This is an archive of the discontinued LLVM Phabricator instance.

Differential D46545

[sanitizer] Add fgets, fputs and puts into sanitizer_common
ClosedPublic

Authored by Lekensteyn on May 7 2018, 1:06 PM.

Details

Reviewers
vitalybuka
bruening
m.ostapenko
krytarowski
kcc
eugenis
Commits
rG1c05c957394e: [sanitizer] Add fgets, fputs and puts into sanitizer_common
rL334450: [sanitizer] Add fgets, fputs and puts into sanitizer_common
rCRT334450: [sanitizer] Add fgets, fputs and puts into sanitizer_common
Summary

Add fgets, fputs and puts to sanitizer_common. This adds ASAN coverage
for these functions, extends MSAN support from fgets to fputs/puts and
extends TSAN support from puts to fputs.

Fixes: https://github.com/google/sanitizers/issues/952

Diff Detail

Event Timeline

Lekensteyn created this revision.May 7 2018, 1:06 PM
Herald added subscribers: Restricted Project, llvm-commits, kubamracek. · View Herald TranscriptMay 7 2018, 1:06 PM
vitalybuka added a comment.May 7 2018, 4:43 PM

Why it's "cost of false negatives for MSAN" ?

test/asan/TestCases/Posix/fgets_fputs.cc
3

could you please also create sanitizer_common test for each of moved functions?

krytarowski added a comment.May 7 2018, 6:09 PM

It looks fine. It would be nicer to use separate tests for each function. Not all in one.

Lekensteyn added a comment.May 8 2018, 2:42 AM

If a "good weather" test has to be added, I'll probably combine fgets/fputs/gets in a single sanitizer_common test.
In a future patch, I'll split the existing ASAN test into three separate programs.

lib/esan/esan_interceptors.cpp
497

FYI: this seemed a leftover after https://reviews.llvm.org/D31456 (https://github.com/google/sanitizers/issues/793)

lib/msan/msan_interceptors.cc
753

FYI: This was added in https://reviews.llvm.org/D42884, but I believe that the COMMON_INTERCEPTOR_ENTER macro in lib/msan/msan_interceptors.cc covers this now.

lib/sanitizer_common/sanitizer_common_interceptors.inc
1203

This is what I meant by "false negatives for msan". Possible choices for the length parameter:

  • REAL(strlen)(s) / internal_strlen (as it did before in msan): if the read was short, then the buffer might not be fully initialized. MSAN could have caught this.
  • size (proposed in this patch): even if the read was short, the full buffer is unpoisoned and MSAN would not complain about uninitialized memory.
test/asan/TestCases/Posix/fgets_fputs.cc
3

Do you mean a test that checks that everything works fine with valid boundaries, for example test/sanitizer_common/TestCases/Posix/access.cc?
Otherwise, stack/heap OOB is not caught by msan, tsan, ubsan, only by ASAN. As for UAF, only ASAN and TSAN managed to detect that.

TSAN already has an additional test in test/tsan/race_on_puts.c. Should I create a similar race_on_fgets/race_on_fputs?

It seems that the previous fgets interceptor in the msan was not tested either, that could also be a point of improvement.

vitalybuka requested changes to this revision.May 17 2018, 1:23 PM
vitalybuka added inline comments.
lib/sanitizer_common/sanitizer_common_interceptors.inc
1203

Let not mix refactoring with behavior change.
Please make this patch "move to sanitizer_common only" and a separate patch for "size vs strlen" (Also I am not yet convinced that we have to do so).

test/asan/TestCases/Posix/fgets_fputs.cc
3

Yes, it's hard to test reports in sanitizer_common
Just positive test which just make sure that interceptor does not crash.

This revision now requires changes to proceed.May 17 2018, 1:23 PM
krytarowski added a comment.Jun 8 2018, 9:24 AM

We are now requiring this on NetBSD for MSanitized userland. Some programs break without puts(3) / fputs(3) interceptors there.

Lekensteyn added a comment.Jun 8 2018, 9:31 AM
In D46545#1126599, @krytarowski wrote:

We are now requiring this on NetBSD for MSanitized userland. Some programs break without puts(3) / fputs(3) interceptors there.

Is there a link/discussion to this issue? (f)puts just read from a buffer, how would lack of interceptors cause MSan to break?
I found https://github.com/google/sanitizers/issues/955, but it does not directly mention such an issue.

(This change is still on my TODO list.)

krytarowski added a subscriber: tomsun.0.7.EditedJun 8 2018, 9:43 AM
In D46545#1126617, @Lekensteyn wrote:
In D46545#1126599, @krytarowski wrote:

We are now requiring this on NetBSD for MSanitized userland. Some programs break without puts(3) / fputs(3) interceptors there.

Is there a link/discussion to this issue? (f)puts just read from a buffer, how would lack of interceptors cause MSan to break?
I found https://github.com/google/sanitizers/issues/955, but it does not directly mention such an issue.

(This change is still on my TODO list.)

https://github.com/google/sanitizers/issues/955 context "libfuzzer integration with the NetBSD userland #955"

There are so many issues with local utilities that we don't bother with reporting them.. as we need to fix them on our own.

https://github.com/plusun/compiler-rt/commit/bbcbdbd2d6714c6d2e4436b17e694c355670e58c our fix for this issue "Add interceptors for puts and fputs, remove old ones"

If I remember correctly, puts(3)/fputs(3) was breaking GNU groff in the LLVM style of NetBSD distribution. (CC: @tomsun.0.7 -- the author)

krytarowski added a comment.Jun 8 2018, 9:46 AM

It causes breakage because there is called an interceptor inside libc that is reported as false positive.

Lekensteyn updated this revision to Diff 150653.EditedJun 10 2018, 9:53 AM
Lekensteyn marked 7 inline comments as done.
Lekensteyn retitled this revision from [sanitizer] Move fgets, fputs and puts into sanitizer_common to [sanitizer] Add fgets, fputs and puts into sanitizer_common.
Lekensteyn edited the summary of this revision. (Show Details)

Changes:

  • Restore strlen(s)+1 length calculation for fgets(s, size, fp) as suggested (matching previous TSAN behavior).
  • Add MSAN, TSAN test coverage for bad cases.
  • Add sanitizer_common tests for good cases.
Lekensteyn updated this revision to Diff 150656.Jun 10 2018, 10:54 AM

Changed since last patch: small fix to make the fputs test deterministically fail. No further test regressions caught during check-all.

