This is an archive of the discontinued LLVM Phabricator instance.

Differential D4774

[clang/asan] call __asan_poison_cxx_array_cookie after operator new[]
ClosedPublic

Authored by kcc on Aug 4 2014, 5:58 AM.

Details

Reviewers
samsonov
timurrrr
rsmith
Commits
rG4ee6904288f1: [clang/asan] call __asan_poison_cxx_array_cookie after operator new[]
rC216434: [clang/asan] call __asan_poison_cxx_array_cookie after operator new[]
rL216434: [clang/asan] call __asan_poison_cxx_array_cookie after operator new[]
Summary

PR19838
When operator new[] is called and an array cookie is created
we want asan to detect buffer overflow bugs that touch the cookie.
For that we need to

a) poison the shadow for the array cookie (call __asan_poison_cxx_array_cookie).
b) ignore the legal accesses to the cookie generated by clang (add 'nosanitize' metadata)

Diff Detail

Event Timeline

kcc updated this revision to Diff 12155.Aug 4 2014, 5:58 AM
kcc retitled this revision from to [clang/asan] call __asan_poison_cxx_array_cookie after operator new[].
kcc updated this object.
kcc edited the test plan for this revision. (Show Details)
kcc added reviewers: samsonov, rsmith.
kcc added a subscriber: Unknown Object (MLST).
kcc updated this revision to Diff 12156.Aug 4 2014, 6:06 AM

remove unnecessary file

kcc added a comment.Aug 15 2014, 3:28 PM

ping?

samsonov edited edge metadata.Aug 21 2014, 10:46 AM

Sorry for delay. Looking at it now.

samsonov added a reviewer: timurrrr.Aug 21 2014, 10:57 AM
samsonov added inline comments.
lib/CodeGen/ItaniumCXXABI.cpp
1450

Hm, I think we'd need to ask Timur to implement similar logic for Microsoft ABI?

1482

Please start local variable names with capitals

1483

Why don't you use fixed type for __asan_poison_cxx_array_cookie (like IntptrTy)?

rsmith edited edge metadata.Aug 21 2014, 11:25 AM

Is this change correct? Suppose I do this:

char Buffer[32];
// ...
new (Buffer) int[4];
// ...
new (Buffer) int(0);

Won't we get a false positive on the last line?

samsonov added a comment.Aug 21 2014, 1:17 PM

I thought of one more test case we should add:

__attribute__((no_sanitize_address))
int *createArray(int n) {
  return new int[n];
}

int bad_access() {  
  int *array = createArray(4);
  return array[-1];
}

We certainly want to print an error in this case, even though we have attribute on createArray() function. I believe current code *would* handle this correctly, but let's test this behavior.

timurrrr edited edge metadata.Aug 22 2014, 5:34 AM

Am I right that skipping MicrosoftCXXABI for a while won't give us false positives?
If so, I'd wait until a change to ItaniumCXXABI lands and then I can just do that for MicrosoftCXXABI.

samsonov added a comment.Aug 22 2014, 1:38 PM

Sure, we can add support for this to MicrosoftCXXABI later.

kcc added a comment.Aug 25 2014, 11:20 AM
In D4774#11, @samsonov wrote:

I thought of one more test case we should add:

__attribute__((no_sanitize_address))
int *createArray(int n) {
  return new int[n];
}

int bad_access() {  
  int *array = createArray(4);
  return array[-1];
}

We certainly want to print an error in this case, even though we have attribute on createArray() function. I believe current code *would* handle this correctly, but let's test this behavior.

I'd prefer to add such test to compiler-rt, not to clang, as it is a run-time test.

In D4774#10, @rsmith wrote:

Is this change correct? Suppose I do this:

char Buffer[32];
// ...
new (Buffer) int[4];
// ...
new (Buffer) int(0);

Won't we get a false positive on the last line?

