This is an archive of the discontinued LLVM Phabricator instance.

Differential D153775

[DFSAN] Add support for sscanf
ClosedPublic

Authored by tkuchta on Jun 26 2023, 8:06 AM.

Details

Reviewers
browneee
Commits
rG8dbcf8eba780: [DFSAN] Add support for sscanf.
Summary

Adding support for sscanf in DFSAN

Diff Detail

Event Timeline

tkuchta created this revision.Jun 26 2023, 8:06 AM
Herald added a project: Restricted Project. · View Herald TranscriptJun 26 2023, 8:06 AM
Herald added a subscriber: Enna1. · View Herald Transcript
tkuchta requested review of this revision.Jun 26 2023, 8:06 AM
Herald added a project: Restricted Project. · View Herald TranscriptJun 26 2023, 8:06 AM
Herald added a subscriber: Restricted Project. · View Herald Transcript
tkuchta added a parent revision: D153410: [DFSAN] Add support for _tolower.Jun 26 2023, 8:06 AM
Harbormaster completed remote builds in B241182: Diff 534564.Jun 26 2023, 8:37 AM
browneee added a comment.Jul 31 2023, 3:11 PM

Sorry for the long delay. I was on vacation.

compiler-rt/test/dfsan/custom.cpp
2110–2115

What is this testing, that is not tested with the labelled arg below?

2113

Should this also check the return value of sscanf?

2124

Should test with a label applied to padded_format, to show that it does not propagate.

2164–2168

dfsan_get_origin() calls here are on empty variables.

Is it intended to be called on some characters in s, like s_o does?

tkuchta marked an inline comment as done.Aug 11 2023, 9:49 AM

Thanks for the comments and sorry for the delay.

I would have the changes by now but I came across a strange issue. When doing ASSERT_INIT_ORIGINS I don't get the expected values. For example in the parsed string only the first 2 bytes have the right origin the others are 0. For the "m" variable even the first byte origin is incorrect. I was checking the implementation but it seems I am propagating the origins along with the labels. Could you please have a quick look, perhaps I'm missing something obvious here.

compiler-rt/test/dfsan/custom.cpp
2110–2115

right, I'll leave just the labelled version

2113

good point, I'll add it

2124

yes, I will add a label to the format

2164–2168

ah, right, good point, I'll fix this.

tkuchta marked an inline comment as done.Aug 11 2023, 12:05 PM

Specifically, I mean the following example from the test case:

strcpy(buf, "hello world, 2014/8/27 12345.678123 % 1000");
char *s = buf + 6; //starts with world

dfsan_origin s_o = dfsan_get_origin((long)(s[1]));
dfsan_set_label(i_label, (void *)(s + 12), 1);
dfsan_origin m_o = dfsan_get_origin((long)s[12]);

...

int r = sscanf(buf, "hello %s %d/%d/%d %f %% %n%d", buf_out, &y, &m, &d,
               &fval, &n, &val);
assert(r == 6);

assert(strcmp(buf_out, "world,") == 0);
ASSERT_INIT_ORIGINS(buf_out + 1, 2, s_o); // if we do 3 or more bytes, this fails
ASSERT_INIT_ORIGINS(&m, 1, m_o); // this fails even with a single byte
browneee added a comment.Aug 14 2023, 5:05 PM

I'm not sure what you expect to happen differently.

Origins work a bit differently to taint labels.

Each taint label is 1 byte. Each Origin ID is 4 bytes (aligned). Origin IDs are only propagated when more than 4 bytes of contiguous data is written to memory (and it has to be aligned).

e.g. string where each letter is a byte:

char* x = strdup("abcdef");

// Updates 6 bytes of corresponding taint labels to [0x01, 0x01, 0x01, 0x01, 0x01, 0x01].
// Also updates 6 bytes of corresponding origin data to [<4 byte origin id>, 0x00, 0x00].
dfsan_set_label(0x01, x, 6);

char* y = strdup("abcdefgh");

// Updates 8 bytes of corresponding taint labels to [0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02].
// Also updates 8 bytes of corresponding origin data to [<4 byte origin id>, <same 4 byte origin id>].
dfsan_set_label(0x02, y, 8);

If you expect to find non-zero origins, be careful that the bytes are copied together. A for loop copying one byte at a time could break the origin chain (or it might be optimized to a larger copy by the time the DFSan pass runs).

tkuchta updated this revision to Diff 551233.Aug 17 2023, 12:59 PM

Thank your for the comments. I addressed the comments from the review and fixed test cases.

