This is an archive of the discontinued LLVM Phabricator instance.

Differential D27062

tsan: strerror_r interceptor incorrectly handles result pointers to immutable storage
ClosedPublic

Authored by vitalybuka on Nov 23 2016, 12:52 PM.

Details

Reviewers
eugenis
toddlipcon
dvyukov
Summary

This fixes sanitizer issue #696: when the GNU version of strerror_r returns a result pointer that doesn't match the input buffer, that result pointer is in fact a pointer to some immutable storage that is part of the library (namely sys_errlist). TSAN is currently recording a write to this location, which is incorrect.

Diff Detail

Event Timeline

toddlipcon updated this revision to Diff 79138.Nov 23 2016, 12:52 PM
toddlipcon retitled this revision from to tsan: strerror_r interceptor incorrectly handles result pointers to immutable storage.
toddlipcon updated this object.
toddlipcon added a reviewer: eugenis.
toddlipcon set the repository for this revision to rL LLVM.
Herald added a subscriber: kubamracek. · View Herald TranscriptNov 23 2016, 12:52 PM
toddlipcon added a comment.Nov 23 2016, 12:52 PM

As a drive-by contributor, I didn't really know how to write a test for this. But I verified in my application that this fixes a false positive.

eugenis edited edge metadata.Nov 23 2016, 2:21 PM

For a test, look at test/tsan/race_on_puts.cc
The same template with strerror_r called in two threads should do the trick.

lib/sanitizer_common/sanitizer_common_interceptors.inc
3230

else COMMON_INTERCEPTOR_INITIALIZE_RANGE ( same args )
This would count as an initializing write for MSan, but not for TSan.

eugenis added a comment.Nov 23 2016, 2:28 PM

test comment (the previous one went to the spam folder in gmail)

toddlipcon added a comment.Nov 28 2016, 9:05 AM

I have some other high priority work for the next couple weeks, so may be a while before I can get back to this patch and add a test. If someone else is interested in carrying it over the finish line in the meantime, please feel free, otherwise I'm likely to pick it up in mid December or January.

vitalybuka commandeered this revision.Jun 6 2017, 5:56 PM
vitalybuka added a reviewer: toddlipcon.
vitalybuka updated this revision to Diff 101653.Jun 6 2017, 5:58 PM

Add tests.

Herald added a subscriber: srhines. · View Herald TranscriptJun 6 2017, 5:58 PM
vitalybuka updated this revision to Diff 101655.Jun 6 2017, 5:59 PM

Clang-format

vitalybuka marked an inline comment as done.Jun 6 2017, 6:00 PM
vitalybuka added a reviewer: dvyukov.Jun 6 2017, 6:25 PM
eugenis added inline comments.Jun 6 2017, 6:30 PM
test/msan/Linux/strerror_r.c
15

I'd remove these pointer checks, they rely on libc implementation details.

test/tsan/strerror_r.cc
19

Is the barrier really needed?
Again, I'd remove the assert at line 20.

vitalybuka updated this revision to Diff 101660.Jun 6 2017, 6:37 PM

Remove barrier and pointers checks

vitalybuka marked 2 inline comments as done.Jun 6 2017, 6:37 PM
eugenis accepted this revision.Jun 6 2017, 6:42 PM

LGTM

This revision is now accepted and ready to land.Jun 6 2017, 6:42 PM
vitalybuka updated this revision to Diff 101661.Jun 6 2017, 6:45 PM

Remove "UNSUPPORTED: android" and _GNU_SOURCE

vitalybuka closed this revision.Jun 7 2017, 10:57 AM

Somehow I missed review URL in my patch description, so closing manually.
https://llvm.org/svn/llvm-project/compiler-rt/trunk@304858

Revision Contents

PathSize
lib/
sanitizer_common/
5 lines
tsan/
rtl/
1 line
test/
msan/
Linux/
21 lines
tsan/
32 lines

Diff 101660

lib/sanitizer_common/sanitizer_common_interceptors.inc

Show First 20 LinesShow All 3,221 Lines▼ Show 20 Lines
#define INIT_WCSNRTOMBS COMMON_INTERCEPT_FUNCTION(wcsnrtombs); #define INIT_WCSNRTOMBS COMMON_INTERCEPT_FUNCTION(wcsnrtombs);
#else #else
#define INIT_WCSNRTOMBS #define INIT_WCSNRTOMBS
#endif #endif
#if SANITIZER_INTERCEPT_WCRTOMB #if SANITIZER_INTERCEPT_WCRTOMB
INTERCEPTOR(SIZE_T, wcrtomb, char *dest, wchar_t src, void *ps) { INTERCEPTOR(SIZE_T, wcrtomb, char *dest, wchar_t src, void *ps) {
eugenisUnsubmitted
Done
ReplyInline Actions

else COMMON_INTERCEPTOR_INITIALIZE_RANGE ( same args )
This would count as an initializing write for MSan, but not for TSan.