Not sure I understand this test.
First, with arrays of PODs you don't have cookies at all.
Second, do we have the cookie with placement new at all?
Pardon my ignorance here; this is my test case:

#include <stdio.h>
#include <new>
struct C {
  int x;
  ~C() {fprintf(stderr, "ZZZZZZZZ\n");}
};
char Buffer[100];
C *c;
int main(int argc, char **argv) { 
  c = new (Buffer) C[argc];
}

clang++ -O -fsanitize=address ~/tmp/new_ar_placement.cc -S -o - -emit-llvm

define i32 @main(i32 %argc, i8** nocapture readnone %argv) #0 {
entry:

store %struct.C* bitcast ({ [100 x i8], [60 x i8] }* @Buffer to %struct.C*), %struct.C** getelementptr inbounds ({ %struct.C*, [56 x i8] }* @c, i32 0, i32 0), align 8, !tbaa !5
ret i32 0

}

// No cookie

lib/CodeGen/ItaniumCXXABI.cpp
1450

yes, but not in this round

1482

done

1483

What's wrong with i64* ?
Having I64 here will just require one more cast

kcc updated this revision to Diff 12906.Aug 25 2014, 11:24 AM
kcc edited edge metadata.

address some of the comments

kcc updated this revision to Diff 12914.Aug 25 2014, 1:10 PM

Don't insert insrumentation for placement new, add a relevant test.

Richard, PTAL

rsmith added inline comments.Aug 25 2014, 4:10 PM
lib/CodeGen/ItaniumCXXABI.cpp
1480

Use expr->getOperatorNew()->isReplaceableGlobalAllocationFunction() here, so that you also sanitize new (std::nothrow) X[n].

kcc updated this revision to Diff 12924.Aug 25 2014, 4:24 PM

Use expr->getOperatorNew()->isReplaceableGlobalAllocationFunction()
and add a test to verify that new (std::nothrow) X[n] is instrumented.

PTAL

rsmith accepted this revision.Aug 25 2014, 6:33 PM
rsmith edited edge metadata.

LGTM

This revision is now accepted and ready to land.Aug 25 2014, 6:33 PM
kcc closed this revision.Aug 25 2014, 7:39 PM

Revision Contents

Diff 12906

lib/CodeGen/CodeGenFunction.cpp

Show First 20 LinesShow All 1,677 Lines▼ Show 20 LinesCodeGenFunction::SanitizerScope::~SanitizerScope() {
CGF->IsSanitizerScope = false; CGF->IsSanitizerScope = false;
} }
void CodeGenFunction::InsertHelper(llvm::Instruction *I, void CodeGenFunction::InsertHelper(llvm::Instruction *I,
const llvm::Twine &Name, const llvm::Twine &Name,
llvm::BasicBlock *BB, llvm::BasicBlock *BB,
llvm::BasicBlock::iterator InsertPt) const { llvm::BasicBlock::iterator InsertPt) const {
LoopStack.InsertHelper(I); LoopStack.InsertHelper(I);
if (IsSanitizerScope) { if (IsSanitizerScope)
I->setMetadata( CGM.getSanitizerMetadata()->disableSanitizerForInstruction(I);
CGM.getModule().getMDKindID("nosanitize"),
llvm::MDNode::get(CGM.getLLVMContext(), ArrayRef<llvm::Value *>()));
}
} }
template <bool PreserveNames> template <bool PreserveNames>
void CGBuilderInserter<PreserveNames>::InsertHelper( void CGBuilderInserter<PreserveNames>::InsertHelper(
llvm::Instruction *I, const llvm::Twine &Name, llvm::BasicBlock *BB, llvm::Instruction *I, const llvm::Twine &Name, llvm::BasicBlock *BB,
llvm::BasicBlock::iterator InsertPt) const { llvm::BasicBlock::iterator InsertPt) const {
llvm::IRBuilderDefaultInserter<PreserveNames>::InsertHelper(I, Name, BB, llvm::IRBuilderDefaultInserter<PreserveNames>::InsertHelper(I, Name, BB,
InsertPt); InsertPt);
Show All 13 Lines

lib/CodeGen/ItaniumCXXABI.cpp

Show First 20 LinesShow All 1,441 Lines▼ Show 20 Lines
CharUnits ItaniumCXXABI::getArrayCookieSizeImpl(QualType elementType) { CharUnits ItaniumCXXABI::getArrayCookieSizeImpl(QualType elementType) {
// The array cookie is a size_t; pad that up to the element alignment. // The array cookie is a size_t; pad that up to the element alignment.
// The cookie is actually right-justified in that space. // The cookie is actually right-justified in that space.
return std::max(CharUnits::fromQuantity(CGM.SizeSizeInBytes), return std::max(CharUnits::fromQuantity(CGM.SizeSizeInBytes),
CGM.getContext().getTypeAlignInChars(elementType)); CGM.getContext().getTypeAlignInChars(elementType));
} }
llvm::Value *ItaniumCXXABI::InitializeArrayCookie(CodeGenFunction &CGF, llvm::Value *ItaniumCXXABI::InitializeArrayCookie(CodeGenFunction &CGF,
samsonovUnsubmitted
Not Done
ReplyInline Actions

