From d97da5b44c1d8c1fa5c23b8f16dc630105517993 Mon Sep 17 00:00:00 2001
From: Maxim Ostapenko <chefmax7@gmail.com>
Date: Mon, 18 Dec 2017 15:31:26 +0000
Subject: [asan] Add interceptor for printf_chk

There could be a situation when a specific DSO was built with FORTIFY_SOURCE option. In case asan-ed binary link against that DSO,
libasan can't handle the possible memory error because it does not have interceptors for spinrtf_chk, snprintf_chk, vprintf_chk,
vsnprintf_chk, __fprintf_chk functions. Let's interceptors for them.

Patch by Denis Khalikov.

Differential Revision: https://reviews.llvm.org/D40951


git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@320990 91177308-0d34-0410-b5e6-96231b3b80d8
---
 .../sanitizer_common_interceptors.inc              | 43 ++++++++++++++++++++++
 .../sanitizer_platform_interceptors.h              |  3 ++
 test/asan/TestCases/Linux/printf-fortify-1.c       | 18 +++++++++
 test/asan/TestCases/Linux/printf-fortify-2.c       | 18 +++++++++
 test/asan/TestCases/Linux/printf-fortify-3.c       | 22 +++++++++++
 test/asan/TestCases/Linux/printf-fortify-4.c       | 22 +++++++++++
 test/asan/TestCases/Linux/printf-fortify-5.c       | 18 +++++++++
 7 files changed, 144 insertions(+)
 create mode 100644 test/asan/TestCases/Linux/printf-fortify-1.c
 create mode 100644 test/asan/TestCases/Linux/printf-fortify-2.c
 create mode 100644 test/asan/TestCases/Linux/printf-fortify-3.c
 create mode 100644 test/asan/TestCases/Linux/printf-fortify-4.c
 create mode 100644 test/asan/TestCases/Linux/printf-fortify-5.c

diff --git a/lib/sanitizer_common/sanitizer_common_interceptors.inc b/lib/sanitizer_common/sanitizer_common_interceptors.inc
index 7606e7a9e..592a8c7b0 100644
--- a/lib/sanitizer_common/sanitizer_common_interceptors.inc
+++ b/lib/sanitizer_common/sanitizer_common_interceptors.inc
@@ -1552,6 +1552,12 @@ INTERCEPTOR(int, vsnprintf, char *str, SIZE_T size, const char *format,
             va_list ap)
 VSNPRINTF_INTERCEPTOR_IMPL(vsnprintf, str, size, format, ap)
 
+#if SANITIZER_INTERCEPT___PRINTF_CHK
+INTERCEPTOR(int, __vsnprintf_chk, char *str, SIZE_T size, int flag,
+            SIZE_T size_to, const char *format, va_list ap)
+VSNPRINTF_INTERCEPTOR_IMPL(vsnprintf, str, size, format, ap)
+#endif
+
 #if SANITIZER_INTERCEPT_PRINTF_L
 INTERCEPTOR(int, vsnprintf_l, char *str, SIZE_T size, void *loc,
             const char *format, va_list ap)
@@ -1565,6 +1571,12 @@ FORMAT_INTERCEPTOR_IMPL(snprintf_l, vsnprintf_l, str, size, loc, format)
 INTERCEPTOR(int, vsprintf, char *str, const char *format, va_list ap)
 VSPRINTF_INTERCEPTOR_IMPL(vsprintf, str, format, ap)
 
+#if SANITIZER_INTERCEPT___PRINTF_CHK
+INTERCEPTOR(int, __vsprintf_chk, char *str, int flag, SIZE_T size_to,
+            const char *format, va_list ap)
+VSPRINTF_INTERCEPTOR_IMPL(vsprintf, str, format, ap)
+#endif
+
 INTERCEPTOR(int, vasprintf, char **strp, const char *format, va_list ap)
 VASPRINTF_INTERCEPTOR_IMPL(vasprintf, strp, format, ap)
 
@@ -1593,12 +1605,30 @@ FORMAT_INTERCEPTOR_IMPL(printf, vprintf, format)
 INTERCEPTOR(int, fprintf, __sanitizer_FILE *stream, const char *format, ...)
 FORMAT_INTERCEPTOR_IMPL(fprintf, vfprintf, stream, format)
 