--- a/test/asan/TestCases/Posix/fgets_fputs.cc
+++ b/test/asan/TestCases/Posix/fgets_fputs.cc
@@ -17,7 +17,7 @@ int test_fgets() {
 
 int test_fputs() {
   FILE *fp = fopen("/dev/null", "w");
-  char buf[2];
+  char buf[1] = { 'x' }; // Note: not nul-terminated
   fputs(buf, fp); // BOOM
   return fclose(fp);
 }
krytarowski added inline comments.Jun 11 2018, 1:16 AM
lib/msan/msan_interceptors.cc
753

Right, the MSan macro COMMON_INTERCEPTOR_ENTER covers it.

lib/sanitizer_common/sanitizer_common_interceptors.inc
1197

Is this bug still valid? Is it Linux specific?

Lekensteyn marked 2 inline comments as done.Jun 11 2018, 2:11 AM
Lekensteyn added inline comments.
lib/sanitizer_common/sanitizer_common_interceptors.inc
1197

It seems still valid, COMMON_INTERCEPTOR_ENTER does not check the parameters, so REAL(fgets) below can overwrite invalid memory.

Reproducer with fread (which has the same issue):

#include <stdio.h>
#include <stdlib.h>

int main() {
    FILE *fp = fopen("/proc/cpuinfo", "r");
    if (!fp)
        return 1;
    void *p = malloc(4096);
    if (!p)
        return 1;
    free(p);
    if (!fread(p, 4096, 1, fp))
        perror("fread");
    fclose(fp);
    return 0;
}

Trace:

==4458==ERROR: AddressSanitizer: heap-use-after-free on address 0x621000000100 at pc 0x00000048f8c0 bp 0x7ffe28520fa0 sp 0x7ffe28520750
WRITE of size 4096 at 0x621000000100 thread T0
    #0 0x48f8bf in __interceptor_fread.part.52 projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:991:16
    #1 0x5274eb in main fread.c:12:10
    #2 0x7f6a35eb106a in __libc_start_main (/usr/lib/libc.so.6+0x2306a)
    #3 0x41d039 in _start (fread+0x41d039)

0x621000000100 is located 0 bytes inside of 4096-byte region [0x621000000100,0x621000001100)
freed by thread T0 here:
==4458==AddressSanitizer CHECK failed: projects/compiler-rt/lib/asan/asan_descriptions.cc:179 "((res.trace)) != (0)" (0x0, 0x0)
    #0 0x4f9575 in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) projects/compiler-rt/lib/asan/asan_rtl.cc:70:3
    #1 0x512009 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) projects/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:79:24
    #2 0x42b264 in GetStackTraceFromId projects/compiler-rt/lib/asan/asan_descriptions.cc:179:3
    #3 0x42b264 in __asan::HeapAddressDescription::Print() const projects/compiler-rt/lib/asan/asan_descriptions.cc:420:62
    #4 0x42ea03 in __asan::AddressDescription::Print(char const*) const projects/compiler-rt/lib/asan/asan_descriptions.h:224:31
    #5 0x42ea03 in __asan::ErrorGeneric::Print() projects/compiler-rt/lib/asan/asan_errors.cc:597:25
    #6 0x4f9086 in __asan::ErrorDescription::Print() projects/compiler-rt/lib/asan/asan_errors.h:422:7
    #7 0x4f9086 in __asan::ScopedInErrorReport::~ScopedInErrorReport() projects/compiler-rt/lib/asan/asan_report.cc:142:55
    #8 0x4f9086 in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) projects/compiler-rt/lib/asan/asan_report.cc:460:38
    #9 0x48f8e1 in __interceptor_fread.part.52 projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:991:16
    #10 0x5274eb in main fread.c:12:10
    #11 0x7f6a35eb106a in __libc_start_main (/usr/lib/libc.so.6+0x2306a)
    #12 0x41d039 in _start (fread+0x41d039)
vitalybuka accepted this revision.Jun 11 2018, 2:00 PM
vitalybuka added inline comments.
lib/sanitizer_common/sanitizer_common_interceptors.inc
1200

I'd expect

if (res)
  COMMON_INTERCEPTOR_WRITE_RANGE

Could you try:

git clang-format -f --style=file --extensions=inc,cc,h,c,cpp  HEAD^
This revision is now accepted and ready to land.Jun 11 2018, 2:00 PM
Lekensteyn updated this revision to Diff 150866.Jun 11 2018, 3:59 PM
Lekensteyn marked an inline comment as done.

Thanks Vitaly, that's a very useful tool!

This version only has whitespace changes:

--- a/lib/sanitizer_common/sanitizer_common_interceptors.inc
+++ b/lib/sanitizer_common/sanitizer_common_interceptors.inc
@@ -1190,7 +1190,7 @@ INTERCEPTOR(SSIZE_T, pwritev64, int fd, __sanitizer_iovec *iov, int iovcnt,
 #endif
 
