This is an archive of the discontinued LLVM Phabricator instance.

Differential D26404

[asan/win] Add init hooks to .CRT$XLAB
ClosedPublic

Authored by rnk on Nov 8 2016, 9:38 AM.

Details

Reviewers
etienneb
Commits
rGd092107b0e07: [asan/win] Add init hooks to .CRT$XLAB
rCRT286290: [asan/win] Add init hooks to .CRT$XLAB
rL286290: [asan/win] Add init hooks to .CRT$XLAB
Summary

User applications may register hooks in the .CRT$XL* callback list,
which is called very early by the loader. This is very common in
Chromium:
https://cs.chromium.org/search/?q=CRT.XL&sq=package:chromium&type=cs

This has flown under the radar for a long time because the loader
appears to catch exceptions originating from these callbacks. It's a
real problem when you're debugging an asan application, though, since it
makes the program crash early.

The solution is to add our own callback to this list, and sort it very
early in the list like we do elsewhere. Also add a test with such an
instrumented callback, and test that it gets called with asan.

Diff Detail

Repository
rL LLVM

Event Timeline

rnk updated this revision to Diff 77206.Nov 8 2016, 9:38 AM
rnk retitled this revision from to [asan/win] Add init hooks to .CRT$XLAB.
rnk updated this object.
rnk added a reviewer: etienneb.
rnk added a subscriber: llvm-commits.
Herald added a subscriber: kubamracek. · View Herald TranscriptNov 8 2016, 9:38 AM
kubamracek added a comment.Nov 8 2016, 10:27 AM

Does this fix https://llvm.org/bugs/show_bug.cgi?id=30903 / https://reviews.llvm.org/D25946?

rnk added a comment.Nov 8 2016, 10:56 AM

No, but I'm working on that next

etienneb edited edge metadata.Nov 8 2016, 11:20 AM

I tried the patch and it's not solving the bug I was facing.

see: https://llvm.org/bugs/show_bug.cgi?id=30903

=================================================================
==8172==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x01bdb6529fd0 in thread T0
    #0 0x7ff63f667aa4  (C:\src\llvm\ninja64\projects\compiler-rt\lib\asan\tests\default\Asan-x86_64-inline-Noinst-Test.exe+0x140047aa4)
    #1 0x7ff8c3a2b7fb  (C:\Windows\System32\ucrtbase.dll+0x18000b7fb)
    #2 0x7ff8c6cc7ec7  (C:\Windows\SYSTEM32\ntdll.dll+0x180007ec7)
    #3 0x7ff8c6cc7fb5  (C:\Windows\SYSTEM32\ntdll.dll+0x180007fb5)
    #4 0x7ff8c6cc7d93  (C:\Windows\SYSTEM32\ntdll.dll+0x180007d93)
    #5 0x7ff8c68ece69  (C:\Windows\System32\KERNEL32.DLL+0x18001ce69)
    #6 0x7ff63f6f3143  (C:\src\llvm\ninja64\projects\compiler-rt\lib\asan\tests\default\Asan-x86_64-inline-Noinst-Test.exe+0x1400d3143)
    #7 0x7ff63f6f3083  (C:\src\llvm\ninja64\projects\compiler-rt\lib\asan\tests\default\Asan-x86_64-inline-Noinst-Test.exe+0x1400d3083)
    #8 0x7ff63f6a8242  (C:\src\llvm\ninja64\projects\compiler-rt\lib\asan\tests\default\Asan-x86_64-inline-Noinst-Test.exe+0x140088242)
    #9 0x7ff8c68d8363  (C:\Windows\System32\KERNEL32.DLL+0x180008363)
    #10 0x7ff8c6d25e90  (C:\Windows\SYSTEM32\ntdll.dll+0x180065e90)

Address 0x01bdb6529fd0 is a wild pointer.
SUMMARY: AddressSanitizer: bad-free (C:\src\llvm\ninja64\projects\compiler-rt\lib\asan\tests\default\Asan-x86_64-inline-Noinst-Test.exe+0x140047aa4)
==8172==ABORTING
lib/asan/asan_win.cc
358 ↗(On Diff #77206)

nit: to be consitant with line 346-347 should be indented that way:

declspec(allocate(".CRT$XLAB"))
void (NTAPI *asan_tls_init)( void *, unsigned long, void *) = asan_thread_init;

lib/asan/asan_win_dynamic_runtime_thunk.cc
74 ↗(On Diff #77206)

ditto

test/asan/TestCases/Windows/tls_init.cc
19 ↗(On Diff #77206)

this should be after line 24.
The behavior will be the same.

