[compiler-rt] r341007 - [hwasan] add a simple threaded UAF test, make it work on x86 (need to disable tagging in malloc with inside pthread_create)
Kostya Serebryany via llvm-commits
llvm-commits at lists.llvm.org
Wed Aug 29 17:44:55 PDT 2018
Author: kcc
Date: Wed Aug 29 17:44:55 2018
New Revision: 341007
URL: http://llvm.org/viewvc/llvm-project?rev=341007&view=rev
Log:
[hwasan] add a simple threaded UAF test, make it work on x86 (need to disable tagging in malloc inside pthread_create)
Added:
compiler-rt/trunk/test/hwasan/TestCases/thread-uaf.c
Modified:
compiler-rt/trunk/lib/hwasan/hwasan.cc
compiler-rt/trunk/lib/hwasan/hwasan_allocator.cc
compiler-rt/trunk/lib/hwasan/hwasan_interceptors.cc
compiler-rt/trunk/lib/hwasan/hwasan_thread.h
Modified: compiler-rt/trunk/lib/hwasan/hwasan.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/hwasan/hwasan.cc?rev=341007&r1=341006&r2=341007&view=diff
==============================================================================
--- compiler-rt/trunk/lib/hwasan/hwasan.cc (original)
+++ compiler-rt/trunk/lib/hwasan/hwasan.cc Wed Aug 29 17:44:55 2018
@@ -133,7 +133,12 @@ static void InitializeFlags() {
void GetStackTrace(BufferedStackTrace *stack, uptr max_s, uptr pc, uptr bp,
void *context, bool request_fast_unwind) {
Thread *t = GetCurrentThread();
- if (!t || !StackTrace::WillUseFastUnwind(request_fast_unwind)) {
+ if (!t) {
+ // the thread is still being created.
+ stack->size = 0;
+ return;
+ }
+ if (!StackTrace::WillUseFastUnwind(request_fast_unwind)) {
// Block reports from our interceptors during _Unwind_Backtrace.
SymbolizerScope sym_scope;
return stack->Unwind(max_s, pc, bp, context, 0, 0, request_fast_unwind);
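Review bot: The new `if (!t)` branch replaces the previous slow-unwind fallback with an empty trace for every caller that has no current Thread, so a report raised in that window prints no stack at all, and the one-line comment should say so rather than only naming the cause. Suggest `// No Thread object yet (e.g. the thread is still being created): report an empty trace instead of unwinding.` Before this change a missing Thread fell through to the slow unwinder; whether any report path relied on that is not visible here. The rest of GetStackTrace continues outside the hunk.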
Modified: compiler-rt/trunk/lib/hwasan/hwasan_allocator.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/hwasan/hwasan_allocator.cc?rev=341007&r1=341006&r2=341007&view=diff
==============================================================================
--- compiler-rt/trunk/lib/hwasan/hwasan_allocator.cc (original)
+++ compiler-rt/trunk/lib/hwasan/hwasan_allocator.cc Wed Aug 29 17:44:55 2018
@@ -166,7 +166,8 @@ static void *HwasanAllocate(StackTrace *
void *user_ptr = allocated;
if (flags()->tag_in_malloc &&
- atomic_load_relaxed(&hwasan_allocator_tagging_enabled))
+ atomic_load_relaxed(&hwasan_allocator_tagging_enabled) &&
+ !t->TaggingIsDisabled())
user_ptr = (void *)TagMemoryAligned(
(uptr)user_ptr, size, t ? t->GenerateRandomTag() : kFallbackAllocTag);
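Review bot: `!t->TaggingIsDisabled()` dereferences `t` unconditionally, while the very next line still guards with `t ? t->GenerateRandomTag() : kFallbackAllocTag`, so if `t` can be null here (as that fallback implies) the new condition crashes before the fallback is ever reached. Write the condition as `(!t || !t->TaggingIsDisabled())`, or drop the now-unreachable fallback if a null `t` is impossible at this point. HwasanAllocate begins outside this hunk, so where `t` comes from is not visible here.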
Modified: compiler-rt/trunk/lib/hwasan/hwasan_interceptors.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/hwasan/hwasan_interceptors.cc?rev=341007&r1=341006&r2=341007&view=diff
==============================================================================
--- compiler-rt/trunk/lib/hwasan/hwasan_interceptors.cc (original)
+++ compiler-rt/trunk/lib/hwasan/hwasan_interceptors.cc Wed Aug 29 17:44:55 2018
@@ -301,6 +301,7 @@ INTERCEPTOR(int, pthread_create, void *t
void * param) {
ENSURE_HWASAN_INITED(); // for GetTlsSize()
__sanitizer_pthread_attr_t myattr;
+ ScopedTaggingDisabler disabler;
if (!attr) {
pthread_attr_init(&myattr);
attr = &myattr;
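Review bot: `ScopedTaggingDisabler disabler;` calls `GetCurrentThread()->DisableTagging()` unconditionally, and this same commit teaches GetStackTrace that GetCurrentThread() can return null while a thread is still being created, so a pthread_create issued from a thread in that state would dereference null in both the constructor and the destructor. Whether ENSURE_HWASAN_INITED() rules that out is not visible here; the cheap guard belongs in the struct added to hwasan_thread.h in this commit: `ScopedTaggingDisabler() { if (Thread *t = GetCurrentThread()) t->DisableTagging(); }` and `~ScopedTaggingDisabler() { if (Thread *t = GetCurrentThread()) t->EnableTagging(); }`. The interceptor's signature and its tail after `pthread_attr_destroy` lie outside this hunk.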
@@ -309,8 +310,8 @@ INTERCEPTOR(int, pthread_create, void *t
AdjustStackSize(attr);
Thread *t = Thread::Create(callback, param);
-
- int res = REAL(pthread_create)(th, attr, HwasanThreadStartFunc, t);
+ int res = REAL(pthread_create)(UntagPtr(th), UntagPtr(attr),
+ HwasanThreadStartFunc, UntagPtr(t));
if (attr == &myattr)
pthread_attr_destroy(&myattr);
Modified: compiler-rt/trunk/lib/hwasan/hwasan_thread.h
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/hwasan/hwasan_thread.h?rev=341007&r1=341006&r2=341007&view=diff
==============================================================================
--- compiler-rt/trunk/lib/hwasan/hwasan_thread.h (original)
+++ compiler-rt/trunk/lib/hwasan/hwasan_thread.h Wed Aug 29 17:44:55 2018
@@ -81,6 +81,9 @@ class Thread {
tag_t GenerateRandomTag();
int destructor_iterations_;
+ void DisableTagging() { tagging_disabled_++; }
+ void EnableTagging() { tagging_disabled_--; }
+ bool TaggingIsDisabled() const { return tagging_disabled_; }
private:
// NOTE: There is no Thread constructor. It is allocated
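Review bot: `EnableTagging()` decrements an unsigned counter with no check, so one unmatched call wraps `tagging_disabled_` to 0xFFFFFFFF and silently leaves tagging disabled for the rest of the thread's life, which defeats the allocator's tag-mismatch detection on that thread; `void EnableTagging() { CHECK_GT(tagging_disabled_, 0); tagging_disabled_--; }` turns that into a loud failure. `TaggingIsDisabled()` also returns a `u32` through an implicit conversion; `return tagging_disabled_ != 0;` states the intent. The enclosing class Thread continues outside this hunk.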
@@ -106,6 +109,8 @@ class Thread {
u32 tid_;
ThreadContext *context_;
+
+ u32 tagging_disabled_; // if non-zero, malloc uses zero tag in this thread.
};
Thread *GetCurrentThread();
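Review bot: `u32 tagging_disabled_` has no initializer and, per the NOTE in this class that Thread has no constructor, its starting value depends entirely on how Thread storage is obtained; if that storage is not zero-filled, TaggingIsDisabled() could read true on a fresh thread and every allocation on it would skip tagging without any error. Worth confirming the zero-fill, or setting `tagging_disabled_ = 0` explicitly wherever Thread::Create initializes the other members, and extending the comment to `// Nesting count of ScopedTaggingDisabler; while non-zero, malloc in this thread returns untagged (zero-tag) pointers. Must start at 0.`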
@@ -114,6 +119,11 @@ void SetCurrentThread(Thread *t);
// Returns the ThreadRegistry singleton.
ThreadRegistry &GetThreadRegistry();
+struct ScopedTaggingDisabler {
+ ScopedTaggingDisabler() { GetCurrentThread()->DisableTagging(); }
+ ~ScopedTaggingDisabler() { GetCurrentThread()->EnableTagging(); }
+};
+
// Returns the ThreadRegistry singleton.
} // namespace __hwasan
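Review bot: ScopedTaggingDisabler is copyable, and a copy would run EnableTagging() twice for a single DisableTagging(), unbalancing the per-thread counter; add `ScopedTaggingDisabler(const ScopedTaggingDisabler &) = delete;` and `ScopedTaggingDisabler &operator=(const ScopedTaggingDisabler &) = delete;`. A short comment above the struct stating the contract would also help readers of the header: the object adjusts the calling thread's counter and must be destroyed on the same thread that created it.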
Added: compiler-rt/trunk/test/hwasan/TestCases/thread-uaf.c
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/hwasan/TestCases/thread-uaf.c?rev=341007&view=auto
==============================================================================
--- compiler-rt/trunk/test/hwasan/TestCases/thread-uaf.c (added)
+++ compiler-rt/trunk/test/hwasan/TestCases/thread-uaf.c Wed Aug 29 17:44:55 2018
@@ -0,0 +1,26 @@
+// RUN: %clang_hwasan %s -o %t && not %run %t 2>&1 | FileCheck %s
+// REQUIRES: stable-runtime
+
+#include <pthread.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+#include <sanitizer/hwasan_interface.h>
+
+void *Thread(void *arg) {
+ char * volatile x = (char*)malloc(10);
+ fprintf(stderr, "ZZZ %p\n", x);
+ free(x);
+ x[5] = 42;
+ // CHECK: ERROR: HWAddressSanitizer: tag-mismatch on address
+ // CHECK: WRITE of size 1
+ // CHECK: thread-uaf.c:[[@LINE-3]]
+ return NULL;
+}
+
+int main() {
+ __hwasan_enable_allocator_tagging();
+ pthread_t t;
+ pthread_create(&t, NULL, Thread, NULL);
+ pthread_join(t, NULL);
+}
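Review bot: `fprintf(stderr, "ZZZ %p\n", x);` in Thread() reads as leftover debugging output — no CHECK line consumes it — so either drop it or bind it with `// CHECK: ZZZ` so the log line has a purpose. main() also ignores pthread_create's return value: if creation fails the program exits 0 without performing the access, and the test then fails only on a missing CHECK line rather than with a clear cause; `if (pthread_create(&t, NULL, Thread, NULL)) { perror("pthread_create"); return 1; }` makes that explicit.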