This is an archive of the discontinued LLVM Phabricator instance.

Differential D105394

[Sanitizers][Darwin] Intercept CCRandomGenerateBytes
AbandonedPublic

Authored by devnexen on Jul 3 2021, 5:55 AM.

Details

Reviewers
yln
delcypher
aralisza
eugenis
vitalybuka
Summary
  • Intercept the native apple (both iOs and macOS) which is even allowed on App Store (contrary to getentropy for example), thus checking its proper usage in code consumers.

Diff Detail

Unit TestsFailed

TimeTest
510 msx64 debian > Clang.Driver::cuda-arch-translation.cu
250 msx64 debian > Clang.Driver::cuda-bad-arch.cu
310 msx64 debian > Clang.Driver::cuda-flush-denormals-to-zero.cu
7,780 msx64 windows > Clang.Driver::cuda-arch-translation.cu
2,920 msx64 windows > Clang.Driver::cuda-bad-arch.cu
View Full Test Results (6 Failed)

Event Timeline

devnexen requested review of this revision.Jul 3 2021, 5:55 AM
devnexen created this revision.
Herald added a project: Restricted Project. · View Herald TranscriptJul 3 2021, 5:55 AM
Herald added a subscriber: Restricted Project. · View Herald Transcript
Harbormaster completed remote builds in B112321: Diff 356338.Jul 3 2021, 6:32 AM
yln added a comment.Jul 12 2021, 3:46 PM

Hi David, thanks for the patch for this previously unintercepted API. I am happy with the interceptor implementation itself; it follows our "recipe" nicely! :)

I have two small asks:

  • In the commit message, can you explain which issue (crash, false positive) for which sanitizer this is addressing?
  • Can we write a test that shows this issue? I think the current test only shows that we don't crash, right?
compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
7246

Nitpick: can we use the parameter names "bytes" and "count" from the header declaration?

CCRNGStatus CCRandomGenerateBytes(void *bytes, size_t count)
__OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0);
compiler-rt/test/sanitizer_common/TestCases/Darwin/ccrandomgeneratebytes.c
2

Are we testing here simply that we don't crash in our interceptor? Can we add a comment what we intend to test here.

5

I don't think this will work as intended. We would try to compile and run an empty file.
However, I think no one is actually testing on macOS version < 10.10, so just omitting this guard should be fine.

13

I don't think we will ever return "false", i.e., failing the test here?

success -> n = 0
failure -> n = 1
return n <= 0   // n is never <= 0, right?!

Maybe just return the return value of CCRandomGenerateBytes() (assuming kCCSuccess is 0)?

yln added reviewers: delcypher, aralisza, eugenis, vitalybuka.Jul 12 2021, 3:48 PM
devnexen updated this revision to Diff 358328.Jul 13 2021, 10:19 AM

Update unit test case.

Harbormaster completed remote builds in B113779: Diff 358328.Jul 13 2021, 10:20 AM
devnexen edited the summary of this revision. (Show Details)Jul 13 2021, 10:21 AM
devnexen marked 3 inline comments as done.
vitalybuka added inline comments.Jul 13 2021, 11:29 AM
compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
9836–9845

Why this renaming? As it it matches https://man7.org/linux/man-pages/man2/getrandom.2.html
Either way it looks unrelated to the patch.

vitalybuka added a comment.Jul 13 2021, 11:32 AM

It's titled "Intercept CCRandomGenerateBytes", but I don't see changes in interceptors, only new test.

devnexen added inline comments.Jul 13 2021, 11:42 AM
compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
9836–9845

My bad wrong lines.

devnexen updated this revision to Diff 358377.Jul 13 2021, 11:48 AM
vitalybuka accepted this revision.Jul 13 2021, 11:51 AM
vitalybuka added 1 blocking reviewer(s): yln.
Harbormaster completed remote builds in B113811: Diff 358377.Jul 13 2021, 1:11 PM
yln added a comment.Jul 22 2021, 3:52 PM

Hi David,

Before I approve this can we do the following?

