This is an archive of the discontinued LLVM Phabricator instance.

Differential D41243

[ASan] Add interceptros for fortified strcat, strncat, strcpy, strncpy.
AbandonedPublic

Authored by denis13 on Dec 14 2017, 8:03 AM.

Details

Reviewers
m.ostapenko
eugenis
kcc
ygribov
vitalybuka
Summary

There might be a situation when asan-ed binary links against DSO which were built with FORTIFY_SOURCE option, in case DSO has strcat, strncat, strcpy or strncpy functions, ASan should has interceptors for the "fortified" functions to be able to handle potential memory bugs.

GCC and clang produces different code with this functions:
in case compiler is gcc, it replaces strcat, strncat, strcpy or strncpy to "fortifed" functions, but clang generates code which does not have this functions at all.
So, to be able to test the interceptors, I've manually added strcat_chk, strncat_chk, strcpy_chk, strncpy_chk functions to the tests.

Diff Detail

Event Timeline

denis13 created this revision.Dec 14 2017, 8:03 AM
Herald added subscribers: kubamracek, srhines. · View Herald TranscriptDec 14 2017, 8:03 AM
denis13 added a reviewer: m.ostapenko.Dec 14 2017, 8:04 AM
denis13 added a subscriber: llvm-commits.Dec 19 2017, 8:52 AM
denis13 added reviewers: eugenis, vitalybuka, alekseyshl, kcc, ygribov.Dec 19 2017, 9:52 AM
kcc added a comment.Dec 19 2017, 10:52 AM

The discussion about asan+fortify has been going on for ages and I don't think we ever reached an agreement on how to proceed. Did we?

vitalybuka added inline comments.Dec 19 2017, 10:56 AM
lib/asan/asan_interceptors.cc
359

Interceptor should use to_size.

363

Look like all implementations are copy/paste from non _chk code. We need to extract and share common parts.

kcc added a comment.Dec 19 2017, 11:15 AM

I suggest to restart the discussion of this topic with the owners of fortify.
So far I am not convinced that we need/want this code in asan.

vitalybuka resigned from this revision.Jan 19 2018, 12:04 PM
alekseyshl removed a reviewer: alekseyshl.Jun 20 2018, 5:19 PM
denis13 abandoned this revision.Jan 16 2020, 8:16 AM

Revision Contents

PathSize
lib/
asan/
8 lines
98 lines
test/
asan/
TestCases/
Linux/
19 lines
19 lines
19 lines
18 lines

Diff 126961

lib/asan/asan_interceptors.h

Context not available.
#if SANITIZER_LINUX && !SANITIZER_ANDROID #if SANITIZER_LINUX && !SANITIZER_ANDROID
# define ASAN_INTERCEPT___LONGJMP_CHK 1 # define ASAN_INTERCEPT___LONGJMP_CHK 1
# define ASAN_INTERCEPT___STRCPY_CHK 1
# define ASAN_INTERCEPT___STRNCPY_CHK 1
# define ASAN_INTERCEPT___STRCAT_CHK 1
# define ASAN_INTERCEPT___STRNCAT_CHK 1
#else #else
# define ASAN_INTERCEPT___LONGJMP_CHK 0 # define ASAN_INTERCEPT___LONGJMP_CHK 0
# define ASAN_INTERCEPT___STRCPY_CHK 0
# define ASAN_INTERCEPT___STRNCPY_CHK 0
# define ASAN_INTERCEPT___STRCAT_CHK 0
# define ASAN_INTERCEPT___STRNCAT_CHK 0
#endif #endif
// Android bug: https://code.google.com/p/android/issues/detail?id=61799 // Android bug: https://code.google.com/p/android/issues/detail?id=61799
Context not available.

lib/asan/asan_interceptors.cc

Context not available.
return REAL(strcat)(to, from); // NOLINT return REAL(strcat)(to, from); // NOLINT
} }
#if ASAN_INTERCEPT___STRCAT_CHK
INTERCEPTOR(char*, __strcat_chk, char *to, const char *from, uptr to_size) {
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

Interceptor should use to_size.

vitalybuka: Interceptor should use to_size.
void *ctx;
ASAN_INTERCEPTOR_ENTER(ctx, __strcat_chk); // NOLINT
ENSURE_ASAN_INITED();
if (flags()->replace_str) {
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

Look like all implementations are copy/paste from non _chk code. We need to extract and share common parts.

