This is an archive of the discontinued LLVM Phabricator instance.

Differential D31457

[asan] Add strndup/__strndup interceptors if targeting linux.
ClosedPublic

Authored by pgousseau on Mar 29 2017, 3:57 AM.

Details

Reviewers
kcc
vitalybuka
filcab
eugenis
rnk
dvyukov
Commits
rG183d1368f311: [asan] Add strndup/__strndup interceptors.
rG0550581070ab: [asan] Recommit of r301904: Add strndup/__strndup interceptors
rGb7101479a899: [asan] Add strndup/__strndup interceptors if targeting linux.
rCRT304399: [asan] Add strndup/__strndup interceptors.
rCRT302781: [asan] Recommit of r301904: Add strndup/__strndup interceptors
rCRT301904: [asan] Add strndup/__strndup interceptors if targeting linux.
rL304399: [asan] Add strndup/__strndup interceptors.
rL302781: [asan] Recommit of r301904: Add strndup/__strndup interceptors
rL301904: [asan] Add strndup/__strndup interceptors if targeting linux.
Summary

This change adds the interceptors for strndup and strndup on linux as strndup get generated as strndup at -O3.

Diff Detail

Event Timeline

pgousseau created this revision.Mar 29 2017, 3:57 AM
Herald added subscribers: kubamracek, srhines. · View Herald TranscriptMar 29 2017, 3:57 AM
pgousseau updated this revision to Diff 93354.Mar 29 2017, 4:08 AM

Fix bad copy paste in lit test.

kcc added inline comments.Mar 29 2017, 4:53 PM
lib/asan/asan_interceptors.cc
574 ↗(On Diff #93354)

this needs to go to lib/sanitizer_common/sanitizer_common_interceptors.inc and removed from lib/msan/msan_interceptors.cc

filcab added inline comments.Mar 30 2017, 5:46 AM
lib/asan/asan_interceptors.h
77 ↗(On Diff #93354)

This one (the plain strdup) should be intercepted in all SANITIZER_POSIX platforms. And it seems Android might have it: https://android.googlesource.com/platform/bionic/+/donut-release/libc/string/strndup.c
https://android.googlesource.com/platform/bionic/+/android-7.1.1_r28/libc/include/string.h

pgousseau updated this revision to Diff 93675.Mar 31 2017, 9:52 AM

Thank you Kostya and Filipe for the comments, I have made the following changes:

  • Moved proposed interceptors into sanitizer_common_interceptors.inc
  • Moved existing strndup msan interceptor into sanitizer_common_interceptors.inc
  • Added common function COMMON_INTERCEPTOR_STRNDUP_IMPL
  • Added intercept_strndup flag true by default
  • Enabled strndup interceptor on POSIX
pgousseau added a comment.Apr 7 2017, 8:48 AM

Ping!

kcc added a reviewer: vitalybuka.Apr 11 2017, 10:26 AM
filcab added inline comments.Apr 11 2017, 10:40 AM
lib/sanitizer_common/sanitizer_common_interceptors.inc
340

Should the context be __strndup?
It's probably ok as it is if the __strndup function is not supposed to be user-visible.

lib/sanitizer_common/tests/sanitizer_test_utils.h
127

We should also enter here if defined(__APPLE__) and if defined(__FreeBSD__), I think.
Can't think of more OS we support that should be here.

I'm not sure we should be taking Android out of the picture, as it seems strndup is available, AFAICT. @kcc/@vitalybuka (or others who might be working on Android) can you confirm if we should expect strndup to be available?

test/asan/TestCases/strndup_oob_test.cc
9 ↗(On Diff #93675)

I don't think this should require Linux. It should have Windows as unsupported, but should work on all (?) POSIX.
Maybe just put it in TestCases/Posix?

eugenis added inline comments.Apr 11 2017, 1:51 PM
lib/msan/msan_interceptors.cc
1339

I don't like that the code tries to combine two very different implementations in one "common" interceptor - one that calls REAL(strlen) and one that uses malloc directly.

Common interceptor should implement the logic of strndup, and call individual sanitizers only to update their specific state - READ_RANGE at the start, and something like COPY_RANGE after.

I think the common implementation should use malloc directly.

lib/sanitizer_common/sanitizer_common_interceptors.inc
325

this should use strnlen, like the msan interceptor it is replacing

lib/sanitizer_common/tests/sanitizer_test_utils.h
127

Yes, strndup is available on Android.

pgousseau added a comment.Apr 12 2017, 10:46 AM

Thanks Filipe/Eugenis for the comments, one question I have is, since my change modifies the behaviour of msan strndup interceptor (cf. added msan/strndup.cc test), should I keep the msan change as part of this patch or do you prefer a separate review?

lib/msan/msan_interceptors.cc
1339

Makes sense. Will update patch.

lib/sanitizer_common/sanitizer_common_interceptors.inc
325

Makes sense thanks.

340

Yes I think strndup is preferred because this is also the case with strdup/strndup in asan_interceptors.cc

lib/sanitizer_common/tests/sanitizer_test_utils.h
127

Sounds good will do.

test/asan/TestCases/strndup_oob_test.cc
9 ↗(On Diff #93675)

Makes sense thanks!

eugenis edited edge metadata.Apr 12 2017, 11:46 AM

Keep it as one change.

pgousseau updated this revision to Diff 96921.Apr 27 2017, 8:04 AM

Hi Eugenis/Filipe,

I have implemented the requested changes:

  • Enabling strndup interceptor on all posix platforms including android
  • Unsupport test on win32
  • Implemented common logic of strndup in common interceptor and added COMMON_INTERCEPTOR_COPY_STRING

Let me know what you think!

Thanks,

Pierre

pgousseau marked 9 inline comments as done.Apr 27 2017, 8:06 AM
eugenis added a reviewer: dvyukov.Apr 27 2017, 2:38 PM
eugenis added inline comments.
lib/sanitizer_common/sanitizer_common_interceptors.inc
330

MSan needs COPY_STRING for correctness. Without out, the destination buffer would be left uninitialized (poisoned). It needs to happen regardless of intercept_strndup.

Please add a test for this.

345

Please avoid code duplication. Move the interceptor body to COMMON_INTERCEPTOR_STRNDUP_IMPL

349

Hmm I have a vague recollection of tsan having problems with interceptors calling other interceptors. On the other hand, tsan interceptor for strdup calls REAL(strdup), which ends up in the malloc interceptor. Dmitry?

