This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
compiler-rt/trunk/
-
trunk/
-
lib/asan/
-
asan/
-
asan_interceptors.h
-
asan_interceptors.cc
-
test/asan/TestCases/Linux/
-
asan/
-
TestCases/
-
Linux/
-
longjmp_chk.c

Differential D32408

[ASAN] Add interceptor for __longjmp_chk
ClosedPublic

Authored by Lekensteyn on Apr 23 2017, 3:44 PM.

Download Raw Diff

Details

Reviewers

vitalybuka
ygribov
alekseyshl
eugenis

Commits

rGdbc4f7413c41: [ASAN] Add interceptor for __longjmp_chk
rCRT302152: [ASAN] Add interceptor for __longjmp_chk
rL302152: [ASAN] Add interceptor for __longjmp_chk

Summary

glibc on Linux calls __longjmp_chk instead of longjmp (or _longjmp) when
_FORTIFY_SOURCE is defined. Ensure that an ASAN-instrumented program intercepts
this function when a system library calls it, otherwise the stack might remain
poisoned and result in CHECK failures and false positives.

Fixes https://github.com/google/sanitizers/issues/721

Diff Detail

Repository: rL LLVM

Event Timeline

Lekensteyn created this revision.Apr 23 2017, 3:44 PM

Herald added a subscriber: kubamracek. · View Herald TranscriptApr 23 2017, 3:44 PM

dvyukov added reviewers: alekseyshl, vitalybuka.Apr 23 2017, 11:11 PM

LGTM

vitalybuka added a reviewer: eugenis.Apr 24 2017, 10:18 AM

eugenis added inline comments.Apr 26 2017, 1:41 PM

lib/asan/asan_interceptors.cc
442 ↗	(On Diff #96328)	Why not REAL(__longjmp_chk) ?
lib/asan/asan_interceptors.h
61 ↗	(On Diff #96328)	&& !SANITIZER_ANDROID
test/asan/TestCases/Linux/longjmp_chk.c
8 ↗	(On Diff #96328)	Why do you split the test in two translation units? If it is to prevent "msg" from being optimized out, a call to __asan_address_is_poisoned would have the same effect.

Lekensteyn added inline comments.Apr 26 2017, 1:50 PM

lib/asan/asan_interceptors.cc
442 ↗	(On Diff #96328)	I was concerned that this would result in linking issues since `__longjmp_chk` is not a standard symbol (it is specific to glib). Furthermore, if an external application somehow tries to use the `__longjmp_chk` symbol when available (while we don't have glibc as C library), then it would call into a nullptr. It is possible that this concern is invalid though, what do you think?
test/asan/TestCases/Linux/longjmp_chk.c
8 ↗	(On Diff #96328)	The essence is that one application is built with ASAN and another library is built without ASAN, but with `_FORTIFY_SOURCE`. Only this combination is causing issues, if both are built with ASAN or if both are built without FS, then there is no problem.

eugenis added inline comments.Apr 26 2017, 2:00 PM

lib/asan/asan_interceptors.cc
442 ↗	(On Diff #96328)	I think it is still better to call __longjmp_chk to avoid weakening _FORTIFY_SOURCE. We already have quite a few dependencies like this, for example see the obstack interceptor in sanitizer_common - it is glibc-specific and can not be realistically implemented without REAL(obstack).
test/asan/TestCases/Linux/longjmp_chk.c
8 ↗	(On Diff #96328)	Why is there no problem when both are built with fortify? I see that asan disables fortify on darwin, but probably not on linux.

Lekensteyn added inline comments.Apr 26 2017, 2:40 PM

lib/asan/asan_interceptors.cc
442 ↗	(On Diff #96328)	Ok, using `__longjmp_chk` seems to work, and if the symbol does not exist in the libc it still seems to build (I tried adding an interceptor for a non-existing `__longjmp_chk2`). Will fix this in the next revision.
test/asan/TestCases/Linux/longjmp_chk.c
8 ↗	(On Diff #96328)	There can still be a problem even if both are built with fortify. Most important is that the non-ASAN code does a `__longjmp_chk` through the stack frame of the ASAN code. That's why two builds are needed, one with ASAN and one without.

eugenis added inline comments.Apr 26 2017, 3:12 PM

test/asan/TestCases/Linux/longjmp_chk.c
8 ↗	(On Diff #96328)	Oh I get it, ASan instrumentation adds __asan_handle_no_return() before any call to longjmp, that's why the test needs to call longjmp from an uninstrumented code.

Changes:

Clarified why "msg" is passed in "callback"
Clarified why the "external library" is built without ASAN
Added !SANITIZER_ANDROID as suggested

Can I commit it now?

Herald added a subscriber: srhines. · View Herald TranscriptMay 1 2017, 10:10 AM

LGTM

This revision is now accepted and ready to land.May 1 2017, 10:52 AM

Closed by commit rL302152: [ASAN] Add interceptor for __longjmp_chk (authored by Lekensteyn). · Explain WhyMay 4 2017, 7:17 AM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

compiler-rt/

trunk/

lib/

asan/

asan_interceptors.h

6 lines

asan_interceptors.cc

10 lines

test/

asan/

TestCases/

Linux/

longjmp_chk.c

51 lines

Diff 97824

compiler-rt/trunk/lib/asan/asan_interceptors.h

	Show First 20 Lines • Show All 52 Lines • ▼ Show 20 Lines
	#endif			#endif

	#if !SANITIZER_WINDOWS			#if !SANITIZER_WINDOWS
	# define ASAN_INTERCEPT_SIGLONGJMP 1			# define ASAN_INTERCEPT_SIGLONGJMP 1
	#else			#else
	# define ASAN_INTERCEPT_SIGLONGJMP 0			# define ASAN_INTERCEPT_SIGLONGJMP 0
	#endif			#endif