vitalybuka: Look like all implementations are copy/paste from non _chk code. We need to extract and share…
uptr from_length = REAL(strlen)(from);
ASAN_READ_RANGE(ctx, from, from_length + 1);
uptr to_length = REAL(strlen)(to);
ASAN_READ_STRING_OF_LEN(ctx, to, to_length, to_length);
ASAN_WRITE_RANGE(ctx, to + to_length, from_length + 1);
// If the copying actually happens, the |from| string should not overlap
// with the resulting string starting at |to|, which has a length of
// to_length + from_length + 1.
if (from_length > 0) {
CHECK_RANGES_OVERLAP("__strcat_chk", to, from_length + to_length + 1,
from, from_length + 1);
}
}
return REAL(strcat)(to, from); // NOLINT
}
#endif
INTERCEPTOR(char*, strncat, char *to, const char *from, uptr size) { INTERCEPTOR(char*, strncat, char *to, const char *from, uptr size) {
void *ctx; void *ctx;
ASAN_INTERCEPTOR_ENTER(ctx, strncat); ASAN_INTERCEPTOR_ENTER(ctx, strncat);
Context not available.
return REAL(strncat)(to, from, size); return REAL(strncat)(to, from, size);
} }
#if ASAN_INTERCEPT___STRNCAT_CHK
INTERCEPTOR(char*, __strncat_chk, char *to, const char *from, uptr size,
uptr to_size) {
void *ctx;
ASAN_INTERCEPTOR_ENTER(ctx, __strncat_chk);
ENSURE_ASAN_INITED();
if (flags()->replace_str) {
uptr from_length = MaybeRealStrnlen(from, size);
uptr copy_length = Min(size, from_length + 1);
ASAN_READ_RANGE(ctx, from, copy_length);
uptr to_length = REAL(strlen)(to);
ASAN_READ_STRING_OF_LEN(ctx, to, to_length, to_length);
ASAN_WRITE_RANGE(ctx, to + to_length, from_length + 1);
if (from_length > 0) {
CHECK_RANGES_OVERLAP("__strncat_chk", to, to_length + copy_length + 1,
from, copy_length);
}
}
return REAL(strncat)(to, from, size);
}
#endif
INTERCEPTOR(char*, strcpy, char *to, const char *from) { // NOLINT INTERCEPTOR(char*, strcpy, char *to, const char *from) { // NOLINT
void *ctx; void *ctx;
ASAN_INTERCEPTOR_ENTER(ctx, strcpy); // NOLINT ASAN_INTERCEPTOR_ENTER(ctx, strcpy); // NOLINT
Context not available.
return REAL(strcpy)(to, from); // NOLINT return REAL(strcpy)(to, from); // NOLINT
} }
#if ASAN_INTERCEPT___STRCPY_CHK
INTERCEPTOR(char*, __strcpy_chk, char *to, const char *from,
uptr to_size) { // NOLINT
void *ctx;
ASAN_INTERCEPTOR_ENTER(ctx, __strcpy_chk); // NOLINT
#if SANITIZER_MAC
if (UNLIKELY(!asan_inited)) return REAL(strcpy)(to, from); // NOLINT
#endif
// strcpy is called from malloc_default_purgeable_zone()
// in __asan::ReplaceSystemAlloc() on Mac.
if (asan_init_is_running) {
return REAL(strcpy)(to, from); // NOLINT
}
ENSURE_ASAN_INITED();
if (flags()->replace_str) {
uptr from_size = REAL(strlen)(from) + 1;
CHECK_RANGES_OVERLAP("__strcpy_chk", to, from_size, from, from_size);
ASAN_READ_RANGE(ctx, from, from_size);
ASAN_WRITE_RANGE(ctx, to, from_size);
}
return REAL(strcpy)(to, from); // NOLINT
}
#endif
INTERCEPTOR(char*, strdup, const char *s) { INTERCEPTOR(char*, strdup, const char *s) {
void *ctx; void *ctx;
ASAN_INTERCEPTOR_ENTER(ctx, strdup); ASAN_INTERCEPTOR_ENTER(ctx, strdup);
Context not available.
return REAL(strncpy)(to, from, size); return REAL(strncpy)(to, from, size);
} }
#if ASAN_INTERCEPT___STRNCPY_CHK
INTERCEPTOR(char*, __strncpy_chk, char *to, const char *from, uptr size,
uptr to_size) {
void *ctx;
ASAN_INTERCEPTOR_ENTER(ctx, __strncpy_chk);
ENSURE_ASAN_INITED();
if (flags()->replace_str) {
uptr from_size = Min(size, MaybeRealStrnlen(from, size) + 1);
CHECK_RANGES_OVERLAP("__strncpy_chk", to, from_size, from, from_size);
ASAN_READ_RANGE(ctx, from, from_size);
ASAN_WRITE_RANGE(ctx, to, size);
}
return REAL(strncpy)(to, from, size);
}
#endif
INTERCEPTOR(long, strtol, const char *nptr, // NOLINT INTERCEPTOR(long, strtol, const char *nptr, // NOLINT
char **endptr, int base) { char **endptr, int base) {
void *ctx; void *ctx;
Context not available.
ASAN_INTERCEPT_FUNC(fork); ASAN_INTERCEPT_FUNC(fork);
#endif #endif
#if ASAN_INTERCEPT___STRCPY_CHK
ASAN_INTERCEPT_FUNC(__strcpy_chk);
#endif
#if ASAN_INTERCEPT___STRNCPY_CHK
ASAN_INTERCEPT_FUNC(__strncpy_chk);
#endif
#if ASAN_INTERCEPT___STRCAT_CHK
ASAN_INTERCEPT_FUNC(__strcat_chk);
#endif
#if ASAN_INTERCEPT___STRNCAT_CHK
ASAN_INTERCEPT_FUNC(__strncat_chk);
#endif
InitializePlatformInterceptors(); InitializePlatformInterceptors();
VReport(1, "AddressSanitizer: libc interceptors initialized\n"); VReport(1, "AddressSanitizer: libc interceptors initialized\n");
Context not available.

