This is an archive of the discontinued LLVM Phabricator instance.

Differential D40951

[ASan] Add interceptor for printf_chk
ClosedPublic

Authored by denis13 on Dec 7 2017, 5:20 AM.

Details

Reviewers
m.ostapenko
vitalybuka
eugenis
alekseyshl
ygribov
Commits
rGde74bdb3d2cf: [asan] Add interceptor for printf_chk
rL320990: [asan] Add interceptor for printf_chk
rCRT320990: [asan] Add interceptor for printf_chk
Summary

Could be a situation when a specific DSO was built with FORTIFY_SOURCE option. In case asan-ed binary link against that DSO, libasan can't handle the possible memory error because does not have interceptors for spinrtf_chk, snprintf_chk, vprintf_chk, vsnprintf_chk, __fprintf_chk functions.

Diff Detail

Event Timeline

denis13 created this revision.Dec 7 2017, 5:20 AM
Herald added subscribers: kubamracek, srhines. · View Herald TranscriptDec 7 2017, 5:20 AM
alekseyshl added inline comments.Dec 7 2017, 12:59 PM
lib/sanitizer_common/sanitizer_platform_interceptors.h
167

Why #ifndef here?

168

Shouldn't it be (SANITIZER_INTERCEPT_PRINTF && SI_LINUX_NOT_ANDROID)?

vitalybuka added inline comments.Dec 7 2017, 2:33 PM
test/asan/TestCases/Linux/printf-fortify-2.c
13

Maybe just:

char write_buffer[1];
snprintf(write_buffer, 2, "%s_%s", "one", "two");

denis13 added inline comments.Dec 8 2017, 3:06 AM
lib/sanitizer_common/sanitizer_platform_interceptors.h
168

Thanks, I've fixed that.

test/asan/TestCases/Linux/printf-fortify-2.c
13

IMHO, in this test case the DSO is building without ASan's instrumentation, therefore the memory on the stack could not be "poisoned" with "redzones", in this case ASan could not handle the error. Sorry if I miss something, please correct me if I'm wrong. Thanks.

denis13 updated this revision to Diff 126111.Dec 8 2017, 3:08 AM

Fixed the "define" issue

vitalybuka accepted this revision.Dec 8 2017, 3:55 PM
This revision is now accepted and ready to land.Dec 8 2017, 3:55 PM
Closed by commit rCRT320990: [asan] Add interceptor for printf_chk (authored by chefmax). · Explain WhyDec 18 2017, 7:32 AM
This revision was automatically updated to reflect the committed changes.
Herald added subscribers: Restricted Project, llvm-commits. · View Herald TranscriptDec 18 2017, 7:32 AM
m.ostapenko added a comment.Dec 18 2017, 7:34 AM

Hi, I've committed this on behalf of Denis. @denis13 Will ping you if some buildbots complain about this change.

Revision Contents

PathSize
lib/
sanitizer_common/
43 lines
3 lines
test/
asan/
TestCases/
Linux/
18 lines
18 lines
22 lines
22 lines
18 lines