 #if SANITIZER_INTERCEPT_FGETS
-INTERCEPTOR(char*, fgets, char *s, SIZE_T size, void *file) {
+INTERCEPTOR(char *, fgets, char *s, SIZE_T size, void *file) {
   // libc file streams can call user-supplied functions, see fopencookie.
   void *ctx;
   COMMON_INTERCEPTOR_ENTER(ctx, fgets, s, size, file);
@@ -1198,7 +1198,8 @@ INTERCEPTOR(char*, fgets, char *s, SIZE_T size, void *file) {
   // its metadata. See
   // https://github.com/google/sanitizers/issues/321.
   char *res = REAL(fgets)(s, size, file);
-  if (res) COMMON_INTERCEPTOR_WRITE_RANGE(ctx, s, REAL(strlen)(s) + 1);
+  if (res)
+    COMMON_INTERCEPTOR_WRITE_RANGE(ctx, s, REAL(strlen)(s) + 1);
   return res;
 }
 #define INIT_FGETS COMMON_INTERCEPT_FUNCTION(fgets)
--- a/test/asan/TestCases/Posix/fgets_fputs.cc
+++ b/test/asan/TestCases/Posix/fgets_fputs.cc
@@ -17,8 +17,8 @@ int test_fgets() {
 
 int test_fputs() {
   FILE *fp = fopen("/dev/null", "w");
-  char buf[1] = { 'x' }; // Note: not nul-terminated
-  fputs(buf, fp); // BOOM
+  char buf[1] = {'x'}; // Note: not nul-terminated
+  fputs(buf, fp);      // BOOM
   return fclose(fp);
 }
Closed by commit rCRT334450: [sanitizer] Add fgets, fputs and puts into sanitizer_common (authored by Lekensteyn). · Explain WhyJun 11 2018, 4:02 PM
This revision was automatically updated to reflect the committed changes.
morehouse added a subscriber: morehouse.Jun 12 2018, 9:28 AM

This is breaking the Android sanitizer bot: http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-android/builds/11563.

Please take a look and/or revert.

Lekensteyn added a comment.Jun 12 2018, 10:50 AM
In D46545#1129800, @morehouse wrote:

This is breaking the Android sanitizer bot: http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-android/builds/11563.

Please take a look and/or revert.

I had a look already and am trying to set up an environment to reproduce it. It however seems an impossible situation. Either the test suite fails to execute the commands correctly, or the Android runtime or test suite are stripping paths. It is not the first test that would fail on Android either: https://github.com/google/sanitizers/issues/316

Another issue that popped up is a failure on macOS: http://green.lab.llvm.org/green/job/clang-stage1-configure-RA/46011/
Perhaps this issue occurs because the runtime interceptor does not catch the symbol on macOS.

Since the code appears to be functionally correct, I am considering adding XFAIL for both cases.

For the record, this is the test output:

FAIL: AddressSanitizer-aarch64-android :: TestCases/Posix/fgets_fputs.cc (126 of 1137)
******************** TEST 'AddressSanitizer-aarch64-android :: TestCases/Posix/fgets_fputs.cc' FAILED ********************
Script:
--
: 'RUN: at line 1';     /var/lib/buildbot/sanitizer-buildbot6/sanitizer-x86_64-linux-android/build/llvm/projects/compiler-rt/test/sanitizer_common/android_commands/android_compile.py  /var/lib/buildbot/sanitizer-buildbot6/sanitizer-x86_64-linux-android/build/llvm_build64/bin/clang  --driver-mode=g++ -fsanitize=address -mno-omit-leaf-frame-pointer -fno-omit-frame-pointer -fno-optimize-sibling-calls -gline-tables-only  --target=aarch64-linux-android --sysroot=/var/lib/buildbot/sanitizer-buildbot6/sanitizer-x86_64-linux-android/build/android_ndk/standalone-aarch64/sysroot -B/var/lib/buildbot/sanitizer-buildbot6/sanitizer-x86_64-linux-android/build/android_ndk/standalone-aarch64 -pie -fuse-ld=gold -Wl,--enable-new-dtags  -shared-libasan -g /var/lib/buildbot/sanitizer-buildbot6/sanitizer-x86_64-linux-android/build/llvm/projects/compiler-rt/test/asan/TestCases/Posix/fgets_fputs.cc -o /var/lib/buildbot/sanitizer-buildbot6/sanitizer-x86_64-linux-android/build/compiler_rt_build_android_aarch64/test/asan/AARCH64AndroidConfig/TestCases/Posix/Output/fgets_fputs.cc.tmp
: 'RUN: at line 2';   echo data > /var/lib/buildbot/sanitizer-buildbot6/sanitizer-x86_64-linux-android/build/compiler_rt_build_android_aarch64/test/asan/AARCH64AndroidConfig/TestCases/Posix/Output/fgets_fputs.cc.tmp-testdata
: 'RUN: at line 3';   not  /var/lib/buildbot/sanitizer-buildbot6/sanitizer-x86_64-linux-android/build/compiler_rt_build_android_aarch64/test/asan/AARCH64AndroidConfig/TestCases/Posix/Output/fgets_fputs.cc.tmp 1 /var/lib/buildbot/sanitizer-buildbot6/sanitizer-x86_64-linux-android/build/compiler_rt_build_android_aarch64/test/asan/AARCH64AndroidConfig/TestCases/Posix/Output/fgets_fputs.cc.tmp-testdata 2>&1 | FileCheck /var/lib/buildbot/sanitizer-buildbot6/sanitizer-x86_64-linux-android/build/llvm/projects/compiler-rt/test/asan/TestCases/Posix/fgets_fputs.cc --check-prefix=CHECK-FGETS
: 'RUN: at line 4';   not  /var/lib/buildbot/sanitizer-buildbot6/sanitizer-x86_64-linux-android/build/compiler_rt_build_android_aarch64/test/asan/AARCH64AndroidConfig/TestCases/Posix/Output/fgets_fputs.cc.tmp 2 2>&1 | FileCheck /var/lib/buildbot/sanitizer-buildbot6/sanitizer-x86_64-linux-android/build/llvm/projects/compiler-rt/test/asan/TestCases/Posix/fgets_fputs.cc --check-prefix=CHECK-FPUTS
: 'RUN: at line 5';   not  /var/lib/buildbot/sanitizer-buildbot6/sanitizer-x86_64-linux-android/build/compiler_rt_build_android_aarch64/test/asan/AARCH64AndroidConfig/TestCases/Posix/Output/fgets_fputs.cc.tmp 3 2>&1 | FileCheck /var/lib/buildbot/sanitizer-buildbot6/sanitizer-x86_64-linux-android/build/llvm/projects/compiler-rt/test/asan/TestCases/Posix/fgets_fputs.cc --check-prefix=CHECK-PUTS
--
Exit Code: 1