  • In the commit message, can you explain which issue (crash, false positive) for which sanitizer this is addressing?
  • Can we write a test that shows this issue, i.e., a test that fails without the added interceptor? (Maybe this test needs to be for a specific sanitizer instead of sanitizer_common?)

Note: my understanding is that the added test is "green" even without the new interceptor. Ignore my second point if that is not the case.

devnexen abandoned this revision.Aug 16 2021, 1:43 AM

you re right after second thoughts it does not bring anything on the table.

Revision Contents

PathSize
compiler-rt/
lib/
sanitizer_common/
16 lines
2 lines
test/
sanitizer_common/
TestCases/
Darwin/
21 lines

Diff 358377

compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc

Show First 20 LinesShow All 991 Lines▼ Show 20 Lines
return res; return res;
} }
#define INIT_READLINKAT COMMON_INTERCEPT_FUNCTION(readlinkat) #define INIT_READLINKAT COMMON_INTERCEPT_FUNCTION(readlinkat)
#else #else
#define INIT_READLINKAT #define INIT_READLINKAT
#endif #endif
#if SANITIZER_INTERCEPT_CCRANDOM_GENERATE_BYTES
INTERCEPTOR(int, CCRandomGenerateBytes, void *bytes, SIZE_T count) {
ylnUnsubmitted
Not Done
ReplyInline Actions

Nitpick: can we use the parameter names "bytes" and "count" from the header declaration?

CCRNGStatus CCRandomGenerateBytes(void *bytes, size_t count)
__OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0);
yln: Nitpick: can we use the parameter names "bytes" and "count" from the header declaration? ```…
void *ctx;
COMMON_INTERCEPTOR_ENTER(ctx, CCRandomGenerateBytes, bytes, count);
int ret = REAL(CCRandomGenerateBytes)(bytes, count);
if (ret == 0) {
COMMON_INTERCEPTOR_WRITE_RANGE(ctx, bytes, count);
}
return ret;
}
#define INIT_CCRANDOM_GENERATE_BYTES COMMON_INTERCEPT_FUNCTION(CCRandomGenerateBytes);
#else
#define INIT_CCRANDOM_GENERATE_BYTES
#endif
#if SANITIZER_INTERCEPT_NAME_TO_HANDLE_AT #if SANITIZER_INTERCEPT_NAME_TO_HANDLE_AT
INTERCEPTOR(int, name_to_handle_at, int dirfd, const char *pathname, INTERCEPTOR(int, name_to_handle_at, int dirfd, const char *pathname,
struct file_handle *handle, int *mount_id, int flags) { struct file_handle *handle, int *mount_id, int flags) {
void* ctx; void* ctx;
COMMON_INTERCEPTOR_ENTER(ctx, name_to_handle_at, dirfd, pathname, handle, COMMON_INTERCEPTOR_ENTER(ctx, name_to_handle_at, dirfd, pathname, handle,
mount_id, flags); mount_id, flags);
COMMON_INTERCEPTOR_READ_RANGE(ctx, pathname, REAL(strlen)(pathname) + 1); COMMON_INTERCEPTOR_READ_RANGE(ctx, pathname, REAL(strlen)(pathname) + 1);
▲ Show 20 LinesShow All 1,492 Lines▼ Show 20 Lines
COMMON_INTERCEPT_FUNCTION(sl_init); \ COMMON_INTERCEPT_FUNCTION(sl_init); \
COMMON_INTERCEPT_FUNCTION(sl_add); \ COMMON_INTERCEPT_FUNCTION(sl_add); \
COMMON_INTERCEPT_FUNCTION(sl_find); \ COMMON_INTERCEPT_FUNCTION(sl_find); \
COMMON_INTERCEPT_FUNCTION(sl_free); COMMON_INTERCEPT_FUNCTION(sl_free);
#else #else
#define INIT_SL_INIT #define INIT_SL_INIT
#endif #endif
#if SANITIZER_INTERCEPT_GETRANDOM #if SANITIZER_INTERCEPT_GETRANDOM
INTERCEPTOR(SSIZE_T, getrandom, void *buf, SIZE_T buflen, unsigned int flags) { INTERCEPTOR(SSIZE_T, getrandom, void *buf, SIZE_T buflen, unsigned int flags) {
void *ctx; void *ctx;
COMMON_INTERCEPTOR_ENTER(ctx, getrandom, buf, buflen, flags); COMMON_INTERCEPTOR_ENTER(ctx, getrandom, buf, buflen, flags);
SSIZE_T n = REAL(getrandom)(buf, buflen, flags); SSIZE_T n = REAL(getrandom)(buf, buflen, flags);
if (n > 0) { if (n > 0) {
COMMON_INTERCEPTOR_WRITE_RANGE(ctx, buf, n); COMMON_INTERCEPTOR_WRITE_RANGE(ctx, buf, n);
} }
return n; return n;
} }
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