				#if SANITIZER_LINUX && !SANITIZER_ANDROID
				# define ASAN_INTERCEPT___LONGJMP_CHK 1
				#else
				# define ASAN_INTERCEPT___LONGJMP_CHK 0
				#endif

	// Android bug: https://code.google.com/p/android/issues/detail?id=61799			// Android bug: https://code.google.com/p/android/issues/detail?id=61799
	#if ASAN_HAS_EXCEPTIONS && !SANITIZER_WINDOWS && \			#if ASAN_HAS_EXCEPTIONS && !SANITIZER_WINDOWS && \
	!(SANITIZER_ANDROID && defined(__i386))			!(SANITIZER_ANDROID && defined(__i386))
	# define ASAN_INTERCEPT___CXA_THROW 1			# define ASAN_INTERCEPT___CXA_THROW 1
	#else			#else
	# define ASAN_INTERCEPT___CXA_THROW 0			# define ASAN_INTERCEPT___CXA_THROW 0
	#endif			#endif

	▲ Show 20 Lines • Show All 56 Lines • Show Last 20 Lines

compiler-rt/trunk/lib/asan/asan_interceptors.cc

Show First 20 Lines • Show All 437 Lines • ▼ Show 20 Lines

#if ASAN_INTERCEPT__LONGJMP		#if ASAN_INTERCEPT__LONGJMP
INTERCEPTOR(void, _longjmp, void *env, int val) {		INTERCEPTOR(void, _longjmp, void *env, int val) {
__asan_handle_no_return();		__asan_handle_no_return();
REAL(_longjmp)(env, val);		REAL(_longjmp)(env, val);
}		}
#endif		#endif

		#if ASAN_INTERCEPT___LONGJMP_CHK
		INTERCEPTOR(void, __longjmp_chk, void *env, int val) {
		__asan_handle_no_return();
		REAL(__longjmp_chk)(env, val);
		}
		#endif

#if ASAN_INTERCEPT_SIGLONGJMP		#if ASAN_INTERCEPT_SIGLONGJMP
INTERCEPTOR(void, siglongjmp, void *env, int val) {		INTERCEPTOR(void, siglongjmp, void *env, int val) {
__asan_handle_no_return();		__asan_handle_no_return();
REAL(siglongjmp)(env, val);		REAL(siglongjmp)(env, val);
}		}
#endif		#endif

#if ASAN_INTERCEPT___CXA_THROW		#if ASAN_INTERCEPT___CXA_THROW
▲ Show 20 Lines • Show All 299 Lines • ▼ Show 20 Lines	#endif
ASAN_INTERCEPT_FUNC(signal);		ASAN_INTERCEPT_FUNC(signal);
#endif		#endif
#if ASAN_INTERCEPT_SWAPCONTEXT		#if ASAN_INTERCEPT_SWAPCONTEXT
ASAN_INTERCEPT_FUNC(swapcontext);		ASAN_INTERCEPT_FUNC(swapcontext);
#endif		#endif
#if ASAN_INTERCEPT__LONGJMP		#if ASAN_INTERCEPT__LONGJMP
ASAN_INTERCEPT_FUNC(_longjmp);		ASAN_INTERCEPT_FUNC(_longjmp);
#endif		#endif
		#if ASAN_INTERCEPT___LONGJMP_CHK
		ASAN_INTERCEPT_FUNC(__longjmp_chk);
		#endif
#if ASAN_INTERCEPT_SIGLONGJMP		#if ASAN_INTERCEPT_SIGLONGJMP
ASAN_INTERCEPT_FUNC(siglongjmp);		ASAN_INTERCEPT_FUNC(siglongjmp);
#endif		#endif

// Intercept exception handling functions.		// Intercept exception handling functions.
#if ASAN_INTERCEPT___CXA_THROW		#if ASAN_INTERCEPT___CXA_THROW
ASAN_INTERCEPT_FUNC(__cxa_throw);		ASAN_INTERCEPT_FUNC(__cxa_throw);
#endif		#endif
Show All 26 Lines

compiler-rt/trunk/test/asan/TestCases/Linux/longjmp_chk.c

Property	Old Value	New Value
svn:eol-style	null	native

				// Verify that use of longjmp() in a _FORTIFY_SOURCE'd library (without ASAN)
				// is correctly intercepted such that the stack is unpoisoned.
				// Note: it is essential that the external library is not built with ASAN,
				// otherwise it would be able to unpoison the stack before use.
				//
				// RUN: %clang -DIS_LIBRARY -D_FORTIFY_SOURCE=2 -O2 %s -c -o %t.o
				// RUN: %clang_asan -O2 %s %t.o -o %t
				// RUN: %run %t

				#ifdef IS_LIBRARY
				/* the library */
				#include <setjmp.h>
				#include <assert.h>
				#include <sanitizer/asan_interface.h>

				static jmp_buf jenv;

				void external_callme(void (*callback)(void)) {
				if (setjmp(jenv) == 0) {
				callback();
				}
				}

				void external_longjmp(char *msg) {
				longjmp(jenv, 1);
				}

				void external_check_stack(void) {
				char buf[256] = "";
				for (int i = 0; i < 256; i++) {
				assert(!__asan_address_is_poisoned(buf + i));
				}
				}
				#else
				/* main program */
				extern void external_callme(void (*callback)(void));
				extern void external_longjmp(char *msg);
				extern void external_check_stack(void);

				static void callback(void) {
				char msg[16]; /* Note: this triggers addition of a redzone. */
				/* Note: msg is passed to prevent compiler optimization from removing it. */
				external_longjmp(msg);
				}

				int main() {
				external_callme(callback);
				external_check_stack();
				return 0;
				}
				#endif