This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
compiler-rt/lib/
-
lib/
-
msan/tests/
-
tests/
2/4
msan_test.cpp
-
sanitizer_common/
1/2
sanitizer_common_interceptors.inc
1
sanitizer_platform_limits_posix.h
1
sanitizer_platform_limits_posix.cpp

Differential D108646

[MSAN] Fix wordexp interception when WRDE_DOOFFS is used
ClosedPublic

Authored by justincady on Aug 24 2021, 10:32 AM.

Download Raw Diff

Details

Reviewers

vitalybuka

Commits

rGd568e5325c74: [MSAN] Fix wordexp interception when WRDE_DOOFFS is used

Summary

Handle the case of wordexp being invoked with WRDE_DOOFFS and
we.we_offs set to a positive value, which will result in NULL
entries prepended to the result. With this change the entire
result, containing both NULL and actual entries, is unpoisoned.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

justincady requested review of this revision.Aug 24 2021, 10:32 AM

justincady created this revision.

Herald added a project: Restricted Project. · View Herald TranscriptAug 24 2021, 10:32 AM

Herald added a subscriber: Restricted Project. · View Herald Transcript

Harbormaster completed remote builds in B120997: Diff 368392.Aug 24 2021, 11:20 AM

Thanks for the fix.
I assume you have no commit access, so I will resolve my comments and and land the patch.

compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.cpp
321	Please fix clang-format warnings.
compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.h
790	to match convention please rename: WORDEXP_WRDE_DOOFFS -> wordexp_wrde_dooffs

This revision is now accepted and ready to land.Aug 24 2021, 12:46 PM

Correct, I do not have commit access. Thanks for reviewing and landing the patch.

Apologies about the clang-format warnings. I saw clang-format report issues all over the file (beyond this change), so I did not automatically apply them. But in doing that, I missed the spacing reported in my patch.

vitalybuka added inline comments.Aug 24 2021, 12:58 PM

compiler-rt/lib/msan/tests/msan_test.cpp
3763	A new test does not fail without the fix, because it's copied from invalid test, I'll fix that in a separate patch.

justincady added inline comments.Aug 24 2021, 1:02 PM

compiler-rt/lib/msan/tests/msan_test.cpp
3763	This test does fail without the fix. I think there is actually a build dependency issue though. I found that if I: touch compiler-rt/lib/msan/tests/msan_test.cpp Then run without the fix, it will fail.

fix style issues

Herald added subscribers: s.egerton, simoncook. · View Herald TranscriptAug 24 2021, 1:03 PM

justincady added inline comments.Aug 24 2021, 1:21 PM

compiler-rt/lib/msan/tests/msan_test.cpp

3763

Here is an example snippet of the failures without the fix in place, running check-msan:

==209625==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x7364f8 in testing::internal::String::CStringEquals(char const*, char const*) /llvm-project-main/llvm/utils/unittest/googletest/src/gtest.cc:913:7
    #1 0x7364f8 in testing::internal::CmpHelperSTREQ(char const*, char const*, char const*, char const*) /llvm-project-main/llvm/utils/unittest/googletest/src/gtest.cc:1498:7
    #2 0x64a2f6 in MemorySanitizer_wordexp_initial_offset_Test::TestBody() /llvm-project-main/compiler-rt/lib/msan/tests/msan_test.cpp:3772:3
    #3 0x7ce80e in void testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /llvm-project-main/llvm/utils/unittest/googletest/src/gtest.cc:2433:10
    #4 0x7ce80e in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /llvm-project-main/llvm/utils/unittest/googletest/src/gtest.cc:2469:14
    #5 0x7481a1 in testing::Test::Run() /llvm-project-main/llvm/utils/unittest/googletest/src/gtest.cc:2508:5
    #6 0x74ce72 in testing::TestInfo::Run() /llvm-project-main/llvm/utils/unittest/googletest/src/gtest.cc:2684:11
    #7 0x74f1fa in testing::TestSuite::Run() /llvm-project-main/llvm/utils/unittest/googletest/src/gtest.cc:2816:28
    #8 0x78d7e4 in testing::internal::UnitTestImpl::RunAllTests() /llvm-project-main/llvm/utils/unittest/googletest/src/gtest.cc:5338:44
    #9 0x7d14d8 in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /llvm-project-main/llvm/utils/unittest/googletest/src/gtest.cc:2433:10
    #10 0x7d14d8 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /llvm-project-main/llvm/utils/unittest/googletest/src/gtest.cc:2469:14
    #11 0x78b86c in testing::UnitTest::Run() /llvm-project-main/llvm/utils/unittest/googletest/src/gtest.cc:4925:10
    #12 0x70ddb7 in RUN_ALL_TESTS() /llvm-project-main/llvm/utils/unittest/googletest/include/gtest/gtest.h:2473:46
    #13 0x70ddb7 in main /llvm-project-main/compiler-rt/lib/msan/tests/msan_test_main.cpp:19:10
    #14 0x7fbf017820b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #15 0x482b6d in _start (/llvm-project-main/build/projects/compiler-rt/lib/msan/tests/Msan-x86_64-with-call-Test+0x482b6d)

