This is an archive of the discontinued LLVM Phabricator instance.

Differential D104948

[compiler-rt] change write order of frexpl & frexpf so it doesn't corrupt stack ids
ClosedPublic

Authored by aralisza on Jun 25 2021, 1:34 PM.

Details

Reviewers
delcypher
kubamracek
yln
vitalybuka
glider
dvyukov
eugenis
Commits
rGcfa4d112da8d: [compiler-rt] change write order of frexpl & frexpf so it doesn't corrupt stack…
Summary

This was fixed in the past for frexp, but was not made for frexpl & frexpf https://github.com/google/sanitizers/issues/321
This patch copies the fix over to frexpl because it caused frexp_interceptor.cpp test to fail on iPhone and frexpf for consistency.

rdar://79652161

Diff Detail

Event Timeline

aralisza created this revision.Jun 25 2021, 1:34 PM
Herald added a subscriber: dberris. · View Herald TranscriptJun 25 2021, 1:34 PM
aralisza requested review of this revision.Jun 25 2021, 1:34 PM
Herald added a project: Restricted Project. · View Herald TranscriptJun 25 2021, 1:34 PM
Herald added a subscriber: Restricted Project. · View Herald Transcript
aralisza updated this revision to Diff 354596.Jun 25 2021, 1:39 PM

remove comment

aralisza edited the summary of this revision. (Show Details)Jun 25 2021, 1:40 PM
aralisza added reviewers: delcypher, kubamracek, yln, vitalybuka, glider.
Harbormaster completed remote builds in B111069: Diff 354596.Jun 25 2021, 2:06 PM
kubamracek added reviewers: dvyukov, eugenis.Jun 25 2021, 3:59 PM
kubamracek added inline comments.
compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
972–973

should this get the same fix too?

aralisza updated this revision to Diff 354621.Jun 25 2021, 4:07 PM

change order of frexp too

compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
972–973

done~ I didn't do it originally because I figured there was a reason the original author didn't go ahead an make all these changes, but it probably makes sense to do it now anyway

aralisza retitled this revision from [compiler-rt] change write order of frexpl so it doesn't corrupt stack ids to [compiler-rt] change write order of frexpl & frexpf so it doesn't corrupt stack ids.Jun 25 2021, 4:09 PM
aralisza edited the summary of this revision. (Show Details)
Harbormaster completed remote builds in B111085: Diff 354621.Jun 25 2021, 4:41 PM
delcypher added a comment.Jul 1 2021, 10:27 AM

This seems reasonable to me. However, we are touching paths used by non-Apple platforms here so I'd like someone outside of Apple to approve too.

delcypher accepted this revision.Jul 1 2021, 10:27 AM
This revision is now accepted and ready to land.Jul 1 2021, 10:27 AM
aralisza added a comment.Jul 6 2021, 1:29 PM

Ping on this, would love to get an additional reviewer.

delcypher added a comment.Jul 8 2021, 11:29 AM

@vitalybuka ping

vitalybuka accepted this revision.Jul 8 2021, 12:23 PM

Can you please add trivial tests in /sanitizer_common?

compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
976

Even if it does not fail could you also add COMMON_INTERCEPTOR_INITIALIZE_RANGE after the call
to make sure msan shadow is not corrupted by the calls internals

delcypher added inline comments.Jul 8 2021, 3:21 PM
compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
976

I would expect COMMON_INTERCEPTOR_WRITE_RANGE(ctx, exp, sizeof(*exp)) before the call to initialize the range. Do we actually suspect that REAL(frexpf)(x, exp) could corrupt MSan's shadow? I'm not sure how that would happen.

vitalybuka added inline comments.Jul 8 2021, 3:34 PM
compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
976

e.g. calculate on stack of non-instrumented function and then memcpy into output which will be intercepted and also copy "uninitialized" shadow

vitalybuka added inline comments.Jul 8 2021, 3:48 PM
compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
976

With the current implementation of these function probably unnecessary.
But without assuming implementation details, COMMON_INTERCEPTOR_INITIALIZE_RANGE is right thing to do.

