This is an archive of the discontinued LLVM Phabricator instance.

Differential D43013

ASan+operator new[]: Fix operator new[] cookie poisoning
ClosedPublic

Authored by filcab on Feb 7 2018, 3:18 AM.

Details

Reviewers
rjmccall
kcc
rsmith
Commits
rG4ba5817b8b7f: ASan+operator new[]: Add an option for more thorough operator new[] cookie…
rL324884: ASan+operator new[]: Add an option for more thorough operator new[] cookie…
rC324884: ASan+operator new[]: Add an option for more thorough operator new[] cookie…
Summary

Right now clang is skipping array cookie poisoning for any operator
new[] which is not part of the set of replaceable global allocation
functions.

This commit adds a flag to tell clang to poison all operator new[]
cookies.

A previous review was poisoning all array cookies unconditionally, but
there is an edge case which would stop working under ASan (a custom
operator new[] saves whatever pointer it returned, and then accesses
it).

This newer revision adds a command line argument to toggle this feature.

Original revision: https://reviews.llvm.org/D41301
Compiler-rt test revision with an explanation of the edge case: https://reviews.llvm.org/D41664

Diff Detail

Repository
rC Clang

Event Timeline

filcab created this revision.Feb 7 2018, 3:18 AM
Harbormaster completed remote builds in B14709: Diff 133190.Feb 7 2018, 3:18 AM
filcab mentioned this in D41664: Remove test which assumed array cookies can't be poisoned when using an operator new defined in a class.Feb 7 2018, 4:08 AM
rjmccall added a comment.Feb 7 2018, 12:13 PM

I don't understand why your description of this patch mentions the void* placement new[] operator. There's no cookie to poison for that operator.

filcab added a comment.Feb 8 2018, 2:25 AM
In D43013#1001006, @rjmccall wrote:

I don't understand why your description of this patch mentions the void* placement new[] operator. There's no cookie to poison for that operator.

Hah, sorry. In writing this commit log I used parts of the old patch one. I'll update with a better commit log.

filcab updated this revision to Diff 133389.Feb 8 2018, 2:29 AM

Update commit message.

Harbormaster completed remote builds in B14750: Diff 133389.Feb 8 2018, 2:30 AM
filcab edited the summary of this revision. (Show Details)Feb 8 2018, 2:31 AM
filcab edited the summary of this revision. (Show Details)
rjmccall accepted this revision.Feb 8 2018, 11:03 AM

Okay, thanks. LGTM.

This revision is now accepted and ready to land.Feb 8 2018, 11:03 AM
Closed by commit rC324884: ASan+operator new[]: Add an option for more thorough operator new[] cookie… (authored by filcab). · Explain WhyFeb 12 2018, 3:51 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
include/
clang/
Driver/
8 lines
Frontend/
3 lines
lib/
CodeGen/
3 lines
Frontend/
7 lines
test/
CodeGen/
9 lines

