This is an archive of the discontinued LLVM Phabricator instance.

Differential D123312

[ASan] Removed code from unaligned case which was causing wrong reporting.
AbandonedPublic

Authored by kstoimenov on Apr 7 2022, 7:51 AM.

Details

Reviewers
eugenis
Summary

The instrumentUnusualSizeOrAlignment was originally refactored out in D8198. At that time callbacks probably handled the unaligned case properly? Now it is causing a wrong "unknown-crash" message instead of 'global-buffer-overflow' because it is looking at the wrong place in shadow memory.

Diff Detail

Unit TestsFailed

TimeTest
60,030 msx64 debian > libFuzzer.libFuzzer::fuzzer-leak.test
60,120 msx64 debian > libFuzzer.libFuzzer::large.test
60,050 msx64 debian > libFuzzer.libFuzzer::out-of-process-fuzz.test
60,030 msx64 debian > libFuzzer.libFuzzer::value-profile-load.test

Event Timeline

kstoimenov created this revision.Apr 7 2022, 7:51 AM
Herald added a project: Restricted Project. · View Herald TranscriptApr 7 2022, 7:51 AM
Herald added a subscriber: hiraditya. · View Herald Transcript
kstoimenov requested review of this revision.Apr 7 2022, 7:51 AM
Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptApr 7 2022, 7:51 AM
Herald added subscribers: llvm-commits, Restricted Project. · View Herald Transcript
kstoimenov edited the summary of this revision. (Show Details)Apr 7 2022, 7:55 AM
kstoimenov edited the summary of this revision. (Show Details)Apr 7 2022, 8:00 AM
kstoimenov added a reviewer: eugenis.
Harbormaster completed remote builds in B158492: Diff 421217.Apr 7 2022, 10:23 AM
eugenis added inline comments.Apr 7 2022, 2:13 PM
llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
1874

I'm confused - AsanMemoryAccessCallbackSized callbacks go to __asan_loadN / __asan_storeN versions which should handle unaligned properly.

kstoimenov abandoned this revision.Apr 7 2022, 2:31 PM

Revision Contents

PathSize
compiler-rt/
lib/
asan/
tests/
4 lines
llvm/
lib/
Transforms/
Instrumentation/
19 lines
test/
Instrumentation/
AddressSanitizer/
4 lines
8 lines
HWAddressSanitizer/
4 lines

Diff 421217

compiler-rt/lib/asan/tests/asan_test.cpp

Show First 20 LinesShow All 197 Lines▼ Show 20 LinesTEST(AddressSanitizer, UAF_char) {
EXPECT_DEATH(uaf_test<U1>(10, 10), uaf_string); EXPECT_DEATH(uaf_test<U1>(10, 10), uaf_string);
EXPECT_DEATH(uaf_test<U1>(kLargeMalloc, 0), uaf_string); EXPECT_DEATH(uaf_test<U1>(kLargeMalloc, 0), uaf_string);
EXPECT_DEATH(uaf_test<U1>(kLargeMalloc, kLargeMalloc / 2), uaf_string); EXPECT_DEATH(uaf_test<U1>(kLargeMalloc, kLargeMalloc / 2), uaf_string);
} }
TEST(AddressSanitizer, UAF_long_double) { TEST(AddressSanitizer, UAF_long_double) {
if (sizeof(long double) == sizeof(double)) return; if (sizeof(long double) == sizeof(double)) return;
long double *p = Ident(new long double[10]); long double *p = Ident(new long double[10]);
EXPECT_DEATH(Ident(p)[12] = 0, "WRITE of size 1[026]"); EXPECT_DEATH(Ident(p)[12] = 0, "WRITE of size 1");
EXPECT_DEATH(Ident(p)[0] = Ident(p)[12], "READ of size 1[026]"); EXPECT_DEATH(Ident(p)[0] = Ident(p)[12], "READ of size 1");
delete [] Ident(p); delete [] Ident(p);
} }
#if !defined(_WIN32) #if !defined(_WIN32)
struct Packed5 { struct Packed5 {
int x; int x;
char c; char c;
} __attribute__((packed)); } __attribute__((packed));
▲ Show 20 LinesShow All 1,152 LinesShow Last 20 Lines

llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp

Show First 20 LinesShow All 1,863 Lines▼ Show 20 Lines
// and the last bytes. We call __asan_report_*_n(addr, real_size) to be able // and the last bytes. We call __asan_report_*_n(addr, real_size) to be able
// to report the actual access size. // to report the actual access size.
void AddressSanitizer::instrumentUnusualSizeOrAlignment( void AddressSanitizer::instrumentUnusualSizeOrAlignment(
Instruction *I, Instruction *InsertBefore, Value *Addr, uint32_t TypeSize, Instruction *I, Instruction *InsertBefore, Value *Addr, uint32_t TypeSize,
bool IsWrite, Value *SizeArgument, bool UseCalls, uint32_t Exp) { bool IsWrite, Value *SizeArgument, bool UseCalls, uint32_t Exp) {
IRBuilder<> IRB(InsertBefore); IRBuilder<> IRB(InsertBefore);
Value *Size = ConstantInt::get(IntptrTy, TypeSize / 8); Value *Size = ConstantInt::get(IntptrTy, TypeSize / 8);
Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy);
if (UseCalls) {
if (Exp == 0)
IRB.CreateCall(AsanMemoryAccessCallbackSized[IsWrite][0],
eugenisUnsubmitted
Not Done
ReplyInline Actions

