This is an archive of the discontinued LLVM Phabricator instance.

compiler-rt/lib/hwasan/hwasan_report.cpp
438–439	I'd rather check AddrIsInStack instead of num_descriptions_printed, or record the result of the stack check in a bool variable and look at that. Otherwise this depends on the order of the checks and will become confusing later if the code is moved.
439–440	rename ShowCandidate to ShowHeapOrGlobalCandidate

This revision is now accepted and ready to land.Jun 30 2021, 12:54 PM

Address comments.

Harbormaster completed remote builds in B112570: Diff 356664.Jul 6 2021, 3:57 AM

Closed by commit rG745758acf3c2: [hwasan] Fix incorrect candidate matching for stack OOB. (authored by fmayer). · Explain WhyJul 6 2021, 4:24 AM

This revision was automatically updated to reflect the committed changes.

fmayer added a commit: rG745758acf3c2: [hwasan] Fix incorrect candidate matching for stack OOB..

Revision Contents

Path

Size

compiler-rt/

lib/

hwasan/

hwasan_report.cpp

57 lines

test/

hwasan/

TestCases/

stack-oob.c

2 lines

Diff 356675

compiler-rt/lib/hwasan/hwasan_report.cpp

Show First 20 Lines • Show All 290 Lines • ▼ Show 20 Lines	static uptr GetGlobalSizeFromDescriptor(uptr ptr) {
for (const hwasan_global &global :		for (const hwasan_global &global :
HwasanGlobalsFor(load_bias, phdr_begin, ehdr->e_phnum))		HwasanGlobalsFor(load_bias, phdr_begin, ehdr->e_phnum))
if (global.addr() <= ptr && ptr < global.addr() + global.size())		if (global.addr() <= ptr && ptr < global.addr() + global.size())
return global.size();		return global.size();

return 0;		return 0;
}		}

static void ShowCandidate(uptr untagged_addr, tag_t candidate, tag_t left,		static void ShowHeapOrGlobalCandidate(uptr untagged_addr, tag_t *candidate,
tag_t *right) {		tag_t left, tag_t right) {
Decorator d;		Decorator d;
uptr mem = ShadowToMem(reinterpret_cast<uptr>(candidate));		uptr mem = ShadowToMem(reinterpret_cast<uptr>(candidate));
HwasanChunkView chunk = FindHeapChunkByAddress(mem);		HwasanChunkView chunk = FindHeapChunkByAddress(mem);
if (chunk.IsAllocated()) {		if (chunk.IsAllocated()) {
uptr offset;		uptr offset;
const char *whence;		const char *whence;
if (untagged_addr < chunk.End() && untagged_addr >= chunk.Beg()) {		if (untagged_addr < chunk.End() && untagged_addr >= chunk.Beg()) {
offset = untagged_addr - chunk.Beg();		offset = untagged_addr - chunk.Beg();
▲ Show 20 Lines • Show All 72 Lines • ▼ Show 20 Lines	Printf("%s[%p,%p) is a %s %s heap chunk; "
d.Location(),		d.Location(),
beg, beg + size,		beg, beg + size,
chunk.FromSmallHeap() ? "small" : "large",		chunk.FromSmallHeap() ? "small" : "large",
chunk.IsAllocated() ? "allocated" : "unallocated",		chunk.IsAllocated() ? "allocated" : "unallocated",
size, untagged_addr - beg,		size, untagged_addr - beg,
d.Default());		d.Default());
}		}

		tag_t addr_tag = GetTagFromPointer(tagged_addr);

		bool on_stack = false;
		// Check stack first. If the address is on the stack of a live thread, we
		// know it cannot be a heap / global overflow.
		hwasanThreadList().VisitAllLiveThreads([&](Thread *t) {
		if (t->AddrIsInStack(untagged_addr)) {
		on_stack = true;
		// TODO(fmayer): figure out how to distinguish use-after-return and
		// stack-buffer-overflow.
		Printf("%s", d.Error());
		Printf("\nCause: stack tag-mismatch\n");
		Printf("%s", d.Location());
		Printf("Address %p is located in stack of thread T%zd\n", untagged_addr,
		t->unique_id());
		Printf("%s", d.Default());
		t->Announce();

		auto *sa = (t == GetCurrentThread() && current_stack_allocations)
		? current_stack_allocations
		: t->stack_allocations();
		PrintStackAllocations(sa, addr_tag, untagged_addr);
		num_descriptions_printed++;
		}
		});

// Check if this looks like a heap buffer overflow by scanning		// Check if this looks like a heap buffer overflow by scanning
// the shadow left and right and looking for the first adjacent		// the shadow left and right and looking for the first adjacent
// object with a different memory tag. If that tag matches addr_tag,		// object with a different memory tag. If that tag matches addr_tag,
// check the allocator if it has a live chunk there.		// check the allocator if it has a live chunk there.
tag_t addr_tag = GetTagFromPointer(tagged_addr);
tag_t tag_ptr = reinterpret_cast<tag_t>(MemToShadow(untagged_addr));		tag_t tag_ptr = reinterpret_cast<tag_t>(MemToShadow(untagged_addr));
tag_t candidate = nullptr, left = tag_ptr, *right = tag_ptr;		tag_t candidate = nullptr, left = tag_ptr, *right = tag_ptr;
uptr candidate_distance = 0;		uptr candidate_distance = 0;
for (; candidate_distance < 1000; candidate_distance++) {		for (; candidate_distance < 1000; candidate_distance++) {
if (MemIsShadow(reinterpret_cast<uptr>(left)) &&		if (MemIsShadow(reinterpret_cast<uptr>(left)) &&
TagsEqual(addr_tag, left)) {		TagsEqual(addr_tag, left)) {
candidate = left;		candidate = left;
break;		break;
}		}
--left;		--left;
if (MemIsShadow(reinterpret_cast<uptr>(right)) &&		if (MemIsShadow(reinterpret_cast<uptr>(right)) &&
TagsEqual(addr_tag, right)) {		TagsEqual(addr_tag, right)) {
candidate = right;		candidate = right;
break;		break;
}		}
++right;		++right;
}		}