Diff 133830

include/clang/Driver/Options.td

Show First 20 LinesShow All 892 Lines▼ Show 20 Linesdef fsanitize_address_field_padding : Joined<["-"], "fsanitize-address-field-padding=">,
HelpText<"Level of field padding for AddressSanitizer">; HelpText<"Level of field padding for AddressSanitizer">;
def fsanitize_address_use_after_scope : Flag<["-"], "fsanitize-address-use-after-scope">, def fsanitize_address_use_after_scope : Flag<["-"], "fsanitize-address-use-after-scope">,
Group<f_clang_Group>, Group<f_clang_Group>,
HelpText<"Enable use-after-scope detection in AddressSanitizer">; HelpText<"Enable use-after-scope detection in AddressSanitizer">;
def fno_sanitize_address_use_after_scope : Flag<["-"], "fno-sanitize-address-use-after-scope">, def fno_sanitize_address_use_after_scope : Flag<["-"], "fno-sanitize-address-use-after-scope">,
Group<f_clang_Group>, Group<f_clang_Group>,
Flags<[CoreOption, DriverOption]>, Flags<[CoreOption, DriverOption]>,
HelpText<"Disable use-after-scope detection in AddressSanitizer">; HelpText<"Disable use-after-scope detection in AddressSanitizer">;
def fsanitize_address_poison_class_member_array_new_cookie
: Flag<[ "-" ], "fsanitize-address-poison-class-member-array-new-cookie">,
Group<f_clang_Group>,
HelpText<"Enable poisoning array cookies when using class member operator new[] in AddressSanitizer">;
def fno_sanitize_address_poison_class_member_array_new_cookie
: Flag<[ "-" ], "fno-sanitize-address-poison-class-member-array-new-cookie">,
Group<f_clang_Group>,
HelpText<"Disable poisoning array cookies when using class member operator new[] in AddressSanitizer">;
def fsanitize_address_globals_dead_stripping : Flag<["-"], "fsanitize-address-globals-dead-stripping">, def fsanitize_address_globals_dead_stripping : Flag<["-"], "fsanitize-address-globals-dead-stripping">,
Group<f_clang_Group>, Group<f_clang_Group>,
HelpText<"Enable linker dead stripping of globals in AddressSanitizer">; HelpText<"Enable linker dead stripping of globals in AddressSanitizer">;
def fsanitize_recover : Flag<["-"], "fsanitize-recover">, Group<f_clang_Group>; def fsanitize_recover : Flag<["-"], "fsanitize-recover">, Group<f_clang_Group>;
def fno_sanitize_recover : Flag<["-"], "fno-sanitize-recover">, def fno_sanitize_recover : Flag<["-"], "fno-sanitize-recover">,
Flags<[CoreOption, DriverOption]>, Flags<[CoreOption, DriverOption]>,
Group<f_clang_Group>; Group<f_clang_Group>;
def fsanitize_recover_EQ : CommaJoined<["-"], "fsanitize-recover=">, def fsanitize_recover_EQ : CommaJoined<["-"], "fsanitize-recover=">,
▲ Show 20 LinesShow All 1,911 LinesShow Last 20 Lines

include/clang/Frontend/CodeGenOptions.def

Show First 20 LinesShow All 153 Lines▼ Show 20 Lines
CODEGENOPT(RelaxAll , 1, 0) ///< Relax all machine code instructions. CODEGENOPT(RelaxAll , 1, 0) ///< Relax all machine code instructions.
CODEGENOPT(RelaxedAliasing , 1, 0) ///< Set when -fno-strict-aliasing is enabled. CODEGENOPT(RelaxedAliasing , 1, 0) ///< Set when -fno-strict-aliasing is enabled.
CODEGENOPT(StructPathTBAA , 1, 0) ///< Whether or not to use struct-path TBAA. CODEGENOPT(StructPathTBAA , 1, 0) ///< Whether or not to use struct-path TBAA.
CODEGENOPT(NewStructPathTBAA , 1, 0) ///< Whether or not to use enhanced struct-path TBAA. CODEGENOPT(NewStructPathTBAA , 1, 0) ///< Whether or not to use enhanced struct-path TBAA.
CODEGENOPT(SaveTempLabels , 1, 0) ///< Save temporary labels. CODEGENOPT(SaveTempLabels , 1, 0) ///< Save temporary labels.
CODEGENOPT(SanitizeAddressUseAfterScope , 1, 0) ///< Enable use-after-scope detection CODEGENOPT(SanitizeAddressUseAfterScope , 1, 0) ///< Enable use-after-scope detection
///< in AddressSanitizer ///< in AddressSanitizer
CODEGENOPT(SanitizeAddressPoisonClassMemberArrayNewCookie, 1,
0) ///< Enable poisoning operator new[] which is not a replaceable
///< global allocation function in AddressSanitizer
CODEGENOPT(SanitizeAddressGlobalsDeadStripping, 1, 0) ///< Enable linker dead stripping CODEGENOPT(SanitizeAddressGlobalsDeadStripping, 1, 0) ///< Enable linker dead stripping
///< of globals in AddressSanitizer ///< of globals in AddressSanitizer
CODEGENOPT(SanitizeMemoryTrackOrigins, 2, 0) ///< Enable tracking origins in CODEGENOPT(SanitizeMemoryTrackOrigins, 2, 0) ///< Enable tracking origins in
///< MemorySanitizer ///< MemorySanitizer
CODEGENOPT(SanitizeMemoryUseAfterDtor, 1, 0) ///< Enable use-after-delete detection CODEGENOPT(SanitizeMemoryUseAfterDtor, 1, 0) ///< Enable use-after-delete detection
///< in MemorySanitizer ///< in MemorySanitizer
CODEGENOPT(SanitizeCfiCrossDso, 1, 0) ///< Enable cross-dso support in CFI. CODEGENOPT(SanitizeCfiCrossDso, 1, 0) ///< Enable cross-dso support in CFI.
CODEGENOPT(SanitizeMinimalRuntime, 1, 0) ///< Use "_minimal" sanitizer runtime for CODEGENOPT(SanitizeMinimalRuntime, 1, 0) ///< Use "_minimal" sanitizer runtime for
▲ Show 20 LinesShow All 150 LinesShow Last 20 Lines