Harbormaster completed remote builds in B253288: Diff 551233.Aug 17 2023, 1:21 PM
browneee accepted this revision.Aug 21 2023, 9:50 AM

One suggestion for checking the expected origins in the test are not zero, then LGTM.

compiler-rt/test/dfsan/custom.cpp
2172

If origin tracking is enabled, I suggest checking that the origins (e.g. s_o, m_o, d_o, f_o) are non-zero.

This revision is now accepted and ready to land.Aug 21 2023, 9:50 AM
tkuchta updated this revision to Diff 552303.Aug 22 2023, 3:46 AM

Thank you, I've added the asserts.

Harbormaster completed remote builds in B254051: Diff 552303.Aug 22 2023, 4:14 AM
tkuchta added a comment.Aug 23 2023, 9:10 AM

Please feel free to land the patch in case it's LGTM. Thank you for the reviews!

browneee added a comment.Sep 5 2023, 5:58 PM
/code/llvm-project/compiler-rt/lib/dfsan/dfsan_custom.cpp:2628:35: warning: comparison of integers of different signs: 'int' and 'size_t' (aka 'unsigned long') [-Wsign-compare]
            int size = scan_count > write_size ? write_size : scan_count;
                       ~~~~~~~~~~ ^ ~~~~~~~~~~
/code/llvm-project/compiler-rt/lib/dfsan/dfsan_custom.cpp:2663:35: warning: comparison of integers of different signs: 'int' and 'size_t' (aka 'unsigned long') [-Wsign-compare]
            int size = scan_count > write_size ? write_size : scan_count;
                       ~~~~~~~~~~ ^ ~~~~~~~~~~
/code/llvm-project/compiler-rt/lib/dfsan/dfsan_custom.cpp:2680:35: warning: comparison of integers of different signs: 'int' and 'size_t' (aka 'unsigned long') [-Wsign-compare]
            int size = scan_count > write_size ? write_size : scan_count;
                       ~~~~~~~~~~ ^ ~~~~~~~~~~
/code/llvm-project/compiler-rt/lib/dfsan/dfsan_custom.cpp:2718:35: warning: comparison of integers of different signs: 'int' and 'size_t' (aka 'unsigned long') [-Wsign-compare]
            int size = scan_count > write_size ? write_size : scan_count;
                       ~~~~~~~~~~ ^ ~~~~~~~~~~

I will fix these warnings with changes like this:

diff --git a/compiler-rt/lib/dfsan/dfsan_custom.cpp b/compiler-rt/lib/dfsan/dfsan_custom.cpp
index 8fe0c6e50f16..e903a99c97cc 100644
--- a/compiler-rt/lib/dfsan/dfsan_custom.cpp
+++ b/compiler-rt/lib/dfsan/dfsan_custom.cpp
@@ -2624,8 +2624,8 @@ static int scan_buffer(char *str, size_t size, const char *fmt,
             dfsan_set_label(l, dst_ptr, write_size);
           else {
             dfsan_set_label(l, dst_ptr, write_size);
-            int scan_count = formatter.num_written_bytes(retval);
-            int size = scan_count > write_size ? write_size : scan_count;
+            size_t scan_count = formatter.num_written_bytes(retval);
+            size_t size = scan_count > write_size ? write_size : scan_count;
             dfsan_mem_origin_transfer(dst_ptr, formatter.str_cur(), size);
           }
           end_fmt = true;
Closed by commit rG8dbcf8eba780: [DFSAN] Add support for sscanf. (authored by tkuchta, committed by browneee). · Explain WhySep 5 2023, 6:16 PM
This revision was automatically updated to reflect the committed changes.
browneee added a commit: rG8dbcf8eba780: [DFSAN] Add support for sscanf..
GitHub <noreply@github.com> mentioned this in rG368d74932efa: [DFSan] Fix sscanf wrapper handling %*d (the star skips capturing). (#67392).Sep 26 2023, 4:41 PM