I'm confused - AsanMemoryAccessCallbackSized callbacks go to __asan_loadN / __asan_storeN versions which should handle unaligned properly.

eugenis: I'm confused - AsanMemoryAccessCallbackSized callbacks go to `__asan_loadN` / `__asan_storeN`…
{AddrLong, Size});
else
IRB.CreateCall(AsanMemoryAccessCallbackSized[IsWrite][1],
{AddrLong, Size, ConstantInt::get(IRB.getInt32Ty(), Exp)});
} else {
Value *LastByte = IRB.CreateIntToPtr( Value *LastByte = IRB.CreateIntToPtr(
IRB.CreateAdd(AddrLong, ConstantInt::get(IntptrTy, TypeSize / 8 - 1)), IRB.CreateAdd(AddrLong, ConstantInt::get(IntptrTy, TypeSize / 8 - 1)),
Addr->getType()); Addr->getType());
instrumentAddress(I, InsertBefore, Addr, 8, IsWrite, Size, false, Exp); instrumentAddress(I, InsertBefore, Addr, 8, IsWrite, Size, UseCalls, Exp);
instrumentAddress(I, InsertBefore, LastByte, 8, IsWrite, Size, false, Exp); instrumentAddress(I, InsertBefore, LastByte, 8, IsWrite, Size, UseCalls, Exp);
}
} }
void ModuleAddressSanitizer::poisonOneInitializer(Function &GlobalInit, void ModuleAddressSanitizer::poisonOneInitializer(Function &GlobalInit,
GlobalValue *ModuleName) { GlobalValue *ModuleName) {
// Set up the arguments to our poison/unpoison functions. // Set up the arguments to our poison/unpoison functions.
IRBuilder<> IRB(&GlobalInit.front(), IRBuilder<> IRB(&GlobalInit.front(),
GlobalInit.front().getFirstInsertionPt()); GlobalInit.front().getFirstInsertionPt());
▲ Show 20 LinesShow All 1,773 LinesShow Last 20 Lines

llvm/test/Instrumentation/AddressSanitizer/experiment-call.ll

Show First 20 LinesShow All 48 Lines▼ Show 20 Lines
; CHECK: ret void ; CHECK: ret void
} }
define void @loadN(i48* %p) sanitize_address { define void @loadN(i48* %p) sanitize_address {
entry: entry:
%t = load i48, i48* %p, align 1 %t = load i48, i48* %p, align 1
ret void ret void
; CHECK-LABEL: define void @loadN ; CHECK-LABEL: define void @loadN
; CHECK: __asan_exp_loadN{{.*}} i32 42 ; CHECK: __asan_exp_load1{{.*}} i32 42
; CHECK: ret void ; CHECK: ret void
} }
define void @store1(i8* %p) sanitize_address { define void @store1(i8* %p) sanitize_address {
entry: entry:
store i8 1, i8* %p, align 1 store i8 1, i8* %p, align 1
ret void ret void
; CHECK-LABEL: define void @store1 ; CHECK-LABEL: define void @store1
Show All 37 Lines
; CHECK: ret void ; CHECK: ret void
} }
define void @storeN(i48* %p) sanitize_address { define void @storeN(i48* %p) sanitize_address {
entry: entry:
store i48 1, i48* %p, align 1 store i48 1, i48* %p, align 1
ret void ret void
; CHECK-LABEL: define void @storeN ; CHECK-LABEL: define void @storeN
; CHECK: __asan_exp_storeN{{.*}} i32 42 ; CHECK: __asan_exp_store1{{.*}} i32 42
; CHECK: ret void ; CHECK: ret void
} }

llvm/test/Instrumentation/AddressSanitizer/instrumentation-with-call-threshold.ll

