[compiler-rt] 433b2ea - [hwasan] Always untag short granule in shadow.

Mitch Phillips via llvm-commits llvm-commits at lists.llvm.org
Tue Aug 24 14:14:21 PDT 2021 

Author: Mitch Phillips
Date: 2021-08-24T14:10:04-07:00
New Revision: 433b2eaf91afa35006899da8fd7f9bde3df3507c

URL: https://github.com/llvm/llvm-project/commit/433b2eaf91afa35006899da8fd7f9bde3df3507c
DIFF: https://github.com/llvm/llvm-project/commit/433b2eaf91afa35006899da8fd7f9bde3df3507c.diff

LOG: [hwasan] Always untag short granule in shadow.

Fixes a regression when the allocator is disabled, and a dirty
allocation is re-used. This only occurs when the allocator is disabled,
so a test-only fix, but still necessary.

Reviewed By: eugenis

Differential Revision: https://reviews.llvm.org/D108650

Added: 
    compiler-rt/test/hwasan/TestCases/short-granule-disabled.cpp

Modified: 
    compiler-rt/lib/hwasan/hwasan_allocator.cpp

Removed: 
    


################################################################################
diff  --git a/compiler-rt/lib/hwasan/hwasan_allocator.cpp b/compiler-rt/lib/hwasan/hwasan_allocator.cpp
index 63d86cf99e582..78f66d6c8c394 100644
--- a/compiler-rt/lib/hwasan/hwasan_allocator.cpp
+++ b/compiler-rt/lib/hwasan/hwasan_allocator.cpp
@@ -162,8 +162,11 @@ static void *HwasanAllocate(StackTrace *stack, uptr orig_size, uptr alignment,
     internal_memset(allocated, flags()->malloc_fill_byte, fill_size);
   }
   if (size != orig_size) {
-    internal_memcpy(reinterpret_cast<u8 *>(allocated) + orig_size, tail_magic,
-                    size - orig_size - 1);
+    u8 *tail = reinterpret_cast<u8 *>(allocated) + orig_size;
+    uptr tail_length = size - orig_size;
+    internal_memcpy(tail, tail_magic, tail_length - 1);
+    // Short granule is excluded from magic tail, so we explicitly untag.
+    tail[tail_length - 1] = 0;
   }
 
   void *user_ptr = allocated;

diff  --git a/compiler-rt/test/hwasan/TestCases/short-granule-disabled.cpp b/compiler-rt/test/hwasan/TestCases/short-granule-disabled.cpp
new file mode 100644
index 0000000000000..2f35b10bd8dad
--- /dev/null
+++ b/compiler-rt/test/hwasan/TestCases/short-granule-disabled.cpp
@@ -0,0 +1,21 @@
+// RUN: %clangxx_hwasan %s -o %t && %run %t 2>&1
+
+#include <sanitizer/hwasan_interface.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+// Regression test for https://reviews.llvm.org/D107938#2961070, where, on
+// reusing an allocation, we forgot to reset the short granule tag if the
+// allocator was disabled. This lead to a false positive magic-string mismatch.
+
+int main() {
+  void *p = malloc(16);
+  memset(p, 0xff, 16);
+  free(p);
+
+  // Relies on the LRU cache immediately recycling the allocation above.
+  p = malloc(8);
+  free(p); // Regression was here, in the magic-string check in the runtime.
+  return 0;
+}

More information about the llvm-commits mailing list