Revision Contents

PathSize
compiler-rt/
lib/
dfsan/
330 lines
4 lines
test/
dfsan/
149 lines

Diff 555958

compiler-rt/lib/dfsan/dfsan_custom.cpp

Show First 20 LinesShow All 2,234 Lines▼ Show 20 Lines
// Type used to extract a dfsan_label with va_arg() // Type used to extract a dfsan_label with va_arg()
typedef int dfsan_label_va; typedef int dfsan_label_va;
// Formats a chunk either a constant string or a single format directive (e.g., // Formats a chunk either a constant string or a single format directive (e.g.,
// '%.3f'). // '%.3f').
struct Formatter { struct Formatter {
Formatter(char *str_, const char *fmt_, size_t size_) Formatter(char *str_, const char *fmt_, size_t size_)
: str(str_), str_off(0), size(size_), fmt_start(fmt_), fmt_cur(fmt_), : str(str_),
width(-1) {} str_off(0),
size(size_),
fmt_start(fmt_),
fmt_cur(fmt_),
width(-1),
num_scanned(-1) {}
int format() { int format() {
char *tmp_fmt = build_format_string(); char *tmp_fmt = build_format_string();
int retval = int retval =
snprintf(str + str_off, str_off < size ? size - str_off : 0, tmp_fmt, snprintf(str + str_off, str_off < size ? size - str_off : 0, tmp_fmt,
0 /* used only to avoid warnings */); 0 /* used only to avoid warnings */);
free(tmp_fmt); free(tmp_fmt);
return retval; return retval;
} }
template <typename T> int format(T arg) { template <typename T> int format(T arg) {
char *tmp_fmt = build_format_string(); char *tmp_fmt = build_format_string();
int retval; int retval;
if (width >= 0) { if (width >= 0) {
retval = snprintf(str + str_off, str_off < size ? size - str_off : 0, retval = snprintf(str + str_off, str_off < size ? size - str_off : 0,
tmp_fmt, width, arg); tmp_fmt, width, arg);
} else { } else {
retval = snprintf(str + str_off, str_off < size ? size - str_off : 0, retval = snprintf(str + str_off, str_off < size ? size - str_off : 0,
tmp_fmt, arg); tmp_fmt, arg);
} }
free(tmp_fmt); free(tmp_fmt);
return retval; return retval;
} }
char *build_format_string() { int scan() {
char *tmp_fmt = build_format_string(true);
int read_count = 0;
int retval = sscanf(str + str_off, tmp_fmt, &read_count);
if (retval > 0) {
if (-1 == num_scanned)
num_scanned = 0;
num_scanned += retval;
}
free(tmp_fmt);
return read_count;
}
template <typename T>
int scan(T arg) {
char *tmp_fmt = build_format_string(true);
int read_count = 0;
int retval = sscanf(str + str_off, tmp_fmt, arg, &read_count);
if (retval > 0) {
if (-1 == num_scanned)
num_scanned = 0;
num_scanned += retval;
}
free(tmp_fmt);
return read_count;
}
// with_n -> toggles adding %n on/off; off by default
char *build_format_string(bool with_n = false) {
size_t fmt_size = fmt_cur - fmt_start + 1; size_t fmt_size = fmt_cur - fmt_start + 1;
char *new_fmt = (char *)malloc(fmt_size + 1); size_t add_size = 0;
if (with_n)
add_size = 2;
char *new_fmt = (char *)malloc(fmt_size + 1 + add_size);
assert(new_fmt); assert(new_fmt);
internal_memcpy(new_fmt, fmt_start, fmt_size); internal_memcpy(new_fmt, fmt_start, fmt_size);
if (!with_n) {
new_fmt[fmt_size] = '\0'; new_fmt[fmt_size] = '\0';
} else {
new_fmt[fmt_size] = '%';
new_fmt[fmt_size + 1] = 'n';
new_fmt[fmt_size + 2] = '\0';
}
return new_fmt; return new_fmt;
} }
char *str_cur() { return str + str_off; } char *str_cur() { return str + str_off; }
size_t num_written_bytes(int retval) { size_t num_written_bytes(int retval) {
if (retval < 0) { if (retval < 0) {
return 0; return 0;
Show All 15 Linesstruct Formatter {
} }
char *str; char *str;
size_t str_off; size_t str_off;
size_t size; size_t size;
const char *fmt_start; const char *fmt_start;
const char *fmt_cur; const char *fmt_cur;
int width; int width;
int num_scanned;
}; };
// Formats the input and propagates the input labels to the output. The output // Formats the input and propagates the input labels to the output. The output
// is stored in 'str'. 'size' bounds the number of output bytes. 'format' and // is stored in 'str'. 'size' bounds the number of output bytes. 'format' and
// 'ap' are the format string and the list of arguments for formatting. Returns // 'ap' are the format string and the list of arguments for formatting. Returns
// the return value vsnprintf would return. // the return value vsnprintf would return.
// //
// The function tokenizes the format string in chunks representing either a // The function tokenizes the format string in chunks representing either a
▲ Show 20 LinesShow All 176 Lines▼ Show 20 Linesstatic int format_buffer(char *str, size_t size, const char *fmt,
*ret_label = 0; *ret_label = 0;
if (ret_origin) if (ret_origin)
*ret_origin = 0; *ret_origin = 0;