  Uninitialized value was stored to memory at
    #0 0x48ea30 in __interceptor_realloc /llvm-project-main/compiler-rt/lib/msan/msan_interceptors.cpp:879:3
    #1 0x7fbf01869c88 in wordexp (/lib/x86_64-linux-gnu/libc.so.6+0x10ec88)

  Uninitialized value was created by a heap allocation
    #0 0x48ea30 in __interceptor_realloc /llvm-project-main/compiler-rt/lib/msan/msan_interceptors.cpp:879:3
    #1 0x7fbf01869666 in wordexp (/lib/x86_64-linux-gnu/libc.so.6+0x10e666)
[...]
Failed Tests (2):
  MemorySanitizer-Unit :: ./Msan-x86_64-Test/MemorySanitizer.wordexp_initial_offset
  MemorySanitizer-Unit :: ./Msan-x86_64-with-call-Test/MemorySanitizer.wordexp_initial_offset

Harbormaster completed remote builds in B121034: Diff 368440.Aug 24 2021, 1:46 PM

This revision was landed with ongoing or failed builds.Aug 24 2021, 2:30 PM

Closed by commit rGd568e5325c74: [MSAN] Fix wordexp interception when WRDE_DOOFFS is used (authored by justincady, committed by vitalybuka). · Explain Why

This revision was automatically updated to reflect the committed changes.

vitalybuka added a commit: rGd568e5325c74: [MSAN] Fix wordexp interception when WRDE_DOOFFS is used.

vitalybuka added inline comments.Aug 24 2021, 2:30 PM

compiler-rt/lib/msan/tests/msan_test.cpp
3763	That's error on my side, I had no libcxx and unittests enabled.

justincady added inline comments.Aug 24 2021, 2:41 PM

compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
4000	This adjustment to the initial patch is incorrect. Note that the original patch added `p->we_offs` (not another `p->we_wordc`) in the case of `wordexp_wrde_dooffs`: uptr we_wordc = (flags & WORDEXP_WRDE_DOOFFS) ? p->we_wordc + p->we_offs : p->we_wordc;

vitalybuka mentioned this in rG629411d79922: [msan] Fix wordexp after D108646.Aug 24 2021, 4:36 PM

vitalybuka added inline comments.Aug 24 2021, 4:37 PM

compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
4000	Good catch!

ro mentioned this in D109193: [sanitizer_common] Define wordexp_wrde_dooffs for Solaris.Sep 2 2021, 1:53 PM

ro mentioned this in rG79d58b4d3017: [sanitizer_common] Define wordexp_wrde_dooffs for Solaris.Sep 3 2021, 1:03 AM

Revision Contents

Path

Size

compiler-rt/

lib/

msan/

tests/

msan_test.cpp

12 lines

sanitizer_common/

sanitizer_common_interceptors.inc

8 lines

sanitizer_platform_limits_posix.h

4 lines

sanitizer_platform_limits_posix.cpp

4 lines

Diff 368470

compiler-rt/lib/msan/tests/msan_test.cpp

Show First 20 Lines • Show All 3,754 Lines • ▼ Show 20 Lines	TEST(MemorySanitizer, wordexp) {
int res = wordexp("a b c", &w, 0);		int res = wordexp("a b c", &w, 0);
ASSERT_EQ(0, res);		ASSERT_EQ(0, res);
ASSERT_EQ(3U, w.we_wordc);		ASSERT_EQ(3U, w.we_wordc);
ASSERT_STREQ("a", w.we_wordv[0]);		ASSERT_STREQ("a", w.we_wordv[0]);
ASSERT_STREQ("b", w.we_wordv[1]);		ASSERT_STREQ("b", w.we_wordv[1]);
ASSERT_STREQ("c", w.we_wordv[2]);		ASSERT_STREQ("c", w.we_wordv[2]);
}		}