+#if SANITIZER_INTERCEPT___PRINTF_CHK
+INTERCEPTOR(int, __fprintf_chk, __sanitizer_FILE *stream, SIZE_T size,
+            const char *format, ...)
+FORMAT_INTERCEPTOR_IMPL(__fprintf_chk, vfprintf, stream, format)
+#endif
+
 INTERCEPTOR(int, sprintf, char *str, const char *format, ...) // NOLINT
 FORMAT_INTERCEPTOR_IMPL(sprintf, vsprintf, str, format) // NOLINT
 
+#if SANITIZER_INTERCEPT___PRINTF_CHK
+INTERCEPTOR(int, __sprintf_chk, char *str, int flag, SIZE_T size_to,
+            const char *format, ...) // NOLINT
+FORMAT_INTERCEPTOR_IMPL(__sprintf_chk, vsprintf, str, format) // NOLINT
+#endif
+
 INTERCEPTOR(int, snprintf, char *str, SIZE_T size, const char *format, ...)
 FORMAT_INTERCEPTOR_IMPL(snprintf, vsnprintf, str, size, format)
 
+#if SANITIZER_INTERCEPT___PRINTF_CHK
+INTERCEPTOR(int, __snprintf_chk, char *str, SIZE_T size, int flag,
+            SIZE_T size_to, const char *format, ...) // NOLINT
+FORMAT_INTERCEPTOR_IMPL(__snprintf_chk, vsnprintf, str, size, format) // NOLINT
+#endif
+
 INTERCEPTOR(int, asprintf, char **strp, const char *format, ...)
 FORMAT_INTERCEPTOR_IMPL(asprintf, vasprintf, strp, format)
 
@@ -1638,6 +1668,17 @@ FORMAT_INTERCEPTOR_IMPL(__isoc99_snprintf, __isoc99_vsnprintf, str, size,
 #define INIT_PRINTF
 #endif
 
+#if SANITIZER_INTERCEPT___PRINTF_CHK
+#define INIT___PRINTF_CHK                     \
+  COMMON_INTERCEPT_FUNCTION(__sprintf_chk);   \
+  COMMON_INTERCEPT_FUNCTION(__snprintf_chk);  \
+  COMMON_INTERCEPT_FUNCTION(__vsprintf_chk);  \
+  COMMON_INTERCEPT_FUNCTION(__vsnprintf_chk); \
+  COMMON_INTERCEPT_FUNCTION(__fprintf_chk);
+#else
+#define INIT___PRINTF_CHK
+#endif
+
 #if SANITIZER_INTERCEPT_PRINTF_L
 #define INIT_PRINTF_L                     \
   COMMON_INTERCEPT_FUNCTION(snprintf_l);  \
@@ -6560,4 +6601,6 @@ static void InitializeCommonInterceptors() {
   COMMON_INTERCEPT_FUNCTION(__libc_mutex_unlock);
   COMMON_INTERCEPT_FUNCTION(__libc_thr_setcancelstate);
 #endif
+
+  INIT___PRINTF_CHK;
 }
diff --git a/lib/sanitizer_common/sanitizer_platform_interceptors.h b/lib/sanitizer_common/sanitizer_platform_interceptors.h
index 008709aa1..7e33fa59b 100644
--- a/lib/sanitizer_common/sanitizer_platform_interceptors.h
+++ b/lib/sanitizer_common/sanitizer_platform_interceptors.h
@@ -177,6 +177,9 @@
 # define SANITIZER_INTERCEPT_ISOC99_PRINTF SI_LINUX_NOT_ANDROID
 #endif
 
+#define SANITIZER_INTERCEPT___PRINTF_CHK \
+  (SANITIZER_INTERCEPT_PRINTF && SI_LINUX_NOT_ANDROID)
+
 #define SANITIZER_INTERCEPT_FREXP SI_NOT_FUCHSIA
 #define SANITIZER_INTERCEPT_FREXPF_FREXPL SI_POSIX
 