// Number of bytes written in total. // Number of bytes written in total.
return formatter.str_off; return formatter.str_off;
} }
// This function is an inverse of format_buffer: we take the input buffer,
// scan it in search for format strings and store the results in the varargs.
// The labels are propagated from the input buffer to the varargs.
static int scan_buffer(char *str, size_t size, const char *fmt,
dfsan_label *va_labels, dfsan_label *ret_label,
dfsan_origin *str_origin, dfsan_origin *ret_origin,
va_list ap) {
Formatter formatter(str, fmt, size);
while (*formatter.fmt_cur) {
formatter.fmt_start = formatter.fmt_cur;
formatter.width = -1;
int retval = 0;
dfsan_label l = 0;
void *dst_ptr = 0;
size_t write_size = 0;
if (*formatter.fmt_cur != '%') {
// Ordinary character. Consume all the characters until a '%' or the end
// of the string.
for (; *(formatter.fmt_cur + 1) && *(formatter.fmt_cur + 1) != '%';
++formatter.fmt_cur) {
}
retval = formatter.scan();
dfsan_set_label(0, formatter.str_cur(),
formatter.num_written_bytes(retval));
} else {
// Conversion directive. Consume all the characters until a conversion
// specifier or the end of the string.
bool end_fmt = false;
for (; *formatter.fmt_cur && !end_fmt;) {
switch (*++formatter.fmt_cur) {
case 'd':
case 'i':
case 'o':
case 'u':
case 'x':
case 'X':
switch (*(formatter.fmt_cur - 1)) {
case 'h':
// Also covers the 'hh' case (since the size of the arg is still
// an int).
dst_ptr = va_arg(ap, int *);
retval = formatter.scan((int *)dst_ptr);
write_size = sizeof(int);
break;
case 'l':
if (formatter.fmt_cur - formatter.fmt_start >= 2 &&
*(formatter.fmt_cur - 2) == 'l') {
dst_ptr = va_arg(ap, long long int *);
retval = formatter.scan((long long int *)dst_ptr);
write_size = sizeof(long long int);
} else {
dst_ptr = va_arg(ap, long int *);
retval = formatter.scan((long int *)dst_ptr);
write_size = sizeof(long int);
}
break;
case 'q':
dst_ptr = va_arg(ap, long long int *);
retval = formatter.scan((long long int *)dst_ptr);
write_size = sizeof(long long int);
break;
case 'j':
dst_ptr = va_arg(ap, intmax_t *);
retval = formatter.scan((intmax_t *)dst_ptr);
write_size = sizeof(intmax_t);
break;
case 'z':
case 't':
dst_ptr = va_arg(ap, size_t *);
retval = formatter.scan((size_t *)dst_ptr);
write_size = sizeof(size_t);
break;
default:
dst_ptr = va_arg(ap, int *);
retval = formatter.scan((int *)dst_ptr);
write_size = sizeof(int);
}
// get the label associated with the string at the corresponding
// place
l = dfsan_read_label(formatter.str_cur(),
formatter.num_written_bytes(retval));
if (str_origin == nullptr)
dfsan_set_label(l, dst_ptr, write_size);
else {
dfsan_set_label(l, dst_ptr, write_size);
size_t scan_count = formatter.num_written_bytes(retval);
size_t size = scan_count > write_size ? write_size : scan_count;
dfsan_mem_origin_transfer(dst_ptr, formatter.str_cur(), size);
}
end_fmt = true;
break;
case 'a':
case 'A':
case 'e':
case 'E':
case 'f':
case 'F':
case 'g':
case 'G':
if (*(formatter.fmt_cur - 1) == 'L') {
dst_ptr = va_arg(ap, long double *);
retval = formatter.scan((long double *)dst_ptr);
write_size = sizeof(long double);
} else if (*(formatter.fmt_cur - 1) == 'l') {
dst_ptr = va_arg(ap, double *);
retval = formatter.scan((double *)dst_ptr);
write_size = sizeof(double);
} else {
dst_ptr = va_arg(ap, float *);
retval = formatter.scan((float *)dst_ptr);
write_size = sizeof(float);
}
l = dfsan_read_label(formatter.str_cur(),
formatter.num_written_bytes(retval));
if (str_origin == nullptr)
dfsan_set_label(l, dst_ptr, write_size);
else {
dfsan_set_label(l, dst_ptr, write_size);
size_t scan_count = formatter.num_written_bytes(retval);
size_t size = scan_count > write_size ? write_size : scan_count;
dfsan_mem_origin_transfer(dst_ptr, formatter.str_cur(), size);
}
end_fmt = true;
break;
case 'c':
dst_ptr = va_arg(ap, char *);
retval = formatter.scan((char *)dst_ptr);
write_size = sizeof(char);
l = dfsan_read_label(formatter.str_cur(),
formatter.num_written_bytes(retval));
if (str_origin == nullptr)
dfsan_set_label(l, dst_ptr, write_size);
else {
dfsan_set_label(l, dst_ptr, write_size);
size_t scan_count = formatter.num_written_bytes(retval);
size_t size = scan_count > write_size ? write_size : scan_count;
dfsan_mem_origin_transfer(dst_ptr, formatter.str_cur(), size);
}
end_fmt = true;
break;
case 's': {
dst_ptr = va_arg(ap, char *);
retval = formatter.scan((char *)dst_ptr);
if (1 == retval) {
// special case: we have parsed a single string and we need to
// update retval with the string size
retval = strlen((char *)dst_ptr);
}
