[compiler-rt] [HWASan] Prevent same tag for adjacent heap objects (PR #69337)

via llvm-commits llvm-commits at lists.llvm.org
Tue Nov 21 01:09:21 PST 2023


================
@@ -345,13 +364,21 @@ static void HwasanDeallocate(StackTrace *stack, void *tagged_ptr) {
     // Always store full 8-bit tags on free to maximize UAF detection.
     tag_t tag;
     if (t) {
-      // Make sure we are not using a short granule tag as a poison tag. This
-      // would make us attempt to read the memory on a UaF.
-      // The tag can be zero if tagging is disabled on this thread.
-      do {
-        tag = t->GenerateRandomTag(/*num_bits=*/8);
-      } while (
-          UNLIKELY((tag < kShadowAlignment || tag == pointer_tag) && tag != 0));
+      if (t->TaggingDisabled()) {
+        tag = 0;
+      } else {
+        tag_t previous_tag = *(tag_t *)(MemToShadow((uptr)(aligned_ptr)-1));
+        tag_t following_tag = *(
+            tag_t *)(MemToShadow((uptr)(aligned_ptr) + TaggedSize(orig_size)));
+        // Make sure we are not using a short granule tag as a poison tag. This
+        // would make us attempt to read the memory on a UaF.
+        // The tag can be zero if tagging is disabled on this thread.
+        do {
+          tag = t->GenerateRandomTag(/*num_bits=*/8);
+        } while (UNLIKELY(tag < kShadowAlignment || tag == pointer_tag ||
+                          tag == previous_tag || tag == following_tag) &&
+                 tag != 0);
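Review bot: the retained comment "The tag can be zero if tagging is disabled on this thread." and the trailing `&& tag != 0` now sit inside the `else` branch that only runs when `t->TaggingDisabled()` is false, so the comment no longer describes this path and the zero check is either dead or harmful. If `GenerateRandomTag` cannot return 0 once tagging is enabled, the clause is redundant and the comment should go; if it can, a zero tag is accepted even when `previous_tag` or `following_tag` is also zero, which is exactly the adjacent-object collision this change is meant to prevent. Suggest dropping `&& tag != 0` (or, if it is still needed, moving it back inside `UNLIKELY(...)` as in the removed lines) and replacing the stale comment with one that explains why the loop also rejects `previous_tag` and `following_tag`, e.g. "Avoid reusing the tag of the neighbouring granules so an off-by-one access into the freed object is still detected."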
----------------
KonradHohentanner wrote:

Yes, I think I underestimated the additional logic needed to handle the TaggingDisabled case, since it didn't come up in my previous evaluation.
 
Thank you again for your time and for your feedback!

https://github.com/llvm/llvm-project/pull/69337