; Test asan internal compiler flags: ; Test asan internal compiler flags:
; -asan-instrumentation-with-call-threshold ; -asan-instrumentation-with-call-threshold
; -asan-memory-access-callback-prefix ; -asan-memory-access-callback-prefix
; RUN: opt < %s -passes='asan-pipeline' -asan-instrumentation-with-call-threshold=1 -S | FileCheck %s --check-prefix=CHECK-CALL ; RUN: opt < %s -passes='asan-pipeline' -asan-instrumentation-with-call-threshold=1 -S | FileCheck %s --check-prefix=CHECK-CALL
; RUN: opt < %s -passes='asan-pipeline' -asan-instrumentation-with-call-threshold=0 -S | FileCheck %s --check-prefix=CHECK-CALL ; RUN: opt < %s -passes='asan-pipeline' -asan-instrumentation-with-call-threshold=0 -S | FileCheck %s --check-prefix=CHECK-CALL
; RUN: opt < %s -passes='asan-pipeline' -asan-instrumentation-with-call-threshold=0 -asan-memory-access-callback-prefix=__foo_ -S | FileCheck %s --check-prefix=CHECK-CUSTOM-PREFIX ; RUN: opt < %s -passes='asan-pipeline' -asan-instrumentation-with-call-threshold=0 -asan-memory-access-callback-prefix=__foo_ -S | FileCheck %s --check-prefix=CHECK-CUSTOM-PREFIX
; RUN: opt < %s -passes='asan-pipeline' -asan-instrumentation-with-call-threshold=5 -S | FileCheck %s --check-prefix=CHECK-INLINE ; RUN: opt < %s -passes='asan-pipeline' -asan-instrumentation-with-call-threshold=5 -S | FileCheck %s --check-prefix=CHECK-INLINE
; RUN: opt < %s -passes='asan-pipeline' -S | FileCheck %s --check-prefix=CHECK-INLINE ; RUN: opt < %s -passes='asan-pipeline' -S | FileCheck %s --check-prefix=CHECK-INLINE
target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64" target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64"
target triple = "x86_64-unknown-linux-gnu" target triple = "x86_64-unknown-linux-gnu"
define void @test_load(i32* %a, i64* %b, i512* %c, i80* %d) sanitize_address { define void @test_load(i32* %a, i64* %b, i512* %c, i80* %d) sanitize_address {
entry: entry:
; CHECK-CALL: call void @__asan_load4 ; CHECK-CALL: call void @__asan_load4
; CHECK-CALL: call void @__asan_load8 ; CHECK-CALL: call void @__asan_load8
; CHECK-CALL: call void @__asan_loadN{{.*}}i64 64) ; CHECK-CALL: call void @__asan_load1
; CHECK-CALL: call void @__asan_loadN{{.*}}i64 10) ; CHECK-CALL: call void @__asan_load1
; CHECK-CALL: call void @__asan_load1
; CHECK-CALL: call void @__asan_load1
; CHECK-CUSTOM-PREFIX: call void @__foo_load4 ; CHECK-CUSTOM-PREFIX: call void @__foo_load4
; CHECK-CUSTOM-PREFIX: call void @__foo_load8 ; CHECK-CUSTOM-PREFIX: call void @__foo_load8
; CHECK-CUSTOM-PREFIX: call void @__foo_loadN ; CHECK-CUSTOM-PREFIX: call void @__foo_load1
; CHECK-INLINE-NOT: call void @__asan_load ; CHECK-INLINE-NOT: call void @__asan_load
%tmp1 = load i32, i32* %a, align 4 %tmp1 = load i32, i32* %a, align 4
%tmp2 = load i64, i64* %b, align 8 %tmp2 = load i64, i64* %b, align 8
%tmp3 = load i512, i512* %c, align 32 %tmp3 = load i512, i512* %c, align 32
%tmp4 = load i80, i80* %d, align 8 %tmp4 = load i80, i80* %d, align 8
ret void ret void
} }

llvm/test/Instrumentation/HWAddressSanitizer/kernel-inline.ll

Show All 13 Linesentry:
%tmp4 = load i80, i80* %d, align 8 %tmp4 = load i80, i80* %d, align 8
ret void ret void
} }
; CHECK-INLINE: call void @__asan_report_load4_noabort ; CHECK-INLINE: call void @__asan_report_load4_noabort
; CHECK-INLINE: call void @__asan_report_load8_noabort ; CHECK-INLINE: call void @__asan_report_load8_noabort
; CHECK-INLINE: call void @__asan_report_load_n_noabort ; CHECK-INLINE: call void @__asan_report_load_n_noabort
; CHECK-INLINE-NOT: call void @__asan_load4_noabort ; CHECK-INLINE-NOT: call void @__asan_load4_noabort
; CHECK-INLINE-NOT: call void @__asan_load8_noabort ; CHECK-INLINE-NOT: call void @__asan_load8_noabort
; CHECK-INLINE-NOT: call void @__asan_loadN_noabort ; CHECK-INLINE-NOT: call void @__asan_load1_noabort
; CHECK-CALLBACK: call void @__asan_load4_noabort ; CHECK-CALLBACK: call void @__asan_load4_noabort
; CHECK-CALLBACK: call void @__asan_load8_noabort ; CHECK-CALLBACK: call void @__asan_load8_noabort
; CHECK-CALLBACK: call void @__asan_loadN_noabort ; CHECK-CALLBACK: call void @__asan_load1_noabort
; CHECK-CALLBACK-NOT: call void @__asan_report_load4_noabort ; CHECK-CALLBACK-NOT: call void @__asan_report_load4_noabort
; CHECK-CALLBACK-NOT: call void @__asan_report_load8_noabort ; CHECK-CALLBACK-NOT: call void @__asan_report_load8_noabort
; CHECK-CALLBACK-NOT: call void @__asan_report_load_n_noabort ; CHECK-CALLBACK-NOT: call void @__asan_report_load_n_noabort