Index: lib/sanitizer_common/sanitizer_common.h =================================================================== --- lib/sanitizer_common/sanitizer_common.h +++ lib/sanitizer_common/sanitizer_common.h @@ -106,6 +106,8 @@ bool MprotectNoAccess(uptr addr, uptr size); bool MprotectReadOnly(uptr addr, uptr size); +void MprotectMallocZones(void *addr, int prot); + // Find an available address space. uptr FindAvailableMemoryRange(uptr size, uptr alignment, uptr left_padding, uptr *largest_gap_found, uptr *max_occupied_addr); @@ -378,7 +380,7 @@ void ReportErrorSummary(const char *error_type, const StackTrace *trace, const char *alt_tool_name = nullptr); -void ReportMmapWriteExec(); +void ReportMmapWriteExec(int prot); // Math #if SANITIZER_WINDOWS && !defined(__clang__) && !defined(__GNUC__) Index: lib/sanitizer_common/sanitizer_common_interceptors.inc =================================================================== --- lib/sanitizer_common/sanitizer_common_interceptors.inc +++ lib/sanitizer_common/sanitizer_common_interceptors.inc @@ -6884,17 +6884,31 @@ #endif #if SANITIZER_INTERCEPT_MMAP + INTERCEPTOR(void *, mmap, void *addr, SIZE_T sz, int prot, int flags, int fd, OFF_T off) { void *ctx; if (common_flags()->detect_write_exec) - ReportMmapWriteExec(); + ReportMmapWriteExec(prot); if (COMMON_INTERCEPTOR_NOTHING_IS_INITIALIZED) return (void *)internal_mmap(addr, sz, prot, flags, fd, off); COMMON_INTERCEPTOR_ENTER(ctx, mmap, addr, sz, prot, flags, fd, off); COMMON_INTERCEPTOR_MMAP_IMPL(ctx, mmap, addr, sz, prot, flags, fd, off); } -#define INIT_MMAP COMMON_INTERCEPT_FUNCTION(mmap); + +INTERCEPTOR(int, mprotect, void *addr, SIZE_T sz, int prot) { + void *ctx; + if (common_flags()->detect_write_exec) + ReportMmapWriteExec(prot); + if (COMMON_INTERCEPTOR_NOTHING_IS_INITIALIZED) + return (int)internal_mprotect(addr, sz, prot); + COMMON_INTERCEPTOR_ENTER(ctx, mprotect, addr, sz, prot); + MprotectMallocZones(addr, prot); + return REAL(mprotect)(addr, sz, prot); +} +#define INIT_MMAP \ + COMMON_INTERCEPT_FUNCTION(mmap); \ + COMMON_INTERCEPT_FUNCTION(mprotect); #else #define INIT_MMAP #endif @@ -6904,7 +6918,7 @@ OFF64_T off) { void *ctx; if (common_flags()->detect_write_exec) - ReportMmapWriteExec(); + ReportMmapWriteExec(prot); if (COMMON_INTERCEPTOR_NOTHING_IS_INITIALIZED) return (void *)internal_mmap(addr, sz, prot, flags, fd, off); COMMON_INTERCEPTOR_ENTER(ctx, mmap64, addr, sz, prot, flags, fd, off); Index: lib/sanitizer_common/sanitizer_common_libcdep.cc =================================================================== --- lib/sanitizer_common/sanitizer_common_libcdep.cc +++ lib/sanitizer_common/sanitizer_common_libcdep.cc @@ -24,6 +24,7 @@ #if SANITIZER_POSIX #include "sanitizer_posix.h" +#include #endif namespace __sanitizer { @@ -81,8 +82,11 @@ #endif } -void ReportMmapWriteExec() { -#if !SANITIZER_GO && !SANITIZER_ANDROID +void ReportMmapWriteExec(int prot) { +#if SANITIZER_POSIX && (!SANITIZER_GO && !SANITIZER_ANDROID) + if ((prot & (PROT_WRITE | PROT_EXEC)) != (PROT_WRITE | PROT_EXEC)) + return; + ScopedErrorReportLock l; SanitizerCommonDecorator d; Index: lib/sanitizer_common/sanitizer_mac.h =================================================================== --- lib/sanitizer_common/sanitizer_mac.h +++ lib/sanitizer_common/sanitizer_mac.h @@ -18,6 +18,8 @@ #if SANITIZER_MAC #include "sanitizer_posix.h" +#include + namespace __sanitizer { struct MemoryMappingLayoutData { @@ -51,6 +53,10 @@ } // namespace __sanitizer +extern unsigned malloc_num_zones; +extern malloc_zone_t **malloc_zones; +static malloc_zone_t sanitizer_zone; + extern "C" { static char __crashreporter_info_buff__[__sanitizer::kErrorMessageBufferSize] = {}; Index: lib/sanitizer_common/sanitizer_mac.cc =================================================================== --- lib/sanitizer_common/sanitizer_mac.cc +++ lib/sanitizer_common/sanitizer_mac.cc @@ -343,6 +343,26 @@ return sysconf(_SC_PAGESIZE); } + +// We need to make sure that sanitizer_zone is registered as malloc_zones[0]. If +// libmalloc tries to set up a different zone as malloc_zones[0], it will call +// mprotect(malloc_zones, ..., PROT_READ). This interceptor will catch that and +// make sure we are still the first (default) zone. +void MprotectMallocZones(void *addr, int