eugenis: else COMMON_INTERCEPTOR_INITIALIZE_RANGE ( same args ) This would count as an initializing…
void *ctx; void *ctx;
COMMON_INTERCEPTOR_ENTER(ctx, wcrtomb, dest, src, ps); COMMON_INTERCEPTOR_ENTER(ctx, wcrtomb, dest, src, ps);
if (ps) COMMON_INTERCEPTOR_READ_RANGE(ctx, ps, mbstate_t_sz); if (ps) COMMON_INTERCEPTOR_READ_RANGE(ctx, ps, mbstate_t_sz);
// FIXME: under ASan the call below may write to freed memory and corrupt // FIXME: under ASan the call below may write to freed memory and corrupt
// its metadata. See // its metadata. See
// https://github.com/google/sanitizers/issues/321. // https://github.com/google/sanitizers/issues/321.
SIZE_T res = REAL(wcrtomb)(dest, src, ps); SIZE_T res = REAL(wcrtomb)(dest, src, ps);
if (res != ((SIZE_T)-1) && dest) { if (res != ((SIZE_T)-1) && dest) {
▲ Show 20 LinesShow All 151 Lines▼ Show 20 Lines
// GNU version. // GNU version.
INTERCEPTOR(char *, strerror_r, int errnum, char *buf, SIZE_T buflen) { INTERCEPTOR(char *, strerror_r, int errnum, char *buf, SIZE_T buflen) {
void *ctx; void *ctx;
COMMON_INTERCEPTOR_ENTER(ctx, strerror_r, errnum, buf, buflen); COMMON_INTERCEPTOR_ENTER(ctx, strerror_r, errnum, buf, buflen);
// FIXME: under ASan the call below may write to freed memory and corrupt // FIXME: under ASan the call below may write to freed memory and corrupt
// its metadata. See // its metadata. See
// https://github.com/google/sanitizers/issues/321. // https://github.com/google/sanitizers/issues/321.
char *res = REAL(strerror_r)(errnum, buf, buflen); char *res = REAL(strerror_r)(errnum, buf, buflen);
if (res == buf)
COMMON_INTERCEPTOR_WRITE_RANGE(ctx, res, REAL(strlen)(res) + 1); COMMON_INTERCEPTOR_WRITE_RANGE(ctx, res, REAL(strlen)(res) + 1);
else
COMMON_INTERCEPTOR_INITIALIZE_RANGE(res, REAL(strlen)(res) + 1);
return res; return res;
} }
#endif //(_POSIX_C_SOURCE >= 200112L || _XOPEN_SOURCE >= 600) && !_GNU_SOURCE || #endif //(_POSIX_C_SOURCE >= 200112L || _XOPEN_SOURCE >= 600) && !_GNU_SOURCE ||
//SANITIZER_MAC //SANITIZER_MAC
#define INIT_STRERROR_R COMMON_INTERCEPT_FUNCTION(strerror_r); #define INIT_STRERROR_R COMMON_INTERCEPT_FUNCTION(strerror_r);
#else #else
#define INIT_STRERROR_R #define INIT_STRERROR_R
#endif #endif
▲ Show 20 LinesShow All 2,997 LinesShow Last 20 Lines

lib/tsan/rtl/tsan_rtl_thread.cc

Show First 20 LinesShow All 339 Lines▼ Show 20 Lines Printf("Bad shadow addr %p (%zx)\n",
shadow_mem + size * kShadowCnt / 8 - 1, addr + size - 1); shadow_mem + size * kShadowCnt / 8 - 1, addr + size - 1);
DCHECK(IsShadowMem((uptr)(shadow_mem + size * kShadowCnt / 8 - 1))); DCHECK(IsShadowMem((uptr)(shadow_mem + size * kShadowCnt / 8 - 1)));
} }
#endif #endif
StatInc(thr, StatMopRange); StatInc(thr, StatMopRange);
if (*shadow_mem == kShadowRodata) { if (*shadow_mem == kShadowRodata) {
DCHECK(!is_write);
// Access to .rodata section, no races here. // Access to .rodata section, no races here.
// Measurements show that it can be 10-20% of all memory accesses. // Measurements show that it can be 10-20% of all memory accesses.
StatInc(thr, StatMopRangeRodata); StatInc(thr, StatMopRangeRodata);
return; return;
} }
FastState fast_state = thr->fast_state; FastState fast_state = thr->fast_state;
if (fast_state.GetIgnoreBit()) if (fast_state.GetIgnoreBit())
▲ Show 20 LinesShow All 41 LinesShow Last 20 Lines

test/msan/Linux/strerror_r.c

  • This file was added.
// RUN: %clang_msan -O0 -g %s -o %t && %run %t
// UNSUPPORTED: android
#define _GNU_SOURCE 1
#include <assert.h>
#include <errno.h>
#include <string.h>
int main() {
char buf[1000];
char *res = strerror_r(EINVAL, buf, sizeof(buf));
assert(res);
volatile int z = strlen(res);
eugenisUnsubmitted
Done
ReplyInline Actions

I'd remove these pointer checks, they rely on libc implementation details.

eugenis: I'd remove these pointer checks, they rely on libc implementation details.
res = strerror_r(-1, buf, sizeof(buf));
assert(res);
z = strlen(res);
return 0;
}

test/tsan/strerror_r.cc

  • This file was added.
// RUN: %clangxx_tsan -O1 -DTEST_ERROR=ERANGE %s -o %t && %run %t 2>&1 | FileCheck --check-prefixes=CHECK,CHECK-SYS %s
// RUN: %clangxx_tsan -O1 -DTEST_ERROR=-1 %s -o %t && not %run %t 2>&1 | FileCheck --check-prefixes=CHECK,CHECK-USER %s
// UNSUPPORTED: android
#define _GNU_SOURCE 1
#include <assert.h>
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>
char buffer[1000];
void *Thread(void *p) {
return strerror_r(TEST_ERROR, buffer, sizeof(buffer));
}
eugenisUnsubmitted
Done
ReplyInline Actions

Is the barrier really needed?
Again, I'd remove the assert at line 20.

eugenis: Is the barrier really needed? Again, I'd remove the assert at line 20.
int main() {
pthread_t th[2];
pthread_create(&th[0], 0, Thread, 0);
pthread_create(&th[1], 0, Thread, 0);
pthread_join(th[0], 0);
pthread_join(th[1], 0);
fprintf(stderr, "DONE\n");
}
// CHECK-USER: WARNING: ThreadSanitizer: data race
// CHECK-SYS-NOT: WARNING: ThreadSanitizer: data race
// CHECK: DONE