This is an archive of the discontinued LLVM Phabricator instance.

Differential D105394

[Sanitizers][Darwin] Intercept CCRandomGenerateBytes
AbandonedPublic

Authored by devnexen on Jul 3 2021, 5:55 AM.

Details

Reviewers
yln
delcypher
aralisza
eugenis
vitalybuka
Summary
  • Intercept the native apple (both iOs and macOS) which is even allowed on App Store (contrary to getentropy for example), thus checking its proper usage in code consumers.

Diff Detail

Event Timeline

devnexen requested review of this revision.Jul 3 2021, 5:55 AM
devnexen created this revision.
Herald added a project: Restricted Project. · View Herald TranscriptJul 3 2021, 5:55 AM
Herald added a subscriber: Restricted Project. · View Herald Transcript
Harbormaster completed remote builds in B112321: Diff 356338.Jul 3 2021, 6:32 AM
yln added a comment.Jul 12 2021, 3:46 PM

Hi David, thanks for the patch for this previously unintercepted API. I am happy with the interceptor implementation itself; it follows our "recipe" nicely! :)

I have two small asks:

  • In the commit message, can you explain which issue (crash, false positive) for which sanitizer this is addressing?
  • Can we write a test that shows this issue? I think the current test only shows that we don't crash, right?
compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
7246

Nitpick: can we use the parameter names "bytes" and "count" from the header declaration?

CCRNGStatus CCRandomGenerateBytes(void *bytes, size_t count)
__OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0);
compiler-rt/test/sanitizer_common/TestCases/Darwin/ccrandomgeneratebytes.c
1

Are we testing here simply that we don't crash in our interceptor? Can we add a comment what we intend to test here.

4

I don't think this will work as intended. We would try to compile and run an empty file.
However, I think no one is actually testing on macOS version < 10.10, so just omitting this guard should be fine.

12

I don't think we will ever return "false", i.e., failing the test here?

success -> n = 0
failure -> n = 1
return n <= 0   // n is never <= 0, right?!

Maybe just return the return value of CCRandomGenerateBytes() (assuming kCCSuccess is 0)?

yln added reviewers: delcypher, aralisza, eugenis, vitalybuka.Jul 12 2021, 3:48 PM
devnexen updated this revision to Diff 358328.Jul 13 2021, 10:19 AM

Update unit test case.

Harbormaster completed remote builds in B113779: Diff 358328.Jul 13 2021, 10:20 AM
devnexen edited the summary of this revision. (Show Details)Jul 13 2021, 10:21 AM
devnexen marked 3 inline comments as done.
vitalybuka added inline comments.Jul 13 2021, 11:29 AM
compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
9836–9845

Why this renaming? As it it matches https://man7.org/linux/man-pages/man2/getrandom.2.html
Either way it looks unrelated to the patch.

vitalybuka added a comment.Jul 13 2021, 11:32 AM

It's titled "Intercept CCRandomGenerateBytes", but I don't see changes in interceptors, only new test.

devnexen added inline comments.Jul 13 2021, 11:42 AM
compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
9836–9845

My bad wrong lines.

devnexen updated this revision to Diff 358377.Jul 13 2021, 11:48 AM
vitalybuka accepted this revision.Jul 13 2021, 11:51 AM
vitalybuka added 1 blocking reviewer(s): yln.
Harbormaster completed remote builds in B113811: Diff 358377.Jul 13 2021, 1:11 PM
yln added a comment.Jul 22 2021, 3:52 PM

Hi David,

Before I approve this can we do the following?

  • In the commit message, can you explain which issue (crash, false positive) for which sanitizer this is addressing?
  • Can we write a test that shows this issue, i.e., a test that fails without the added interceptor? (Maybe this test needs to be for a specific sanitizer instead of sanitizer_common?)

Note: my understanding is that the added test is "green" even without the new interceptor. Ignore my second point if that is not the case.

devnexen abandoned this revision.Aug 16 2021, 1:43 AM

you re right after second thoughts it does not bring anything on the table.