Command Output (stderr):
--
/var/lib/buildbot/sanitizer-buildbot6/sanitizer-x86_64-linux-android/build/llvm/projects/compiler-rt/test/asan/TestCases/Posix/fgets_fputs.cc:51:17: error: expected string not found in input
// CHECK-FGETS: {{.*ERROR: AddressSanitizer: stack-buffer-overflow}}
                ^
<stdin>:1:1: note: scanning from here
/var/lib/buildbot/sanitizer-buildbot6/sanitizer-x86_64-linux-android/build/llvm/projects/compiler-rt/test/asan/TestCases/Posix/fgets_fputs.cc:15: int test_fgets(const char *): assertion "fp" failed
^
<stdin>:1:3: note: possible intended match here
/var/lib/buildbot/sanitizer-buildbot6/sanitizer-x86_64-linux-android/build/llvm/projects/compiler-rt/test/asan/TestCases/Posix/fgets_fputs.cc:15: int test_fgets(const char *): assertion "fp" failed
  ^
morehouse added a comment.Jun 12 2018, 3:04 PM
In D46545#1129900, @Lekensteyn wrote:

Since the code appears to be functionally correct, I am considering adding XFAIL for both cases.

Please do this for now to get the bot green again. If you figure out the root cause you can submit a fix later.

Lekensteyn added a comment.Jun 12 2018, 4:14 PM
In D46545#1130319, @morehouse wrote:
In D46545#1129900, @Lekensteyn wrote:

Since the code appears to be functionally correct, I am considering adding XFAIL for both cases.

Please do this for now to get the bot green again. If you figure out the root cause you can submit a fix later.

Disabled now in r334558, apologies for the inconvenience.

Revision Contents

PathSize
lib/
esan/
10 lines
msan/
10 lines
sanitizer_common/
47 lines
3 lines
tsan/
rtl/
9 lines
test/
asan/
TestCases/
Posix/
46 lines
msan/
47 lines
sanitizer_common/
TestCases/
Posix/
20 lines
18 lines
tsan/
29 lines

Diff 150867

lib/esan/esan_interceptors.cpp

Show First 20 LinesShow All 310 Lines▼ Show 20 Lines
INTERCEPTOR(int, unlink, char *path) { INTERCEPTOR(int, unlink, char *path) {
void *ctx; void *ctx;
COMMON_INTERCEPTOR_ENTER(ctx, unlink, path); COMMON_INTERCEPTOR_ENTER(ctx, unlink, path);
COMMON_INTERCEPTOR_READ_STRING(ctx, path, 0); COMMON_INTERCEPTOR_READ_STRING(ctx, path, 0);
return REAL(unlink)(path); return REAL(unlink)(path);
} }
INTERCEPTOR(int, puts, const char *s) {
void *ctx;
COMMON_INTERCEPTOR_ENTER(ctx, puts, s);
COMMON_INTERCEPTOR_READ_RANGE(ctx, s, internal_strlen(s));
return REAL(puts)(s);
}
INTERCEPTOR(int, rmdir, char *path) { INTERCEPTOR(int, rmdir, char *path) {
void *ctx; void *ctx;
COMMON_INTERCEPTOR_ENTER(ctx, rmdir, path); COMMON_INTERCEPTOR_ENTER(ctx, rmdir, path);
COMMON_INTERCEPTOR_READ_STRING(ctx, path, 0); COMMON_INTERCEPTOR_READ_STRING(ctx, path, 0);
return REAL(rmdir)(path); return REAL(rmdir)(path);
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
▲ Show 20 LinesShow All 154 Lines▼ Show 20 Linesvoid initializeInterceptors() {
INTERCEPT_FUNCTION(strcpy); // NOLINT INTERCEPT_FUNCTION(strcpy); // NOLINT
INTERCEPT_FUNCTION(strncpy); INTERCEPT_FUNCTION(strncpy);
INTERCEPT_FUNCTION(open); INTERCEPT_FUNCTION(open);
ESAN_MAYBE_INTERCEPT_OPEN64; ESAN_MAYBE_INTERCEPT_OPEN64;
INTERCEPT_FUNCTION(creat); INTERCEPT_FUNCTION(creat);
ESAN_MAYBE_INTERCEPT_CREAT64; ESAN_MAYBE_INTERCEPT_CREAT64;
INTERCEPT_FUNCTION(unlink); INTERCEPT_FUNCTION(unlink);
INTERCEPT_FUNCTION(fread);
INTERCEPT_FUNCTION(fwrite);
LekensteynAuthorUnsubmitted
Done
ReplyInline Actions

FYI: this seemed a leftover after https://reviews.llvm.org/D31456 (https://github.com/google/sanitizers/issues/793)

Lekensteyn: FYI: this seemed a leftover after https://reviews.llvm.org/D31456 (https://github.
INTERCEPT_FUNCTION(puts);
INTERCEPT_FUNCTION(rmdir); INTERCEPT_FUNCTION(rmdir);
ESAN_MAYBE_INTERCEPT_SIGNAL; ESAN_MAYBE_INTERCEPT_SIGNAL;
ESAN_MAYBE_INTERCEPT_SIGACTION; ESAN_MAYBE_INTERCEPT_SIGACTION;
ESAN_MAYBE_INTERCEPT_SIGPROCMASK; ESAN_MAYBE_INTERCEPT_SIGPROCMASK;
ESAN_MAYBE_INTERCEPT_PTHREAD_SIGMASK; ESAN_MAYBE_INTERCEPT_PTHREAD_SIGMASK;
INTERCEPT_FUNCTION(calloc); INTERCEPT_FUNCTION(calloc);
Show All 12 Lines

lib/msan/msan_interceptors.cc

Show First 20 LinesShow All 742 Lines▼ Show 20 Lines
INTERCEPTOR(int, socketpair, int domain, int type, int protocol, int sv[2]) { INTERCEPTOR(int, socketpair, int domain, int type, int protocol, int sv[2]) {
ENSURE_MSAN_INITED(); ENSURE_MSAN_INITED();
int res = REAL(socketpair)(domain, type, protocol, sv); int res = REAL(socketpair)(domain, type, protocol, sv);
if (!res) if (!res)
__msan_unpoison(sv, sizeof(int[2])); __msan_unpoison(sv, sizeof(int[2]));
return res; return res;
} }
INTERCEPTOR(char *, fgets, char *s, int size, void *stream) {
ENSURE_MSAN_INITED();
InterceptorScope interceptor_scope;
LekensteynAuthorUnsubmitted
Done
ReplyInline Actions

FYI: This was added in https://reviews.llvm.org/D42884, but I believe that the COMMON_INTERCEPTOR_ENTER macro in lib/msan/msan_interceptors.cc covers this now.

