[compiler-rt] r314365 - ASan allocates a global data initialization array at the tail end of each

Dmitry Mikulin via llvm-commits llvm-commits at lists.llvm.org
Wed Sep 27 16:32:01 PDT 2017


Author: dmikulin
Date: Wed Sep 27 16:32:01 2017
New Revision: 314365

URL: http://llvm.org/viewvc/llvm-project?rev=314365&view=rev
Log:
ASan allocates a global data initialization array at the tail end of each
compunit's .data section. This vector is not poisoned. Because of this the
first symbol of the following section has no left red zone. As a result, ASan
cannot detect underflow for such symbols.

Poison ASan-allocated metadata; it should not be accessible to user code.

This fix does not eliminate the problem with missing left red zones but it
reduces the set of vulnerable symbols from first symbols in each input data
section to first symbols in the output section of the binary.

Differential Revision: https://reviews.llvm.org/D38056

Added:
    compiler-rt/trunk/test/asan/TestCases/Helpers/underflow.cc
    compiler-rt/trunk/test/asan/TestCases/global-underflow.cc
Modified:
    compiler-rt/trunk/lib/asan/asan_globals.cc

Modified: compiler-rt/trunk/lib/asan/asan_globals.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_globals.cc?rev=314365&r1=314364&r2=314365&view=diff
==============================================================================
--- compiler-rt/trunk/lib/asan/asan_globals.cc (original)
+++ compiler-rt/trunk/lib/asan/asan_globals.cc Wed Sep 27 16:32:01 2017
@@ -384,6 +384,10 @@ void __asan_register_globals(__asan_glob
     }
     RegisterGlobal(&globals[i]);
   }
+
+  // Poison the metadata. It should not be accessible to user code.
+  PoisonShadow(reinterpret_cast<uptr>(globals), n * sizeof(__asan_global),
+               kAsanGlobalRedzoneMagic);
 }
 
 // Unregister an array of globals.
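Review bot: The poisoning added at the end of __asan_register_globals has no counterpart in this patch. The function that follows (per the trailing context comment, "Unregister an array of globals") is not touched, so the shadow for the `globals` array stays marked with kAsanGlobalRedzoneMagic after the globals themselves are unregistered. If that memory can be reused once a module is unloaded, later legitimate accesses to it would be reported as global redzone hits. Suggest unpoisoning the same range, `n * sizeof(__asan_global)` starting at `globals`, in the unregister path, or adding a comment here that says why this is not needed.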

Added: compiler-rt/trunk/test/asan/TestCases/Helpers/underflow.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/asan/TestCases/Helpers/underflow.cc?rev=314365&view=auto
==============================================================================
--- compiler-rt/trunk/test/asan/TestCases/Helpers/underflow.cc (added)
+++ compiler-rt/trunk/test/asan/TestCases/Helpers/underflow.cc Wed Sep 27 16:32:01 2017
@@ -0,0 +1 @@
+int YYY[3]={1,2,3};
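Review bot: Missing documentation on the single line of this helper: nothing says why YYY has to live in its own translation unit. A one-line comment would help, for example that the file exists so YYY is the first symbol of its compunit's data section and therefore sits right after the metadata array emitted for global-underflow.cc. Style point on the same line: `int YYY[3] = {1, 2, 3};` would match the spacing used for XXX in the test.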

Added: compiler-rt/trunk/test/asan/TestCases/global-underflow.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/asan/TestCases/global-underflow.cc?rev=314365&view=auto
==============================================================================
--- compiler-rt/trunk/test/asan/TestCases/global-underflow.cc (added)
+++ compiler-rt/trunk/test/asan/TestCases/global-underflow.cc Wed Sep 27 16:32:01 2017
@@ -0,0 +1,17 @@
+// RUN: %clangxx_asan -O0 %s %p/Helpers/underflow.cc -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O1 %s %p/Helpers/underflow.cc -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O2 %s %p/Helpers/underflow.cc -o %t && not %run %t 2>&1 | FileCheck %s
+// RUN: %clangxx_asan -O3 %s %p/Helpers/underflow.cc -o %t && not %run %t 2>&1 | FileCheck %s
+
+int XXX[2] = {2, 3};
+extern int YYY[];
+#include <string.h>
+int main(int argc, char **argv) {
+  memset(XXX, 0, 2*sizeof(int));
+  // CHECK: {{READ of size 4 at 0x.* thread T0}}
+  // CHECK: {{    #0 0x.* in main .*global-underflow.cc:}}[[@LINE+3]]
+  // CHECK: {{0x.* is located 4 bytes to the left of global variable}}
+  // CHECK:   {{.*YYY.* of size 12}}
+  int res = YYY[-1];
+  return res;
+}
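Review bot: The test depends on object layout that is not documented anywhere in the file. It only detects the bug if the data of this file, and the ASan metadata that follows it, is placed immediately before YYY, which in turn depends on the RUN lines passing %s before %p/Helpers/underflow.cc. Please add a short comment above `int XXX[2] = {2, 3};` stating that assumption, and say what `memset(XXX, 0, 2*sizeof(int));` is for, since the result is never read and a later cleanup could remove it as dead code. Minor: `#include <string.h>` sits after the global declarations; moving it to the top would follow the usual ordering.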