lib/CodeGen/ItaniumCXXABI.cpp

Show First 20 LinesShow All 1,842 Lines▼ Show 20 LinesAddress ItaniumCXXABI::InitializeArrayCookie(CodeGenFunction &CGF,
// Write the number of elements into the appropriate slot. // Write the number of elements into the appropriate slot.
Address NumElementsPtr = Address NumElementsPtr =
CGF.Builder.CreateElementBitCast(CookiePtr, CGF.SizeTy); CGF.Builder.CreateElementBitCast(CookiePtr, CGF.SizeTy);
llvm::Instruction *SI = CGF.Builder.CreateStore(NumElements, NumElementsPtr); llvm::Instruction *SI = CGF.Builder.CreateStore(NumElements, NumElementsPtr);
// Handle the array cookie specially in ASan. // Handle the array cookie specially in ASan.
if (CGM.getLangOpts().Sanitize.has(SanitizerKind::Address) && AS == 0 && if (CGM.getLangOpts().Sanitize.has(SanitizerKind::Address) && AS == 0 &&
expr->getOperatorNew()->isReplaceableGlobalAllocationFunction()) { (expr->getOperatorNew()->isReplaceableGlobalAllocationFunction() ||
CGM.getCodeGenOpts().SanitizeAddressPoisonClassMemberArrayNewCookie)) {
// The store to the CookiePtr does not need to be instrumented. // The store to the CookiePtr does not need to be instrumented.
CGM.getSanitizerMetadata()->disableSanitizerForInstruction(SI); CGM.getSanitizerMetadata()->disableSanitizerForInstruction(SI);
llvm::FunctionType *FTy = llvm::FunctionType *FTy =
llvm::FunctionType::get(CGM.VoidTy, NumElementsPtr.getType(), false); llvm::FunctionType::get(CGM.VoidTy, NumElementsPtr.getType(), false);
llvm::Constant *F = llvm::Constant *F =
CGM.CreateRuntimeFunction(FTy, "__asan_poison_cxx_array_cookie"); CGM.CreateRuntimeFunction(FTy, "__asan_poison_cxx_array_cookie");
CGF.Builder.CreateCall(F, NumElementsPtr.getPointer()); CGF.Builder.CreateCall(F, NumElementsPtr.getPointer());
} }
▲ Show 20 LinesShow All 2,203 LinesShow Last 20 Lines