aralisza updated this revision to Diff 359170.Jul 15 2021, 4:52 PM

add tests for frexpl and frexpf and call COMMON_INTERCEPTOR_INITIALIZE_RANGE

aralisza added inline comments.Jul 15 2021, 4:54 PM
compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
976

Is this what you are looking for? By "after the call" do you mean after the call to REAL(... or COMMON_INTERCEPTOR_WRITE_RANGE?

aralisza updated this revision to Diff 359171.Jul 15 2021, 4:55 PM

make ordering more consistent

vitalybuka accepted this revision.Jul 15 2021, 5:10 PM
vitalybuka added inline comments.
compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
976

COMMON_INTERCEPTOR_INITIALIZE_RANGE

Harbormaster completed remote builds in B114386: Diff 359171.Jul 15 2021, 6:08 PM
This revision was landed with ongoing or failed builds.Jul 16 2021, 10:58 AM
Closed by commit rGcfa4d112da8d: [compiler-rt] change write order of frexpl & frexpf so it doesn't corrupt stack… (authored by aralisza). · Explain Why
This revision was automatically updated to reflect the committed changes.
aralisza added a commit: rGcfa4d112da8d: [compiler-rt] change write order of frexpl & frexpf so it doesn't corrupt stack….

Revision Contents

PathSize
compiler-rt/
lib/
sanitizer_common/
13 lines
test/
asan/
TestCases/
16 lines
16 lines

Diff 359387

compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 951 Lines▼ Show 20 Lines
#if SANITIZER_INTERCEPT_FREXP #if SANITIZER_INTERCEPT_FREXP
INTERCEPTOR(double, frexp, double x, int *exp) { INTERCEPTOR(double, frexp, double x, int *exp) {
void *ctx; void *ctx;
COMMON_INTERCEPTOR_ENTER(ctx, frexp, x, exp); COMMON_INTERCEPTOR_ENTER(ctx, frexp, x, exp);
// Assuming frexp() always writes to |exp|. // Assuming frexp() always writes to |exp|.
COMMON_INTERCEPTOR_WRITE_RANGE(ctx, exp, sizeof(*exp)); COMMON_INTERCEPTOR_WRITE_RANGE(ctx, exp, sizeof(*exp));
double res = REAL(frexp)(x, exp); double res = REAL(frexp)(x, exp);
COMMON_INTERCEPTOR_INITIALIZE_RANGE(exp, sizeof(*exp));
return res; return res;
} }
#define INIT_FREXP COMMON_INTERCEPT_FUNCTION(frexp); #define INIT_FREXP COMMON_INTERCEPT_FUNCTION(frexp);
#else #else
#define INIT_FREXP #define INIT_FREXP
#endif // SANITIZER_INTERCEPT_FREXP #endif // SANITIZER_INTERCEPT_FREXP
#if SANITIZER_INTERCEPT_FREXPF_FREXPL #if SANITIZER_INTERCEPT_FREXPF_FREXPL
INTERCEPTOR(float, frexpf, float x, int *exp) { INTERCEPTOR(float, frexpf, float x, int *exp) {
void *ctx; void *ctx;
COMMON_INTERCEPTOR_ENTER(ctx, frexpf, x, exp); COMMON_INTERCEPTOR_ENTER(ctx, frexpf, x, exp);
// FIXME: under ASan the call below may write to freed memory and corrupt
// its metadata. See
// https://github.com/google/sanitizers/issues/321.
float res = REAL(frexpf)(x, exp);
COMMON_INTERCEPTOR_WRITE_RANGE(ctx, exp, sizeof(*exp)); COMMON_INTERCEPTOR_WRITE_RANGE(ctx, exp, sizeof(*exp));
kubamracekUnsubmitted
Not Done
ReplyInline Actions

should this get the same fix too?

kubamracek: should this get the same fix too?
araliszaAuthorUnsubmitted
Done
ReplyInline Actions

done~ I didn't do it originally because I figured there was a reason the original author didn't go ahead an make all these changes, but it probably makes sense to do it now anyway

aralisza: done~ I didn't do it originally because I figured there was a reason the original author didn't…
float res = REAL(frexpf)(x, exp);
COMMON_INTERCEPTOR_INITIALIZE_RANGE(exp, sizeof(*exp));
return res; return res;
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