diff --git a/test/asan/TestCases/Linux/printf-fortify-1.c b/test/asan/TestCases/Linux/printf-fortify-1.c
new file mode 100644
index 000000000..2e0c70c1e
--- /dev/null
+++ b/test/asan/TestCases/Linux/printf-fortify-1.c
@@ -0,0 +1,18 @@
+// RUN: %clang -fPIC -shared -O2 -D_FORTIFY_SOURCE=2 -D_DSO %s -o %t.so
+// RUN: %clang_asan -o %t %t.so %s
+// RUN: not %run %t 2>&1 | FileCheck %s
+// UNSUPPORTED: android
+#ifdef _DSO
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+__attribute__((noinline)) int foo() {
+  char *write_buffer = (char *)malloc(1);
+  // CHECK: AddressSanitizer: heap-buffer-overflow
+  sprintf(write_buffer, "%s_%s", "one", "two");
+  return write_buffer[0];
+}
+#else
+extern int foo();
+int main() { return foo(); }
+#endif
diff --git a/test/asan/TestCases/Linux/printf-fortify-2.c b/test/asan/TestCases/Linux/printf-fortify-2.c
new file mode 100644
index 000000000..6ea1e00e4
--- /dev/null
+++ b/test/asan/TestCases/Linux/printf-fortify-2.c
@@ -0,0 +1,18 @@
+// RUN: %clang -fPIC -shared -O2 -D_FORTIFY_SOURCE=2 -D_DSO %s -o %t.so
+// RUN: %clang_asan %s -o %t %t.so
+// RUN: not %run %t 2>&1 | FileCheck %s
+// UNSUPPORTED: android
+#ifdef _DSO
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+__attribute__((noinline)) int foo() {
+  char *write_buffer = (char *)malloc(1);
+  // CHECK: AddressSanitizer: heap-buffer-overflow
+  snprintf(write_buffer, 4096, "%s_%s", "one", "two");
+  return write_buffer[0];
+}
+#else
+extern int foo();
+int main() { return foo(); }
+#endif
diff --git a/test/asan/TestCases/Linux/printf-fortify-3.c b/test/asan/TestCases/Linux/printf-fortify-3.c
new file mode 100644
index 000000000..a4b49dc98
--- /dev/null
+++ b/test/asan/TestCases/Linux/printf-fortify-3.c
@@ -0,0 +1,22 @@
+// RUN: %clang -shared -fPIC -D_DSO -O2 -D_FORTIFY_SOURCE=2 %s -o %t.so
+// RUN: %clang_asan %s -o %t %t.so
+// RUN: not %run %t 2>&1 | FileCheck %s
+// UNSUPPORTED: android
+#ifdef _DSO
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+__attribute__((noinline)) char foo(const char *format, ...) {
+  char *write_buffer = (char *)malloc(1);
+  va_list ap;
+  va_start(ap, format);
+  // CHECK: AddressSanitizer: heap-buffer-overflow
+  vsprintf(write_buffer, format, ap);
+  va_end(ap);
+  return write_buffer[0];
+}
+#else
+extern int foo(const char *format, ...);
+int main() { return foo("%s_%s", "one", "two"); }
+#endif
diff --git a/test/asan/TestCases/Linux/printf-fortify-4.c b/test/asan/TestCases/Linux/printf-fortify-4.c
new file mode 100644
index 000000000..57ec42f38
--- /dev/null
+++ b/test/asan/TestCases/Linux/printf-fortify-4.c
@@ -0,0 +1,22 @@
+// RUN: %clang -fPIC -shared -O2 -D_FORTIFY_SOURCE=2 -D_DSO %s -o %t.so
+// RUN: %clang_asan %s -o %t %t.so
+// RUN: not %run %t 2>&1 | FileCheck %s
+// UNSUPPORTED: android
+#ifdef _DSO
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+__attribute__((noinline)) char foo(const char *format, ...) {
+  char *write_buffer = (char *)malloc(1);
+  va_list ap;
+  va_start(ap, format);
+  // CHECK: AddressSanitizer: heap-buffer-overflow
+  vsnprintf(write_buffer, 4096, format, ap);
+  va_end(ap);
+  return write_buffer[0];
+}
+#else
+extern int foo(const char *format, ...);
+int main() { return foo("%s_%s", "one", "two"); }
+#endif
diff --git a/test/asan/TestCases/Linux/printf-fortify-5.c b/test/asan/TestCases/Linux/printf-fortify-5.c
new file mode 100644
index 000000000..487457a90
--- /dev/null
+++ b/test/asan/TestCases/Linux/printf-fortify-5.c
@@ -0,0 +1,18 @@
+// RUN: %clang -fPIC -shared -O2 -D_FORTIFY_SOURCE=2 -D_DSO %s -o %t.so
+// RUN: %clang_asan -o %t %t.so %s
+// RUN: not %run %t 2>&1 | FileCheck %s
+// UNSUPPORTED: android
+#ifdef _DSO
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+__attribute__((noinline)) int foo() {
+  char *read_buffer = (char *)malloc(1);
+  // CHECK: AddressSanitizer: heap-buffer-overflow
+  fprintf(stderr, read_buffer, 4096);
+  return read_buffer[0];
+}
+#else
+extern int foo();
+int main() { return foo(); }
+#endif
-- 
cgit v1.2.3