Diff 127359

lib/sanitizer_common/sanitizer_common_interceptors.inc

Show First 20 LinesShow All 1,546 Lines▼ Show 20 Lines
INTERCEPTOR(int, vfprintf, __sanitizer_FILE *stream, const char *format, INTERCEPTOR(int, vfprintf, __sanitizer_FILE *stream, const char *format,
va_list ap) va_list ap)
VPRINTF_INTERCEPTOR_IMPL(vfprintf, stream, format, ap) VPRINTF_INTERCEPTOR_IMPL(vfprintf, stream, format, ap)
INTERCEPTOR(int, vsnprintf, char *str, SIZE_T size, const char *format, INTERCEPTOR(int, vsnprintf, char *str, SIZE_T size, const char *format,
va_list ap) va_list ap)
VSNPRINTF_INTERCEPTOR_IMPL(vsnprintf, str, size, format, ap) VSNPRINTF_INTERCEPTOR_IMPL(vsnprintf, str, size, format, ap)
#if SANITIZER_INTERCEPT___PRINTF_CHK
INTERCEPTOR(int, __vsnprintf_chk, char *str, SIZE_T size, int flag,
SIZE_T size_to, const char *format, va_list ap)
VSNPRINTF_INTERCEPTOR_IMPL(vsnprintf, str, size, format, ap)
#endif
#if SANITIZER_INTERCEPT_PRINTF_L #if SANITIZER_INTERCEPT_PRINTF_L
INTERCEPTOR(int, vsnprintf_l, char *str, SIZE_T size, void *loc, INTERCEPTOR(int, vsnprintf_l, char *str, SIZE_T size, void *loc,
const char *format, va_list ap) const char *format, va_list ap)
VSNPRINTF_INTERCEPTOR_IMPL(vsnprintf_l, str, size, loc, format, ap) VSNPRINTF_INTERCEPTOR_IMPL(vsnprintf_l, str, size, loc, format, ap)
INTERCEPTOR(int, snprintf_l, char *str, SIZE_T size, void *loc, INTERCEPTOR(int, snprintf_l, char *str, SIZE_T size, void *loc,
const char *format, ...) const char *format, ...)
FORMAT_INTERCEPTOR_IMPL(snprintf_l, vsnprintf_l, str, size, loc, format) FORMAT_INTERCEPTOR_IMPL(snprintf_l, vsnprintf_l, str, size, loc, format)
#endif // SANITIZER_INTERCEPT_PRINTF_L #endif // SANITIZER_INTERCEPT_PRINTF_L
INTERCEPTOR(int, vsprintf, char *str, const char *format, va_list ap) INTERCEPTOR(int, vsprintf, char *str, const char *format, va_list ap)
VSPRINTF_INTERCEPTOR_IMPL(vsprintf, str, format, ap) VSPRINTF_INTERCEPTOR_IMPL(vsprintf, str, format, ap)
#if SANITIZER_INTERCEPT___PRINTF_CHK
INTERCEPTOR(int, __vsprintf_chk, char *str, int flag, SIZE_T size_to,
const char *format, va_list ap)
VSPRINTF_INTERCEPTOR_IMPL(vsprintf, str, format, ap)
#endif
INTERCEPTOR(int, vasprintf, char **strp, const char *format, va_list ap) INTERCEPTOR(int, vasprintf, char **strp, const char *format, va_list ap)
VASPRINTF_INTERCEPTOR_IMPL(vasprintf, strp, format, ap) VASPRINTF_INTERCEPTOR_IMPL(vasprintf, strp, format, ap)
#if SANITIZER_INTERCEPT_ISOC99_PRINTF #if SANITIZER_INTERCEPT_ISOC99_PRINTF
INTERCEPTOR(int, __isoc99_vprintf, const char *format, va_list ap) INTERCEPTOR(int, __isoc99_vprintf, const char *format, va_list ap)
VPRINTF_INTERCEPTOR_IMPL(__isoc99_vprintf, format, ap) VPRINTF_INTERCEPTOR_IMPL(__isoc99_vprintf, format, ap)
INTERCEPTOR(int, __isoc99_vfprintf, __sanitizer_FILE *stream, INTERCEPTOR(int, __isoc99_vfprintf, __sanitizer_FILE *stream,
Show All 12 Lines
#endif // SANITIZER_INTERCEPT_ISOC99_PRINTF #endif // SANITIZER_INTERCEPT_ISOC99_PRINTF
INTERCEPTOR(int, printf, const char *format, ...) INTERCEPTOR(int, printf, const char *format, ...)
FORMAT_INTERCEPTOR_IMPL(printf, vprintf, format) FORMAT_INTERCEPTOR_IMPL(printf, vprintf, format)
INTERCEPTOR(int, fprintf, __sanitizer_FILE *stream, const char *format, ...) INTERCEPTOR(int, fprintf, __sanitizer_FILE *stream, const char *format, ...)
FORMAT_INTERCEPTOR_IMPL(fprintf, vfprintf, stream, format) FORMAT_INTERCEPTOR_IMPL(fprintf, vfprintf, stream, format)
#if SANITIZER_INTERCEPT___PRINTF_CHK
INTERCEPTOR(int, __fprintf_chk, __sanitizer_FILE *stream, SIZE_T size,
