From d20ebd10fdafaae026ac550e17d17daff39608e7 Mon Sep 17 00:00:00 2001
From: Kostya Kortchinsky
Date: Wed, 2 Aug 2017 20:32:12 +0000
Subject: [msan] Check for pvalloc overflow
Summary: CheckForPvallocOverflow was introduced with D35818 to detect when pvalloc would wrap when rounding up to the next multiple of the page size. Add this check to MSan's pvalloc implementation. This time I made sure I was actually running (and writing) the correct tests, and that they are passing...
Reviewers: alekseyshl
Reviewed By: alekseyshl
Subscribers: llvm-commits
Differential Revision: https://reviews.llvm.org/D36164
git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@309883 91177308-0d34-0410-b5e6-96231b3b80d8
---
 lib/msan/msan_allocator.cc  | 4 ++++
 lib/msan/tests/msan_test.cc | 6 ++++++
 2 files changed, 10 insertions(+)
(limited to 'lib/msan')
diff --git a/lib/msan/msan_allocator.cc b/lib/msan/msan_allocator.cc
index 8e9d4d397..1b134e15a 100644
--- a/lib/msan/msan_allocator.cc
+++ b/lib/msan/msan_allocator.cc
@@ -255,6 +255,10 @@ void *msan_valloc(uptr size, StackTrace *stack) {
 void *msan_pvalloc(uptr size, StackTrace *stack) {
   uptr PageSize = GetPageSizeCached();
+  if (UNLIKELY(CheckForPvallocOverflow(size, PageSize))) {
+    errno = errno_ENOMEM;
+    return Allocator::FailureHandler::OnBadRequest();
+  }
   // pvalloc(0) should allocate one page.
   size = size ? RoundUpTo(size, PageSize) : PageSize;
   return SetErrnoOnNull(MsanAllocate(stack, size, PageSize, false));
diff --git a/lib/msan/tests/msan_test.cc b/lib/msan/tests/msan_test.cc
index b2d5f7c60..0310656d1 100644
--- a/lib/msan/tests/msan_test.cc
+++ b/lib/msan/tests/msan_test.cc
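Review bot: The new guard in msan_pvalloc is placed correctly, ahead of the `size ? RoundUpTo(size, PageSize) : PageSize` line, but nothing in the hunk records why that ordering is load-bearing: for a size close enough to the uptr maximum that adding PageSize - 1 wraps, RoundUpTo would produce a tiny (possibly zero) size, and MsanAllocate would hand back a small chunk for a request the caller believes is huge. A one-line comment above the check would keep a later refactor from moving it below the rounding, e.g. `// Must run before RoundUpTo: a near-UINTPTR_MAX size would wrap to a small allocation.` Since the comment says pvalloc(0) must still allocate one page, the check presumably returns false for size == 0 — worth confirming against CheckForPvallocOverflow's definition, which is outside this hunk. msan_pvalloc's closing brace is also outside the hunk.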
@@ -3449,6 +3449,12 @@ TEST(MemorySanitizer, pvalloc) {
   EXPECT_EQ(0U, (uintptr_t)p % PageSize);
   EXPECT_EQ(PageSize, __sanitizer_get_allocated_size(p));
   free(p);
+
+  // Overflows should be caught.
+  EXPECT_DEATH(p = pvalloc((uintptr_t)-1),
+               "allocator is terminating the process instead of returning 0");
+  EXPECT_DEATH(p = pvalloc((uintptr_t)-(PageSize - 1)),
+               "allocator is terminating the process instead of returning 0");
 }
 #endif
-- 
cgit v1.2.3
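Review bot: Both new EXPECT_DEATH cases only exercise the terminating configuration; the branch the allocator hunk adds in msan_pvalloc, where errno is set to errno_ENOMEM and OnBadRequest returns to the caller (the "instead of returning 0" alternative named in the expected message), is not pinned by this test. If this test file already has a way to run a case with allocator_may_return_null enabled, a companion check that `pvalloc((uintptr_t)-1)` yields a null pointer with errno == ENOMEM would cover that path and catch a regression where the errno assignment is dropped. The second boundary value, `(uintptr_t)-(PageSize - 1)`, is a good choice since it is the smallest size whose rounding wraps. The TEST body begins outside the hunk.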