Why this renaming? As it it matches https://man7.org/linux/man-pages/man2/getrandom.2.html
Either way it looks unrelated to the patch.

vitalybuka: Why this renaming? As it it matches https://man7.org/linux/man-pages/man2/getrandom.2.html…
devnexenAuthorUnsubmitted
Done
ReplyInline Actions

My bad wrong lines.

devnexen: My bad wrong lines.
#define INIT_GETRANDOM COMMON_INTERCEPT_FUNCTION(getrandom) #define INIT_GETRANDOM COMMON_INTERCEPT_FUNCTION(getrandom)
#else #else
#define INIT_GETRANDOM #define INIT_GETRANDOM
#endif #endif
#if SANITIZER_INTERCEPT_CRYPT #if SANITIZER_INTERCEPT_CRYPT
INTERCEPTOR(char *, crypt, char *key, char *salt) { INTERCEPTOR(char *, crypt, char *key, char *salt) {
void *ctx; void *ctx;
▲ Show 20 LinesShow All 464 Lines▼ Show 20 Lines
INIT_GROUP_FROM_GID; INIT_GROUP_FROM_GID;
INIT_GID_FROM_GROUP; INIT_GID_FROM_GROUP;
INIT_ACCESS; INIT_ACCESS;
INIT_FACCESSAT; INIT_FACCESSAT;
INIT_GETGROUPLIST; INIT_GETGROUPLIST;
INIT_GETGROUPMEMBERSHIP; INIT_GETGROUPMEMBERSHIP;
INIT_READLINK; INIT_READLINK;
INIT_READLINKAT; INIT_READLINKAT;
INIT_CCRANDOM_GENERATE_BYTES;
INIT_NAME_TO_HANDLE_AT; INIT_NAME_TO_HANDLE_AT;
INIT_OPEN_BY_HANDLE_AT; INIT_OPEN_BY_HANDLE_AT;
INIT_STRLCPY; INIT_STRLCPY;
INIT_DEVNAME; INIT_DEVNAME;
INIT_DEVNAME_R; INIT_DEVNAME_R;
INIT_FGETLN; INIT_FGETLN;
INIT_STRMODE; INIT_STRMODE;
INIT_TTYENT; INIT_TTYENT;
▲ Show 20 LinesShow All 51 LinesShow Last 20 Lines