const char *format, ...)
FORMAT_INTERCEPTOR_IMPL(__fprintf_chk, vfprintf, stream, format)
#endif
INTERCEPTOR(int, sprintf, char *str, const char *format, ...) // NOLINT INTERCEPTOR(int, sprintf, char *str, const char *format, ...) // NOLINT
FORMAT_INTERCEPTOR_IMPL(sprintf, vsprintf, str, format) // NOLINT FORMAT_INTERCEPTOR_IMPL(sprintf, vsprintf, str, format) // NOLINT
#if SANITIZER_INTERCEPT___PRINTF_CHK
INTERCEPTOR(int, __sprintf_chk, char *str, int flag, SIZE_T size_to,
const char *format, ...) // NOLINT
FORMAT_INTERCEPTOR_IMPL(__sprintf_chk, vsprintf, str, format) // NOLINT
#endif
INTERCEPTOR(int, snprintf, char *str, SIZE_T size, const char *format, ...) INTERCEPTOR(int, snprintf, char *str, SIZE_T size, const char *format, ...)
FORMAT_INTERCEPTOR_IMPL(snprintf, vsnprintf, str, size, format) FORMAT_INTERCEPTOR_IMPL(snprintf, vsnprintf, str, size, format)
#if SANITIZER_INTERCEPT___PRINTF_CHK
INTERCEPTOR(int, __snprintf_chk, char *str, SIZE_T size, int flag,
SIZE_T size_to, const char *format, ...) // NOLINT
FORMAT_INTERCEPTOR_IMPL(__snprintf_chk, vsnprintf, str, size, format) // NOLINT
#endif
INTERCEPTOR(int, asprintf, char **strp, const char *format, ...) INTERCEPTOR(int, asprintf, char **strp, const char *format, ...)
FORMAT_INTERCEPTOR_IMPL(asprintf, vasprintf, strp, format) FORMAT_INTERCEPTOR_IMPL(asprintf, vasprintf, strp, format)
#if SANITIZER_INTERCEPT_ISOC99_PRINTF #if SANITIZER_INTERCEPT_ISOC99_PRINTF
INTERCEPTOR(int, __isoc99_printf, const char *format, ...) INTERCEPTOR(int, __isoc99_printf, const char *format, ...)
FORMAT_INTERCEPTOR_IMPL(__isoc99_printf, __isoc99_vprintf, format) FORMAT_INTERCEPTOR_IMPL(__isoc99_printf, __isoc99_vprintf, format)
INTERCEPTOR(int, __isoc99_fprintf, __sanitizer_FILE *stream, const char *format, INTERCEPTOR(int, __isoc99_fprintf, __sanitizer_FILE *stream, const char *format,
Show All 23 Lines#define INIT_PRINTF \
COMMON_INTERCEPT_FUNCTION_LDBL(vsprintf); \ COMMON_INTERCEPT_FUNCTION_LDBL(vsprintf); \
COMMON_INTERCEPT_FUNCTION_LDBL(vsnprintf); \ COMMON_INTERCEPT_FUNCTION_LDBL(vsnprintf); \
COMMON_INTERCEPT_FUNCTION_LDBL(vasprintf); \ COMMON_INTERCEPT_FUNCTION_LDBL(vasprintf); \
COMMON_INTERCEPT_FUNCTION_LDBL(vfprintf); COMMON_INTERCEPT_FUNCTION_LDBL(vfprintf);
#else #else
#define INIT_PRINTF #define INIT_PRINTF
#endif #endif
#if SANITIZER_INTERCEPT___PRINTF_CHK
#define INIT___PRINTF_CHK \
COMMON_INTERCEPT_FUNCTION(__sprintf_chk); \
COMMON_INTERCEPT_FUNCTION(__snprintf_chk); \
COMMON_INTERCEPT_FUNCTION(__vsprintf_chk); \
COMMON_INTERCEPT_FUNCTION(__vsnprintf_chk); \
COMMON_INTERCEPT_FUNCTION(__fprintf_chk);
#else
#define INIT___PRINTF_CHK
#endif
#if SANITIZER_INTERCEPT_PRINTF_L #if SANITIZER_INTERCEPT_PRINTF_L
#define INIT_PRINTF_L \ #define INIT_PRINTF_L \
COMMON_INTERCEPT_FUNCTION(snprintf_l); \ COMMON_INTERCEPT_FUNCTION(snprintf_l); \
COMMON_INTERCEPT_FUNCTION(vsnprintf_l); COMMON_INTERCEPT_FUNCTION(vsnprintf_l);
#else #else
#define INIT_PRINTF_L #define INIT_PRINTF_L
#endif #endif
▲ Show 20 LinesShow All 4,906 Lines▼ Show 20 Linesstatic void InitializeCommonInterceptors() {
INIT_WCSLEN; INIT_WCSLEN;
INIT_WCSCAT; INIT_WCSCAT;
#if SANITIZER_NETBSD #if SANITIZER_NETBSD
COMMON_INTERCEPT_FUNCTION(__libc_mutex_lock); COMMON_INTERCEPT_FUNCTION(__libc_mutex_lock);
COMMON_INTERCEPT_FUNCTION(__libc_mutex_unlock); COMMON_INTERCEPT_FUNCTION(__libc_mutex_unlock);
COMMON_INTERCEPT_FUNCTION(__libc_thr_setcancelstate); COMMON_INTERCEPT_FUNCTION(__libc_thr_setcancelstate);
#endif #endif
INIT___PRINTF_CHK;
} }