if (str_origin)
dfsan_mem_origin_transfer(dst_ptr, formatter.str_cur(),
formatter.num_written_bytes(retval));
va_labels++;
dfsan_mem_shadow_transfer(dst_ptr, formatter.str_cur(),
formatter.num_written_bytes(retval));
end_fmt = true;
break;
}
case 'p':
dst_ptr = va_arg(ap, void *);
retval =
formatter.scan((int *)dst_ptr); // note: changing void* to int*
// since we need to call sizeof
write_size = sizeof(int);
l = dfsan_read_label(formatter.str_cur(),
formatter.num_written_bytes(retval));
if (str_origin == nullptr)
dfsan_set_label(l, dst_ptr, write_size);
else {
dfsan_set_label(l, dst_ptr, write_size);
size_t scan_count = formatter.num_written_bytes(retval);
size_t size = scan_count > write_size ? write_size : scan_count;
dfsan_mem_origin_transfer(dst_ptr, formatter.str_cur(), size);
}
end_fmt = true;
break;
case 'n': {
int *ptr = va_arg(ap, int *);
*ptr = (int)formatter.str_off;
va_labels++;
dfsan_set_label(0, ptr, sizeof(*ptr));
end_fmt = true;
break;
}
case '%':
retval = formatter.scan();
end_fmt = true;
break;
case '*':
formatter.width = va_arg(ap, int);
va_labels++;
break;
default:
break;
}
}
}
if (retval < 0) {
return retval;
}
formatter.fmt_cur++;
formatter.str_off += retval;
}
*ret_label = 0;
if (ret_origin)
*ret_origin = 0;
// Number of items scanned in total.
return formatter.num_scanned;
}
extern "C" { extern "C" {
SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_INTERFACE_ATTRIBUTE
int __dfsw_sprintf(char *str, const char *format, dfsan_label str_label, int __dfsw_sprintf(char *str, const char *format, dfsan_label str_label,
dfsan_label format_label, dfsan_label *va_labels, dfsan_label format_label, dfsan_label *va_labels,
dfsan_label *ret_label, ...) { dfsan_label *ret_label, ...) {
va_list ap; va_list ap;
va_start(ap, ret_label); va_start(ap, ret_label);
int ret = format_buffer(str, ~0ul, format, va_labels, ret_label, nullptr, int ret = format_buffer(str, ~0ul, format, va_labels, ret_label, nullptr,
nullptr, ap); nullptr, ap);
va_end(ap); va_end(ap);
return ret; return ret;
} }
SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_INTERFACE_ATTRIBUTE
int __dfso_sprintf(char *str, const char *format, dfsan_label str_label, int __dfso_sprintf(char *str, const char *format, dfsan_label str_label,
Show All 32 Linesint __dfso_snprintf(char *str, size_t size, const char *format,
va_list ap; va_list ap;
va_start(ap, ret_origin); va_start(ap, ret_origin);
int ret = format_buffer(str, size, format, va_labels, ret_label, va_origins, int ret = format_buffer(str, size, format, va_labels, ret_label, va_origins,
ret_origin, ap); ret_origin, ap);
va_end(ap); va_end(ap);
return ret; return ret;
} }
SANITIZER_INTERFACE_ATTRIBUTE
int __dfsw_sscanf(char *str, const char *format, dfsan_label str_label,
dfsan_label format_label, dfsan_label *va_labels,
dfsan_label *ret_label, ...) {
va_list ap;
va_start(ap, ret_label);
int ret = scan_buffer(str, ~0ul, format, va_labels, ret_label, nullptr,
nullptr, ap);
va_end(ap);
return ret;
}
SANITIZER_INTERFACE_ATTRIBUTE
int __dfso_sscanf(char *str, const char *format, dfsan_label str_label,
dfsan_label format_label, dfsan_label *va_labels,
dfsan_label *ret_label, dfsan_origin str_origin,
dfsan_origin format_origin, dfsan_origin *va_origins,
dfsan_origin *ret_origin, ...) {
va_list ap;
va_start(ap, ret_origin);
int ret = scan_buffer(str, ~0ul, format, va_labels, ret_label, &str_origin,
ret_origin, ap);
va_end(ap);
return ret;
}
SANITIZER_INTERFACE_ATTRIBUTE
int __dfsw___isoc99_sscanf(char *str, const char *format, dfsan_label str_label,
dfsan_label format_label, dfsan_label *va_labels,
dfsan_label *ret_label, ...) {
va_list ap;
va_start(ap, ret_label);
int ret = scan_buffer(str, ~0ul, format, va_labels, ret_label, nullptr,
nullptr, ap);
va_end(ap);
return ret;
}
SANITIZER_INTERFACE_ATTRIBUTE
int __dfso___isoc99_sscanf(char *str, const char *format, dfsan_label str_label,
dfsan_label format_label, dfsan_label *va_labels,
dfsan_label *ret_label, dfsan_origin str_origin,
dfsan_origin format_origin, dfsan_origin *va_origins,
dfsan_origin *ret_origin, ...) {
va_list ap;
va_start(ap, ret_origin);
int ret = scan_buffer(str, ~0ul, format, va_labels, ret_label, &str_origin,
ret_origin, ap);
va_end(ap);
return ret;
}
static void BeforeFork() { static void BeforeFork() {
StackDepotLockAll(); StackDepotLockAll();
GetChainedOriginDepot()->LockAll(); GetChainedOriginDepot()->LockAll();
} }
static void AfterFork() { static void AfterFork() {
GetChainedOriginDepot()->UnlockAll(); GetChainedOriginDepot()->UnlockAll();
StackDepotUnlockAll(); StackDepotUnlockAll();
Show All 40 Lines