constexpr auto kCloseCandidateDistance = 1;		constexpr auto kCloseCandidateDistance = 1;

if (candidate && candidate_distance <= kCloseCandidateDistance) {		if (!on_stack && candidate && candidate_distance <= kCloseCandidateDistance) {
		eugenisUnsubmitted Done Reply Inline Actions I'd rather check AddrIsInStack instead of num_descriptions_printed, or record the result of the stack check in a bool variable and look at that. Otherwise this depends on the order of the checks and will become confusing later if the code is moved. eugenis: I'd rather check AddrIsInStack instead of num_descriptions_printed, or record the result of the…
ShowCandidate(untagged_addr, candidate, left, right);		ShowHeapOrGlobalCandidate(untagged_addr, candidate, left, right);
		eugenisUnsubmitted Done Reply Inline Actions rename ShowCandidate to ShowHeapOrGlobalCandidate eugenis: rename ShowCandidate to ShowHeapOrGlobalCandidate
num_descriptions_printed++;		num_descriptions_printed++;
}		}

hwasanThreadList().VisitAllLiveThreads([&](Thread *t) {		hwasanThreadList().VisitAllLiveThreads([&](Thread *t) {
if (t->AddrIsInStack(untagged_addr)) {
// TODO(fmayer): figure out how to distinguish use-after-return and
// stack-buffer-overflow.
Printf("%s", d.Error());
Printf("\nCause: stack tag-mismatch\n");
Printf("%s", d.Location());
Printf("Address %p is located in stack of thread T%zd\n", untagged_addr,
t->unique_id());
Printf("%s", d.Default());
t->Announce();

auto *sa = (t == GetCurrentThread() && current_stack_allocations)
? current_stack_allocations
: t->stack_allocations();
PrintStackAllocations(sa, addr_tag, untagged_addr);
num_descriptions_printed++;
}
});

hwasanThreadList().VisitAllLiveThreads([&](Thread *t) {
// Scan all threads' ring buffers to find if it's a heap-use-after-free.		// Scan all threads' ring buffers to find if it's a heap-use-after-free.
HeapAllocationRecord har;		HeapAllocationRecord har;
uptr ring_index, num_matching_addrs, num_matching_addrs_4b;		uptr ring_index, num_matching_addrs, num_matching_addrs_4b;
if (FindHeapAllocation(t->heap_allocations(), tagged_addr, &har,		if (FindHeapAllocation(t->heap_allocations(), tagged_addr, &har,
&ring_index, &num_matching_addrs,		&ring_index, &num_matching_addrs,
&num_matching_addrs_4b)) {		&num_matching_addrs_4b)) {
Printf("%s", d.Error());		Printf("%s", d.Error());
Printf("\nCause: use-after-free\n");		Printf("\nCause: use-after-free\n");
Show All 21 Lines	if (FindHeapAllocation(t->heap_allocations(), tagged_addr, &har,
num_matching_addrs_4b);		num_matching_addrs_4b);

t->Announce();		t->Announce();
num_descriptions_printed++;		num_descriptions_printed++;
}		}
});		});

if (candidate && num_descriptions_printed == 0) {		if (candidate && num_descriptions_printed == 0) {
ShowCandidate(untagged_addr, candidate, left, right);		ShowHeapOrGlobalCandidate(untagged_addr, candidate, left, right);
num_descriptions_printed++;		num_descriptions_printed++;
}		}

// Print the remaining threads, as an extra information, 1 line per thread.		// Print the remaining threads, as an extra information, 1 line per thread.
hwasanThreadList().VisitAllLiveThreads([&](Thread *t) { t->Announce(); });		hwasanThreadList().VisitAllLiveThreads([&](Thread *t) { t->Announce(); });

if (!num_descriptions_printed)		if (!num_descriptions_printed)
// We exhausted our possibilities. Bail out.		// We exhausted our possibilities. Bail out.
▲ Show 20 Lines • Show All 234 Lines • Show Last 20 Lines

compiler-rt/test/hwasan/TestCases/stack-oob.c

Show All 21 Lines	int f() {
return p[SIZE];		return p[SIZE];
}		}

int main() {		int main() {
f();		f();
// CHECK: READ of size 1 at		// CHECK: READ of size 1 at
// CHECK: #0 {{.}} in f{{.}}stack-oob.c:[[@LINE-6]]		// CHECK: #0 {{.}} in f{{.}}stack-oob.c:[[@LINE-6]]

		// CHECK-NOT: Cause: global-overflow
// CHECK: Cause: stack tag-mismatch		// CHECK: Cause: stack tag-mismatch
// CHECK: is located in stack of threa		// CHECK: is located in stack of threa
		// CHECK-NOT: Cause: global-overflow

// CHECK: SUMMARY: HWAddressSanitizer: tag-mismatch {{.*}} in f		// CHECK: SUMMARY: HWAddressSanitizer: tag-mismatch {{.*}} in f
}		}

This is an archive of the discontinued LLVM Phabricator instance.

[hwasan] Fix incorrect candidate matching for stack OOB.ClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 356675

compiler-rt/lib/hwasan/hwasan_report.cpp

compiler-rt/test/hwasan/TestCases/stack-oob.c

[hwasan] Fix incorrect candidate matching for stack OOB.
ClosedPublic