code
Filipe Cabecinhas via llvm-commits
llvm-commits at lists.llvm.org
Thu Aug 18 05:46:21 PDT 2016
Hi Vitaly,
Can you add a test for this?
Something like this would probably work:
////////////////////////////////////////////
// RUN: %run %t 0x00 | FileCheck %s -check-prefix=X00
// RUN: %run %t 0xf1 | FileCheck %s -check-prefix=XF1
// RUN: %run %t 0xf2 | FileCheck %s -check-prefix=XF2
// RUN: %run %t 0xf3 | FileCheck %s -check-prefix=XF3
// RUN: %run %t 0xf5 | FileCheck %s -check-prefix=XF5
// RUN: %run %t 0xf8 | FileCheck %s -check-prefix=XF8
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sanitizer/asan_interface.h>
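// Shadow mapping parameters; main() fills them in via
// __asan_get_shadow_mapping() before MEM_TO_SHADOW() is ever evaluated.
size_t shadow_offset;
size_t shadow_scale;

// Address of the shadow byte that covers application address `addr`:
//   shadow = (addr >> shadow_scale) + shadow_offset
// The argument is parenthesized (and widened to size_t) so that an
// arbitrary expression such as `a & b` or `c ? x : y` is shifted as a
// whole instead of being re-associated with the `>>`.
#define MEM_TO_SHADOW(addr) ((((size_t)(addr)) >> shadow_scale) + shadow_offset)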
// Prototypes for the ASan runtime's shadow-setting entry points, one per
// shadow byte value exercised below. Each writes `size` shadow bytes
// starting at shadow address `addr`; the definitions live in the runtime,
// so they are declared with C linkage here.
extern "C" void __asan_set_shadow_00(size_t addr, size_t size);
extern "C" void __asan_set_shadow_f1(size_t addr, size_t size);
extern "C" void __asan_set_shadow_f2(size_t addr, size_t size);
extern "C" void __asan_set_shadow_f3(size_t addr, size_t size);
extern "C" void __asan_set_shadow_f5(size_t addr, size_t size);
extern "C" void __asan_set_shadow_f8(size_t addr, size_t size);
// Return the byte that `a` points at. Not called from main() in this
// listing; it is a plain one-byte load helper.
char f(char *a) {
  char value = a[0];
  return value;
}
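// Set the shadow byte of a local one-byte array to the value selected by
// `arg` (0x00, 0xf1, 0xf2, 0xf3, 0xf5 or 0xf8) through the matching
// __asan_set_shadow_xx runtime hook, then read the array so that the
// instrumented load hits that shadow value (the FileCheck directives
// below list the expected report for each value; 0x00 expects none).
// Any other `arg` is a bug in the test driver: the function aborts
// instead of falling off its end, which would be undefined behaviour
// once NDEBUG removes the assert.
long g(long arg) {
  // 8-byte alignment puts `arr` at the start of a shadow granule, so a
  // single shadow byte describes it.
  char arr[1] __attribute__((aligned(8)));
  size_t iarr = (size_t)arr;
  switch (arg) {
#define CASE(xx) case 0x##xx: \
  __asan_set_shadow_##xx(MEM_TO_SHADOW(iarr), 1); \
  return *arr;
  // X00-NOT: AddressSanitizer
  CASE(00);
  // XF1: AddressSanitizer: stack-buffer-underflow
  // XF1: [f1]
  CASE(f1);
  // XF2: AddressSanitizer: stack-buffer-overflow
  // XF2: [f2]
  CASE(f2);
  // XF3: AddressSanitizer: stack-buffer-overflow
  // XF3: [f3]
  CASE(f3);
  // XF5: AddressSanitizer: stack-use-after-return
  // XF5: [f5]
  CASE(f5);
  // XF8: AddressSanitizer: stack-use-after-scope
  // XF8: [f8]
  CASE(f8);
#undef CASE
  default:
    break;
  }
  // Unknown shadow value requested: fail loudly in every build mode.
  assert(false);
  abort();
}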
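// Entry point: parse the requested shadow byte value (hexadecimal) from
// argv[1], fetch the shadow mapping parameters from the runtime, and run
// g(). Usage errors exit with status 1 instead of relying on assert(),
// which disappears under NDEBUG and would otherwise let argv[1] be read
// as NULL.
int main(int argc, char **argv) {
  if (argc < 2) {
    fputs("usage: <shadow-byte-hex>\n", stderr);
    return 1;
  }
  __asan_get_shadow_mapping(&shadow_scale, &shadow_offset);
  char *end = nullptr;
  long arg = strtol(argv[1], &end, 16);
  // Reject an empty or partially parsed argument so a typo does not get
  // silently mapped onto some other case in g().
  if (end == argv[1] || *end != '\0') {
    fputs("bad shadow byte value\n", stderr);
    return 1;
  }
  g(arg);
  puts("Done"); // Otherwise we get: FileCheck error: '-' is empty
  return 0;
}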
////////////////////////////////////////////
That way, you end up testing that the shadow address does get
poisoned/unpoisoned with the value you want.
Thank you,
Filipe