Closed by commit rL286290: [asan/win] Add init hooks to .CRT$XLAB (authored by rnk). · Explain WhyNov 8 2016, 12:55 PM
This revision was automatically updated to reflect the committed changes.
etienneb added a comment.Nov 8 2016, 12:56 PM

lg

Revision Contents

PathSize
compiler-rt/
trunk/
lib/
asan/
18 lines
15 lines
15 lines
test/
asan/
TestCases/
Windows/
51 lines

Diff 77243

compiler-rt/trunk/lib/asan/asan_win.cc

Show First 20 LinesShow All 337 Lines▼ Show 20 Lines
// - C initializers, from XIA to XIZ // - C initializers, from XIA to XIZ
// - C++ initializers, from XCA to XCZ // - C++ initializers, from XCA to XCZ
// Prior to 2015, the CRT set the unhandled exception filter at priority XIY, // Prior to 2015, the CRT set the unhandled exception filter at priority XIY,
// near the end of C initialization. Starting in 2015, it was moved to the // near the end of C initialization. Starting in 2015, it was moved to the
// beginning of C++ initialization. We set our priority to XCAB to run // beginning of C++ initialization. We set our priority to XCAB to run
// immediately after the CRT runs. This way, our exception filter is called // immediately after the CRT runs. This way, our exception filter is called
// first and we can delegate to their filter if appropriate. // first and we can delegate to their filter if appropriate.
#pragma section(".CRT$XCAB", long, read) // NOLINT #pragma section(".CRT$XCAB", long, read) // NOLINT
__declspec(allocate(".CRT$XCAB")) __declspec(allocate(".CRT$XCAB")) int (*__intercept_seh)() =
int (*__intercept_seh)() = __asan_set_seh_filter; __asan_set_seh_filter;
// Piggyback on the TLS initialization callback directory to initialize asan as
// early as possible. Initializers in .CRT$XL* are called directly by ntdll,
// which run before the CRT. Users also add code to .CRT$XLC, so it's important
// to run our initializers first.
static void NTAPI asan_thread_init(void *module, DWORD reason, void *reserved) {
if (reason == DLL_PROCESS_ATTACH) __asan_init();
}
#pragma section(".CRT$XLAB", long, read) // NOLINT
__declspec(allocate(".CRT$XLAB")) void (NTAPI *__asan_tls_init)(
void *, unsigned long, void *) = asan_thread_init;
#endif #endif
// }}} // }}}
} // namespace __asan } // namespace __asan
#endif // _WIN32 #endif // _WIN32

compiler-rt/trunk/lib/asan/asan_win_dll_thunk.cc

Show First 20 LinesShow All 450 Lines▼ Show 20 Lines
// otherwise CRT initialization fails. // otherwise CRT initialization fails.
static int call_asan_init() { static int call_asan_init() {
__asan_init(); __asan_init();
return 0; return 0;
} }
#pragma section(".CRT$XIB", long, read) // NOLINT #pragma section(".CRT$XIB", long, read) // NOLINT
__declspec(allocate(".CRT$XIB")) int (*__asan_preinit)() = call_asan_init; __declspec(allocate(".CRT$XIB")) int (*__asan_preinit)() = call_asan_init;
#ifdef _M_IX86
#define NTAPI __stdcall
#else
#define NTAPI
#endif
static void NTAPI asan_thread_init(void *mod, unsigned long reason,
void *reserved) {
if (reason == /*DLL_PROCESS_ATTACH=*/1) __asan_init();
}
#pragma section(".CRT$XLAB", long, read) // NOLINT
__declspec(allocate(".CRT$XLAB")) void (NTAPI *__asan_tls_init)(
void *, unsigned long, void *) = asan_thread_init;
#endif // ASAN_DLL_THUNK #endif // ASAN_DLL_THUNK