compiler-rt/lib/dfsan/done_abilist.txt

Show First 20 LinesShow All 302 Lines▼ Show 20 Lines
fun:sigaction=custom fun:sigaction=custom
fun:signal=custom fun:signal=custom
fun:gettimeofday=custom fun:gettimeofday=custom
# sprintf-like # sprintf-like
fun:sprintf=custom fun:sprintf=custom
fun:snprintf=custom fun:snprintf=custom
# scanf-like
fun:sscanf=custom
fun:__isoc99_sscanf=custom
# TODO: custom # TODO: custom
fun:asprintf=discard fun:asprintf=discard
fun:qsort=discard fun:qsort=discard
# fork # fork
fun:fork=custom fun:fork=custom
############################################################################### ###############################################################################
▲ Show 20 LinesShow All 162 LinesShow Last 20 Lines

compiler-rt/test/dfsan/custom.cpp

Show First 20 LinesShow All 2,089 Lines▼ Show 20 Lines#endif
ASSERT_INIT_ORIGINS(buf + 7, 2, s_o); ASSERT_INIT_ORIGINS(buf + 7, 2, s_o);
ASSERT_READ_LABEL(buf + 9, 4, 0); ASSERT_READ_LABEL(buf + 9, 4, 0);
ASSERT_READ_LABEL(buf + 13, 4, i_label); ASSERT_READ_LABEL(buf + 13, 4, i_label);
ASSERT_INIT_ORIGINS(buf + 13, 4, y_o); ASSERT_INIT_ORIGINS(buf + 13, 4, y_o);
ASSERT_READ_LABEL(buf + 17, 2, 0); ASSERT_READ_LABEL(buf + 17, 2, 0);
ASSERT_LABEL(r, 0); ASSERT_LABEL(r, 0);
} }
template <class T>
void test_sscanf_chunk(T expected, const char *format, char *input,
int items_num) {
char padded_input[512];
strcpy(padded_input, "foo ");
strcat(padded_input, input);
strcat(padded_input, " bar");
char padded_format[512];
strcpy(padded_format, "foo ");
strcat(padded_format, format);
strcat(padded_format, " bar");
char *s = padded_input + 4;
T arg;
memset(&arg, 0, sizeof(arg));
browneeeUnsubmitted
Not Done
ReplyInline Actions

Should this also check the return value of sscanf?