355

internal_memcpy

pgousseau updated this revision to Diff 97107.Apr 28 2017, 8:32 AM

Thanks Eugeny for the comments,

I have made the requested changes:

  • call COPY_STRING regardless of intercept_strndup
  • modified msan test to check poisoning is preserved
  • Moved common implementation into COMMON_INTERCEPTOR_STRNDUP_IMPL
  • Use internal_memcpy
eugenis accepted this revision.May 1 2017, 2:23 PM

LGTM

lib/sanitizer_common/tests/sanitizer_test_utils.h
127

maybe simply #if !defined(_MSC_VER)

This revision is now accepted and ready to land.May 1 2017, 2:23 PM
Closed by commit rL301904: [asan] Add strndup/__strndup interceptors if targeting linux. (authored by pgousseau). · Explain WhyMay 2 2017, 2:14 AM
This revision was automatically updated to reflect the committed changes.
pgousseau marked 2 inline comments as done.
pgousseau reopened this revision.May 2 2017, 6:30 AM

Reverted the change in rL301909.
The change seems to cause 2 build failures.
Undeclared __interceptor_malloc in esan_interceptors.cc.
Undeclared strnlen on OSX buildbots.

This revision is now accepted and ready to land.May 2 2017, 6:30 AM
pgousseau updated this revision to Diff 97439.May 2 2017, 6:32 AM

Attempt to fix build failures:

  • add declaration of __interceptor_malloc in esan_interceptors.cc
  • replace REAL(strnlen) by internal_strnlen
pgousseau added a comment.May 10 2017, 8:57 AM

Ping! Is it ok to recommit?

eugenis added a comment.May 10 2017, 10:54 AM

Looks good.

Closed by commit rL302781: [asan] Recommit of r301904: Add strndup/__strndup interceptors (authored by pgousseau). · Explain WhyMay 11 2017, 2:06 AM
This revision was automatically updated to reflect the committed changes.
pgousseau added a comment.May 11 2017, 4:37 AM

One of the test I have added (strndup_oob_test.cc) is failing on the s390 linux bot (cf http://lab.llvm.org:8011/builders/clang-s390x-linux/builds/8096) .
I have marked the test as unsupported on s390 for now in rL302789 if that's ok?

pgousseau added a comment.May 11 2017, 9:43 AM

strndup_oob_test.cc also fails on armv7l-unknown-linux-gnueabihf (cf http://lab.llvm.org:8011/builders/clang-cmake-thumbv7-a15-full-sh/builds/1521).
I have marked it as unsupported in rL302807 as this is a known issue.

vitalybuka added inline comments.May 17 2017, 6:07 PM
compiler-rt/trunk/lib/sanitizer_common/sanitizer_common_interceptors.inc
230 ↗(On Diff #98598)

Min() is redundant here, as (internal_strnlen(s, size) <= size)

233 ↗(On Diff #98598)

must be "COMMON_INTERCEPTOR_READ_RANGE(ctx, s, Min(copy_length + 1, size)); "

(copy_length + 1) is a problem if "s" is not zero terminated

vitalybuka added inline comments.May 17 2017, 6:11 PM
compiler-rt/trunk/lib/sanitizer_common/sanitizer_common_interceptors.inc
233 ↗(On Diff #98598)

I am going to extend test and create a patch for this.

pgousseau added inline comments.May 18 2017, 2:37 AM
compiler-rt/trunk/lib/sanitizer_common/sanitizer_common_interceptors.inc
233 ↗(On Diff #98598)

Makes sense yes thanks! Now that this has been reverted in rL303324, do you still plan on making a patch for it?

pgousseau reopened this revision.May 18 2017, 8:07 AM

Reopening after issue was found and reverted in rL303339

This revision is now accepted and ready to land.May 18 2017, 8:07 AM
pgousseau updated this revision to Diff 99440.May 18 2017, 8:27 AM
  • Fix off by one issue using Vitaly's fix.
  • Expanded msan and asan unit tests to check for the correct handling of non zero terminated strings.
vitalybuka added inline comments.May 18 2017, 12:58 PM
lib/sanitizer_common/sanitizer_common_interceptors.inc
229

probably should be COMMON_INTERCEPTOR_READ_STRING(ctx, s, Min(size, copy_length + 1));

pgousseau updated this revision to Diff 99530.May 19 2017, 2:05 AM

Invert arguments positions in Min call.

lib/sanitizer_common/sanitizer_common_interceptors.inc
229

Sounds good, I have updated the patch.

pgousseau added a comment.May 30 2017, 8:57 AM

Ping! Latest comment has been addressed, ok to commit?

eugenis added a comment.May 30 2017, 11:45 AM
In D31457#759229, @pgousseau wrote:

Invert arguments positions in Min call.

I don't think the order of the arguments matters here. Vitaly's comment was about READ_STRING vs READ_RANGE.

pgousseau updated this revision to Diff 100836.May 31 2017, 1:49 AM

Replaced READ_RANGE by READ_STRING

pgousseau added a comment.May 31 2017, 1:52 AM
In D31457#767980, @eugenis wrote:
In D31457#759229, @pgousseau wrote:

Invert arguments positions in Min call.

I don't think the order of the arguments matters here. Vitaly's comment was about READ_STRING vs READ_RANGE.

Yes that makes more sense thanks, patch updated!

vitalybuka requested changes to this revision.May 31 2017, 10:55 AM

Looking.

This revision now requires changes to proceed.May 31 2017, 10:55 AM
vitalybuka accepted this revision.May 31 2017, 11:13 AM

LGTM

test/asan/TestCases/Posix/strndup_oob_test.cc
28

Maybe another simple test

// RUN: %clang_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
// RUN: %clang_asan -O1 %s -o %t && not %run %t 2>&1 | FileCheck %s
// RUN: %clang_asan -O2 %s -o %t && not %run %t 2>&1 | FileCheck %s
// RUN: %clang_asan -O3 %s -o %t && not %run %t 2>&1 | FileCheck %s

// When built as C on Linux, strndup is transformed to __strndup.
// RUN: %clang_asan -O3 -xc %s -o %t && not %run %t 2>&1 | FileCheck %s

// Unwind problem on arm: "main" is missing from the allocation stack trace.
// UNSUPPORTED: win32,s390,armv7l-unknown-linux-gnueabihf

#include <string.h>

char kChars[] = {'f', 'o', 'o'};

int main(int argc, char **argv) {
  char *copy = strndup(kChars, 3);
  copy = strndup(kChars, 10);
  // CHECK: AddressSanitizer: global-buffer-overflow
  // CHECK: {{.*}}main {{.*}}.cc:[[@LINE-2]]
  return *copy;
}
This revision is now accepted and ready to land.May 31 2017, 11:13 AM
Closed by commit rL304399: [asan] Add strndup/__strndup interceptors. (authored by pgousseau). · Explain WhyJun 1 2017, 2:37 AM
This revision was automatically updated to reflect the committed changes.
pgousseau added a comment.Jun 1 2017, 2:47 AM
In D31457#769039, @vitalybuka wrote:

LGTM

Thanks, patch committed with the extra test.