Lekensteyn: FYI: This was added in https://reviews.llvm.org/D42884, but I believe that the…
krytarowskiUnsubmitted
Done
ReplyInline Actions

Right, the MSan macro COMMON_INTERCEPTOR_ENTER covers it.

krytarowski: Right, the MSan macro COMMON_INTERCEPTOR_ENTER covers it.
char *res = REAL(fgets)(s, size, stream);
if (res)
__msan_unpoison(s, REAL(strlen)(s) + 1);
return res;
}
#if !SANITIZER_FREEBSD && !SANITIZER_NETBSD #if !SANITIZER_FREEBSD && !SANITIZER_NETBSD
INTERCEPTOR(char *, fgets_unlocked, char *s, int size, void *stream) { INTERCEPTOR(char *, fgets_unlocked, char *s, int size, void *stream) {
ENSURE_MSAN_INITED(); ENSURE_MSAN_INITED();
char *res = REAL(fgets_unlocked)(s, size, stream); char *res = REAL(fgets_unlocked)(s, size, stream);
if (res) if (res)
__msan_unpoison(s, REAL(strlen)(s) + 1); __msan_unpoison(s, REAL(strlen)(s) + 1);
return res; return res;
} }
▲ Show 20 LinesShow All 836 Lines▼ Show 20 Lines#endif
MSAN_MAYBE_INTERCEPT_FSTAT; MSAN_MAYBE_INTERCEPT_FSTAT;
MSAN_MAYBE_INTERCEPT___FXSTAT; MSAN_MAYBE_INTERCEPT___FXSTAT;
MSAN_INTERCEPT_FSTATAT; MSAN_INTERCEPT_FSTATAT;
MSAN_MAYBE_INTERCEPT___FXSTAT64; MSAN_MAYBE_INTERCEPT___FXSTAT64;
MSAN_MAYBE_INTERCEPT___FXSTATAT64; MSAN_MAYBE_INTERCEPT___FXSTATAT64;
INTERCEPT_FUNCTION(pipe); INTERCEPT_FUNCTION(pipe);
INTERCEPT_FUNCTION(pipe2); INTERCEPT_FUNCTION(pipe2);
INTERCEPT_FUNCTION(socketpair); INTERCEPT_FUNCTION(socketpair);
INTERCEPT_FUNCTION(fgets);
MSAN_MAYBE_INTERCEPT_FGETS_UNLOCKED; MSAN_MAYBE_INTERCEPT_FGETS_UNLOCKED;
INTERCEPT_FUNCTION(getrlimit); INTERCEPT_FUNCTION(getrlimit);
MSAN_MAYBE_INTERCEPT_GETRLIMIT64; MSAN_MAYBE_INTERCEPT_GETRLIMIT64;
MSAN_MAYBE_INTERCEPT_PRLIMIT; MSAN_MAYBE_INTERCEPT_PRLIMIT;
MSAN_MAYBE_INTERCEPT_PRLIMIT64; MSAN_MAYBE_INTERCEPT_PRLIMIT64;
MSAN_INTERCEPT_UNAME; MSAN_INTERCEPT_UNAME;
INTERCEPT_FUNCTION(gethostname); INTERCEPT_FUNCTION(gethostname);
MSAN_MAYBE_INTERCEPT_EPOLL_WAIT; MSAN_MAYBE_INTERCEPT_EPOLL_WAIT;
Show All 27 Lines

lib/sanitizer_common/sanitizer_common_interceptors.inc

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 1,183 Lines▼ Show 20 LinesINTERCEPTOR(SSIZE_T, pwritev64, int fd, __sanitizer_iovec *iov, int iovcnt,
if (res > 0) read_iovec(ctx, iov, iovcnt, res); if (res > 0) read_iovec(ctx, iov, iovcnt, res);
return res; return res;
} }
#define INIT_PWRITEV64 COMMON_INTERCEPT_FUNCTION(pwritev64) #define INIT_PWRITEV64 COMMON_INTERCEPT_FUNCTION(pwritev64)
#else #else
#define INIT_PWRITEV64 #define INIT_PWRITEV64
#endif #endif
#if SANITIZER_INTERCEPT_FGETS
INTERCEPTOR(char *, fgets, char *s, SIZE_T size, void *file) {
// libc file streams can call user-supplied functions, see fopencookie.
void *ctx;
COMMON_INTERCEPTOR_ENTER(ctx, fgets, s, size, file);
// FIXME: under ASan the call below may write to freed memory and corrupt
krytarowskiUnsubmitted
Done
ReplyInline Actions

Is this bug still valid? Is it Linux specific?

krytarowski: Is this bug still valid? Is it Linux specific?
LekensteynAuthorUnsubmitted
Not Done
ReplyInline Actions

It seems still valid, COMMON_INTERCEPTOR_ENTER does not check the parameters, so REAL(fgets) below can overwrite invalid memory.