browneee: Should this also check the return value of sscanf?
tkuchtaAuthorUnsubmitted
Done
ReplyInline Actions

good point, I'll add it

tkuchta: good point, I'll add it
dfsan_set_label(i_label, (void *)(s), strlen(input));
dfsan_set_label(j_label, (void *)(padded_format + 4), strlen(format));
browneeeUnsubmitted
Not Done
ReplyInline Actions

What is this testing, that is not tested with the labelled arg below?

browneee: What is this testing, that is not tested with the labelled arg below?
tkuchtaAuthorUnsubmitted
Done
ReplyInline Actions

right, I'll leave just the labelled version

tkuchta: right, I'll leave just the labelled version
dfsan_origin a_o = dfsan_get_origin((long)(*s));
#ifndef ORIGIN_TRACKING
(void)a_o;
#else
assert(a_o != 0);
#endif
int rv = sscanf(padded_input, padded_format, &arg);
assert(rv == items_num);
assert(arg == expected);
browneeeUnsubmitted
Done
ReplyInline Actions

Should test with a label applied to padded_format, to show that it does not propagate.

browneee: Should test with a label applied to padded_format, to show that it does not propagate.
tkuchtaAuthorUnsubmitted
Done
ReplyInline Actions

yes, I will add a label to the format

tkuchta: yes, I will add a label to the format
ASSERT_READ_LABEL(&arg, sizeof(arg), i_label);
ASSERT_INIT_ORIGINS(&arg, 1, a_o);
}
void test_sscanf() {
char buf[2048];
char buf_out[2048];
memset(buf, 'a', sizeof(buf));
memset(buf_out, 'a', sizeof(buf_out));
// Test formatting
strcpy(buf, "Hello world!");
assert(sscanf(buf, "%s", buf_out) == 1);
assert(strcmp(buf, "Hello world!") == 0);
assert(strcmp(buf_out, "Hello") == 0);
ASSERT_READ_LABEL(buf, sizeof(buf), 0);
ASSERT_READ_LABEL(buf_out, sizeof(buf_out), 0);
// Test for extra arguments.
assert(sscanf(buf, "%s", buf_out, 42, "hello") == 1);
assert(strcmp(buf, "Hello world!") == 0);
assert(strcmp(buf_out, "Hello") == 0);
ASSERT_READ_LABEL(buf, sizeof(buf), 0);
ASSERT_READ_LABEL(buf_out, sizeof(buf_out), 0);
// Test formatting & label propagation (multiple conversion specifiers): %s,
// %d, %n, %f, and %%.
int n;
strcpy(buf, "hello world, 2014/8/27 12345.678123 % 1000");
char *s = buf + 6; //starts with world
int y = 0;
int m = 0;
int d = 0;
float fval;
int val = 0;
dfsan_set_label(k_label, (void *)(s + 1), 2); // buf[7]-b[9]
dfsan_origin s_o = dfsan_get_origin((long)(s[1]));
dfsan_set_label(i_label, (void *)(s + 12), 1);
dfsan_origin m_o = dfsan_get_origin((long)s[12]); // buf[18]
dfsan_set_label(j_label, (void *)(s + 14), 2); // buf[20]
dfsan_origin d_o = dfsan_get_origin((long)s[14]);
dfsan_set_label(m_label, (void *)(s + 18), 4); //buf[24]
dfsan_origin f_o = dfsan_get_origin((long)s[18]);
browneeeUnsubmitted
Not Done
ReplyInline Actions

dfsan_get_origin() calls here are on empty variables.

Is it intended to be called on some characters in s, like s_o does?

browneee: dfsan_get_origin() calls here are on empty variables. Is it intended to be called on some…
tkuchtaAuthorUnsubmitted
Done
ReplyInline Actions

ah, right, good point, I'll fix this.

tkuchta: ah, right, good point, I'll fix this.
#ifndef ORIGIN_TRACKING
(void)s_o;
(void)m_o;
(void)d_o;
browneeeUnsubmitted
Not Done
ReplyInline Actions

If origin tracking is enabled, I suggest checking that the origins (e.g. s_o, m_o, d_o, f_o) are non-zero.