Revision Contents

PathSize
lib/
asan/
4 lines
tests/
21 lines
msan/
36 lines
tests/
6 lines
sanitizer_common/
43 lines
3 lines
14 lines
tests/
7 lines
test/
asan/
TestCases/
Posix/
26 lines
msan/
28 lines

Diff 97107

lib/asan/asan_flags.cc

Show First 20 LinesShow All 176 Lines▼ Show 20 Lines#endif
if (!f->replace_str && common_flags()->intercept_strlen) { if (!f->replace_str && common_flags()->intercept_strlen) {
Report("WARNING: strlen interceptor is enabled even though replace_str=0. " Report("WARNING: strlen interceptor is enabled even though replace_str=0. "
"Use intercept_strlen=0 to disable it."); "Use intercept_strlen=0 to disable it.");
} }
if (!f->replace_str && common_flags()->intercept_strchr) { if (!f->replace_str && common_flags()->intercept_strchr) {
Report("WARNING: strchr* interceptors are enabled even though " Report("WARNING: strchr* interceptors are enabled even though "
"replace_str=0. Use intercept_strchr=0 to disable them."); "replace_str=0. Use intercept_strchr=0 to disable them.");
} }
if (!f->replace_str && common_flags()->intercept_strndup) {
Report("WARNING: strndup* interceptors are enabled even though "
"replace_str=0. Use intercept_strndup=0 to disable them.");
}
} }
} // namespace __asan } // namespace __asan
SANITIZER_INTERFACE_WEAK_DEF(const char*, __asan_default_options, void) { SANITIZER_INTERFACE_WEAK_DEF(const char*, __asan_default_options, void) {
return ""; return "";
} }

lib/asan/tests/asan_str_test.cc

Show First 20 LinesShow All 148 Lines▼ Show 20 LinesTEST(AddressSanitizer, MAYBE_StrDupOOBTest) {
EXPECT_DEATH(Ident(strdup(str - 1)), LeftOOBReadMessage(1)); EXPECT_DEATH(Ident(strdup(str - 1)), LeftOOBReadMessage(1));
EXPECT_DEATH(Ident(strdup(str + size)), RightOOBReadMessage(0)); EXPECT_DEATH(Ident(strdup(str + size)), RightOOBReadMessage(0));
// Overwrite the terminating '\0' and hit unallocated memory. // Overwrite the terminating '\0' and hit unallocated memory.
str[size - 1] = 'z'; str[size - 1] = 'z';
EXPECT_DEATH(Ident(strdup(str)), RightOOBReadMessage(0)); EXPECT_DEATH(Ident(strdup(str)), RightOOBReadMessage(0));
free(str); free(str);
} }
#if SANITIZER_TEST_HAS_STRNDUP
TEST(AddressSanitizer, MAYBE_StrNDupOOBTest) {
size_t size = Ident(42);
char *str = MallocAndMemsetString(size);
char *new_str;
// Normal strndup calls.
str[size - 1] = '\0';
new_str = strndup(str, size - 13);
free(new_str);
new_str = strndup(str + size - 1, 13);
free(new_str);
// Argument points to not allocated memory.
EXPECT_DEATH(Ident(strndup(str - 1, 13)), LeftOOBReadMessage(1));
EXPECT_DEATH(Ident(strndup(str + size, 13)), RightOOBReadMessage(0));
// Overwrite the terminating '\0' and hit unallocated memory.
str[size - 1] = 'z';
EXPECT_DEATH(Ident(strndup(str, size + 13)), RightOOBReadMessage(0));
free(str);
}
#endif // SANITIZER_TEST_HAS_STRNDUP
TEST(AddressSanitizer, StrCpyOOBTest) { TEST(AddressSanitizer, StrCpyOOBTest) {
size_t to_size = Ident(30); size_t to_size = Ident(30);
size_t from_size = Ident(6); // less than to_size size_t from_size = Ident(6); // less than to_size
char *to = Ident((char*)malloc(to_size)); char *to = Ident((char*)malloc(to_size));
char *from = Ident((char*)malloc(from_size)); char *from = Ident((char*)malloc(from_size));
// Normal strcpy calls. // Normal strcpy calls.
strcpy(from, "hello"); strcpy(from, "hello");
strcpy(to, from); strcpy(to, from);
▲ Show 20 LinesShow All 442 LinesShow Last 20 Lines

