[compiler-rt] [msan] Detect dereferencing zero-alloc as use-of-uninitialized-memory (PR #155944)

[via llvm-commits]

llvmbot wrote:


<!--LLVM PR SUMMARY COMMENT-->

@llvm/pr-subscribers-compiler-rt-sanitizer

Author: Thurston Dang (thurstond)

<details>
<summary>Changes</summary>

When a zero-byte allocation is requested, MSan actually allocates 1-byte for compatibility. This change poisons that byte, to detect dereferences.

Also updates the test from #<!-- -->155934

---
Full diff: https://github.com/llvm/llvm-project/pull/155944.diff


2 Files Affected:

- (modified) compiler-rt/lib/msan/msan_allocator.cpp (+6) 
- (modified) compiler-rt/test/msan/zero_alloc.cpp (-4) 


``````````diff
diff --git a/compiler-rt/lib/msan/msan_allocator.cpp b/compiler-rt/lib/msan/msan_allocator.cpp
index 2b543db49d36e..64df863839c06 100644
--- a/compiler-rt/lib/msan/msan_allocator.cpp
+++ b/compiler-rt/lib/msan/msan_allocator.cpp
@@ -230,6 +230,12 @@ static void *MsanAllocate(BufferedStackTrace *stack, uptr size, uptr alignment,
       __msan_set_origin(allocated, size, o.raw_id());
     }
   }
+
+  uptr actually_allocated_size = allocator.GetActuallyAllocatedSize(allocated);
+  // For compatibility, the allocator converted 0-sized allocations into 1 byte
+  if (size == 0 && actually_allocated_size > 0 && flags()->poison_in_malloc)
+    __msan_poison(allocated, 1);
+
   UnpoisonParam(2);
   RunMallocHooks(allocated, size);
   return allocated;
diff --git a/compiler-rt/test/msan/zero_alloc.cpp b/compiler-rt/test/msan/zero_alloc.cpp
index e60051872eba2..6e38ce4c0a8f8 100644
--- a/compiler-rt/test/msan/zero_alloc.cpp
+++ b/compiler-rt/test/msan/zero_alloc.cpp
@@ -1,9 +1,5 @@
 // RUN: %clang_msan -Wno-alloc-size -fsanitize-recover=memory %s -o %t && not %run %t 2>&1 | FileCheck %s
 
-// MSan doesn't catch this because internally it translates 0-byte allocations
-// into 1-byte
-// XFAIL: *
-
 #include <malloc.h>
 #include <stdio.h>
 

``````````

</details>


https://github.com/llvm/llvm-project/pull/155944