lib/sanitizer_common/sanitizer_platform_interceptors.h

Show First 20 LinesShow All 158 Lines▼ Show 20 Lines
#define SANITIZER_INTERCEPT_PREADV \ #define SANITIZER_INTERCEPT_PREADV \
(SI_FREEBSD || SI_NETBSD || SI_LINUX_NOT_ANDROID) (SI_FREEBSD || SI_NETBSD || SI_LINUX_NOT_ANDROID)
#define SANITIZER_INTERCEPT_PWRITEV SI_LINUX_NOT_ANDROID #define SANITIZER_INTERCEPT_PWRITEV SI_LINUX_NOT_ANDROID
#define SANITIZER_INTERCEPT_PREADV64 SI_LINUX_NOT_ANDROID #define SANITIZER_INTERCEPT_PREADV64 SI_LINUX_NOT_ANDROID
#define SANITIZER_INTERCEPT_PWRITEV64 SI_LINUX_NOT_ANDROID #define SANITIZER_INTERCEPT_PWRITEV64 SI_LINUX_NOT_ANDROID
#define SANITIZER_INTERCEPT_PRCTL SI_LINUX #define SANITIZER_INTERCEPT_PRCTL SI_LINUX
alekseyshlUnsubmitted
Not Done
ReplyInline Actions

Why #ifndef here?

alekseyshl: Why #ifndef here?
#define SANITIZER_INTERCEPT_LOCALTIME_AND_FRIENDS SI_POSIX #define SANITIZER_INTERCEPT_LOCALTIME_AND_FRIENDS SI_POSIX
alekseyshlUnsubmitted
Not Done
ReplyInline Actions

Shouldn't it be (SANITIZER_INTERCEPT_PRINTF && SI_LINUX_NOT_ANDROID)?

alekseyshl: Shouldn't it be (SANITIZER_INTERCEPT_PRINTF && SI_LINUX_NOT_ANDROID)?
denis13AuthorUnsubmitted
Not Done
ReplyInline Actions

Thanks, I've fixed that.

denis13: Thanks, I've fixed that.
#define SANITIZER_INTERCEPT_STRPTIME SI_POSIX #define SANITIZER_INTERCEPT_STRPTIME SI_POSIX
#define SANITIZER_INTERCEPT_SCANF SI_POSIX #define SANITIZER_INTERCEPT_SCANF SI_POSIX
#define SANITIZER_INTERCEPT_ISOC99_SCANF SI_LINUX_NOT_ANDROID #define SANITIZER_INTERCEPT_ISOC99_SCANF SI_LINUX_NOT_ANDROID
#ifndef SANITIZER_INTERCEPT_PRINTF #ifndef SANITIZER_INTERCEPT_PRINTF
# define SANITIZER_INTERCEPT_PRINTF SI_POSIX # define SANITIZER_INTERCEPT_PRINTF SI_POSIX
# define SANITIZER_INTERCEPT_PRINTF_L (SI_FREEBSD || SI_NETBSD) # define SANITIZER_INTERCEPT_PRINTF_L (SI_FREEBSD || SI_NETBSD)
# define SANITIZER_INTERCEPT_ISOC99_PRINTF SI_LINUX_NOT_ANDROID # define SANITIZER_INTERCEPT_ISOC99_PRINTF SI_LINUX_NOT_ANDROID
#endif #endif
#define SANITIZER_INTERCEPT___PRINTF_CHK \
(SANITIZER_INTERCEPT_PRINTF && SI_LINUX_NOT_ANDROID)
#define SANITIZER_INTERCEPT_FREXP SI_NOT_FUCHSIA #define SANITIZER_INTERCEPT_FREXP SI_NOT_FUCHSIA
#define SANITIZER_INTERCEPT_FREXPF_FREXPL SI_POSIX #define SANITIZER_INTERCEPT_FREXPF_FREXPL SI_POSIX
#define SANITIZER_INTERCEPT_GETPWNAM_AND_FRIENDS SI_POSIX #define SANITIZER_INTERCEPT_GETPWNAM_AND_FRIENDS SI_POSIX
#define SANITIZER_INTERCEPT_GETPWNAM_R_AND_FRIENDS \ #define SANITIZER_INTERCEPT_GETPWNAM_R_AND_FRIENDS \
(SI_FREEBSD || SI_NETBSD || SI_MAC || SI_LINUX_NOT_ANDROID || SI_SOLARIS) (SI_FREEBSD || SI_NETBSD || SI_MAC || SI_LINUX_NOT_ANDROID || SI_SOLARIS)
#define SANITIZER_INTERCEPT_GETPWENT \ #define SANITIZER_INTERCEPT_GETPWENT \
(SI_FREEBSD || SI_NETBSD || SI_MAC || SI_LINUX_NOT_ANDROID || SI_SOLARIS) (SI_FREEBSD || SI_NETBSD || SI_MAC || SI_LINUX_NOT_ANDROID || SI_SOLARIS)
▲ Show 20 LinesShow All 241 LinesShow Last 20 Lines