lib/msan/msan_interceptors.cc

Show First 20 LinesShow All 343 Lines▼ Show 20 LinesINTERCEPTOR(char *, __strdup, char *src) {
CopyShadowAndOrigin(res, src, n + 1, &stack); CopyShadowAndOrigin(res, src, n + 1, &stack);
return res; return res;
} }
#define MSAN_MAYBE_INTERCEPT___STRDUP INTERCEPT_FUNCTION(__strdup) #define MSAN_MAYBE_INTERCEPT___STRDUP INTERCEPT_FUNCTION(__strdup)
#else #else
#define MSAN_MAYBE_INTERCEPT___STRDUP #define MSAN_MAYBE_INTERCEPT___STRDUP
#endif #endif
INTERCEPTOR(char *, strndup, char *src, SIZE_T n) {
ENSURE_MSAN_INITED();
GET_STORE_STACK_TRACE;
// On FreeBSD strndup() leverages strnlen().
InterceptorScope interceptor_scope;
SIZE_T copy_size = REAL(strnlen)(src, n);
char *res = REAL(strndup)(src, n);
CopyShadowAndOrigin(res, src, copy_size, &stack);
__msan_unpoison(res + copy_size, 1); // \0
return res;
}
#if !SANITIZER_FREEBSD
INTERCEPTOR(char *, __strndup, char *src, SIZE_T n) {
ENSURE_MSAN_INITED();
GET_STORE_STACK_TRACE;
SIZE_T copy_size = REAL(strnlen)(src, n);
char *res = REAL(__strndup)(src, n);
CopyShadowAndOrigin(res, src, copy_size, &stack);
__msan_unpoison(res + copy_size, 1); // \0
return res;
}
#define MSAN_MAYBE_INTERCEPT___STRNDUP INTERCEPT_FUNCTION(__strndup)
#else
#define MSAN_MAYBE_INTERCEPT___STRNDUP
#endif
INTERCEPTOR(char *, gcvt, double number, SIZE_T ndigit, char *buf) { INTERCEPTOR(char *, gcvt, double number, SIZE_T ndigit, char *buf) {
ENSURE_MSAN_INITED(); ENSURE_MSAN_INITED();
char *res = REAL(gcvt)(number, ndigit, buf); char *res = REAL(gcvt)(number, ndigit, buf);
SIZE_T n = REAL(strlen)(buf); SIZE_T n = REAL(strlen)(buf);
__msan_unpoison(buf, n + 1); __msan_unpoison(buf, n + 1);
return res; return res;
} }
▲ Show 20 LinesShow All 968 Lines▼ Show 20 Lines#define COMMON_INTERCEPTOR_MEMMOVE_IMPL(ctx, to, from, size) \
return __msan_memmove(to, from, size); \ return __msan_memmove(to, from, size); \
} }
#define COMMON_INTERCEPTOR_MEMCPY_IMPL(ctx, to, from, size) \ #define COMMON_INTERCEPTOR_MEMCPY_IMPL(ctx, to, from, size) \
{ \ { \
(void)ctx; \ (void)ctx; \
return __msan_memcpy(to, from, size); \ return __msan_memcpy(to, from, size); \
} }
#define COMMON_INTERCEPTOR_COPY_STRING(ctx, to, from, size) \
do { \
GET_STORE_STACK_TRACE; \
CopyShadowAndOrigin(to, from, size, &stack); \
eugenisUnsubmitted
Done
ReplyInline Actions

I don't like that the code tries to combine two very different implementations in one "common" interceptor - one that calls REAL(strlen) and one that uses malloc directly.

Common interceptor should implement the logic of strndup, and call individual sanitizers only to update their specific state - READ_RANGE at the start, and something like COPY_RANGE after.

I think the common implementation should use malloc directly.

eugenis: I don't like that the code tries to combine two very different implementations in one "common"…
pgousseauAuthorUnsubmitted
Done
ReplyInline Actions

Makes sense. Will update patch.

pgousseau: Makes sense. Will update patch.
__msan_unpoison(to + size, 1); \
} while (false)
#include "sanitizer_common/sanitizer_platform_interceptors.h" #include "sanitizer_common/sanitizer_platform_interceptors.h"
#include "sanitizer_common/sanitizer_common_interceptors.inc" #include "sanitizer_common/sanitizer_common_interceptors.inc"
#define COMMON_SYSCALL_PRE_READ_RANGE(p, s) CHECK_UNPOISONED(p, s) #define COMMON_SYSCALL_PRE_READ_RANGE(p, s) CHECK_UNPOISONED(p, s)
#define COMMON_SYSCALL_PRE_WRITE_RANGE(p, s) \ #define COMMON_SYSCALL_PRE_WRITE_RANGE(p, s) \
do { \ do { \
} while (false) } while (false)
#define COMMON_SYSCALL_POST_READ_RANGE(p, s) \ #define COMMON_SYSCALL_POST_READ_RANGE(p, s) \
▲ Show 20 LinesShow All 151 Lines▼ Show 20 Linesvoid InitializeInterceptors() {
INTERCEPT_FUNCTION(wmemset); INTERCEPT_FUNCTION(wmemset);
INTERCEPT_FUNCTION(wmemcpy); INTERCEPT_FUNCTION(wmemcpy);
INTERCEPT_FUNCTION(wmempcpy); INTERCEPT_FUNCTION(wmempcpy);
INTERCEPT_FUNCTION(wmemmove); INTERCEPT_FUNCTION(wmemmove);
INTERCEPT_FUNCTION(strcpy); // NOLINT INTERCEPT_FUNCTION(strcpy); // NOLINT
INTERCEPT_FUNCTION(stpcpy); // NOLINT INTERCEPT_FUNCTION(stpcpy); // NOLINT
INTERCEPT_FUNCTION(strdup); INTERCEPT_FUNCTION(strdup);
MSAN_MAYBE_INTERCEPT___STRDUP; MSAN_MAYBE_INTERCEPT___STRDUP;
INTERCEPT_FUNCTION(strndup);
MSAN_MAYBE_INTERCEPT___STRNDUP;
INTERCEPT_FUNCTION(strncpy); // NOLINT INTERCEPT_FUNCTION(strncpy); // NOLINT
INTERCEPT_FUNCTION(gcvt); INTERCEPT_FUNCTION(gcvt);
INTERCEPT_FUNCTION(strcat); // NOLINT INTERCEPT_FUNCTION(strcat); // NOLINT
INTERCEPT_FUNCTION(strncat); // NOLINT INTERCEPT_FUNCTION(strncat); // NOLINT
INTERCEPT_STRTO(strtod); INTERCEPT_STRTO(strtod);
INTERCEPT_STRTO(strtof); INTERCEPT_STRTO(strtof);
INTERCEPT_STRTO(strtold); INTERCEPT_STRTO(strtold);
INTERCEPT_STRTO(strtol); INTERCEPT_STRTO(strtol);
▲ Show 20 LinesShow All 76 LinesShow Last 20 Lines

