diff options
author | Vedant Kumar <vsk@apple.com> | 2017-06-15 18:23:16 +0000 |
---|---|---|
committer | Vedant Kumar <vsk@apple.com> | 2017-06-15 18:23:16 +0000 |
commit | 6f8de12f02063d5900c639d46dd34788e4c0fd82 (patch) | |
tree | f1f8c91a05566d0b3aa14638972778bf18541c1e /test/ubsan | |
parent | 435e37653c947127ede69a90981d1fc609721555 (diff) |
[ubsan] Fix a faulty memory accessibility check
The dynamic type check needs to inspect vtables, but could crash if it
encounters a vtable pointer to inaccessible memory. In the first attempt
to fix the issue (r304437), we performed a memory accessibility check on
the wrong range of memory. This should *really* fix the problem.
Patch by Max Moroz!
Differential Revision: https://reviews.llvm.org/D34215
git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@305489 91177308-0d34-0410-b5e6-96231b3b80d8
Diffstat (limited to 'test/ubsan')
-rw-r--r-- | test/ubsan/TestCases/TypeCheck/Linux/PR33221.cpp | 50 | ||||
-rw-r--r-- | test/ubsan/TestCases/TypeCheck/Linux/lit.local.cfg | 9 | ||||
-rw-r--r-- | test/ubsan/TestCases/TypeCheck/PR33221.cpp | 2 |
3 files changed, 60 insertions, 1 deletions
diff --git a/test/ubsan/TestCases/TypeCheck/Linux/PR33221.cpp b/test/ubsan/TestCases/TypeCheck/Linux/PR33221.cpp new file mode 100644 index 000000000..e026e8d05 --- /dev/null +++ b/test/ubsan/TestCases/TypeCheck/Linux/PR33221.cpp @@ -0,0 +1,50 @@ +// RUN: %clangxx -std=c++11 -frtti -fsanitize=vptr -g %s -O3 -o %t +// RUN: %run %t &> %t.log +// RUN: cat %t.log | not count 0 && FileCheck --input-file %t.log %s || cat %t.log | count 0 + +// REQUIRES: cxxabi + +#include <sys/mman.h> +#include <unistd.h> + +class Base { +public: + int i; + virtual void print() {} +}; + +class Derived : public Base { +public: + void print() {} +}; + + +int main() { + int page_size = getpagesize(); + + void *non_accessible = mmap(nullptr, page_size, PROT_NONE, + MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + + if (non_accessible == MAP_FAILED) + return 0; + + void *accessible = mmap((char*)non_accessible + page_size, page_size, + PROT_READ | PROT_WRITE, + MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + if (accessible == MAP_FAILED) + return 0; + + char *c = new char[sizeof(Derived)]; + + // The goal is to trigger a condition when Vptr points to accessible memory, + // but VptrPrefix does not. That has been triggering SIGSEGV in UBSan code. + void **vtable_ptr = reinterpret_cast<void **>(c); + *vtable_ptr = (void*)accessible; + + Derived *list = (Derived *)c; + +// CHECK: PR33221.cpp:[[@LINE+2]]:19: runtime error: member access within address {{.*}} which does not point to an object of type 'Base' +// CHECK-NEXT: invalid vptr + int foo = list->i; + return 0; +} diff --git a/test/ubsan/TestCases/TypeCheck/Linux/lit.local.cfg b/test/ubsan/TestCases/TypeCheck/Linux/lit.local.cfg new file mode 100644 index 000000000..57271b807 --- /dev/null +++ b/test/ubsan/TestCases/TypeCheck/Linux/lit.local.cfg @@ -0,0 +1,9 @@ +def getRoot(config): + if not config.parent: + return config + return getRoot(config.parent) + +root = getRoot(config) + +if root.host_os not in ['Linux']: + config.unsupported = True diff --git a/test/ubsan/TestCases/TypeCheck/PR33221.cpp b/test/ubsan/TestCases/TypeCheck/PR33221.cpp index 09411aa50..c691e5fb2 100644 --- a/test/ubsan/TestCases/TypeCheck/PR33221.cpp +++ b/test/ubsan/TestCases/TypeCheck/PR33221.cpp @@ -18,7 +18,7 @@ public: int main() { char *c = new char[sizeof(Derived)]; - memset((void *)c, 0, sizeof(Derived)); + memset((void *)c, 0xFF, sizeof(Derived)); Derived *list = (Derived *)c; // CHECK: PR33221.cpp:[[@LINE+2]]:19: runtime error: member access within address {{.*}} which does not point to an object of type 'Base' |