browneee: If origin tracking is enabled, I suggest checking that the origins (e.g. s_o, m_o, d_o, f_o)…
(void)f_o;
#else
assert(s_o != 0);
assert(m_o != 0);
assert(d_o != 0);
assert(f_o != 0);
#endif
int r = sscanf(buf, "hello %s %d/%d/%d %f %% %n%d", buf_out, &y, &m, &d,
&fval, &n, &val);
assert(r == 6);
assert(strcmp(buf_out, "world,") == 0);
ASSERT_READ_LABEL(buf_out, 1, 0);
ASSERT_READ_LABEL(buf_out + 1, 2, k_label);
ASSERT_INIT_ORIGINS(buf_out + 1, 2, s_o);
ASSERT_READ_LABEL(buf + 9, 9, 0);
ASSERT_READ_LABEL(&m, 1, i_label);
ASSERT_INIT_ORIGINS(&m, 1, m_o);
ASSERT_READ_LABEL(&d, 4, j_label);
ASSERT_INIT_ORIGINS(&d, 2, d_o);
ASSERT_READ_LABEL(&fval, sizeof(fval), m_label);
ASSERT_INIT_ORIGINS(&fval, sizeof(fval), f_o);
ASSERT_READ_LABEL(&val, 4, 0);
ASSERT_LABEL(r, 0);
assert(n == 38);
assert(val == 1000);
// Test formatting & label propagation (single conversion specifier, with
// additional length and precision modifiers).
char input_buf[512];
char *input_ptr = input_buf;
strcpy(input_buf, "-559038737");
test_sscanf_chunk(-559038737, "%d", input_ptr, 1);
strcpy(input_buf, "3735928559");
test_sscanf_chunk(3735928559, "%u", input_ptr, 1);
strcpy(input_buf, "12345");
test_sscanf_chunk(12345, "%i", input_ptr, 1);
strcpy(input_buf, "0751");
test_sscanf_chunk(489, "%o", input_ptr, 1);
strcpy(input_buf, "0xbabe");
test_sscanf_chunk(47806, "%x", input_ptr, 1);
strcpy(input_buf, "0x0000BABE");
test_sscanf_chunk(47806, "%10X", input_ptr, 1);
strcpy(input_buf, "3735928559");
test_sscanf_chunk((char)-17, "%hhd", input_ptr, 1);
strcpy(input_buf, "3735928559");
test_sscanf_chunk((short)-16657, "%hd", input_ptr, 1);
strcpy(input_buf, "0xdeadbeefdeadbeef");
test_sscanf_chunk(0xdeadbeefdeadbeefL, "%lx", input_buf, 1);
test_sscanf_chunk((void *)0xdeadbeefdeadbeefL, "%p", input_buf, 1);
intmax_t _x = (intmax_t)-1;
char _buf[256];
memset(_buf, 0, sizeof(_buf));
sprintf(_buf, "%ju", _x);
test_sscanf_chunk((intmax_t)18446744073709551615, "%ju", _buf, 1);
memset(_buf, 0, sizeof(_buf));
size_t _y = (size_t)-1;
sprintf(_buf, "%zu", _y);
test_sscanf_chunk((size_t)18446744073709551615, "%zu", _buf, 1);
memset(_buf, 0, sizeof(_buf));
ptrdiff_t _z = (size_t)-1;
sprintf(_buf, "%tu", _z);
test_sscanf_chunk((ptrdiff_t)18446744073709551615, "%tu", _buf, 1);
strcpy(input_buf, "0.123456");
test_sscanf_chunk((float)0.123456, "%8f", input_ptr, 1);
test_sscanf_chunk((float)0.123456, "%g", input_ptr, 1);
test_sscanf_chunk((float)1.234560e-01, "%e", input_ptr, 1);
test_sscanf_chunk((char)'z', "%c", "z", 1);
// %n, %s, %d, %f, and %% already tested
}
// Tested by a seperate source file. This empty function is here to appease the // Tested by a seperate source file. This empty function is here to appease the
// check-wrappers script. // check-wrappers script.
void test_fork() {} void test_fork() {}
int main(void) { int main(void) {
i_label = 1; i_label = 1;
j_label = 2; j_label = 2;
k_label = 4; k_label = 4;
▲ Show 20 LinesShow All 43 Lines▼ Show 20 Linesint main(void) {
test_recvmsg(); test_recvmsg();
test_sched_getaffinity(); test_sched_getaffinity();
test_select(); test_select();
test_sigaction(); test_sigaction();
test_signal(); test_signal();
test_sigaltstack(); test_sigaltstack();
test_sigemptyset(); test_sigemptyset();
test_snprintf(); test_snprintf();
test_sscanf();
test_socketpair(); test_socketpair();
test_sprintf(); test_sprintf();
test_stat(); test_stat();
test_strcasecmp(); test_strcasecmp();
test_strchr(); test_strchr();
test_strcmp(); test_strcmp();
test_strcat(); test_strcat();
test_strncat(5); test_strncat(5);
Show All 20 Lines