compiler-rt/trunk/lib/asan/asan_win_dynamic_runtime_thunk.cc

Show All 27 Lines
#include <windows.h> #include <windows.h>
// First, declare CRT sections we'll be using in this file // First, declare CRT sections we'll be using in this file
#pragma section(".CRT$XIB", long, read) // NOLINT #pragma section(".CRT$XIB", long, read) // NOLINT
#pragma section(".CRT$XID", long, read) // NOLINT #pragma section(".CRT$XID", long, read) // NOLINT
#pragma section(".CRT$XCAB", long, read) // NOLINT #pragma section(".CRT$XCAB", long, read) // NOLINT
#pragma section(".CRT$XTW", long, read) // NOLINT #pragma section(".CRT$XTW", long, read) // NOLINT
#pragma section(".CRT$XTY", long, read) // NOLINT #pragma section(".CRT$XTY", long, read) // NOLINT
#pragma section(".CRT$XLAB", long, read) // NOLINT
//////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////
// Define a copy of __asan_option_detect_stack_use_after_return that should be // Define a copy of __asan_option_detect_stack_use_after_return that should be
// used when linking an MD runtime with a set of object files on Windows. // used when linking an MD runtime with a set of object files on Windows.
// //
// The ASan MD runtime dllexports '__asan_option_detect_stack_use_after_return', // The ASan MD runtime dllexports '__asan_option_detect_stack_use_after_return',
// so normally we would just dllimport it. Unfortunately, the dllimport // so normally we would just dllimport it. Unfortunately, the dllimport
// attribute adds __imp_ prefix to the symbol name of a variable. // attribute adds __imp_ prefix to the symbol name of a variable.
Show All 12 Lines
static int InitializeClonedVariables() { static int InitializeClonedVariables() {
__asan_option_detect_stack_use_after_return = __asan_option_detect_stack_use_after_return =
__asan_should_detect_stack_use_after_return(); __asan_should_detect_stack_use_after_return();
__asan_shadow_memory_dynamic_address = __asan_shadow_memory_dynamic_address =
__asan_get_shadow_memory_dynamic_address(); __asan_get_shadow_memory_dynamic_address();
return 0; return 0;
} }
// Our cloned variables must be initialized before C/C++ constructors. static void NTAPI asan_thread_init(void *mod, unsigned long reason, void *reserved) {
__declspec(allocate(".CRT$XIB")) if (reason == DLL_PROCESS_ATTACH) InitializeClonedVariables();
int (*__asan_initialize_cloned_variables)() = InitializeClonedVariables; }
// Our cloned variables must be initialized before C/C++ constructors. If TLS
// is used, our .CRT$XLAB initializer will run first. If not, our .CRT$XIB
// initializer is needed as a backup.
__declspec(allocate(".CRT$XIB")) int (*__asan_initialize_cloned_variables)() =
InitializeClonedVariables;
__declspec(allocate(".CRT$XLAB")) void (NTAPI *__asan_tls_init)(
void *, unsigned long, void *) = asan_thread_init;
//////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////
// For some reason, the MD CRT doesn't call the C/C++ terminators during on DLL // For some reason, the MD CRT doesn't call the C/C++ terminators during on DLL
// unload or on exit. ASan relies on LLVM global_dtors to call // unload or on exit. ASan relies on LLVM global_dtors to call
// __asan_unregister_globals on these events, which unfortunately doesn't work // __asan_unregister_globals on these events, which unfortunately doesn't work
// with the MD runtime, see PR22545 for the details. // with the MD runtime, see PR22545 for the details.
// To work around this, for each DLL we schedule a call to UnregisterGlobals // To work around this, for each DLL we schedule a call to UnregisterGlobals
// using atexit() that calls a small subset of C terminators // using atexit() that calls a small subset of C terminators
Show All 40 Lines

compiler-rt/trunk/test/asan/TestCases/Windows/tls_init.cc

// RUN: %clang_cl_asan %s -Fe%t.exe
// RUN: %run %t.exe | FileCheck %s
// CHECK: my_thread_callback
// CHECK: ran_before_main: 1
#include <windows.h>
#include <stdio.h>
#include <string.h>
#pragma comment (lib, "dbghelp")
static bool ran_before_main = false;
extern "C" void __asan_init(void);
static void NTAPI /*__attribute__((no_sanitize_address))*/
my_thread_callback(PVOID module, DWORD reason, PVOID reserved) {
ran_before_main = true;
static const char str[] = "my_thread_callback\n";
// Fail the test if we aren't called for the expected reason or we can't write
// stdout.
if (reason != DLL_PROCESS_ATTACH)
return;
HANDLE out = GetStdHandle(STD_OUTPUT_HANDLE);
if (!out || out == INVALID_HANDLE_VALUE)
return;
DWORD written = 0;
WriteFile(out, &str[0], sizeof(str), &written, NULL);
}
extern "C" {
#pragma const_seg(".CRT$XLC")
extern const PIMAGE_TLS_CALLBACK p_thread_callback;
const PIMAGE_TLS_CALLBACK p_thread_callback = my_thread_callback;
#pragma const_seg()
}
#ifdef _WIN64
#pragma comment(linker, "/INCLUDE:_tls_used")
#pragma comment(linker, "/INCLUDE:p_thread_callback")
#else
#pragma comment(linker, "/INCLUDE:__tls_used")
#pragma comment(linker, "/INCLUDE:_p_thread_callback")
#endif
int main() {
printf("ran_before_main: %d\n", ran_before_main);
}