This is an archive of the discontinued LLVM Phabricator instance.

Differential D6353

[libcxxabi] Delay adjustment of pointer to prevent referencing invalid memory.
ClosedPublic

Authored by EricWF on Nov 20 2014, 10:14 PM.

Details

Reviewers
mclow.lists
danalbert
jroelofs
Commits
rG90c138ea6d47: [libcxxabi] Delay adjustment of pointer to prevent referencing invalid memory.
rCXXA222674: [libcxxabi] Delay adjustment of pointer to prevent referencing invalid memory.
rL222674: [libcxxabi] Delay adjustment of pointer to prevent referencing invalid memory.
Summary

This patch delays the dereference adjustment until we are sure the thrown type is a pointer type. It is possible the thrown type is not a pointer and is smaller than sizeof(void*). If the thrown type is is smaller than sizeof(void*) the deference adjustment will result in a heap buffer overflow.

I audited all the call sites of can_catch(...) and there are no places where adjustedPtr is used if can_catch(...) returns false. For this reason the patch should not introduce any functionality change.

This patch fixes the following tests when using ASAN:

  • unwind_01.cpp
  • unwind_02.cpp
  • unwind_04.cpp

Diff Detail

Event Timeline

EricWF updated this revision to Diff 16472.Nov 20 2014, 10:14 PM
EricWF retitled this revision from to [libcxxabi] Delay adjustment of pointer to prevent referencing invalid memory..
EricWF updated this object.
EricWF edited the test plan for this revision. (Show Details)
EricWF added reviewers: mclow.lists, danalbert, jroelofs.
EricWF added a subscriber: Unknown Object (MLST).
EricWF updated this object.Nov 21 2014, 1:14 AM
mclow.lists accepted this revision.Nov 24 2014, 8:26 AM
mclow.lists edited edge metadata.

LGTM

This revision is now accepted and ready to land.Nov 24 2014, 8:26 AM
EricWF closed this revision.Nov 24 2014, 10:46 AM

Revision Contents

PathSize
src/
18 lines

Diff 16472

src/private_typeinfo.cpp

Show First 20 LinesShow All 341 Lines▼ Show 20 Lines__vmi_class_type_info::has_unambiguous_public_base(__dynamic_cast_info* info,
} }
} }
// Handles bullets 1 and 4 for both pointers and member pointers // Handles bullets 1 and 4 for both pointers and member pointers
bool bool
__pbase_type_info::can_catch(const __shim_type_info* thrown_type, __pbase_type_info::can_catch(const __shim_type_info* thrown_type,
void*&) const void*&) const
{ {
if (is_equal(this, thrown_type, false)) return is_equal(this, thrown_type, false) ||
return true; is_equal(thrown_type, &typeid(std::nullptr_t), false);
return is_equal(thrown_type, &typeid(std::nullptr_t), false);
} }
#pragma clang diagnostic push #pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wmissing-field-initializers" #pragma clang diagnostic ignored "-Wmissing-field-initializers"
// Handles bullets 1, 3 and 4 // Handles bullets 1, 3 and 4
// NOTE: It might not be safe to adjust the pointer if it is not not a pointer
// type. Only adjust the pointer after we know it is safe to do so.
bool bool
__pointer_type_info::can_catch(const __shim_type_info* thrown_type, __pointer_type_info::can_catch(const __shim_type_info* thrown_type,
void*& adjustedPtr) const void*& adjustedPtr) const
{ {
// Do the dereference adjustment // bullets 1 and 4
if (__pbase_type_info::can_catch(thrown_type, adjustedPtr)) {
if (adjustedPtr != NULL) if (adjustedPtr != NULL)
adjustedPtr = *static_cast<void**>(adjustedPtr); adjustedPtr = *static_cast<void**>(adjustedPtr);
// bullets 1 and 4
if (__pbase_type_info::can_catch(thrown_type, adjustedPtr))
return true; return true;
}
// bullet 3 // bullet 3
const __pointer_type_info* thrown_pointer_type = const __pointer_type_info* thrown_pointer_type =
dynamic_cast<const __pointer_type_info*>(thrown_type); dynamic_cast<const __pointer_type_info*>(thrown_type);
if (thrown_pointer_type == 0) if (thrown_pointer_type == 0)
return false; return false;
// Do the dereference adjustment
if (adjustedPtr != NULL)
adjustedPtr = *static_cast<void**>(adjustedPtr);
// bullet 3B // bullet 3B
if (thrown_pointer_type->__flags & ~__flags) if (thrown_pointer_type->__flags & ~__flags)
return false; return false;
if (is_equal(__pointee, thrown_pointer_type->__pointee, false)) if (is_equal(__pointee, thrown_pointer_type->__pointee, false))
return true; return true;
// bullet 3A // bullet 3A
if (is_equal(__pointee, &typeid(void), false)) if (is_equal(__pointee, &typeid(void), false))
return true; return true;
▲ Show 20 LinesShow All 785 LinesShow Last 20 Lines