This is an archive of the discontinued LLVM Phabricator instance.

ASan+operator new[]: Fix operator new[] cookie poisoning
ClosedPublic

Authored by filcab on Dec 15 2017, 9:59 AM.

Download Raw Diff

Details

Reviewers

rjmccall
kcc
rsmith

Commits

rG016860cf2fa9: ASan+operator new[]: Fix operator new[] cookie poisoning
rC321645: ASan+operator new[]: Fix operator new[] cookie poisoning
rL321645: ASan+operator new[]: Fix operator new[] cookie poisoning

Summary

The C++ Itanium ABI says:
No cookie is required if the new operator being used is ::operator new[](size_t, void*).

We should only avoid poisoning the cookie if we're calling this
operator, not others. This is dealt with before the call to
InitializeArrayCookie.

Diff Detail

Repository: rL LLVM

Event Timeline

filcab created this revision.Dec 15 2017, 9:59 AM

LGTM.

This revision is now accepted and ready to land.Dec 15 2017, 6:51 PM

Closed by commit rL321645: ASan+operator new[]: Fix operator new[] cookie poisoning (authored by filcab). · Explain WhyJan 2 2018, 5:22 AM

This revision was automatically updated to reflect the committed changes.

filcab mentioned this in D41664: Remove test which assumed array cookies can't be poisoned when using an operator new defined in a class.Jan 2 2018, 8:12 AM

Revision Contents

Path

Size

cfe/

trunk/

lib/

CodeGen/

ItaniumCXXABI.cpp

3 lines

test/

CodeGen/

address-sanitizer-and-array-cookie.cpp

10 lines

Diff 128412

cfe/trunk/lib/CodeGen/ItaniumCXXABI.cpp

Show First 20 Lines • Show All 1,841 Lines • ▼ Show 20 Lines	if (!CookieOffset.isZero())
CookiePtr = CGF.Builder.CreateConstInBoundsByteGEP(CookiePtr, CookieOffset);		CookiePtr = CGF.Builder.CreateConstInBoundsByteGEP(CookiePtr, CookieOffset);

// Write the number of elements into the appropriate slot.		// Write the number of elements into the appropriate slot.
Address NumElementsPtr =		Address NumElementsPtr =
CGF.Builder.CreateElementBitCast(CookiePtr, CGF.SizeTy);		CGF.Builder.CreateElementBitCast(CookiePtr, CGF.SizeTy);
llvm::Instruction *SI = CGF.Builder.CreateStore(NumElements, NumElementsPtr);		llvm::Instruction *SI = CGF.Builder.CreateStore(NumElements, NumElementsPtr);

// Handle the array cookie specially in ASan.		// Handle the array cookie specially in ASan.
if (CGM.getLangOpts().Sanitize.has(SanitizerKind::Address) && AS == 0 &&		if (CGM.getLangOpts().Sanitize.has(SanitizerKind::Address) && AS == 0) {
expr->getOperatorNew()->isReplaceableGlobalAllocationFunction()) {
// The store to the CookiePtr does not need to be instrumented.		// The store to the CookiePtr does not need to be instrumented.
CGM.getSanitizerMetadata()->disableSanitizerForInstruction(SI);		CGM.getSanitizerMetadata()->disableSanitizerForInstruction(SI);
llvm::FunctionType *FTy =		llvm::FunctionType *FTy =
llvm::FunctionType::get(CGM.VoidTy, NumElementsPtr.getType(), false);		llvm::FunctionType::get(CGM.VoidTy, NumElementsPtr.getType(), false);
llvm::Constant *F =		llvm::Constant *F =
CGM.CreateRuntimeFunction(FTy, "__asan_poison_cxx_array_cookie");		CGM.CreateRuntimeFunction(FTy, "__asan_poison_cxx_array_cookie");
CGF.Builder.CreateCall(F, NumElementsPtr.getPointer());		CGF.Builder.CreateCall(F, NumElementsPtr.getPointer());
}		}
▲ Show 20 Lines • Show All 2,194 Lines • Show Last 20 Lines

cfe/trunk/test/CodeGen/address-sanitizer-and-array-cookie.cpp

	// RUN: %clang_cc1 -triple x86_64-gnu-linux -emit-llvm -o - %s \| FileCheck %s -check-prefix=PLAIN			// RUN: %clang_cc1 -triple x86_64-gnu-linux -emit-llvm -o - %s \| FileCheck %s -check-prefix=PLAIN
	// RUN: %clang_cc1 -triple x86_64-gnu-linux -emit-llvm -o - -fsanitize=address %s \| FileCheck %s -check-prefix=ASAN			// RUN: %clang_cc1 -triple x86_64-gnu-linux -emit-llvm -o - -fsanitize=address %s \| FileCheck %s -check-prefix=ASAN

	typedef __typeof__(sizeof(0)) size_t;			typedef __typeof__(sizeof(0)) size_t;
	namespace std {			namespace std {
	struct nothrow_t {};			struct nothrow_t {};
	std::nothrow_t nothrow;			std::nothrow_t nothrow;
	}			}
	void *operator new[](size_t, const std::nothrow_t &) throw();			void *operator new[](size_t, const std::nothrow_t &) throw();
	void operator new[](size_t, char );			void operator new[](size_t, void );

	struct C {			struct C {
	int x;			int x;
	~C();			~C();
	};			};

	C *CallNew() {			C *CallNew() {
	return new C[10];			return new C[10];
	Show All 29 Lines
	// ASAN-NOT: nosanitize			// ASAN-NOT: nosanitize

	char Buffer[20];			char Buffer[20];
	C *CallPlacementNew() {			C *CallPlacementNew() {
	return new (Buffer) C[20];			return new (Buffer) C[20];
	}			}
	// ASAN-LABEL: CallPlacementNew			// ASAN-LABEL: CallPlacementNew
	// ASAN-NOT: __asan_poison_cxx_array_cookie			// ASAN-NOT: __asan_poison_cxx_array_cookie

				void *operator new[](size_t n, int);

				C *CallNewWithArgs() {
				// ASAN-LABEL: CallNewWithArgs
				// ASAN: call void @__asan_poison_cxx_array_cookie
				return new (123) C[20];
				}