Hm, I think we'd need to ask Timur to implement similar logic for Microsoft ABI?

samsonov: Hm, I think we'd need to ask Timur to implement similar logic for Microsoft ABI?
kccAuthorUnsubmitted
Not Done
ReplyInline Actions

yes, but not in this round

kcc: yes, but not in this round
llvm::Value *NewPtr, llvm::Value *NewPtr,
llvm::Value *NumElements, llvm::Value *NumElements,
const CXXNewExpr *expr, const CXXNewExpr *expr,
QualType ElementType) { QualType ElementType) {
assert(requiresArrayCookie(expr)); assert(requiresArrayCookie(expr));
unsigned AS = NewPtr->getType()->getPointerAddressSpace(); unsigned AS = NewPtr->getType()->getPointerAddressSpace();
Show All 9 Linesllvm::Value *ItaniumCXXABI::InitializeArrayCookie(CodeGenFunction &CGF,
// Compute an offset to the cookie. // Compute an offset to the cookie.
llvm::Value *CookiePtr = NewPtr; llvm::Value *CookiePtr = NewPtr;
CharUnits CookieOffset = CookieSize - SizeSize; CharUnits CookieOffset = CookieSize - SizeSize;
if (!CookieOffset.isZero()) if (!CookieOffset.isZero())
CookiePtr = CGF.Builder.CreateConstInBoundsGEP1_64(CookiePtr, CookiePtr = CGF.Builder.CreateConstInBoundsGEP1_64(CookiePtr,
CookieOffset.getQuantity()); CookieOffset.getQuantity());
// Write the number of elements into the appropriate slot. // Write the number of elements into the appropriate slot.
llvm::Value *NumElementsPtr llvm::Type *NumElementsTy = CGF.ConvertType(SizeTy)->getPointerTo(AS);
= CGF.Builder.CreateBitCast(CookiePtr, llvm::Value *NumElementsPtr =
CGF.ConvertType(SizeTy)->getPointerTo(AS)); CGF.Builder.CreateBitCast(CookiePtr, NumElementsTy);
CGF.Builder.CreateStore(NumElements, NumElementsPtr); llvm::Instruction *SI = CGF.Builder.CreateStore(NumElements, NumElementsPtr);
if (CGM.getLangOpts().Sanitize.Address) {
rsmithUnsubmitted
Not Done
ReplyInline Actions

Use expr->getOperatorNew()->isReplaceableGlobalAllocationFunction() here, so that you also sanitize new (std::nothrow) X[n].

rsmith: Use `expr->getOperatorNew()->isReplaceableGlobalAllocationFunction()` here, so that you also…
CGM.getSanitizerMetadata()->disableSanitizerForInstruction(SI);
llvm::FunctionType *FTy =
samsonovUnsubmitted
Not Done
ReplyInline Actions

Please start local variable names with capitals

samsonov: Please start local variable names with capitals
kccAuthorUnsubmitted
Not Done
ReplyInline Actions

done

kcc: done
llvm::FunctionType::get(CGM.VoidTy, NumElementsTy, false);
samsonovUnsubmitted
Not Done
ReplyInline Actions

Why don't you use fixed type for __asan_poison_cxx_array_cookie (like IntptrTy)?

samsonov: Why don't you use fixed type for __asan_poison_cxx_array_cookie (like IntptrTy)?
kccAuthorUnsubmitted
Not Done
ReplyInline Actions