		TEST(MemorySanitizer, wordexp_initial_offset) {
		vitalybukaUnsubmitted Not Done Reply Inline Actions A new test does not fail without the fix, because it's copied from invalid test, I'll fix that in a separate patch. vitalybuka: A new test does not fail without the fix, because it's copied from invalid test, I'll fix that…
		justincadyAuthorUnsubmitted Done Reply Inline Actions This test does fail without the fix. I think there is actually a build dependency issue though. I found that if I: touch compiler-rt/lib/msan/tests/msan_test.cpp Then run without the fix, it will fail. justincady: This test does fail without the fix. I think there is actually a build dependency issue though.
		vitalybukaUnsubmitted Not Done Reply Inline Actions That's error on my side, I had no libcxx and unittests enabled. vitalybuka: That's error on my side, I had no libcxx and unittests enabled.
		justincadyAuthorUnsubmitted Done Reply Inline Actions Here is an example snippet of the failures without the fix in place, running check-msan: ==209625==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x7364f8 in testing::internal::String::CStringEquals(char const, char const) /llvm-project-main/llvm/utils/unittest/googletest/src/gtest.cc:913:7 #1 0x7364f8 in testing::internal::CmpHelperSTREQ(char const, char const, char const, char const) /llvm-project-main/llvm/utils/unittest/googletest/src/gtest.cc:1498:7 #2 0x64a2f6 in MemorySanitizer_wordexp_initial_offset_Test::TestBody() /llvm-project-main/compiler-rt/lib/msan/tests/msan_test.cpp:3772:3 #3 0x7ce80e in void testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test, void>(testing::Test, void (testing::Test::)(), char const) /llvm-project-main/llvm/utils/unittest/googletest/src/gtest.cc:2433:10 #4 0x7ce80e in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test, void (testing::Test::)(), char const) /llvm-project-main/llvm/utils/unittest/googletest/src/gtest.cc:2469:14 #5 0x7481a1 in testing::Test::Run() /llvm-project-main/llvm/utils/unittest/googletest/src/gtest.cc:2508:5 #6 0x74ce72 in testing::TestInfo::Run() /llvm-project-main/llvm/utils/unittest/googletest/src/gtest.cc:2684:11 #7 0x74f1fa in testing::TestSuite::Run() /llvm-project-main/llvm/utils/unittest/googletest/src/gtest.cc:2816:28 #8 0x78d7e4 in testing::internal::UnitTestImpl::RunAllTests() /llvm-project-main/llvm/utils/unittest/googletest/src/gtest.cc:5338:44 #9 0x7d14d8 in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl, bool (testing::internal::UnitTestImpl::)(), char const) /llvm-project-main/llvm/utils/unittest/googletest/src/gtest.cc:2433:10 #10 0x7d14d8 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl, bool (testing::internal::UnitTestImpl::)(), char const) /llvm-project-main/llvm/utils/unittest/googletest/src/gtest.cc:2469:14 #11 0x78b86c in testing::UnitTest::Run() /llvm-project-main/llvm/utils/unittest/googletest/src/gtest.cc:4925:10 #12 0x70ddb7 in RUN_ALL_TESTS() /llvm-project-main/llvm/utils/unittest/googletest/include/gtest/gtest.h:2473:46 #13 0x70ddb7 in main /llvm-project-main/compiler-rt/lib/msan/tests/msan_test_main.cpp:19:10 #14 0x7fbf017820b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) #15 0x482b6d in _start (/llvm-project-main/build/projects/compiler-rt/lib/msan/tests/Msan-x86_64-with-call-Test+0x482b6d) Uninitialized value was stored to memory at #0 0x48ea30 in __interceptor_realloc /llvm-project-main/compiler-rt/lib/msan/msan_interceptors.cpp:879:3 #1 0x7fbf01869c88 in wordexp (/lib/x86_64-linux-gnu/libc.so.6+0x10ec88) Uninitialized value was created by a heap allocation #0 0x48ea30 in __interceptor_realloc /llvm-project-main/compiler-rt/lib/msan/msan_interceptors.cpp:879:3 #1 0x7fbf01869666 in wordexp (/lib/x86_64-linux-gnu/libc.so.6+0x10e666) [...] Failed Tests (2): MemorySanitizer-Unit :: ./Msan-x86_64-Test/MemorySanitizer.wordexp_initial_offset MemorySanitizer-Unit :: ./Msan-x86_64-with-call-Test/MemorySanitizer.wordexp_initial_offset justincady: Here is an example snippet of the failures without the fix in place, running check-msan: ```…
		wordexp_t w;
		w.we_offs = 1;
		int res = wordexp("a b c", &w, WRDE_DOOFFS);
		ASSERT_EQ(0, res);
		ASSERT_EQ(3U, w.we_wordc);
		ASSERT_EQ(nullptr, w.we_wordv[0]);
		ASSERT_STREQ("a", w.we_wordv[1]);
		ASSERT_STREQ("b", w.we_wordv[2]);
		ASSERT_STREQ("c", w.we_wordv[3]);
		}