test/asan/TestCases/Linux/printf-fortify-1.c

// RUN: %clang -fPIC -shared -O2 -D_FORTIFY_SOURCE=2 -D_DSO %s -o %t.so
// RUN: %clang_asan -o %t %t.so %s
// RUN: not %run %t 2>&1 | FileCheck %s
// UNSUPPORTED: android
#ifdef _DSO
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
__attribute__((noinline)) int foo() {
char *write_buffer = (char *)malloc(1);
// CHECK: AddressSanitizer: heap-buffer-overflow
sprintf(write_buffer, "%s_%s", "one", "two");
return write_buffer[0];
}
#else
extern int foo();
int main() { return foo(); }
#endif

test/asan/TestCases/Linux/printf-fortify-2.c

// RUN: %clang -fPIC -shared -O2 -D_FORTIFY_SOURCE=2 -D_DSO %s -o %t.so
// RUN: %clang_asan %s -o %t %t.so
// RUN: not %run %t 2>&1 | FileCheck %s
// UNSUPPORTED: android
#ifdef _DSO
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
__attribute__((noinline)) int foo() {
char *write_buffer = (char *)malloc(1);
// CHECK: AddressSanitizer: heap-buffer-overflow
snprintf(write_buffer, 4096, "%s_%s", "one", "two");
return write_buffer[0];
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

Maybe just:

char write_buffer[1];
snprintf(write_buffer, 2, "%s_%s", "one", "two");

vitalybuka: Maybe just: char write_buffer[1]; snprintf(write_buffer, 2, "%s_%s", "one", "two");
denis13AuthorUnsubmitted
Not Done
ReplyInline Actions

IMHO, in this test case the DSO is building without ASan's instrumentation, therefore the memory on the stack could not be "poisoned" with "redzones", in this case ASan could not handle the error. Sorry if I miss something, please correct me if I'm wrong. Thanks.

denis13: IMHO, in this test case the DSO is building without ASan's instrumentation, therefore the…
}
#else
extern int foo();
int main() { return foo(); }
#endif

test/asan/TestCases/Linux/printf-fortify-3.c

// RUN: %clang -shared -fPIC -D_DSO -O2 -D_FORTIFY_SOURCE=2 %s -o %t.so
// RUN: %clang_asan %s -o %t %t.so
// RUN: not %run %t 2>&1 | FileCheck %s
// UNSUPPORTED: android
#ifdef _DSO
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
__attribute__((noinline)) char foo(const char *format, ...) {
char *write_buffer = (char *)malloc(1);
va_list ap;
va_start(ap, format);
// CHECK: AddressSanitizer: heap-buffer-overflow
vsprintf(write_buffer, format, ap);
va_end(ap);
return write_buffer[0];
}
#else
extern int foo(const char *format, ...);
int main() { return foo("%s_%s", "one", "two"); }
#endif

test/asan/TestCases/Linux/printf-fortify-4.c

// RUN: %clang -fPIC -shared -O2 -D_FORTIFY_SOURCE=2 -D_DSO %s -o %t.so
// RUN: %clang_asan %s -o %t %t.so
// RUN: not %run %t 2>&1 | FileCheck %s
// UNSUPPORTED: android
#ifdef _DSO
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
__attribute__((noinline)) char foo(const char *format, ...) {
char *write_buffer = (char *)malloc(1);
va_list ap;
va_start(ap, format);
// CHECK: AddressSanitizer: heap-buffer-overflow
vsnprintf(write_buffer, 4096, format, ap);
va_end(ap);
return write_buffer[0];
}
#else
extern int foo(const char *format, ...);
int main() { return foo("%s_%s", "one", "two"); }
#endif

test/asan/TestCases/Linux/printf-fortify-5.c

// RUN: %clang -fPIC -shared -O2 -D_FORTIFY_SOURCE=2 -D_DSO %s -o %t.so
// RUN: %clang_asan -o %t %t.so %s
// RUN: not %run %t 2>&1 | FileCheck %s
// UNSUPPORTED: android
#ifdef _DSO
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
__attribute__((noinline)) int foo() {
char *read_buffer = (char *)malloc(1);
// CHECK: AddressSanitizer: heap-buffer-overflow
fprintf(stderr, read_buffer, 4096);
return read_buffer[0];
}
#else
extern int foo();
int main() { return foo(); }
#endif