Revision Contents

PathSize
compiler-rt/
lib/
sanitizer_common/
8 lines
test/
sanitizer_common/
TestCases/
Darwin/
21 lines

Diff 358328

compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc

Show First 20 LinesShow All 990 Lines▼ Show 20 Lines
COMMON_INTERCEPT_FUNCTION(sl_init); \ COMMON_INTERCEPT_FUNCTION(sl_init); \
COMMON_INTERCEPT_FUNCTION(sl_add); \ COMMON_INTERCEPT_FUNCTION(sl_add); \
COMMON_INTERCEPT_FUNCTION(sl_find); \ COMMON_INTERCEPT_FUNCTION(sl_find); \
COMMON_INTERCEPT_FUNCTION(sl_free); COMMON_INTERCEPT_FUNCTION(sl_free);
#else #else
#define INIT_SL_INIT #define INIT_SL_INIT
#endif #endif
#if SANITIZER_INTERCEPT_GETRANDOM #if SANITIZER_INTERCEPT_GETRANDOM
INTERCEPTOR(SSIZE_T, getrandom, void *buf, SIZE_T buflen, unsigned int flags) { INTERCEPTOR(SSIZE_T, getrandom, void *bytes, SIZE_T count, unsigned int flags) {
void *ctx; void *ctx;
COMMON_INTERCEPTOR_ENTER(ctx, getrandom, buf, buflen, flags); COMMON_INTERCEPTOR_ENTER(ctx, getrandom, bytes, count, flags);
SSIZE_T n = REAL(getrandom)(buf, buflen, flags); SSIZE_T n = REAL(getrandom)(bytes, count, flags);
if (n > 0) { if (n > 0) {
COMMON_INTERCEPTOR_WRITE_RANGE(ctx, buf, n); COMMON_INTERCEPTOR_WRITE_RANGE(ctx, bytes, n);
} }
return n; return n;
} }
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

Why this renaming? As it it matches https://man7.org/linux/man-pages/man2/getrandom.2.html
Either way it looks unrelated to the patch.

vitalybuka: Why this renaming? As it it matches https://man7.org/linux/man-pages/man2/getrandom.2.html…
devnexenAuthorUnsubmitted
Done
ReplyInline Actions

My bad wrong lines.

devnexen: My bad wrong lines.
#define INIT_GETRANDOM COMMON_INTERCEPT_FUNCTION(getrandom) #define INIT_GETRANDOM COMMON_INTERCEPT_FUNCTION(getrandom)
#else #else
#define INIT_GETRANDOM #define INIT_GETRANDOM
#endif #endif
#if SANITIZER_INTERCEPT_CRYPT #if SANITIZER_INTERCEPT_CRYPT
INTERCEPTOR(char *, crypt, char *key, char *salt) { INTERCEPTOR(char *, crypt, char *key, char *salt) {
void *ctx; void *ctx;
▲ Show 20 LinesShow All 532 LinesShow Last 20 Lines

compiler-rt/test/sanitizer_common/TestCases/Darwin/ccrandomgeneratebytes.c

// We try to ensure the api interceptor functions properly.
ylnUnsubmitted
Done
ReplyInline Actions

Are we testing here simply that we don't crash in our interceptor? Can we add a comment what we intend to test here.

yln: Are we testing here simply that we don't crash in our interceptor? Can we add a comment what…
//
// RUN: %clang -O2 %s -o %t && %run %t // RUN: %clang -O2 %s -o %t && %run %t
ylnUnsubmitted
Done
ReplyInline Actions

I don't think this will work as intended. We would try to compile and run an empty file.
However, I think no one is actually testing on macOS version < 10.10, so just omitting this guard should be fine.

yln: I don't think this will work as intended. We would try to compile and run an empty file.
#include <Availability.h>
#if __ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__ > 101000
#include <CommonCrypto/CommonRandom.h> #include <CommonCrypto/CommonRandom.h>
#include <stdio.h>
#include <inttypes.h>
int main() { int main() {
char buf[16]; char buf[16];
int n = 0; int n = !(CCRandomGenerateBytes(buf, sizeof(buf)) == kCCSuccess);
if (CCRandomGenerateBytes(buf, sizeof(buf)) != kCCSuccess) if (n == 0) {
ylnUnsubmitted
Done
ReplyInline Actions

I don't think we will ever return "false", i.e., failing the test here?

success -> n = 0
failure -> n = 1
return n <= 0   // n is never <= 0, right?!

Maybe just return the return value of CCRandomGenerateBytes() (assuming kCCSuccess is 0)?

yln: I don't think we will ever return "false", i.e., failing the test here? ``` success -> n = 0…
n = 1; printf("CCRandomGenerateBytes\n");
return n <= 0; for (int i = 0; i <sizeof(buf); i++)
printf("%" PRIx8, buf[i]);
printf("\n");
}
return n;
// CHECK: CCRandomGenerateBytes
// CHECK: '{{.*}}'
} }
#endif