template<class T>		template<class T>
static bool applySlt(T value, T shadow) {		static bool applySlt(T value, T shadow) {
__msan_partial_poison(&value, &shadow, sizeof(T));		__msan_partial_poison(&value, &shadow, sizeof(T));
volatile bool zzz = true;		volatile bool zzz = true;
// This "\|\| zzz" trick somehow makes LLVM emit "icmp slt" instead of		// This "\|\| zzz" trick somehow makes LLVM emit "icmp slt" instead of
// a shift-and-trunc to get at the highest bit.		// a shift-and-trunc to get at the highest bit.
volatile bool v = value < 0 \|\| zzz;		volatile bool v = value < 0 \|\| zzz;
return v;		return v;
▲ Show 20 Lines • Show All 1,071 Lines • Show Last 20 Lines

compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc

This file is larger than 256 KB, so syntax highlighting is disabled by default.

Show First 20 Lines • Show All 3,990 Lines • ▼ Show 20 Lines	INTERCEPTOR(int, wordexp, char s, __sanitizer_wordexp_t p, int flags) {
COMMON_INTERCEPTOR_ENTER(ctx, wordexp, s, p, flags);		COMMON_INTERCEPTOR_ENTER(ctx, wordexp, s, p, flags);
if (s) COMMON_INTERCEPTOR_READ_RANGE(ctx, s, internal_strlen(s) + 1);		if (s) COMMON_INTERCEPTOR_READ_RANGE(ctx, s, internal_strlen(s) + 1);
// FIXME: under ASan the call below may write to freed memory and corrupt		// FIXME: under ASan the call below may write to freed memory and corrupt
// its metadata. See		// its metadata. See
// https://github.com/google/sanitizers/issues/321.		// https://github.com/google/sanitizers/issues/321.
int res = REAL(wordexp)(s, p, flags);		int res = REAL(wordexp)(s, p, flags);
if (!res && p) {		if (!res && p) {
COMMON_INTERCEPTOR_WRITE_RANGE(ctx, p, sizeof(*p));		COMMON_INTERCEPTOR_WRITE_RANGE(ctx, p, sizeof(*p));
if (p->we_wordc)		uptr we_wordc =
		((flags & wordexp_wrde_dooffs) ? p->we_wordc : 0) + p->we_wordc;
		justincadyAuthorUnsubmitted Done Reply Inline Actions This adjustment to the initial patch is incorrect. Note that the original patch added `p->we_offs` (not another `p->we_wordc`) in the case of `wordexp_wrde_dooffs`: uptr we_wordc = (flags & WORDEXP_WRDE_DOOFFS) ? p->we_wordc + p->we_offs : p->we_wordc; justincady: This adjustment to the initial patch is incorrect. Note that the original patch added `p…
		vitalybukaUnsubmitted Not Done Reply Inline Actions Good catch! vitalybuka: Good catch!
		if (we_wordc)
COMMON_INTERCEPTOR_WRITE_RANGE(ctx, p->we_wordv,		COMMON_INTERCEPTOR_WRITE_RANGE(ctx, p->we_wordv,
sizeof(p->we_wordv) p->we_wordc);		sizeof(p->we_wordv) we_wordc);
for (uptr i = 0; i < p->we_wordc; ++i) {		for (uptr i = 0; i < we_wordc; ++i) {
char *w = p->we_wordv[i];		char *w = p->we_wordv[i];
if (w) COMMON_INTERCEPTOR_WRITE_RANGE(ctx, w, internal_strlen(w) + 1);		if (w) COMMON_INTERCEPTOR_WRITE_RANGE(ctx, w, internal_strlen(w) + 1);
}		}
}		}
return res;		return res;
}		}
#define INIT_WORDEXP COMMON_INTERCEPT_FUNCTION(wordexp);		#define INIT_WORDEXP COMMON_INTERCEPT_FUNCTION(wordexp);
#else		#else
▲ Show 20 Lines • Show All 6,439 Lines • Show Last 20 Lines

compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.h

	Show First 20 Lines • Show All 770 Lines • ▼ Show 20 Lines
	# if SANITIZER_LINUX			# if SANITIZER_LINUX
	extern int glob_nomatch;			extern int glob_nomatch;
	extern int glob_altdirfunc;			extern int glob_altdirfunc;
	# endif			# endif
	#endif // !SANITIZER_ANDROID			#endif // !SANITIZER_ANDROID

	extern unsigned path_max;			extern unsigned path_max;