Reproducer with fread (which has the same issue):

#include <stdio.h>
#include <stdlib.h>

int main() {
    FILE *fp = fopen("/proc/cpuinfo", "r");
    if (!fp)
        return 1;
    void *p = malloc(4096);
    if (!p)
        return 1;
    free(p);
    if (!fread(p, 4096, 1, fp))
        perror("fread");
    fclose(fp);
    return 0;
}

Trace:

==4458==ERROR: AddressSanitizer: heap-use-after-free on address 0x621000000100 at pc 0x00000048f8c0 bp 0x7ffe28520fa0 sp 0x7ffe28520750
WRITE of size 4096 at 0x621000000100 thread T0
    #0 0x48f8bf in __interceptor_fread.part.52 projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:991:16
    #1 0x5274eb in main fread.c:12:10
    #2 0x7f6a35eb106a in __libc_start_main (/usr/lib/libc.so.6+0x2306a)
    #3 0x41d039 in _start (fread+0x41d039)

0x621000000100 is located 0 bytes inside of 4096-byte region [0x621000000100,0x621000001100)
freed by thread T0 here:
==4458==AddressSanitizer CHECK failed: projects/compiler-rt/lib/asan/asan_descriptions.cc:179 "((res.trace)) != (0)" (0x0, 0x0)
    #0 0x4f9575 in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) projects/compiler-rt/lib/asan/asan_rtl.cc:70:3
    #1 0x512009 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) projects/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:79:24
    #2 0x42b264 in GetStackTraceFromId projects/compiler-rt/lib/asan/asan_descriptions.cc:179:3
    #3 0x42b264 in __asan::HeapAddressDescription::Print() const projects/compiler-rt/lib/asan/asan_descriptions.cc:420:62
    #4 0x42ea03 in __asan::AddressDescription::Print(char const*) const projects/compiler-rt/lib/asan/asan_descriptions.h:224:31
    #5 0x42ea03 in __asan::ErrorGeneric::Print() projects/compiler-rt/lib/asan/asan_errors.cc:597:25
    #6 0x4f9086 in __asan::ErrorDescription::Print() projects/compiler-rt/lib/asan/asan_errors.h:422:7
    #7 0x4f9086 in __asan::ScopedInErrorReport::~ScopedInErrorReport() projects/compiler-rt/lib/asan/asan_report.cc:142:55
    #8 0x4f9086 in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) projects/compiler-rt/lib/asan/asan_report.cc:460:38
    #9 0x48f8e1 in __interceptor_fread.part.52 projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:991:16
    #10 0x5274eb in main fread.c:12:10
    #11 0x7f6a35eb106a in __libc_start_main (/usr/lib/libc.so.6+0x2306a)
    #12 0x41d039 in _start (fread+0x41d039)
Lekensteyn: It seems still valid, `COMMON_INTERCEPTOR_ENTER` does not check the parameters, so `REAL…
// its metadata. See
// https://github.com/google/sanitizers/issues/321.
char *res = REAL(fgets)(s, size, file);
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

I'd expect

if (res)
  COMMON_INTERCEPTOR_WRITE_RANGE

Could you try:

git clang-format -f --style=file --extensions=inc,cc,h,c,cpp  HEAD^
vitalybuka: I'd expect ``` if (res) COMMON_INTERCEPTOR_WRITE_RANGE ``` Could you try: ``` git clang…
if (res)
COMMON_INTERCEPTOR_WRITE_RANGE(ctx, s, REAL(strlen)(s) + 1);
return res;
LekensteynAuthorUnsubmitted
Done
ReplyInline Actions

This is what I meant by "false negatives for msan". Possible choices for the length parameter:

  • REAL(strlen)(s) / internal_strlen (as it did before in msan): if the read was short, then the buffer might not be fully initialized. MSAN could have caught this.
  • size (proposed in this patch): even if the read was short, the full buffer is unpoisoned and MSAN would not complain about uninitialized memory.
Lekensteyn: This is what I meant by "false negatives for msan". Possible choices for the length parameter…
vitalybukaUnsubmitted
Done
ReplyInline Actions

Let not mix refactoring with behavior change.
Please make this patch "move to sanitizer_common only" and a separate patch for "size vs strlen" (Also I am not yet convinced that we have to do so).

vitalybuka: Let not mix refactoring with behavior change. Please make this patch "move to sanitizer_common…
}
#define INIT_FGETS COMMON_INTERCEPT_FUNCTION(fgets)
#else
#define INIT_FGETS
#endif
#if SANITIZER_INTERCEPT_FPUTS
INTERCEPTOR(int, fputs, char *s, void *file) {
// libc file streams can call user-supplied functions, see fopencookie.
void *ctx;
COMMON_INTERCEPTOR_ENTER(ctx, fputs, s, file);
COMMON_INTERCEPTOR_READ_RANGE(ctx, s, REAL(strlen)(s) + 1);
return REAL(fputs)(s, file);
}
#define INIT_FPUTS COMMON_INTERCEPT_FUNCTION(fputs)
#else
#define INIT_FPUTS
#endif
#if SANITIZER_INTERCEPT_PUTS
INTERCEPTOR(int, puts, char *s) {
// libc file streams can call user-supplied functions, see fopencookie.
void *ctx;
COMMON_INTERCEPTOR_ENTER(ctx, puts, s);
COMMON_INTERCEPTOR_READ_RANGE(ctx, s, REAL(strlen)(s) + 1);
return REAL(puts)(s);
}
#define INIT_PUTS COMMON_INTERCEPT_FUNCTION(puts)
#else
#define INIT_PUTS
#endif
#if SANITIZER_INTERCEPT_PRCTL #if SANITIZER_INTERCEPT_PRCTL
INTERCEPTOR(int, prctl, int option, unsigned long arg2, INTERCEPTOR(int, prctl, int option, unsigned long arg2,
unsigned long arg3, // NOLINT unsigned long arg3, // NOLINT
unsigned long arg4, unsigned long arg5) { // NOLINT unsigned long arg4, unsigned long arg5) { // NOLINT
void *ctx; void *ctx;
COMMON_INTERCEPTOR_ENTER(ctx, prctl, option, arg2, arg3, arg4, arg5); COMMON_INTERCEPTOR_ENTER(ctx, prctl, option, arg2, arg3, arg4, arg5);
static const int PR_SET_NAME = 15; static const int PR_SET_NAME = 15;
int res = REAL(prctl(option, arg2, arg3, arg4, arg5)); int res = REAL(prctl(option, arg2, arg3, arg4, arg5));
▲ Show 20 LinesShow All 6,031 Lines▼ Show 20 Linesstatic void InitializeCommonInterceptors() {
INIT_PREADV64; INIT_PREADV64;
INIT_WRITE; INIT_WRITE;
INIT_FWRITE; INIT_FWRITE;
INIT_PWRITE; INIT_PWRITE;
INIT_PWRITE64; INIT_PWRITE64;
INIT_WRITEV; INIT_WRITEV;
INIT_PWRITEV; INIT_PWRITEV;
INIT_PWRITEV64; INIT_PWRITEV64;
INIT_FGETS;
INIT_FPUTS;
INIT_PUTS;
INIT_PRCTL; INIT_PRCTL;
INIT_LOCALTIME_AND_FRIENDS; INIT_LOCALTIME_AND_FRIENDS;
INIT_STRPTIME; INIT_STRPTIME;
INIT_SCANF; INIT_SCANF;
INIT_ISOC99_SCANF; INIT_ISOC99_SCANF;
INIT_PRINTF; INIT_PRINTF;
INIT_PRINTF_L; INIT_PRINTF_L;
INIT_ISOC99_PRINTF; INIT_ISOC99_PRINTF;
▲ Show 20 LinesShow All 195 LinesShow Last 20 Lines