What's wrong with i64* ?
Having I64 here will just require one more cast

kcc: What's wrong with i64* ? Having I64 here will just require one more cast
llvm::Constant *F =
CGM.CreateRuntimeFunction(FTy, "__asan_poison_cxx_array_cookie");
CGF.Builder.CreateCall(F, NumElementsPtr);
}
// Finally, compute a pointer to the actual data buffer by skipping // Finally, compute a pointer to the actual data buffer by skipping
// over the cookie completely. // over the cookie completely.
return CGF.Builder.CreateConstInBoundsGEP1_64(NewPtr, return CGF.Builder.CreateConstInBoundsGEP1_64(NewPtr,
CookieSize.getQuantity()); CookieSize.getQuantity());
} }
llvm::Value *ItaniumCXXABI::readArrayCookieImpl(CodeGenFunction &CGF, llvm::Value *ItaniumCXXABI::readArrayCookieImpl(CodeGenFunction &CGF,
llvm::Value *allocPtr, llvm::Value *allocPtr,
CharUnits cookieSize) { CharUnits cookieSize) {
// The element size is right-justified in the cookie. // The element size is right-justified in the cookie.
llvm::Value *numElementsPtr = allocPtr; llvm::Value *numElementsPtr = allocPtr;
CharUnits numElementsOffset = CharUnits numElementsOffset =
cookieSize - CharUnits::fromQuantity(CGF.SizeSizeInBytes); cookieSize - CharUnits::fromQuantity(CGF.SizeSizeInBytes);
if (!numElementsOffset.isZero()) if (!numElementsOffset.isZero())
numElementsPtr = numElementsPtr =
CGF.Builder.CreateConstInBoundsGEP1_64(numElementsPtr, CGF.Builder.CreateConstInBoundsGEP1_64(numElementsPtr,
numElementsOffset.getQuantity()); numElementsOffset.getQuantity());
unsigned AS = allocPtr->getType()->getPointerAddressSpace(); unsigned AS = allocPtr->getType()->getPointerAddressSpace();
numElementsPtr = numElementsPtr =
CGF.Builder.CreateBitCast(numElementsPtr, CGF.SizeTy->getPointerTo(AS)); CGF.Builder.CreateBitCast(numElementsPtr, CGF.SizeTy->getPointerTo(AS));
return CGF.Builder.CreateLoad(numElementsPtr); llvm::Instruction *LI = CGF.Builder.CreateLoad(numElementsPtr);
if (CGM.getLangOpts().Sanitize.Address)
CGM.getSanitizerMetadata()->disableSanitizerForInstruction(LI);
return LI;
} }
CharUnits ARMCXXABI::getArrayCookieSizeImpl(QualType elementType) { CharUnits ARMCXXABI::getArrayCookieSizeImpl(QualType elementType) {
// ARM says that the cookie is always: // ARM says that the cookie is always:
// struct array_cookie { // struct array_cookie {
// std::size_t element_size; // element_size != 0 // std::size_t element_size; // element_size != 0
// std::size_t element_count; // std::size_t element_count;
// }; // };
▲ Show 20 LinesShow All 1,480 LinesShow Last 20 Lines

lib/CodeGen/SanitizerMetadata.h

Show All 12 Lines
#ifndef LLVM_CLANG_LIB_CODEGEN_SANITIZERMETADATA_H #ifndef LLVM_CLANG_LIB_CODEGEN_SANITIZERMETADATA_H
#define LLVM_CLANG_LIB_CODEGEN_SANITIZERMETADATA_H #define LLVM_CLANG_LIB_CODEGEN_SANITIZERMETADATA_H
#include "clang/Basic/LLVM.h" #include "clang/Basic/LLVM.h"
#include "clang/Basic/SourceLocation.h" #include "clang/Basic/SourceLocation.h"
namespace llvm { namespace llvm {
class GlobalVariable; class GlobalVariable;
class Instruction;
class MDNode; class MDNode;
} }
namespace clang { namespace clang {
class VarDecl; class VarDecl;
namespace CodeGen { namespace CodeGen {
class CodeGenModule; class CodeGenModule;
class SanitizerMetadata { class SanitizerMetadata {
SanitizerMetadata(const SanitizerMetadata &) LLVM_DELETED_FUNCTION; SanitizerMetadata(const SanitizerMetadata &) LLVM_DELETED_FUNCTION;
void operator=(const SanitizerMetadata &) LLVM_DELETED_FUNCTION; void operator=(const SanitizerMetadata &) LLVM_DELETED_FUNCTION;
CodeGenModule &CGM; CodeGenModule &CGM;
public: public:
SanitizerMetadata(CodeGenModule &CGM); SanitizerMetadata(CodeGenModule &CGM);
void reportGlobalToASan(llvm::GlobalVariable *GV, const VarDecl &D, void reportGlobalToASan(llvm::GlobalVariable *GV, const VarDecl &D,
bool IsDynInit = false); bool IsDynInit = false);
void reportGlobalToASan(llvm::GlobalVariable *GV, SourceLocation Loc, void reportGlobalToASan(llvm::GlobalVariable *GV, SourceLocation Loc,
StringRef Name, bool IsDynInit = false, StringRef Name, bool IsDynInit = false,
bool IsBlacklisted = false); bool IsBlacklisted = false);
void disableSanitizerForGlobal(llvm::GlobalVariable *GV); void disableSanitizerForGlobal(llvm::GlobalVariable *GV);
void disableSanitizerForInstruction(llvm::Instruction *I);
private: private:
llvm::MDNode *getLocationMetadata(SourceLocation Loc); llvm::MDNode *getLocationMetadata(SourceLocation Loc);
}; };
} // end namespace CodeGen } // end namespace CodeGen
} // end namespace clang } // end namespace clang
#endif #endif