compiler-rt/lib/sanitizer_common/sanitizer_platform_interceptors.h

Show First 20 LinesShow All 506 Lines▼ Show 20 Lines
#if defined(__ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__) && \ #if defined(__ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__) && \
__ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__ < 101000 __ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__ < 101000
#define SI_MAC_DEPLOYMENT_BELOW_10_10 1 #define SI_MAC_DEPLOYMENT_BELOW_10_10 1
#else #else
#define SI_MAC_DEPLOYMENT_BELOW_10_10 0 #define SI_MAC_DEPLOYMENT_BELOW_10_10 0
#endif #endif
#define SANITIZER_INTERCEPT_READLINKAT \ #define SANITIZER_INTERCEPT_READLINKAT \
(SI_POSIX && !SI_MAC_DEPLOYMENT_BELOW_10_10) (SI_POSIX && !SI_MAC_DEPLOYMENT_BELOW_10_10)
#define SANITIZER_INTERCEPT_CCRANDOM_GENERATE_BYTES \
(SI_MAC && !SI_MAC_DEPLOYMENT_BELOW_10_10)
#define SANITIZER_INTERCEPT_DEVNAME (SI_NETBSD || SI_FREEBSD) #define SANITIZER_INTERCEPT_DEVNAME (SI_NETBSD || SI_FREEBSD)
#define SANITIZER_INTERCEPT_DEVNAME_R (SI_NETBSD || SI_FREEBSD) #define SANITIZER_INTERCEPT_DEVNAME_R (SI_NETBSD || SI_FREEBSD)
#define SANITIZER_INTERCEPT_FGETLN (SI_NETBSD || SI_FREEBSD) #define SANITIZER_INTERCEPT_FGETLN (SI_NETBSD || SI_FREEBSD)
#define SANITIZER_INTERCEPT_STRMODE (SI_NETBSD || SI_FREEBSD) #define SANITIZER_INTERCEPT_STRMODE (SI_NETBSD || SI_FREEBSD)
#define SANITIZER_INTERCEPT_TTYENT SI_NETBSD #define SANITIZER_INTERCEPT_TTYENT SI_NETBSD
#define SANITIZER_INTERCEPT_PROTOENT (SI_NETBSD || SI_LINUX) #define SANITIZER_INTERCEPT_PROTOENT (SI_NETBSD || SI_LINUX)
#define SANITIZER_INTERCEPT_PROTOENT_R SI_GLIBC #define SANITIZER_INTERCEPT_PROTOENT_R SI_GLIBC
▲ Show 20 LinesShow All 80 LinesShow Last 20 Lines

compiler-rt/test/sanitizer_common/TestCases/Darwin/ccrandomgeneratebytes.c

  • This file was added.
// We try to ensure the api interceptor functions properly.
//
ylnUnsubmitted
Done
ReplyInline Actions

Are we testing here simply that we don't crash in our interceptor? Can we add a comment what we intend to test here.

yln: Are we testing here simply that we don't crash in our interceptor? Can we add a comment what…
// RUN: %clang -O2 %s -o %t && %run %t
#include <CommonCrypto/CommonRandom.h>
ylnUnsubmitted
Done
ReplyInline Actions

I don't think this will work as intended. We would try to compile and run an empty file.
However, I think no one is actually testing on macOS version < 10.10, so just omitting this guard should be fine.

yln: I don't think this will work as intended. We would try to compile and run an empty file.
#include <stdio.h>
#include <inttypes.h>
int main() {
char buf[16];
int n = !(CCRandomGenerateBytes(buf, sizeof(buf)) == kCCSuccess);
if (n == 0) {
printf("CCRandomGenerateBytes\n");
ylnUnsubmitted
Done
ReplyInline Actions

I don't think we will ever return "false", i.e., failing the test here?

success -> n = 0
failure -> n = 1
return n <= 0   // n is never <= 0, right?!

Maybe just return the return value of CCRandomGenerateBytes() (assuming kCCSuccess is 0)?

yln: I don't think we will ever return "false", i.e., failing the test here? ``` success -> n = 0…
for (int i = 0; i <sizeof(buf); i++)
printf("%" PRIx8, buf[i]);
printf("\n");
}
return n;
// CHECK: CCRandomGenerateBytes
// CHECK: '{{.*}}'
}