lib/sanitizer_common/sanitizer_platform_interceptors.h

Show First 20 LinesShow All 158 Lines▼ Show 20 Lines
#define SANITIZER_INTERCEPT_READ SI_POSIX #define SANITIZER_INTERCEPT_READ SI_POSIX
#define SANITIZER_INTERCEPT_PREAD SI_POSIX #define SANITIZER_INTERCEPT_PREAD SI_POSIX
#define SANITIZER_INTERCEPT_WRITE SI_POSIX #define SANITIZER_INTERCEPT_WRITE SI_POSIX
#define SANITIZER_INTERCEPT_PWRITE SI_POSIX #define SANITIZER_INTERCEPT_PWRITE SI_POSIX
#define SANITIZER_INTERCEPT_FREAD SI_POSIX #define SANITIZER_INTERCEPT_FREAD SI_POSIX
#define SANITIZER_INTERCEPT_FWRITE SI_POSIX #define SANITIZER_INTERCEPT_FWRITE SI_POSIX
#define SANITIZER_INTERCEPT_FGETS SI_POSIX
#define SANITIZER_INTERCEPT_FPUTS SI_POSIX
#define SANITIZER_INTERCEPT_PUTS SI_POSIX
#define SANITIZER_INTERCEPT_PREAD64 SI_LINUX_NOT_ANDROID || SI_SOLARIS32 #define SANITIZER_INTERCEPT_PREAD64 SI_LINUX_NOT_ANDROID || SI_SOLARIS32
#define SANITIZER_INTERCEPT_PWRITE64 SI_LINUX_NOT_ANDROID || SI_SOLARIS32 #define SANITIZER_INTERCEPT_PWRITE64 SI_LINUX_NOT_ANDROID || SI_SOLARIS32
#define SANITIZER_INTERCEPT_READV SI_POSIX #define SANITIZER_INTERCEPT_READV SI_POSIX
#define SANITIZER_INTERCEPT_WRITEV SI_POSIX #define SANITIZER_INTERCEPT_WRITEV SI_POSIX
#define SANITIZER_INTERCEPT_PREADV \ #define SANITIZER_INTERCEPT_PREADV \
▲ Show 20 LinesShow All 336 LinesShow Last 20 Lines

lib/tsan/rtl/tsan_interceptors.cc

Show First 20 LinesShow All 1,730 Lines▼ Show 20 Lines
} }
TSAN_INTERCEPTOR(void, abort, int fake) { TSAN_INTERCEPTOR(void, abort, int fake) {
SCOPED_TSAN_INTERCEPTOR(abort, fake); SCOPED_TSAN_INTERCEPTOR(abort, fake);
FlushStreams(); FlushStreams();
REAL(abort)(fake); REAL(abort)(fake);
} }
TSAN_INTERCEPTOR(int, puts, const char *s) {
SCOPED_TSAN_INTERCEPTOR(puts, s);
MemoryAccessRange(thr, pc, (uptr)s, internal_strlen(s), false);
return REAL(puts)(s);
}
TSAN_INTERCEPTOR(int, rmdir, char *path) { TSAN_INTERCEPTOR(int, rmdir, char *path) {
SCOPED_TSAN_INTERCEPTOR(rmdir, path); SCOPED_TSAN_INTERCEPTOR(rmdir, path);
Release(thr, pc, Dir2addr(path)); Release(thr, pc, Dir2addr(path));
int res = REAL(rmdir)(path); int res = REAL(rmdir)(path);
return res; return res;
} }
TSAN_INTERCEPTOR(int, closedir, void *dirp) { TSAN_INTERCEPTOR(int, closedir, void *dirp) {
▲ Show 20 LinesShow All 948 Lines▼ Show 20 Lines#endif
TSAN_MAYBE_INTERCEPT___CLOSE; TSAN_MAYBE_INTERCEPT___CLOSE;
TSAN_MAYBE_INTERCEPT___RES_ICLOSE; TSAN_MAYBE_INTERCEPT___RES_ICLOSE;
TSAN_INTERCEPT(pipe); TSAN_INTERCEPT(pipe);
TSAN_INTERCEPT(pipe2); TSAN_INTERCEPT(pipe2);
TSAN_INTERCEPT(unlink); TSAN_INTERCEPT(unlink);
TSAN_INTERCEPT(tmpfile); TSAN_INTERCEPT(tmpfile);
TSAN_MAYBE_INTERCEPT_TMPFILE64; TSAN_MAYBE_INTERCEPT_TMPFILE64;
TSAN_INTERCEPT(fread);
TSAN_INTERCEPT(fwrite);
TSAN_INTERCEPT(abort); TSAN_INTERCEPT(abort);
TSAN_INTERCEPT(puts);
TSAN_INTERCEPT(rmdir); TSAN_INTERCEPT(rmdir);
TSAN_INTERCEPT(closedir); TSAN_INTERCEPT(closedir);
TSAN_INTERCEPT(sigsuspend); TSAN_INTERCEPT(sigsuspend);
TSAN_INTERCEPT(sigblock); TSAN_INTERCEPT(sigblock);
TSAN_INTERCEPT(sigsetmask); TSAN_INTERCEPT(sigsetmask);
TSAN_INTERCEPT(pthread_sigmask); TSAN_INTERCEPT(pthread_sigmask);
TSAN_INTERCEPT(raise); TSAN_INTERCEPT(raise);
▲ Show 20 LinesShow All 100 LinesShow Last 20 Lines

test/asan/TestCases/Posix/fgets_fputs.cc

// RUN: %clangxx_asan -g %s -o %t
// RUN: not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-FGETS
// RUN: not %run %t 2 2>&1 | FileCheck %s --check-prefix=CHECK-FPUTS
vitalybukaUnsubmitted
Done
ReplyInline Actions

could you please also create sanitizer_common test for each of moved functions?