lib/msan/tests/msan_test.cc

Show First 20 LinesShow All 1,496 Lines▼ Show 20 LinesTEST(MemorySanitizer, strdup) {
EXPECT_POISONED(x[2]); EXPECT_POISONED(x[2]);
EXPECT_NOT_POISONED(x[3]); EXPECT_NOT_POISONED(x[3]);
free(x); free(x);
} }
TEST(MemorySanitizer, strndup) { TEST(MemorySanitizer, strndup) {
char buf[4] = "abc"; char buf[4] = "abc";
__msan_poison(buf + 2, sizeof(*buf)); __msan_poison(buf + 2, sizeof(*buf));
char *x = strndup(buf, 3); char *x;
EXPECT_UMR(x = strndup(buf, 3));
EXPECT_NOT_POISONED(x[0]); EXPECT_NOT_POISONED(x[0]);
EXPECT_NOT_POISONED(x[1]); EXPECT_NOT_POISONED(x[1]);
EXPECT_POISONED(x[2]); EXPECT_POISONED(x[2]);
EXPECT_NOT_POISONED(x[3]); EXPECT_NOT_POISONED(x[3]);
free(x); free(x);
} }
TEST(MemorySanitizer, strndup_short) { TEST(MemorySanitizer, strndup_short) {
char buf[4] = "abc"; char buf[4] = "abc";
__msan_poison(buf + 1, sizeof(*buf)); __msan_poison(buf + 1, sizeof(*buf));
__msan_poison(buf + 2, sizeof(*buf)); __msan_poison(buf + 2, sizeof(*buf));
char *x = strndup(buf, 2); char *x;
EXPECT_UMR(x = strndup(buf, 2));
EXPECT_NOT_POISONED(x[0]); EXPECT_NOT_POISONED(x[0]);
EXPECT_POISONED(x[1]); EXPECT_POISONED(x[1]);
EXPECT_NOT_POISONED(x[2]); EXPECT_NOT_POISONED(x[2]);
free(x); free(x);
} }
template<class T, int size> template<class T, int size>
▲ Show 20 LinesShow All 2,892 LinesShow Last 20 Lines

lib/sanitizer_common/sanitizer_common_interceptors.inc

Show All 27 Lines
// COMMON_INTERCEPTOR_MUTEX_UNLOCK // COMMON_INTERCEPTOR_MUTEX_UNLOCK
// COMMON_INTERCEPTOR_MUTEX_REPAIR // COMMON_INTERCEPTOR_MUTEX_REPAIR
// COMMON_INTERCEPTOR_SET_PTHREAD_NAME // COMMON_INTERCEPTOR_SET_PTHREAD_NAME
// COMMON_INTERCEPTOR_HANDLE_RECVMSG // COMMON_INTERCEPTOR_HANDLE_RECVMSG
// COMMON_INTERCEPTOR_NOTHING_IS_INITIALIZED // COMMON_INTERCEPTOR_NOTHING_IS_INITIALIZED
// COMMON_INTERCEPTOR_MEMSET_IMPL // COMMON_INTERCEPTOR_MEMSET_IMPL
// COMMON_INTERCEPTOR_MEMMOVE_IMPL // COMMON_INTERCEPTOR_MEMMOVE_IMPL
// COMMON_INTERCEPTOR_MEMCPY_IMPL // COMMON_INTERCEPTOR_MEMCPY_IMPL
// COMMON_INTERCEPTOR_COPY_STRING
// COMMON_INTERCEPTOR_STRNDUP_IMPL
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "interception/interception.h" #include "interception/interception.h"
#include "sanitizer_addrhashmap.h" #include "sanitizer_addrhashmap.h"
#include "sanitizer_placement_new.h" #include "sanitizer_placement_new.h"
#include "sanitizer_platform_interceptors.h" #include "sanitizer_platform_interceptors.h"
#include "sanitizer_tls_get_addr.h" #include "sanitizer_tls_get_addr.h"
▲ Show 20 LinesShow All 165 Lines▼ Show 20 Lines#define COMMON_INTERCEPTOR_MEMCPY_IMPL(ctx, dst, src, size) \
if (common_flags()->intercept_intrin) { \ if (common_flags()->intercept_intrin) { \
COMMON_INTERCEPTOR_WRITE_RANGE(ctx, dst, size); \ COMMON_INTERCEPTOR_WRITE_RANGE(ctx, dst, size); \
COMMON_INTERCEPTOR_READ_RANGE(ctx, src, size); \ COMMON_INTERCEPTOR_READ_RANGE(ctx, src, size); \
} \ } \
return REAL(memcpy)(dst, src, size); \ return REAL(memcpy)(dst, src, size); \
} }
#endif #endif
#ifndef COMMON_INTERCEPTOR_COPY_STRING
#define COMMON_INTERCEPTOR_COPY_STRING(ctx, to, from, size) {}
#endif
#ifndef COMMON_INTERCEPTOR_STRNDUP_IMPL
#define COMMON_INTERCEPTOR_STRNDUP_IMPL(ctx, s, size) \
COMMON_INTERCEPTOR_ENTER(ctx, strndup, s, size); \
uptr from_length = REAL(strnlen)(s, size); \
uptr copy_length = Min(size, from_length); \
char *new_mem = (char *)WRAP(malloc)(copy_length + 1); \
if (common_flags()->intercept_strndup) { \
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

probably should be COMMON_INTERCEPTOR_READ_STRING(ctx, s, Min(size, copy_length + 1));

vitalybuka: probably should be COMMON_INTERCEPTOR_READ_STRING(ctx, s, Min(size, copy_length + 1));
pgousseauAuthorUnsubmitted
Not Done
ReplyInline Actions

Sounds good, I have updated the patch.

pgousseau: Sounds good, I have updated the patch.
COMMON_INTERCEPTOR_READ_RANGE(ctx, s, copy_length + 1); \
} \
COMMON_INTERCEPTOR_COPY_STRING(ctx, new_mem, s, copy_length); \
internal_memcpy(new_mem, s, copy_length); \
new_mem[copy_length] = '\0'; \
return new_mem;
#endif
struct FileMetadata { struct FileMetadata {
// For open_memstream(). // For open_memstream().
char **addr; char **addr;
SIZE_T *size; SIZE_T *size;
}; };
struct CommonInterceptorMetadata { struct CommonInterceptorMetadata {
enum { enum {
▲ Show 20 LinesShow All 67 Lines▼ Show 20 Lines if (common_flags()->intercept_strlen)
COMMON_INTERCEPTOR_READ_RANGE(ctx, s, Min(length + 1, maxlen)); COMMON_INTERCEPTOR_READ_RANGE(ctx, s, Min(length + 1, maxlen));
return length; return length;
} }
#define INIT_STRNLEN COMMON_INTERCEPT_FUNCTION(strnlen) #define INIT_STRNLEN COMMON_INTERCEPT_FUNCTION(strnlen)
#else #else
#define INIT_STRNLEN #define INIT_STRNLEN
#endif #endif
#if SANITIZER_INTERCEPT_STRNDUP
INTERCEPTOR(char*, strndup, const char *s, uptr size) {
void *ctx;
COMMON_INTERCEPTOR_STRNDUP_IMPL(ctx, s, size);
}
eugenisUnsubmitted
Done
ReplyInline Actions

this should use strnlen, like the msan interceptor it is replacing

eugenis: this should use strnlen, like the msan interceptor it is replacing
pgousseauAuthorUnsubmitted
Done
ReplyInline Actions