test/asan/TestCases/Linux/strcat-fortify.c

  • This file was added.
// RUN: %clang -fPIC -shared -D_DSO %s -o %t.so
// RUN: %clang_asan %s -o %t %t.so
// RUN: not %run %t 2>&1 | FileCheck %s
// UNSUPPORTED: android
#ifdef _DSO
#include <stdlib.h>
extern char *__strcat_chk(char *, const char *, size_t);
int foo() {
char *write_buffer = (char *)malloc(2);
const char *read_buffer = "abcdeabcde";
write_buffer[1] = '\0';
// CHECK: AddressSanitizer: heap-buffer-overflow
__strcat_chk(write_buffer, read_buffer, 2);
return write_buffer[0];
}
#else
extern int foo ();
int main() { return foo(); }
#endif

test/asan/TestCases/Linux/strcpy-fortify.c

  • This file was added.
// RUN: %clang -fPIC -shared -D_DSO %s -o %t.so
// RUN: %clang_asan %s -o %t %t.so
// RUN: not %run %t 2>&1 | FileCheck %s
// UNSUPPORTED: android
#ifdef _DSO
#include <stdlib.h>
extern char *__strcpy_chk(char *, const char *, size_t);
int foo() {
char *write_buffer = (char *)malloc(1);
const char *read_buffer = "abcdeabcde";
// CHECK: AddressSanitizer: heap-buffer-overflow
__strcpy_chk(write_buffer, read_buffer, 10);
return write_buffer[0];
}
#else
extern int foo();
int main() { return foo(); }
#endif

test/asan/TestCases/Linux/strncat-fortify.c

  • This file was added.
// RUN: %clang -fPIC -shared -O0 -D_DSO %s -o %t.so
// RUN: %clang_asan %s -o %t %t.so
// RUN: not %run %t 2>&1 | FileCheck %s
// UNSUPPORTED: android
#ifdef _DSO
#include <stdlib.h>
extern char *__strncat_chk(char *, const char *, size_t, size_t);
int foo() {
char *write_buffer = (char *)malloc(2);
const char *read_buffer = "abcdeabcde";
write_buffer[1] = '\0';
// CHECK: AddressSanitizer: heap-buffer-overflow
__strncat_chk(write_buffer, read_buffer, 10, 2);
return write_buffer[0];
}
#else
extern int foo();
int main() { return foo(); }
#endif

test/asan/TestCases/Linux/strncpy-fortify.c

  • This file was added.
// RUN: %clang -fPIC -shared -D_DSO %s -o %t.so
// RUN: %clang_asan %s -o %t %t.so
// RUN: not %run %t 2>&1 | FileCheck %s
// UNSUPPORTED: android
#ifdef _DSO
#include <stdlib.h>
extern char *__strncpy_chk(char *, const char *, size_t, size_t);
int foo() {
char *write_buffer = (char *)malloc(1);
const char *read_buffer = "abcdeabcde";
// CHECK: AddressSanitizer: heap-buffer-overflow
__strncpy_chk(write_buffer, read_buffer, 10, 1);
return write_buffer[0];
}
#else
extern int foo();
int main() { return foo(); }
#endif