vitalybuka: could you please also create sanitizer_common test for each of moved functions?
LekensteynAuthorUnsubmitted
Done
ReplyInline Actions

Do you mean a test that checks that everything works fine with valid boundaries, for example test/sanitizer_common/TestCases/Posix/access.cc?
Otherwise, stack/heap OOB is not caught by msan, tsan, ubsan, only by ASAN. As for UAF, only ASAN and TSAN managed to detect that.

TSAN already has an additional test in test/tsan/race_on_puts.c. Should I create a similar race_on_fgets/race_on_fputs?

It seems that the previous fgets interceptor in the msan was not tested either, that could also be a point of improvement.

Lekensteyn: Do you mean a test that checks that everything works fine with valid boundaries, for example…
vitalybukaUnsubmitted
Done
ReplyInline Actions

Yes, it's hard to test reports in sanitizer_common
Just positive test which just make sure that interceptor does not crash.

vitalybuka: Yes, it's hard to test reports in sanitizer_common Just positive test which just make sure…
// RUN: not %run %t 3 3 2>&1 | FileCheck %s --check-prefix=CHECK-PUTS
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int test_fgets() {
FILE *fp = fopen("/etc/passwd", "r");
char buf[2];
fgets(buf, sizeof(buf) + 1, fp); // BOOM
fclose(fp);
return 0;
}
int test_fputs() {
FILE *fp = fopen("/dev/null", "w");
char buf[1] = {'x'}; // Note: not nul-terminated
fputs(buf, fp); // BOOM
return fclose(fp);
}
void test_puts() {
char *p = strdup("x");
free(p);
puts(p); // BOOM
}
int main(int argc, char *argv[]) {
if (argc == 1)
test_fgets();
else if (argc == 2)
test_fputs();
else
test_puts();
return 0;
}
// CHECK-FGETS: {{.*ERROR: AddressSanitizer: stack-buffer-overflow}}
// CHECK-FGETS: #{{.*}} in {{(wrap_|__interceptor_)?}}fgets
// CHECK-FPUTS: {{.*ERROR: AddressSanitizer: stack-buffer-overflow}}
// CHECK-FPUTS: #{{.*}} in {{(wrap_|__interceptor_)?}}fputs
// CHECK-PUTS: {{.*ERROR: AddressSanitizer: heap-use-after-free}}
// CHECK-PUTS: #{{.*}} in {{(wrap_|__interceptor_)?}}puts

test/msan/fgets_fputs.cc

// RUN: %clangxx_msan -g %s -o %t
// RUN: %run %t
// RUN: not %run %t 2 2>&1 | FileCheck %s --check-prefix=CHECK-FPUTS
// RUN: not %run %t 3 3 2>&1 | FileCheck %s --check-prefix=CHECK-PUTS
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int test_fgets() {
FILE *fp = fopen("/dev/zero", "r");
char c;
if (!fgets(&c, 1, fp))
return 1;
if (c == '1') // No error
return 2;
fclose(fp);
return 0;
}
int test_fputs() {
FILE *fp = fopen("/dev/null", "w");
char buf[2];
fputs(buf, fp); // BOOM
return fclose(fp);
}
void test_puts() {
char buf[2];
puts(buf); // BOOM
}
int main(int argc, char *argv[]) {
if (argc == 1)
test_fgets();
else if (argc == 2)
test_fputs();
else
test_puts();
return 0;
}
// CHECK-FPUTS: Uninitialized bytes in __interceptor_fputs at offset 0 inside
// CHECK-PUTS: Uninitialized bytes in __interceptor_puts at offset 0 inside

test/sanitizer_common/TestCases/Posix/fgets.cc

// RUN: %clangxx -g %s -o %t && %run %t
#include <stdio.h>
int main(void) {
FILE *fp;
char buf[2];
char *s;
fp = fopen("/etc/passwd", "r");
if (!fp)
return 1;
s = fgets(buf, sizeof(buf), fp);
if (!s)
return 2;
fclose(fp);
return 0;
}

test/sanitizer_common/TestCases/Posix/fputs_puts.cc

// RUN: %clangxx -g %s -o %t && %run %t | FileCheck %s
// CHECK: {{^foobar$}}
#include <stdio.h>
int main(void) {
int r;
r = fputs("foo", stdout);
if (r < 0)
return 1;
r = puts("bar");
if (r < 0)
return 1;
return 0;
}

test/tsan/race_on_fputs.cc

// RUN: %clangxx_tsan -O1 %s -o %t && %deflake %run %t | FileCheck %s
#include "test.h"
char s[] = "abracadabra";
void *Thread0(void *p) {
fputs(s, stdout);
barrier_wait(&barrier);
return 0;
}
void *Thread1(void *p) {
barrier_wait(&barrier);
s[3] = 'z';
return 0;
}
int main() {
barrier_init(&barrier, 2);
pthread_t th[2];
pthread_create(&th[0], 0, Thread0, 0);
pthread_create(&th[1], 0, Thread1, 0);
pthread_join(th[0], 0);
pthread_join(th[1], 0);
fprintf(stderr, "DONE");
}
// CHECK: WARNING: ThreadSanitizer: data race
// CHECK: DONE