[compiler-rt] r357889 - [Sanitizer] Fix a possible write to freed memory in the wcrtomb interceptor

Pavel Labath via llvm-commits llvm-commits at lists.llvm.org
Mon Apr 8 01:39:51 PDT 2019 

Author: labath
Date: Mon Apr  8 01:39:50 2019
New Revision: 357889

URL: http://llvm.org/viewvc/llvm-project?rev=357889&view=rev
Log:
[Sanitizer] Fix a possible write to freed memory in the wcrtomb interceptor

Summary:
r357240 added an interceptor for wctomb, which uses a temporary local
buffer to make sure we don't write to unallocated memory. This patch
applies the same technique to wcrtomb, and adds some additional tests
for this function.

Reviewers: vitalybuka, eugenis

Subscribers: kubamracek, delcypher, llvm-commits, #sanitizers

Tags: #llvm, #sanitizers

Differential Revision: https://reviews.llvm.org/D59984

Added:
    compiler-rt/trunk/test/asan/TestCases/wcrtomb.c
    compiler-rt/trunk/test/sanitizer_common/TestCases/wcrtomb.c
Modified:
    compiler-rt/trunk/lib/sanitizer_common/sanitizer_common_interceptors.inc

Modified: compiler-rt/trunk/lib/sanitizer_common/sanitizer_common_interceptors.inc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/sanitizer_common/sanitizer_common_interceptors.inc?rev=357889&r1=357888&r2=357889&view=diff
==============================================================================
--- compiler-rt/trunk/lib/sanitizer_common/sanitizer_common_interceptors.inc (original)
+++ compiler-rt/trunk/lib/sanitizer_common/sanitizer_common_interceptors.inc Mon Apr  8 01:39:50 2019
@@ -3524,13 +3524,16 @@ INTERCEPTOR(SIZE_T, wcrtomb, char *dest,
   void *ctx;
   COMMON_INTERCEPTOR_ENTER(ctx, wcrtomb, dest, src, ps);
   if (ps) COMMON_INTERCEPTOR_READ_RANGE(ctx, ps, mbstate_t_sz);
-  // FIXME: under ASan the call below may write to freed memory and corrupt
-  // its metadata. See
-  // https://github.com/google/sanitizers/issues/321.
-  SIZE_T res = REAL(wcrtomb)(dest, src, ps);
-  if (res != ((SIZE_T)-1) && dest) {
-    SIZE_T write_cnt = res;
-    COMMON_INTERCEPTOR_WRITE_RANGE(ctx, dest, write_cnt);
+
+  if (!dest)
+    return REAL(wcrtomb)(dest, src, ps);
+
+  char local_dest[32];
+  SIZE_T res = REAL(wcrtomb)(local_dest, src, ps);
+  if (res != ((SIZE_T)-1)) {
+    CHECK_LE(res, sizeof(local_dest));
+    COMMON_INTERCEPTOR_WRITE_RANGE(ctx, dest, res);
+    REAL(memcpy)(dest, local_dest, res);
   }
   return res;
 }

Added: compiler-rt/trunk/test/asan/TestCases/wcrtomb.c
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/asan/TestCases/wcrtomb.c?rev=357889&view=auto
==============================================================================
--- compiler-rt/trunk/test/asan/TestCases/wcrtomb.c (added)
+++ compiler-rt/trunk/test/asan/TestCases/wcrtomb.c Mon Apr  8 01:39:50 2019
@@ -0,0 +1,13 @@
+// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
+
+#include <stdlib.h>
+#include <wchar.h>
+
+int main() {
+  char *buff = (char*) malloc(MB_CUR_MAX);
+  free(buff);
+  wcrtomb(buff, L'a', NULL);
+  // CHECK: use-after-free
+  // CHECK: SUMMARY
+  return 0;
+}

Added: compiler-rt/trunk/test/sanitizer_common/TestCases/wcrtomb.c
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/sanitizer_common/TestCases/wcrtomb.c?rev=357889&view=auto
==============================================================================
--- compiler-rt/trunk/test/sanitizer_common/TestCases/wcrtomb.c (added)
+++ compiler-rt/trunk/test/sanitizer_common/TestCases/wcrtomb.c Mon Apr  8 01:39:50 2019
@@ -0,0 +1,36 @@
+// RUN: %clang %s -o %t && %run %t 2>&1
+
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+#include <wchar.h>
+
+int main(int argc, char **argv) {
+  mbstate_t state;
+  memset(&state, 0, sizeof(state));
+
+  char buff[10];
+  size_t res = wcrtomb(buff, L'a', &state);
+  assert(res == 1);
+  assert(buff[0] == 'a');
+
+  res = wcrtomb(buff, L'\0', &state);
+  assert(res == 1);
+  assert(buff[0] == '\0');
+
+  res = wcrtomb(NULL, L'\0', &state);
+  assert(res == 1);
+
+  res = wcrtomb(buff, L'a', NULL);
+  assert(res == 1);
+  assert(buff[0] == 'a');
+
+  res = wcrtomb(buff, L'\0', NULL);
+  assert(res == 1);
+  assert(buff[0] == '\0');
+
+  res = wcrtomb(NULL, L'\0', NULL);
+  assert(res == 1);
+
+  return 0;
+}

More information about the llvm-commits mailing list