Makes sense thanks.

pgousseau: Makes sense thanks.
#define INIT_STRNDUP COMMON_INTERCEPT_FUNCTION(strndup)
#else
#define INIT_STRNDUP
#endif // SANITIZER_INTERCEPT_STRNDUP
eugenisUnsubmitted
Done
ReplyInline Actions

MSan needs COPY_STRING for correctness. Without out, the destination buffer would be left uninitialized (poisoned). It needs to happen regardless of intercept_strndup.

Please add a test for this.

eugenis: MSan needs COPY_STRING for correctness. Without out, the destination buffer would be left…
#if SANITIZER_INTERCEPT___STRNDUP
INTERCEPTOR(char*, __strndup, const char *s, uptr size) {
void *ctx;
COMMON_INTERCEPTOR_STRNDUP_IMPL(ctx, s, size);
}
#define INIT___STRNDUP COMMON_INTERCEPT_FUNCTION(__strndup)
#else
#define INIT___STRNDUP
#endif // SANITIZER_INTERCEPT___STRNDUP
filcabUnsubmitted
Done
ReplyInline Actions

Should the context be __strndup?
It's probably ok as it is if the __strndup function is not supposed to be user-visible.

filcab: Should the context be `__strndup`? It's probably ok as it is if the `__strndup` function is not…
pgousseauAuthorUnsubmitted
Done
ReplyInline Actions

Yes I think strndup is preferred because this is also the case with strdup/strndup in asan_interceptors.cc

pgousseau: Yes I think strndup is preferred because this is also the case with strdup/strndup in…
#if SANITIZER_INTERCEPT_TEXTDOMAIN #if SANITIZER_INTERCEPT_TEXTDOMAIN
INTERCEPTOR(char*, textdomain, const char *domainname) { INTERCEPTOR(char*, textdomain, const char *domainname) {
void *ctx; void *ctx;
COMMON_INTERCEPTOR_ENTER(ctx, textdomain, domainname); COMMON_INTERCEPTOR_ENTER(ctx, textdomain, domainname);
COMMON_INTERCEPTOR_READ_STRING(ctx, domainname, 0); COMMON_INTERCEPTOR_READ_STRING(ctx, domainname, 0);
eugenisUnsubmitted
Done
ReplyInline Actions

Please avoid code duplication. Move the interceptor body to COMMON_INTERCEPTOR_STRNDUP_IMPL

eugenis: Please avoid code duplication. Move the interceptor body to COMMON_INTERCEPTOR_STRNDUP_IMPL
char *domain = REAL(textdomain)(domainname); char *domain = REAL(textdomain)(domainname);
if (domain) { if (domain) {
COMMON_INTERCEPTOR_INITIALIZE_RANGE(domain, REAL(strlen)(domain) + 1); COMMON_INTERCEPTOR_INITIALIZE_RANGE(domain, REAL(strlen)(domain) + 1);
} }
eugenisUnsubmitted
Not Done
ReplyInline Actions

Hmm I have a vague recollection of tsan having problems with interceptors calling other interceptors. On the other hand, tsan interceptor for strdup calls REAL(strdup), which ends up in the malloc interceptor. Dmitry?

eugenis: Hmm I have a vague recollection of tsan having problems with interceptors calling other…
return domain; return domain;
} }
#define INIT_TEXTDOMAIN COMMON_INTERCEPT_FUNCTION(textdomain) #define INIT_TEXTDOMAIN COMMON_INTERCEPT_FUNCTION(textdomain)
#else #else
#define INIT_TEXTDOMAIN #define INIT_TEXTDOMAIN
#endif #endif
eugenisUnsubmitted
Not Done
ReplyInline Actions

internal_memcpy

eugenis: internal_memcpy
#if SANITIZER_INTERCEPT_STRCMP #if SANITIZER_INTERCEPT_STRCMP
static inline int CharCmpX(unsigned char c1, unsigned char c2) { static inline int CharCmpX(unsigned char c1, unsigned char c2) {
return (c1 == c2) ? 0 : (c1 < c2) ? -1 : 1; return (c1 == c2) ? 0 : (c1 < c2) ? -1 : 1;
} }
DECLARE_WEAK_INTERCEPTOR_HOOK(__sanitizer_weak_hook_strcmp, uptr called_pc, DECLARE_WEAK_INTERCEPTOR_HOOK(__sanitizer_weak_hook_strcmp, uptr called_pc,
const char *s1, const char *s2, int result) const char *s1, const char *s2, int result)
▲ Show 20 LinesShow All 5,714 Lines▼ Show 20 Lines
static void InitializeCommonInterceptors() { static void InitializeCommonInterceptors() {
static u64 metadata_mem[sizeof(MetadataHashMap) / sizeof(u64) + 1]; static u64 metadata_mem[sizeof(MetadataHashMap) / sizeof(u64) + 1];
interceptor_metadata_map = new((void *)&metadata_mem) MetadataHashMap(); interceptor_metadata_map = new((void *)&metadata_mem) MetadataHashMap();
INIT_TEXTDOMAIN; INIT_TEXTDOMAIN;
INIT_STRLEN; INIT_STRLEN;
INIT_STRNLEN; INIT_STRNLEN;
INIT_STRNDUP;
INIT___STRNDUP;
INIT_STRCMP; INIT_STRCMP;
INIT_STRNCMP; INIT_STRNCMP;
INIT_STRCASECMP; INIT_STRCASECMP;
INIT_STRNCASECMP; INIT_STRNCASECMP;
INIT_STRSTR; INIT_STRSTR;
INIT_STRCASESTR; INIT_STRCASESTR;
INIT_STRCHR; INIT_STRCHR;
INIT_STRCHRNUL; INIT_STRCHRNUL;
▲ Show 20 LinesShow All 184 LinesShow Last 20 Lines