lib/Frontend/CompilerInvocation.cpp

Show First 20 LinesShow All 884 Lines▼ Show 20 Lines Opts.SanitizeMemoryUseAfterDtor =
Args.hasFlag(OPT_fsanitize_memory_use_after_dtor, Args.hasFlag(OPT_fsanitize_memory_use_after_dtor,
OPT_fno_sanitize_memory_use_after_dtor, OPT_fno_sanitize_memory_use_after_dtor,
false); false);
Opts.SanitizeMinimalRuntime = Args.hasArg(OPT_fsanitize_minimal_runtime); Opts.SanitizeMinimalRuntime = Args.hasArg(OPT_fsanitize_minimal_runtime);
Opts.SanitizeCfiCrossDso = Args.hasArg(OPT_fsanitize_cfi_cross_dso); Opts.SanitizeCfiCrossDso = Args.hasArg(OPT_fsanitize_cfi_cross_dso);
Opts.SanitizeCfiICallGeneralizePointers = Opts.SanitizeCfiICallGeneralizePointers =
Args.hasArg(OPT_fsanitize_cfi_icall_generalize_pointers); Args.hasArg(OPT_fsanitize_cfi_icall_generalize_pointers);
Opts.SanitizeStats = Args.hasArg(OPT_fsanitize_stats); Opts.SanitizeStats = Args.hasArg(OPT_fsanitize_stats);
if (Arg *A = Args.getLastArg(
OPT_fsanitize_address_poison_class_member_array_new_cookie,
OPT_fno_sanitize_address_poison_class_member_array_new_cookie)) {
Opts.SanitizeAddressPoisonClassMemberArrayNewCookie =
A->getOption().getID() ==
OPT_fsanitize_address_poison_class_member_array_new_cookie;
}
if (Arg *A = Args.getLastArg(OPT_fsanitize_address_use_after_scope, if (Arg *A = Args.getLastArg(OPT_fsanitize_address_use_after_scope,
OPT_fno_sanitize_address_use_after_scope)) { OPT_fno_sanitize_address_use_after_scope)) {
Opts.SanitizeAddressUseAfterScope = Opts.SanitizeAddressUseAfterScope =
A->getOption().getID() == OPT_fsanitize_address_use_after_scope; A->getOption().getID() == OPT_fsanitize_address_use_after_scope;
} }
Opts.SanitizeAddressGlobalsDeadStripping = Opts.SanitizeAddressGlobalsDeadStripping =
Args.hasArg(OPT_fsanitize_address_globals_dead_stripping); Args.hasArg(OPT_fsanitize_address_globals_dead_stripping);
Opts.SSPBufferSize = Opts.SSPBufferSize =
▲ Show 20 LinesShow All 2,147 LinesShow Last 20 Lines

test/CodeGen/address-sanitizer-and-array-cookie.cpp

// RUN: %clang_cc1 -triple x86_64-gnu-linux -emit-llvm -o - %s | FileCheck %s -check-prefix=PLAIN // RUN: %clang_cc1 -triple x86_64-gnu-linux -emit-llvm -o - %s | FileCheck %s -check-prefix=PLAIN
// RUN: %clang_cc1 -triple x86_64-gnu-linux -emit-llvm -o - -fsanitize=address %s | FileCheck %s -check-prefix=ASAN // RUN: %clang_cc1 -triple x86_64-gnu-linux -emit-llvm -o - -fsanitize=address %s | FileCheck %s -check-prefix=ASAN
// RUN: %clang_cc1 -triple x86_64-gnu-linux -emit-llvm -o - -fsanitize=address -fsanitize-address-poison-class-member-array-new-cookie %s | FileCheck %s -check-prefix=ASAN-POISON-ALL-NEW-ARRAY
typedef __typeof__(sizeof(0)) size_t; typedef __typeof__(sizeof(0)) size_t;
namespace std { namespace std {
struct nothrow_t {}; struct nothrow_t {};
std::nothrow_t nothrow; std::nothrow_t nothrow;
} }
void *operator new[](size_t, const std::nothrow_t &) throw(); void *operator new[](size_t, const std::nothrow_t &) throw();
void *operator new[](size_t, char *); void *operator new[](size_t, char *);
void *operator new[](size_t, int, int);
struct C { struct C {
int x; int x;
~C(); ~C();
}; };
C *CallNew() { C *CallNew() {
return new C[10]; return new C[10];
Show All 29 Lines
// ASAN-NOT: nosanitize // ASAN-NOT: nosanitize
char Buffer[20]; char Buffer[20];
C *CallPlacementNew() { C *CallPlacementNew() {
return new (Buffer) C[20]; return new (Buffer) C[20];
} }
// ASAN-LABEL: CallPlacementNew // ASAN-LABEL: CallPlacementNew
// ASAN-NOT: __asan_poison_cxx_array_cookie // ASAN-NOT: __asan_poison_cxx_array_cookie
C *CallNewWithArgs() {
// ASAN-LABEL: CallNewWithArgs
// ASAN-NOT: call void @__asan_poison_cxx_array_cookie
// ASAN-POISON-ALL-NEW-ARRAY: call void @__asan_poison_cxx_array_cookie
return new (123, 456) C[20];
}