Index: lib/sanitizer_common/sanitizer_common_interceptors.inc
===================================================================
--- lib/sanitizer_common/sanitizer_common_interceptors.inc
+++ lib/sanitizer_common/sanitizer_common_interceptors.inc
@@ -1552,6 +1552,12 @@
 va_list ap)
 VSNPRINTF_INTERCEPTOR_IMPL(vsnprintf, str, size, format, ap)
 
+#if SANITIZER_INTERCEPT___PRINTF_CHK
+INTERCEPTOR(int, __vsnprintf_chk, char *str, SIZE_T size, int flag,
+ SIZE_T size_to, const char *format, va_list ap)
+VSNPRINTF_INTERCEPTOR_IMPL(vsnprintf, str, size, format, ap)
+#endif
+
 #if SANITIZER_INTERCEPT_PRINTF_L
 INTERCEPTOR(int, vsnprintf_l, char *str, SIZE_T size, void *loc,
 const char *format, va_list ap)
@@ -1565,6 +1571,12 @@
 INTERCEPTOR(int, vsprintf, char *str, const char *format, va_list ap)
 VSPRINTF_INTERCEPTOR_IMPL(vsprintf, str, format, ap)
 
+#if SANITIZER_INTERCEPT___PRINTF_CHK
+INTERCEPTOR(int, __vsprintf_chk, char *str, int flag, SIZE_T size_to,
+ const char *format, va_list ap)
+VSPRINTF_INTERCEPTOR_IMPL(vsprintf, str, format, ap)
+#endif
+
 INTERCEPTOR(int, vasprintf, char **strp, const char *format, va_list ap)
 VASPRINTF_INTERCEPTOR_IMPL(vasprintf, strp, format, ap)
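Review bot: The new `__vsnprintf_chk` interceptor never reads its `flag` and `size_to` arguments — its body is `VSNPRINTF_INTERCEPTOR_IMPL(vsnprintf, ...)`, the same invocation the plain `vsnprintf` interceptor uses, so the call presumably lands in `REAL(vsnprintf)` (the macro's definition is outside the hunk) and glibc's fortify check that `size` does not exceed the object size the compiler computed is silently dropped for every sanitized process. The sanitizer's own range check only sees what the allocator poisons, so an overflow that `_FORTIFY_SOURCE` would have aborted on but that stays inside one allocation (a fixed array followed by another field of the same struct, say) now goes through unreported, and the new tests, which all overflow a `malloc(1)` buffer into its redzone, do not exercise that case. The same applies to `__vsprintf_chk` in the second hunk and to the three varargs wrappers in the `@@ -1593` hunk. If dropping the check is intended, say so at the definition, e.g. `// Forwards to the unchecked vsnprintf: flag and size_to are not honoured, the sanitizer's range check replaces them.`; otherwise a `_CHK` variant of the IMPL macro could compare `size` against `size_to` first and hand a failing call to `REAL(__vsnprintf_chk)` so glibc's abort is preserved. The `vsnprintf` interceptor whose tail forms this hunk's leading context starts outside the hunk.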
@@ -1593,12 +1605,30 @@
 INTERCEPTOR(int, fprintf, __sanitizer_FILE *stream, const char *format, ...)
 FORMAT_INTERCEPTOR_IMPL(fprintf, vfprintf, stream, format)
 
+#if SANITIZER_INTERCEPT___PRINTF_CHK
+INTERCEPTOR(int, __fprintf_chk, __sanitizer_FILE *stream, SIZE_T size,
+ const char *format, ...)
+FORMAT_INTERCEPTOR_IMPL(__fprintf_chk, vfprintf, stream, format)
+#endif
+
 INTERCEPTOR(int, sprintf, char *str, const char *format, ...) // NOLINT
 FORMAT_INTERCEPTOR_IMPL(sprintf, vsprintf, str, format) // NOLINT
 
+#if SANITIZER_INTERCEPT___PRINTF_CHK
+INTERCEPTOR(int, __sprintf_chk, char *str, int flag, SIZE_T size_to,
+ const char *format, ...) // NOLINT
+FORMAT_INTERCEPTOR_IMPL(__sprintf_chk, vsprintf, str, format) // NOLINT
+#endif
+
 INTERCEPTOR(int, snprintf, char *str, SIZE_T size, const char *format, ...)
 FORMAT_INTERCEPTOR_IMPL(snprintf, vsnprintf, str, size, format)
 
+#if SANITIZER_INTERCEPT___PRINTF_CHK
+INTERCEPTOR(int, __snprintf_chk, char *str, SIZE_T size, int flag,
+ SIZE_T size_to, const char *format, ...) // NOLINT
+FORMAT_INTERCEPTOR_IMPL(__snprintf_chk, vsnprintf, str, size, format) // NOLINT
+#endif
+
 INTERCEPTOR(int, asprintf, char **strp, const char *format, ...)
 FORMAT_INTERCEPTOR_IMPL(asprintf, vasprintf, strp, format)
 
@@ -1638,6 +1668,17 @@
 #define INIT_PRINTF
 #endif
 
+#if SANITIZER_INTERCEPT___PRINTF_CHK
+#define INIT___PRINTF_CHK \
+ COMMON_INTERCEPT_FUNCTION(__sprintf_chk); \
+ COMMON_INTERCEPT_FUNCTION(__snprintf_chk); \
+ COMMON_INTERCEPT_FUNCTION(__vsprintf_chk); \
+ COMMON_INTERCEPT_FUNCTION(__vsnprintf_chk); \
+ COMMON_INTERCEPT_FUNCTION(__fprintf_chk);
+#else
+#define INIT___PRINTF_CHK
+#endif
+
 #if SANITIZER_INTERCEPT_PRINTF_L
 #define INIT_PRINTF_L \
 COMMON_INTERCEPT_FUNCTION(snprintf_l); \
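Review bot: `__fprintf_chk`'s second parameter is declared `SIZE_T size`, while the other `_chk` wrappers in this hunk declare the fortify argument as `int flag`, and glibc's `__fprintf_chk` takes an `int flag` in that position as well; the value is unused so nothing breaks, but the name suggests a buffer size that does not exist for a stream and will mislead the next person who tries to honour it. Suggested: `INTERCEPTOR(int, __fprintf_chk, __sanitizer_FILE *stream, int flag,`.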
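Review bot: `INIT___PRINTF_CHK` registers only five `_chk` entry points, yet glibc also routes fortified `printf`, `vprintf` and `vfprintf` calls through `__printf_chk`, `__vprintf_chk` and `__vfprintf_chk`; a non-instrumented DSO built with `_FORTIFY_SOURCE=2` that calls those still bypasses the interceptors, so its format string and arguments never reach the sanitizer's printf checking (presumably `printf_common`, which is outside the hunk). Either add interceptors for them alongside the five here, or state the intended scope in a comment such as `// Only the buffer-writing fortify wrappers are intercepted; __printf_chk and __vfprintf_chk are not.`. The macro name `SANITIZER_INTERCEPT___PRINTF_CHK` reads as if `__printf_chk` itself were covered, which adds to the confusion.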
@@ -6560,4 +6601,6 @@
 COMMON_INTERCEPT_FUNCTION(__libc_mutex_unlock);
 COMMON_INTERCEPT_FUNCTION(__libc_thr_setcancelstate);
 #endif
+
+ INIT___PRINTF_CHK;
 }
Index: lib/sanitizer_common/sanitizer_platform_interceptors.h
===================================================================
--- lib/sanitizer_common/sanitizer_platform_interceptors.h
+++ lib/sanitizer_common/sanitizer_platform_interceptors.h
@@ -177,6 +177,9 @@
 # define SANITIZER_INTERCEPT_ISOC99_PRINTF SI_LINUX_NOT_ANDROID
 #endif
 
+#define SANITIZER_INTERCEPT___PRINTF_CHK \
+ (SANITIZER_INTERCEPT_PRINTF && SI_LINUX_NOT_ANDROID)
+
 #define SANITIZER_INTERCEPT_FREXP SI_NOT_FUCHSIA
 #define SANITIZER_INTERCEPT_FREXPF_FREXPL SI_POSIX
 
Index: test/asan/TestCases/Linux/printf-fortify-1.c
===================================================================
--- test/asan/TestCases/Linux/printf-fortify-1.c
+++ test/asan/TestCases/Linux/printf-fortify-1.c
@@ -0,0 +1,18 @@
+// RUN: %clang -fPIC -shared -O2 -D_FORTIFY_SOURCE=2 -D_DSO %s -o %t.so
+// RUN: %clang_asan -o %t %t.so %s
+// RUN: not %run %t 2>&1 | FileCheck %s
+// UNSUPPORTED: android
+#ifdef _DSO
+#include
+#include
+#include
+__attribute__((noinline)) int foo() {
+ char *write_buffer = (char *)malloc(1);
+ // CHECK: AddressSanitizer: heap-buffer-overflow
+ sprintf(write_buffer, "%s_%s", "one", "two");
+ return write_buffer[0];
+}
+#else
+extern int foo();
+int main() { return foo(); }
+#endif
Index: test/asan/TestCases/Linux/printf-fortify-2.c
===================================================================
--- test/asan/TestCases/Linux/printf-fortify-2.c
+++ test/asan/TestCases/Linux/printf-fortify-2.c
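Review bot: `INIT___PRINTF_CHK;` is appended after the last platform-specific `#endif` at the very end of the function (whose start is outside the hunk) rather than next to the other printf init macros; presumably `INIT_PRINTF;` and `INIT_PRINTF_L;` are invoked earlier in the same function, and placing `INIT___PRINTF_CHK;` directly after them keeps the family together and avoids the stray blank line now added before the closing brace.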
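Review bot: The new `SANITIZER_INTERCEPT___PRINTF_CHK` define carries no comment saying what the `__*_chk` symbols are or why the condition is `SI_LINUX_NOT_ANDROID` rather than the `SI_POSIX` most neighbours use; the reason is presumably that these are glibc's `_FORTIFY_SOURCE` entry points, and the new tests carry `UNSUPPORTED: android` for the same reason, but the header does not say so. A one-line comment above the define, e.g. `// glibc _FORTIFY_SOURCE wrappers (__sprintf_chk etc.); only where the plain printf family is intercepted.`, would save the next reader the lookup.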
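Review bot: The test's whole premise — that `-O2 -D_FORTIFY_SOURCE=2` in a DSO built without ASan turns `sprintf` into a `__sprintf_chk` call that only interception can catch — is not stated anywhere in printf-fortify-1.c, so a reader cannot tell why the `_DSO`/main split and the two different compile lines are needed. A comment near the top such as `// The DSO is built without ASan: the overflow is only visible through the __sprintf_chk interceptor.` would make the intent clear; the same applies to printf-fortify-2 through -5. Leaking `write_buffer` is fine for a test that is expected to die inside the `sprintf` call.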
@@ -0,0 +1,18 @@
+// RUN: %clang -fPIC -shared -O2 -D_FORTIFY_SOURCE=2 -D_DSO %s -o %t.so
+// RUN: %clang_asan %s -o %t %t.so
+// RUN: not %run %t 2>&1 | FileCheck %s
+// UNSUPPORTED: android
+#ifdef _DSO
+#include
+#include
+#include
+__attribute__((noinline)) int foo() {
+ char *write_buffer = (char *)malloc(1);
+ // CHECK: AddressSanitizer: heap-buffer-overflow
+ snprintf(write_buffer, 4096, "%s_%s", "one", "two");
+ return write_buffer[0];
+}
+#else
+extern int foo();
+int main() { return foo(); }
+#endif
Index: test/asan/TestCases/Linux/printf-fortify-3.c
===================================================================
--- test/asan/TestCases/Linux/printf-fortify-3.c
+++ test/asan/TestCases/Linux/printf-fortify-3.c
@@ -0,0 +1,22 @@
+// RUN: %clang -shared -fPIC -D_DSO -O2 -D_FORTIFY_SOURCE=2 %s -o %t.so
+// RUN: %clang_asan %s -o %t %t.so
+// RUN: not %run %t 2>&1 | FileCheck %s
+// UNSUPPORTED: android
+#ifdef _DSO
+#include
+#include
+#include
+#include
+__attribute__((noinline)) char foo(const char *format, ...) {
+ char *write_buffer = (char *)malloc(1);
+ va_list ap;
+ va_start(ap, format);
+ // CHECK: AddressSanitizer: heap-buffer-overflow
+ vsprintf(write_buffer, format, ap);
+ va_end(ap);
+ return write_buffer[0];
+}
+#else
+extern int foo(const char *format, ...);
+int main() { return foo("%s_%s", "one", "two"); }
+#endif
Index: test/asan/TestCases/Linux/printf-fortify-4.c
===================================================================
--- test/asan/TestCases/Linux/printf-fortify-4.c
+++ test/asan/TestCases/Linux/printf-fortify-4.c
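Review bot: `foo` is defined as `char foo(const char *format, ...)` in the `_DSO` half of printf-fortify-3.c but declared `extern int foo(const char *format, ...);` in the main half, so the two translation units disagree on the return type (printf-fortify-4.c has the same mismatch); calling a function through an incompatible declaration is undefined behaviour even where it happens to work. Use one type on both sides, e.g. `extern char foo(const char *format, ...);` in the `#else` branch, or define `foo` returning `int` as printf-fortify-1 and -2 do.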
@@ -0,0 +1,22 @@
+// RUN: %clang -fPIC -shared -O2 -D_FORTIFY_SOURCE=2 -D_DSO %s -o %t.so
+// RUN: %clang_asan %s -o %t %t.so
+// RUN: not %run %t 2>&1 | FileCheck %s
+// UNSUPPORTED: android
+#ifdef _DSO
+#include
+#include
+#include
+#include
+__attribute__((noinline)) char foo(const char *format, ...) {
+ char *write_buffer = (char *)malloc(1);
+ va_list ap;
+ va_start(ap, format);
+ // CHECK: AddressSanitizer: heap-buffer-overflow
+ vsnprintf(write_buffer, 4096, format, ap);
+ va_end(ap);
+ return write_buffer[0];
+}
+#else
+extern int foo(const char *format, ...);
+int main() { return foo("%s_%s", "one", "two"); }
+#endif
Index: test/asan/TestCases/Linux/printf-fortify-5.c
===================================================================
--- test/asan/TestCases/Linux/printf-fortify-5.c
+++ test/asan/TestCases/Linux/printf-fortify-5.c
@@ -0,0 +1,18 @@
+// RUN: %clang -fPIC -shared -O2 -D_FORTIFY_SOURCE=2 -D_DSO %s -o %t.so
+// RUN: %clang_asan -o %t %t.so %s
+// RUN: not %run %t 2>&1 | FileCheck %s
+// UNSUPPORTED: android
+#ifdef _DSO
+#include
+#include
+#include
+__attribute__((noinline)) int foo() {
+ char *read_buffer = (char *)malloc(1);
+ // CHECK: AddressSanitizer: heap-buffer-overflow
+ fprintf(stderr, read_buffer, 4096);
+ return read_buffer[0];
+}
+#else
+extern int foo();
+int main() { return foo(); }
+#endif
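Review bot: `fprintf(stderr, read_buffer, 4096)` in printf-fortify-5.c passes a freshly allocated, never-written 1-byte buffer as the format string, so the expected heap-buffer-overflow (reading past byte 0 while scanning the format) only happens because the allocator hands back a non-NUL byte; ASan's default `malloc_fill_byte` makes that true today, but the test would fail for an unrelated reason if the fill policy changed or the runtime flags set it to 0. Writing a byte explicitly, `read_buffer[0] = 'x';` before the `fprintf`, pins the overflow to the test's own doing rather than the allocator. The trailing `4096` argument is never consumed by any conversion and could be dropped or explained in a comment.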