lib/sanitizer_common/sanitizer_flags.inc

Show First 20 LinesShow All 191 Lines▼ Show 20 LinesCOMMON_FLAG(bool, intercept_strspn, true,
"If set, uses custom wrappers for strspn and strcspn function " "If set, uses custom wrappers for strspn and strcspn function "
"to find more errors.") "to find more errors.")
COMMON_FLAG(bool, intercept_strpbrk, true, COMMON_FLAG(bool, intercept_strpbrk, true,
"If set, uses custom wrappers for strpbrk function " "If set, uses custom wrappers for strpbrk function "
"to find more errors.") "to find more errors.")
COMMON_FLAG(bool, intercept_strlen, true, COMMON_FLAG(bool, intercept_strlen, true,
"If set, uses custom wrappers for strlen and strnlen functions " "If set, uses custom wrappers for strlen and strnlen functions "
"to find more errors.") "to find more errors.")
COMMON_FLAG(bool, intercept_strndup, true,
"If set, uses custom wrappers for strndup functions "
"to find more errors.")
COMMON_FLAG(bool, intercept_strchr, true, COMMON_FLAG(bool, intercept_strchr, true,
"If set, uses custom wrappers for strchr, strchrnul, and strrchr " "If set, uses custom wrappers for strchr, strchrnul, and strrchr "
"functions to find more errors.") "functions to find more errors.")
COMMON_FLAG(bool, intercept_memcmp, true, COMMON_FLAG(bool, intercept_memcmp, true,
"If set, uses custom wrappers for memcmp function " "If set, uses custom wrappers for memcmp function "
"to find more errors.") "to find more errors.")
COMMON_FLAG(bool, strict_memcmp, true, COMMON_FLAG(bool, strict_memcmp, true,
"If true, assume that memcmp(p1, p2, n) always reads n bytes before " "If true, assume that memcmp(p1, p2, n) always reads n bytes before "
Show All 28 Lines

lib/sanitizer_common/sanitizer_platform_interceptors.h

Show All 19 Lines
# define SI_WINDOWS 0 # define SI_WINDOWS 0
# define SI_NOT_WINDOWS 1 # define SI_NOT_WINDOWS 1
# include "sanitizer_platform_limits_posix.h" # include "sanitizer_platform_limits_posix.h"
#else #else
# define SI_WINDOWS 1 # define SI_WINDOWS 1
# define SI_NOT_WINDOWS 0 # define SI_NOT_WINDOWS 0
#endif #endif
#if SANITIZER_POSIX
# define SI_POSIX 1
#else
# define SI_POSIX 0
#endif
#if SANITIZER_LINUX && !SANITIZER_ANDROID #if SANITIZER_LINUX && !SANITIZER_ANDROID
# define SI_LINUX_NOT_ANDROID 1 # define SI_LINUX_NOT_ANDROID 1
#else #else
# define SI_LINUX_NOT_ANDROID 0 # define SI_LINUX_NOT_ANDROID 0
#endif #endif
#if SANITIZER_ANDROID #if SANITIZER_ANDROID
# define SI_ANDROID 1 # define SI_ANDROID 1
Show All 28 Lines
#endif #endif
#if !SANITIZER_WINDOWS && !SANITIZER_MAC #if !SANITIZER_WINDOWS && !SANITIZER_MAC
# define SI_UNIX_NOT_MAC 1 # define SI_UNIX_NOT_MAC 1
#else #else
# define SI_UNIX_NOT_MAC 0 # define SI_UNIX_NOT_MAC 0
#endif #endif
#if SANITIZER_LINUX && !SANITIZER_FREEBSD
# define SI_LINUX_NOT_FREEBSD 1
# else
# define SI_LINUX_NOT_FREEBSD 0
#endif
#define SANITIZER_INTERCEPT_STRLEN 1 #define SANITIZER_INTERCEPT_STRLEN 1
#define SANITIZER_INTERCEPT_STRNLEN SI_NOT_MAC #define SANITIZER_INTERCEPT_STRNLEN SI_NOT_MAC
#define SANITIZER_INTERCEPT_STRCMP 1 #define SANITIZER_INTERCEPT_STRCMP 1
#define SANITIZER_INTERCEPT_STRSTR 1 #define SANITIZER_INTERCEPT_STRSTR 1
#define SANITIZER_INTERCEPT_STRCASESTR SI_NOT_WINDOWS #define SANITIZER_INTERCEPT_STRCASESTR SI_NOT_WINDOWS
#define SANITIZER_INTERCEPT_STRCHR 1 #define SANITIZER_INTERCEPT_STRCHR 1
#define SANITIZER_INTERCEPT_STRCHRNUL SI_UNIX_NOT_MAC #define SANITIZER_INTERCEPT_STRCHRNUL SI_UNIX_NOT_MAC
#define SANITIZER_INTERCEPT_STRRCHR 1 #define SANITIZER_INTERCEPT_STRRCHR 1
#define SANITIZER_INTERCEPT_STRSPN 1 #define SANITIZER_INTERCEPT_STRSPN 1
#define SANITIZER_INTERCEPT_STRPBRK 1 #define SANITIZER_INTERCEPT_STRPBRK 1
#define SANITIZER_INTERCEPT_TEXTDOMAIN SI_LINUX_NOT_ANDROID #define SANITIZER_INTERCEPT_TEXTDOMAIN SI_LINUX_NOT_ANDROID
#define SANITIZER_INTERCEPT_STRCASECMP SI_NOT_WINDOWS #define SANITIZER_INTERCEPT_STRCASECMP SI_NOT_WINDOWS
#define SANITIZER_INTERCEPT_MEMSET 1 #define SANITIZER_INTERCEPT_MEMSET 1
#define SANITIZER_INTERCEPT_MEMMOVE 1 #define SANITIZER_INTERCEPT_MEMMOVE 1
#define SANITIZER_INTERCEPT_MEMCPY 1 #define SANITIZER_INTERCEPT_MEMCPY 1
#define SANITIZER_INTERCEPT_MEMCMP 1 #define SANITIZER_INTERCEPT_MEMCMP 1
#define SANITIZER_INTERCEPT_STRNDUP SI_POSIX
#define SANITIZER_INTERCEPT___STRNDUP SI_LINUX_NOT_FREEBSD
#if defined(__ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__) && \ #if defined(__ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__) && \
__ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__ < 1070 __ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__ < 1070
# define SI_MAC_DEPLOYMENT_BELOW_10_7 1 # define SI_MAC_DEPLOYMENT_BELOW_10_7 1
#else #else
# define SI_MAC_DEPLOYMENT_BELOW_10_7 0 # define SI_MAC_DEPLOYMENT_BELOW_10_7 0
#endif #endif
// memmem on Darwin doesn't exist on 10.6 // memmem on Darwin doesn't exist on 10.6
// FIXME: enable memmem on Windows. // FIXME: enable memmem on Windows.
▲ Show 20 LinesShow All 241 LinesShow Last 20 Lines