prot) { + if (addr == malloc_zones && prot == PROT_READ) { + if (malloc_num_zones > 1 && malloc_zones[0] != &sanitizer_zone) { + for (unsigned i = 1; i < malloc_num_zones; i++) { + if (malloc_zones[i] == &sanitizer_zone) { + // Swap malloc_zones[0] and malloc_zones[i]. + malloc_zones[i] = malloc_zones[0]; + malloc_zones[0] = &sanitizer_zone; + break; + } + } + } + } +} + BlockingMutex::BlockingMutex() { internal_memset(this, 0, sizeof(*this)); } Index: lib/sanitizer_common/sanitizer_malloc_mac.inc =================================================================== --- lib/sanitizer_common/sanitizer_malloc_mac.inc +++ lib/sanitizer_common/sanitizer_malloc_mac.inc @@ -29,8 +29,6 @@ // Similar code is used in Google Perftools, // https://github.com/gperftools/gperftools. -static malloc_zone_t sanitizer_zone; - INTERCEPTOR(malloc_zone_t *, malloc_create_zone, vm_size_t start_size, unsigned zone_flags) { COMMON_MALLOC_ENTER(); @@ -65,29 +63,6 @@ COMMON_MALLOC_FREE(zone); } -extern unsigned malloc_num_zones; -extern malloc_zone_t **malloc_zones; - -// We need to make sure that sanitizer_zone is registered as malloc_zones[0]. If -// libmalloc tries to set up a different zone as malloc_zones[0], it will call -// mprotect(malloc_zones, ..., PROT_READ). This interceptor will catch that and -// make sure we are still the first (default) zone. -INTERCEPTOR(int, mprotect, void *addr, size_t len, int prot) { - if (addr == malloc_zones && prot == PROT_READ) { - if (malloc_num_zones > 1 && malloc_zones[0] != &sanitizer_zone) { - for (unsigned i = 1; i < malloc_num_zones; i++) { - if (malloc_zones[i] == &sanitizer_zone) { - // Swap malloc_zones[0] and malloc_zones[i]. - malloc_zones[i] = malloc_zones[0]; - malloc_zones[0] = &sanitizer_zone; - break; - } - } - } - } - return REAL(mprotect)(addr, len, prot); -} - INTERCEPTOR(malloc_zone_t *, malloc_default_zone, void) { COMMON_MALLOC_ENTER(); return &sanitizer_zone; @@ -321,6 +296,7 @@ } // unnamed namespace + namespace COMMON_MALLOC_NAMESPACE { void ReplaceSystemMalloc() { Index: lib/sanitizer_common/sanitizer_posix.cc =================================================================== --- lib/sanitizer_common/sanitizer_posix.cc +++ lib/sanitizer_common/sanitizer_posix.cc @@ -153,6 +153,10 @@ return 0 == internal_mprotect((void *)addr, size, PROT_READ); } +#if !SANITIZER_MAC +void MprotectMallocZones(void *addr, int prot) {} +#endif + fd_t OpenFile(const char *filename, FileAccessMode mode, error_t *errno_p) { int flags; switch (mode) { Index: test/sanitizer_common/TestCases/Linux/mmap_write_exec.cpp =================================================================== --- test/sanitizer_common/TestCases/Linux/mmap_write_exec.cpp +++ test/sanitizer_common/TestCases/Linux/mmap_write_exec.cpp @@ -1,15 +1,37 @@ // RUN: %clangxx %s -o %t // RUN: %env_tool_opts=detect_write_exec=1 %run %t 2>&1 | FileCheck %s -// ubsan and lsan do not install mmap interceptors -// UNSUPPORTED: ubsan, lsan +// RUN: %env_tool_opts=detect_write_exec=0 %run %t 2>&1 | FileCheck %s \ +// RUN: --check-prefix=CHECK-DISABLED +// ubsan and lsan do not install mmap interceptors UNSUPPORTED: ubsan, lsan // TODO: Fix option on Android, it hangs there for unknown reasons. // XFAIL: android +#include #include int main(int argc, char **argv) { char *p = (char *)mmap(0, 1024, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0); // CHECK: WARNING: {{.*}}Sanitizer: writable-executable page usage + // CHECK: #{{[0-9]+.*}}main{{.*}}mmap_write_exec.cpp:[[@LINE-3]] + // CHECK: SUMMARY: {{.*}}Sanitizer: w-and-x-usage + + char *q = (char *)mmap(p, 64, PROT_READ | PROT_WRITE, + MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0); + (void)mprotect(q, 64, PROT_WRITE | PROT_EXEC); + // CHECK: WARNING: {{.*}}Sanitizer: writable-executable page usage + // CHECK: #{{[0-9]+.*}}main{{.*}}mmap_write_exec.cpp:[[@LINE-2]] + // CHECK: SUMMARY: {{.*}}Sanitizer: w-and-x-usage + + char *a = (char *)mmap(0, 1024, PROT_READ | PROT_WRITE, + MAP_ANONYMOUS | MAP_PRIVATE, -1, 0); + char *b = (char *)mmap(a, 64, PROT_READ | PROT_WRITE, + MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0); + (void)mprotect(q, 64, PROT_READ | PROT_EXEC); + // CHECK-NOT: Sanitizer + + printf("done\n"); + // CHECK-DISABLED-NOT: Sanitizer + // CHECK-DISABLED: done }