lib/CodeGen/SanitizerMetadata.cpp

Show First 20 LinesShow All 61 Lines▼ Show 20 Lines
void SanitizerMetadata::disableSanitizerForGlobal(llvm::GlobalVariable *GV) { void SanitizerMetadata::disableSanitizerForGlobal(llvm::GlobalVariable *GV) {
// For now, just make sure the global is not modified by the ASan // For now, just make sure the global is not modified by the ASan
// instrumentation. // instrumentation.
if (CGM.getLangOpts().Sanitize.Address) if (CGM.getLangOpts().Sanitize.Address)
reportGlobalToASan(GV, SourceLocation(), "", false, true); reportGlobalToASan(GV, SourceLocation(), "", false, true);
} }
void SanitizerMetadata::disableSanitizerForInstruction(llvm::Instruction *I) {
I->setMetadata(
CGM.getModule().getMDKindID("nosanitize"),
llvm::MDNode::get(CGM.getLLVMContext(), ArrayRef<llvm::Value *>()));
}
llvm::MDNode *SanitizerMetadata::getLocationMetadata(SourceLocation Loc) { llvm::MDNode *SanitizerMetadata::getLocationMetadata(SourceLocation Loc) {
PresumedLoc PLoc = CGM.getContext().getSourceManager().getPresumedLoc(Loc); PresumedLoc PLoc = CGM.getContext().getSourceManager().getPresumedLoc(Loc);
if (!PLoc.isValid()) if (!PLoc.isValid())
return nullptr; return nullptr;
llvm::LLVMContext &VMContext = CGM.getLLVMContext(); llvm::LLVMContext &VMContext = CGM.getLLVMContext();
llvm::Value *LocMetadata[] = { llvm::Value *LocMetadata[] = {
llvm::MDString::get(VMContext, PLoc.getFilename()), llvm::MDString::get(VMContext, PLoc.getFilename()),
llvm::ConstantInt::get(llvm::Type::getInt32Ty(VMContext), PLoc.getLine()), llvm::ConstantInt::get(llvm::Type::getInt32Ty(VMContext), PLoc.getLine()),
llvm::ConstantInt::get(llvm::Type::getInt32Ty(VMContext), llvm::ConstantInt::get(llvm::Type::getInt32Ty(VMContext),
PLoc.getColumn()), PLoc.getColumn()),
}; };
return llvm::MDNode::get(VMContext, LocMetadata); return llvm::MDNode::get(VMContext, LocMetadata);
} }

test/CodeGen/address-sanitizer-and-array-cookie.cpp

  • This file was added.
// RUN: %clang_cc1 -triple x86_64-gnu-linux -emit-llvm -o - %s | FileCheck %s -check-prefix=PLAIN
// RUN: %clang_cc1 -triple x86_64-gnu-linux -emit-llvm -o - -fsanitize=address %s | FileCheck %s -check-prefix=ASAN
struct C {
int x;
~C();
};
C *CallNew() {
return new C[10];
}
// PLAIN-LABEL: CallNew
// PLAIN-NOT: nosanitize
// PLAIN-NOT: __asan_poison_cxx_array_cookie
// ASAN-LABEL: CallNew
// ASAN: store{{.*}}nosanitize
// ASAN-NOT: nosanitize
// ASAN: call void @__asan_poison_cxx_array_cookie
void CallDelete(C *c) {
delete [] c;
}
// PLAIN-LABEL: CallDelete
// PLAIN-NOT: nosanitize
// ASAN-LABEL: CallDelete
// ASAN: load{{.*}}!nosanitize
// ASAN-NOT: nosanitize