lib/sanitizer_common/tests/sanitizer_test_utils.h

Show First 20 LinesShow All 118 Lines▼ Show 20 Lines
#endif #endif
#if defined(__FreeBSD__) #if defined(__FreeBSD__)
# define SANITIZER_TEST_HAS_PRINTF_L 1 # define SANITIZER_TEST_HAS_PRINTF_L 1
#else #else
# define SANITIZER_TEST_HAS_PRINTF_L 0 # define SANITIZER_TEST_HAS_PRINTF_L 0
#endif #endif
#if defined(__linux__) || defined(__APPLE__) || defined(__FreeBSD__) || \
filcabUnsubmitted
Done
ReplyInline Actions

We should also enter here if defined(__APPLE__) and if defined(__FreeBSD__), I think.
Can't think of more OS we support that should be here.

I'm not sure we should be taking Android out of the picture, as it seems strndup is available, AFAICT. @kcc/@vitalybuka (or others who might be working on Android) can you confirm if we should expect strndup to be available?

filcab: We should also enter here if `defined(__APPLE__)` and if `defined(__FreeBSD__)`, I think. Can't…
eugenisUnsubmitted
Done
ReplyInline Actions

Yes, strndup is available on Android.

eugenis: Yes, strndup is available on Android.
pgousseauAuthorUnsubmitted
Done
ReplyInline Actions

Sounds good will do.

pgousseau: Sounds good will do.
eugenisUnsubmitted
Not Done
ReplyInline Actions

maybe simply #if !defined(_MSC_VER)

eugenis: maybe simply #if !defined(_MSC_VER)
defined(__ANDROID__)
# define SANITIZER_TEST_HAS_STRNDUP 1
#else
# define SANITIZER_TEST_HAS_STRNDUP 0
#endif
#endif // SANITIZER_TEST_UTILS_H #endif // SANITIZER_TEST_UTILS_H

test/asan/TestCases/Posix/strndup_oob_test.cc

  • This file was added.
// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
// RUN: %clangxx_asan -O1 %s -o %t && not %run %t 2>&1 | FileCheck %s
// RUN: %clangxx_asan -O2 %s -o %t && not %run %t 2>&1 | FileCheck %s
// RUN: %clangxx_asan -O3 %s -o %t && not %run %t 2>&1 | FileCheck %s
// When built as C on Linux, strndup is transformed to __strndup.
// RUN: %clangxx_asan -O3 -xc %s -o %t && not %run %t 2>&1 | FileCheck %s
// UNSUPPORTED: win32
#include <string.h>
char kString[] = "foo";
int main(int argc, char **argv) {
char *copy = strndup(kString, 2);
int x = copy[2 + argc]; // BOOM
// CHECK: AddressSanitizer: heap-buffer-overflow
// CHECK: #0 {{.*}}main {{.*}}strndup_oob_test.cc:[[@LINE-2]]
// CHECK-LABEL: allocated by thread T{{.*}} here:
// CHECK: #{{[01]}} {{.*}}strndup
// CHECK: #{{.*}}main {{.*}}strndup_oob_test.cc:[[@LINE-6]]
// CHECK-LABEL: SUMMARY
// CHECK: strndup_oob_test.cc:[[@LINE-7]]
return x;
}
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

Maybe another simple test

// RUN: %clang_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
// RUN: %clang_asan -O1 %s -o %t && not %run %t 2>&1 | FileCheck %s
// RUN: %clang_asan -O2 %s -o %t && not %run %t 2>&1 | FileCheck %s
// RUN: %clang_asan -O3 %s -o %t && not %run %t 2>&1 | FileCheck %s

// When built as C on Linux, strndup is transformed to __strndup.
// RUN: %clang_asan -O3 -xc %s -o %t && not %run %t 2>&1 | FileCheck %s

// Unwind problem on arm: "main" is missing from the allocation stack trace.
// UNSUPPORTED: win32,s390,armv7l-unknown-linux-gnueabihf

#include <string.h>

char kChars[] = {'f', 'o', 'o'};

int main(int argc, char **argv) {
  char *copy = strndup(kChars, 3);
  copy = strndup(kChars, 10);
  // CHECK: AddressSanitizer: global-buffer-overflow
  // CHECK: {{.*}}main {{.*}}.cc:[[@LINE-2]]
  return *copy;
}
vitalybuka: Maybe another simple test ``` // RUN: %clang_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck…

test/msan/strndup.cc

  • This file was added.
// RUN: %clangxx_msan %s -o %t && not %run %t 2>&1 | FileCheck --check-prefix=ON %s
// RUN: %clangxx_msan %s -o %t && MSAN_OPTIONS=intercept_strndup=0 %run %t 2>&1 | FileCheck --check-prefix=OFF --allow-empty %s
// When built as C on Linux, strndup is transformed to __strndup.
// RUN: %clangxx_msan -O3 -xc %s -o %t && not %run %t 2>&1 | FileCheck --check-prefix=ON %s
// UNSUPPORTED: win32
#include <assert.h>
#include <stdlib.h>
#include <string.h>
#include <sanitizer/msan_interface.h>
int main(int argc, char **argv) {
char kString[4] = "abc";
__msan_poison(kString + 2, 1);
char *copy = strndup(kString, 4); // BOOM
assert(__msan_test_shadow(copy, 4) == 2); // Poisoning is preserved.
free(copy);
return 0;
// ON: Uninitialized bytes in __interceptor_{{(__)?}}strndup at offset 2 inside [{{.*}}, 4)
// ON: MemorySanitizer: use-of-uninitialized-value
// ON: #0 {{.*}}main {{.*}}strndup.cc:[[@LINE-6]]
// ON-LABEL: SUMMARY
// ON: {{.*}}strndup.cc:[[@LINE-8]]
// OFF-NOT: MemorySanitizer
}