[PATCH] D46545: [sanitizer] Add fgets, fputs and puts into sanitizer_common

Peter Wu via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Mon Jun 11 02:11:18 PDT 2018


Lekensteyn marked 2 inline comments as done.
Lekensteyn added inline comments.


================
Comment at: lib/sanitizer_common/sanitizer_common_interceptors.inc:1197
+  COMMON_INTERCEPTOR_ENTER(ctx, fgets, s, size, file);
+  // FIXME: under ASan the call below may write to freed memory and corrupt
+  // its metadata. See
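Review bot: the FIXME in this hunk is cut off at "See" within the quoted context, so the reference it relies on is not visible here; since the reply below confirms the problem is still valid (COMMON_INTERCEPTOR_ENTER performs no parameter checks, so REAL(fgets) can write up to `size` bytes into `s` before any range check runs), the comment should state that mechanism and the tracking reference explicitly, e.g. `// FIXME: COMMON_INTERCEPTOR_ENTER does not validate s/size, so REAL(fgets) below may write into freed memory and corrupt its metadata; see <tracking issue>.`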
----------------
krytarowski wrote:
> Is this bug still valid? Is it Linux specific?
It seems still valid: `COMMON_INTERCEPTOR_ENTER` does not check the parameters, so `REAL(fgets)` below can overwrite invalid memory.

Reproducer with `fread` (which has the same issue):
```c
#include <stdio.h>
#include <stdlib.h>

int main(void) {
    FILE *fp = fopen("/proc/cpuinfo", "r");
    if (!fp)
        return 1;
    void *p = malloc(4096);
    if (!p)
        return 1;
    free(p);                          // buffer deliberately freed before the write
    if (!fread(p, 4096, 1, fp))       // 4096-byte write into freed memory (line 12 in the trace)
        perror("fread");
    fclose(fp);
    return 0;
}
```

Trace:
```
==4458==ERROR: AddressSanitizer: heap-use-after-free on address 0x621000000100 at pc 0x00000048f8c0 bp 0x7ffe28520fa0 sp 0x7ffe28520750
WRITE of size 4096 at 0x621000000100 thread T0
    #0 0x48f8bf in __interceptor_fread.part.52 projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:991:16
    #1 0x5274eb in main fread.c:12:10
    #2 0x7f6a35eb106a in __libc_start_main (/usr/lib/libc.so.6+0x2306a)
    #3 0x41d039 in _start (fread+0x41d039)

0x621000000100 is located 0 bytes inside of 4096-byte region [0x621000000100,0x621000001100)
freed by thread T0 here:
==4458==AddressSanitizer CHECK failed: projects/compiler-rt/lib/asan/asan_descriptions.cc:179 "((res.trace)) != (0)" (0x0, 0x0)
    #0 0x4f9575 in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) projects/compiler-rt/lib/asan/asan_rtl.cc:70:3
    #1 0x512009 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) projects/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:79:24
    #2 0x42b264 in GetStackTraceFromId projects/compiler-rt/lib/asan/asan_descriptions.cc:179:3
    #3 0x42b264 in __asan::HeapAddressDescription::Print() const projects/compiler-rt/lib/asan/asan_descriptions.cc:420:62
    #4 0x42ea03 in __asan::AddressDescription::Print(char const*) const projects/compiler-rt/lib/asan/asan_descriptions.h:224:31
    #5 0x42ea03 in __asan::ErrorGeneric::Print() projects/compiler-rt/lib/asan/asan_errors.cc:597:25
    #6 0x4f9086 in __asan::ErrorDescription::Print() projects/compiler-rt/lib/asan/asan_errors.h:422:7
    #7 0x4f9086 in __asan::ScopedInErrorReport::~ScopedInErrorReport() projects/compiler-rt/lib/asan/asan_report.cc:142:55
    #8 0x4f9086 in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) projects/compiler-rt/lib/asan/asan_report.cc:460:38
    #9 0x48f8e1 in __interceptor_fread.part.52 projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:991:16
    #10 0x5274eb in main fread.c:12:10
    #11 0x7f6a35eb106a in __libc_start_main (/usr/lib/libc.so.6+0x2306a)
    #12 0x41d039 in _start (fread+0x41d039)

```


https://reviews.llvm.org/D46545
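A toy model of the ordering problem described in this reply, added here as an example and not compiler-rt code: a small allocation table (a constructed stand-in for ASan's shadow memory and quarantine) lets a `checked_fgets` wrapper validate the destination range before the real `fgets` runs, so a freed buffer is reported instead of written to. `Block`, `track_alloc`, `track_free`, `range_is_live`, `checked_fgets` and `run_scenario` are hypothetical names, and the input line is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model, constructed for this example (not compiler-rt code): a small table
 * of allocations stands in for ASan's shadow memory and quarantine. */
typedef struct { char *base; size_t len; int live; } Block;
static Block tracked[8];
static int ntracked, uaf_reports;   /* uaf_reports: where ASan would report */
static char *track_alloc(size_t len) {
    char *p = malloc(len);
    if (!p || ntracked == 8) { free(p); return NULL; }
    tracked[ntracked++] = (Block){p, len, 1};
    return p;
}
/* Mark the block dead but keep its metadata, as a quarantine would. */
static void track_free(char *p) {
    for (int i = 0; i < ntracked; i++)
        if (tracked[i].base == p) tracked[i].live = 0;
}
/* 1 if [p, p+len) lies entirely inside one live tracked block. */
static int range_is_live(const char *p, size_t len) {
    for (int i = 0; i < ntracked; i++)
        if (tracked[i].live && p >= tracked[i].base &&
            p + len <= tracked[i].base + tracked[i].len)
            return 1;
    return 0;
}
/* Unlike the interceptor under review, the destination range is validated
 * before the real fgets runs, so a freed buffer is reported, not written. */
static char *checked_fgets(char *s, int size, FILE *f) {
    if (size <= 0 || !range_is_live(s, (size_t)size)) { uaf_reports++; return NULL; }
    return fgets(s, size, f);
}

/* Read one constructed line into a tracked 64-byte buffer, freed first when
 * freed != 0. Returns reports raised (0 or 1), or -1 if the live read failed. */
int run_scenario(int freed) {
    static const char line[] = "model name : constructed sample\n";
    FILE *f = tmpfile();
    char *buf = track_alloc(64);
    if (!f || !buf) return -1;
    fputs(line, f); rewind(f);
    if (freed) track_free(buf);
    int before = uaf_reports;
    char *res = checked_fgets(buf, 64, f);
    int ok = freed ? res == NULL : (res != NULL && strcmp(buf, line) == 0);
    fclose(f); free(buf);
    return ok ? uaf_reports - before : -1;
}
```

`run_scenario(1)` mirrors the reproducer above (freed buffer, one report, nothing written); `run_scenario(0)` shows the live path reading the line with no report.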