Even if it does not fail could you also add COMMON_INTERCEPTOR_INITIALIZE_RANGE after the call
to make sure msan shadow is not corrupted by the calls internals

vitalybuka: Even if it does not fail could you also add COMMON_INTERCEPTOR_INITIALIZE_RANGE after the call…
delcypherUnsubmitted
Not Done
ReplyInline Actions

I would expect COMMON_INTERCEPTOR_WRITE_RANGE(ctx, exp, sizeof(*exp)) before the call to initialize the range. Do we actually suspect that REAL(frexpf)(x, exp) could corrupt MSan's shadow? I'm not sure how that would happen.

delcypher: I would expect `COMMON_INTERCEPTOR_WRITE_RANGE(ctx, exp, sizeof(*exp))` before the call to…
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

e.g. calculate on stack of non-instrumented function and then memcpy into output which will be intercepted and also copy "uninitialized" shadow

vitalybuka: e.g. calculate on stack of non-instrumented function and then memcpy into output which will be…
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

With the current implementation of these function probably unnecessary.
But without assuming implementation details, COMMON_INTERCEPTOR_INITIALIZE_RANGE is right thing to do.

vitalybuka: With the current implementation of these function probably unnecessary. But without assuming…
araliszaAuthorUnsubmitted
Done
ReplyInline Actions

Is this what you are looking for? By "after the call" do you mean after the call to REAL(... or COMMON_INTERCEPTOR_WRITE_RANGE?

aralisza: Is this what you are looking for? By "after the call" do you mean after the call to `REAL(...`…
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

COMMON_INTERCEPTOR_INITIALIZE_RANGE

vitalybuka: COMMON_INTERCEPTOR_INITIALIZE_RANGE
} }
INTERCEPTOR(long double, frexpl, long double x, int *exp) { INTERCEPTOR(long double, frexpl, long double x, int *exp) {
void *ctx; void *ctx;
COMMON_INTERCEPTOR_ENTER(ctx, frexpl, x, exp); COMMON_INTERCEPTOR_ENTER(ctx, frexpl, x, exp);
// FIXME: under ASan the call below may write to freed memory and corrupt
// its metadata. See
// https://github.com/google/sanitizers/issues/321.
long double res = REAL(frexpl)(x, exp);
COMMON_INTERCEPTOR_WRITE_RANGE(ctx, exp, sizeof(*exp)); COMMON_INTERCEPTOR_WRITE_RANGE(ctx, exp, sizeof(*exp));
long double res = REAL(frexpl)(x, exp);
COMMON_INTERCEPTOR_INITIALIZE_RANGE(exp, sizeof(*exp));
return res; return res;
} }
#define INIT_FREXPF_FREXPL \ #define INIT_FREXPF_FREXPL \
COMMON_INTERCEPT_FUNCTION(frexpf); \ COMMON_INTERCEPT_FUNCTION(frexpf); \
COMMON_INTERCEPT_FUNCTION_LDBL(frexpl) COMMON_INTERCEPT_FUNCTION_LDBL(frexpl)
#else #else
#define INIT_FREXPF_FREXPL #define INIT_FREXPF_FREXPL
▲ Show 20 LinesShow All 9,382 LinesShow Last 20 Lines

compiler-rt/test/asan/TestCases/frexpf_interceptor.cpp

  • This file was added.
// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
// Test the frexpf() interceptor.
#include <math.h>
#include <stdio.h>
#include <stdlib.h>
int main() {
float x = 3.14;
int *exp = (int *)malloc(sizeof(int));
free(exp);
double y = frexpf(x, exp);
// CHECK: use-after-free
// CHECK: SUMMARY
return 0;
}

compiler-rt/test/asan/TestCases/frexpl_interceptor.cpp

  • This file was added.
// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
// Test the frexpl() interceptor.
#include <math.h>
#include <stdio.h>
#include <stdlib.h>
int main() {
long double x = 3.14;
int *exp = (int *)malloc(sizeof(int));
free(exp);
double y = frexpl(x, exp);
// CHECK: use-after-free
// CHECK: SUMMARY
return 0;
}