diff options
author | Kostya Serebryany <kcc@google.com> | 2014-10-17 01:22:37 +0000 |
---|---|---|
committer | Kostya Serebryany <kcc@google.com> | 2014-10-17 01:22:37 +0000 |
commit | d97858de5d17a669dcdf6c0b3c0eaf9d6e4fef75 (patch) | |
tree | dd4948b70d5261f4d8b0d27b96f3ad289d5c9f17 | |
parent | 1365cf2482bfea7cdfb2edfe90dcb1c911d550e4 (diff) |
[asan] the run-time part of intra-object-overflow detector (-fsanitize-address-field-padding=1). Note that all of this is still experimental; don't use unless you are brave.
git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@220013 91177308-0d34-0410-b5e6-96231b3b80d8
-rw-r--r-- | lib/asan/asan_interface_internal.h | 4 | ||||
-rw-r--r-- | lib/asan/asan_internal.h | 1 | ||||
-rw-r--r-- | lib/asan/asan_poisoning.cc | 32 | ||||
-rw-r--r-- | lib/asan/asan_report.cc | 7 | ||||
-rw-r--r-- | test/asan/TestCases/intra-object-overflow.cc | 31 |
5 files changed, 75 insertions, 0 deletions
diff --git a/lib/asan/asan_interface_internal.h b/lib/asan/asan_interface_internal.h index a8399754a..edaf44d78 100644 --- a/lib/asan/asan_interface_internal.h +++ b/lib/asan/asan_interface_internal.h @@ -173,6 +173,10 @@ extern "C" { void __asan_poison_cxx_array_cookie(uptr p); SANITIZER_INTERFACE_ATTRIBUTE uptr __asan_load_cxx_array_cookie(uptr *p); + SANITIZER_INTERFACE_ATTRIBUTE + void __asan_poison_intra_object_redzone(uptr p, uptr size); + SANITIZER_INTERFACE_ATTRIBUTE + void __asan_unpoison_intra_object_redzone(uptr p, uptr size); } // extern "C" #endif // ASAN_INTERFACE_INTERNAL_H diff --git a/lib/asan/asan_internal.h b/lib/asan/asan_internal.h index 798d687b8..f9f924308 100644 --- a/lib/asan/asan_internal.h +++ b/lib/asan/asan_internal.h @@ -135,6 +135,7 @@ const int kAsanStackUseAfterScopeMagic = 0xf8; const int kAsanGlobalRedzoneMagic = 0xf9; const int kAsanInternalHeapMagic = 0xfe; const int kAsanArrayCookieMagic = 0xac; +const int kAsanIntraObjectRedzone = 0xbb; static const uptr kCurrentStackFrameMagic = 0x41B58AB3; static const uptr kRetiredStackFrameMagic = 0x45E0360E; diff --git a/lib/asan/asan_poisoning.cc b/lib/asan/asan_poisoning.cc index f7f715d5d..1c6e92f69 100644 --- a/lib/asan/asan_poisoning.cc +++ b/lib/asan/asan_poisoning.cc @@ -61,6 +61,27 @@ void FlushUnneededASanShadowMemory(uptr p, uptr size) { FlushUnneededShadowMemory(shadow_beg, shadow_end - shadow_beg); } +void AsanPoisonOrUnpoisonIntraObjectRedzone(uptr ptr, uptr size, bool poison) { + uptr end = ptr + size; + if (common_flags()->verbosity) { + Printf("__asan_%spoison_intra_object_redzone [%p,%p) %zd\n", + poison ? "" : "un", ptr, end, size); + if (common_flags()->verbosity >= 2) + PRINT_CURRENT_STACK(); + } + CHECK(size); + CHECK_LE(size, 4096); + CHECK(IsAligned(end, SHADOW_GRANULARITY)); + if (!IsAligned(ptr, SHADOW_GRANULARITY)) { + *(u8 *)MemToShadow(ptr) = + poison ? static_cast<u8>(ptr % SHADOW_GRANULARITY) : 0; + ptr |= SHADOW_GRANULARITY - 1; + ptr++; + } + for (; ptr < end; ptr += SHADOW_GRANULARITY) + *(u8*)MemToShadow(ptr) = poison ? kAsanIntraObjectRedzone : 0; +} + } // namespace __asan // ---------------------- Interface ---------------- {{{1 @@ -375,6 +396,17 @@ int __sanitizer_verify_contiguous_container(const void *beg_p, return 0; return 1; } + +extern "C" SANITIZER_INTERFACE_ATTRIBUTE +void __asan_poison_intra_object_redzone(uptr ptr, uptr size) { + AsanPoisonOrUnpoisonIntraObjectRedzone(ptr, size, true); +} + +extern "C" SANITIZER_INTERFACE_ATTRIBUTE +void __asan_unpoison_intra_object_redzone(uptr ptr, uptr size) { + AsanPoisonOrUnpoisonIntraObjectRedzone(ptr, size, false); +} + // --- Implementation of LSan-specific functions --- {{{1 namespace __lsan { bool WordIsPoisoned(uptr addr) { diff --git a/lib/asan/asan_report.cc b/lib/asan/asan_report.cc index 7e79adb70..27f1d346a 100644 --- a/lib/asan/asan_report.cc +++ b/lib/asan/asan_report.cc @@ -94,6 +94,8 @@ class Decorator: public __sanitizer::SanitizerCommonDecorator { return Red(); case kAsanInternalHeapMagic: return Yellow(); + case kAsanIntraObjectRedzone: + return Yellow(); default: return Default(); } @@ -168,6 +170,8 @@ static void PrintLegend(InternalScopedString *str) { kAsanContiguousContainerOOBMagic); PrintShadowByte(str, " Array cookie: ", kAsanArrayCookieMagic); + PrintShadowByte(str, " Intra object redzone: ", + kAsanIntraObjectRedzone); PrintShadowByte(str, " ASan internal: ", kAsanInternalHeapMagic); } @@ -981,6 +985,9 @@ void __asan_report_error(uptr pc, uptr bp, uptr sp, uptr addr, int is_write, case kAsanGlobalRedzoneMagic: bug_descr = "global-buffer-overflow"; break; + case kAsanIntraObjectRedzone: + bug_descr = "intra-object-overflow"; + break; } } diff --git a/test/asan/TestCases/intra-object-overflow.cc b/test/asan/TestCases/intra-object-overflow.cc new file mode 100644 index 000000000..e48a261f5 --- /dev/null +++ b/test/asan/TestCases/intra-object-overflow.cc @@ -0,0 +1,31 @@ +// RUN: %clangxx_asan -O0 -fsanitize-address-field-padding=1 %s -o %t +// RUN: not %run %t 11 2>&1 | FileCheck %s +// RUN: %run %t 10 +// +// FIXME: fix 32-bits. +// REQUIRES: asan-64-bits +#include <stdio.h> +#include <stdlib.h> +class Foo { + public: + Foo() : pre1(1), pre2(2), post1(3), post2(4) { + } + virtual ~Foo() { + } + void set(int i, int val) { a[i] = val; } +// CHECK: ERROR: AddressSanitizer: intra-object-overflow +// CHECK: #0 {{.*}}Foo::set{{.*}}intra-object-overflow.cc:[[@LINE-2]] + private: + int pre1, pre2; + int a[11]; + int post1, post2; +}; + +int main(int argc, char **argv) { + int idx = argc == 2 ? atoi(argv[1]) : 0; + Foo *foo = new Foo; + foo->set(idx, 42); +// CHECK: #1 {{.*}}main{{.*}}intra-object-overflow.cc:[[@LINE-1]] +// CHECK: is located 84 bytes inside of 128-byte region + delete foo; +} |