				# if !SANITIZER_ANDROID
				extern const int wordexp_wrde_dooffs;
				# endif // !SANITIZER_ANDROID

	struct __sanitizer_wordexp_t {			struct __sanitizer_wordexp_t {
	uptr we_wordc;			uptr we_wordc;
	char **we_wordv;			char **we_wordv;
	uptr we_offs;			uptr we_offs;
	};			};

	#if SANITIZER_LINUX && !SANITIZER_ANDROID			#if SANITIZER_LINUX && !SANITIZER_ANDROID
	struct __sanitizer_FILE {			struct __sanitizer_FILE {
				vitalybukaUnsubmitted Not Done Reply Inline Actions to match convention please rename: WORDEXP_WRDE_DOOFFS -> wordexp_wrde_dooffs vitalybuka: to match convention please rename: WORDEXP_WRDE_DOOFFS -> wordexp_wrde_dooffs
	int _flags;			int _flags;
	char *_IO_read_ptr;			char *_IO_read_ptr;
	char *_IO_read_end;			char *_IO_read_end;
	char *_IO_read_base;			char *_IO_read_base;
	char *_IO_write_base;			char *_IO_write_base;
	char *_IO_write_ptr;			char *_IO_write_ptr;
	char *_IO_write_end;			char *_IO_write_end;
	char *_IO_buf_base;			char *_IO_buf_base;
	▲ Show 20 Lines • Show All 654 Lines • Show Last 20 Lines

compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.cpp

	Show First 20 Lines • Show All 307 Lines • ▼ Show 20 Lines
	unsigned struct_ElfW_Phdr_sz = sizeof(Elf_Phdr);			unsigned struct_ElfW_Phdr_sz = sizeof(Elf_Phdr);
	#endif			#endif

	#if SANITIZER_GLIBC			#if SANITIZER_GLIBC
	int glob_nomatch = GLOB_NOMATCH;			int glob_nomatch = GLOB_NOMATCH;
	int glob_altdirfunc = GLOB_ALTDIRFUNC;			int glob_altdirfunc = GLOB_ALTDIRFUNC;
	#endif			#endif

				# if !SANITIZER_ANDROID
				const int wordexp_wrde_dooffs = WRDE_DOOFFS;
				# endif // !SANITIZER_ANDROID

	#if SANITIZER_LINUX && !SANITIZER_ANDROID && \			#if SANITIZER_LINUX && !SANITIZER_ANDROID && \
	(defined(__i386) \|\| defined(__x86_64) \|\| defined(__mips64) \|\| \			(defined(__i386) \|\| defined(__x86_64) \|\| defined(__mips64) \|\| \
				vitalybukaUnsubmitted Not Done Reply Inline Actions Please fix clang-format warnings. vitalybuka: Please fix clang-format warnings.
	defined(__powerpc64__) \|\| defined(__aarch64__) \|\| defined(__arm__) \|\| \			defined(__powerpc64__) \|\| defined(__aarch64__) \|\| defined(__arm__) \|\| \
	defined(__s390__) \|\| SANITIZER_RISCV64)			defined(__s390__) \|\| SANITIZER_RISCV64)
	#if defined(__mips64) \|\| defined(__powerpc64__) \|\| defined(__arm__)			#if defined(__mips64) \|\| defined(__powerpc64__) \|\| defined(__arm__)
	unsigned struct_user_regs_struct_sz = sizeof(struct pt_regs);			unsigned struct_user_regs_struct_sz = sizeof(struct pt_regs);
	unsigned struct_user_fpregs_struct_sz = sizeof(elf_fpregset_t);			unsigned struct_user_fpregs_struct_sz = sizeof(elf_fpregset_t);
	#elif SANITIZER_RISCV64			#elif SANITIZER_RISCV64
	unsigned struct_user_regs_struct_sz = sizeof(struct user_regs_struct);			unsigned struct_user_regs_struct_sz = sizeof(struct user_regs_struct);
	unsigned struct_user_fpregs_struct_sz = sizeof(struct __riscv_q_ext_state);			unsigned struct_user_fpregs_struct_sz = sizeof(struct __riscv_q_ext_state);
	▲ Show 20 Lines • Show All 964 Lines • Show Last 20 Lines

This is an archive of the discontinued LLVM Phabricator instance.

[MSAN] Fix wordexp interception when WRDE_DOOFFS is usedClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 368470

compiler-rt/lib/msan/tests/msan_test.cpp

compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc

compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.h

compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.cpp

[MSAN] Fix wordexp interception when WRDE_DOOFFS is used
ClosedPublic