diff --git a/compiler-rt/lib/asan/asan_errors.h b/compiler-rt/lib/asan/asan_errors.h --- a/compiler-rt/lib/asan/asan_errors.h +++ b/compiler-rt/lib/asan/asan_errors.h @@ -48,7 +48,8 @@ scariness.Scare(10, "stack-overflow"); } else if (!signal.is_memory_access) { scariness.Scare(10, "signal"); - } else if (signal.addr < GetPageSizeCached()) { + } else if (signal.is_true_faulting_addr && + signal.addr < GetPageSizeCached()) { scariness.Scare(10, "null-deref"); } else if (signal.addr == signal.pc) { scariness.Scare(60, "wild-jump"); diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_common.h b/compiler-rt/lib/sanitizer_common/sanitizer_common.h --- a/compiler-rt/lib/sanitizer_common/sanitizer_common.h +++ b/compiler-rt/lib/sanitizer_common/sanitizer_common.h @@ -881,6 +881,11 @@ bool is_memory_access; enum WriteFlag { UNKNOWN, READ, WRITE } write_flag; + // In some cases the kernel cannot provide the true faulting address; `addr` + // will be zero then. This field allows to distinguish between these cases + // and "null dereferences". + bool is_true_faulting_addr; + // VS2013 doesn't implement unrestricted unions, so we need a trivial default // constructor SignalContext() = default; @@ -893,7 +898,8 @@ context(context), addr(GetAddress()), is_memory_access(IsMemoryAccess()), - write_flag(GetWriteFlag()) { + write_flag(GetWriteFlag()), + is_true_faulting_addr(IsTrueFaultingAddress()) { InitPcSpBp(); } @@ -914,6 +920,7 @@ uptr GetAddress() const; WriteFlag GetWriteFlag() const; bool IsMemoryAccess() const; + bool IsTrueFaultingAddress() const; }; void InitializePlatformEarly(); diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_posix.cpp b/compiler-rt/lib/sanitizer_common/sanitizer_posix.cpp --- a/compiler-rt/lib/sanitizer_common/sanitizer_posix.cpp +++ b/compiler-rt/lib/sanitizer_common/sanitizer_posix.cpp @@ -296,6 +296,12 @@ return si->si_signo == SIGSEGV; } +bool SignalContext::IsTrueFaultingAddress() const { + auto si = static_cast(siginfo); + // The real codes (e.g., SEGV_MAPERR, SEGV_MAPERR) are non-zero + return si->si_signo == SIGSEGV && si->si_code != 0; +} + int SignalContext::GetType() const { return static_cast(siginfo)->si_signo; } diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_report.cpp b/compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_report.cpp --- a/compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_report.cpp +++ b/compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_report.cpp @@ -191,9 +191,11 @@ SanitizerCommonDecorator d; Printf("%s", d.Warning()); const char *description = sig.Describe(); - Report("ERROR: %s: %s on unknown address %p (pc %p bp %p sp %p T%d)\n", - SanitizerToolName, description, (void *)sig.addr, (void *)sig.pc, - (void *)sig.bp, (void *)sig.sp, tid); + Report("ERROR: %s: %s on unknown address", SanitizerToolName, description); + if (!sig.is_memory_access || sig.is_true_faulting_addr) + Printf(" %p", (void *)sig.addr); + Printf(" (pc %p bp %p sp %p T%d)\n", (void *)sig.pc, (void *)sig.bp, + (void *)sig.sp, tid); Printf("%s", d.Default()); if (sig.pc < GetPageSizeCached()) Report("Hint: pc points to the zero page.\n"); @@ -203,7 +205,11 @@ ? "WRITE" : (sig.write_flag == SignalContext::READ ? "READ" : "UNKNOWN"); Report("The signal is caused by a %s memory access.\n", access_type); - if (sig.addr < GetPageSizeCached()) + if (!sig.is_true_faulting_addr) + Report("Hint: this fault was caused by a dereference of a high value " + "address (see registers below). Dissassemble the provided pc " + "to learn which register value was used.\n"); + else if (sig.addr < GetPageSizeCached()) Report("Hint: address points to the zero page.\n"); } MaybeReportNonExecRegion(sig.pc); diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_win.cpp b/compiler-rt/lib/sanitizer_common/sanitizer_win.cpp --- a/compiler-rt/lib/sanitizer_common/sanitizer_win.cpp +++ b/compiler-rt/lib/sanitizer_common/sanitizer_win.cpp @@ -945,6 +945,10 @@ return GetWriteFlag() != SignalContext::UNKNOWN; } +bool SignalContext::IsTrueFaultingAddress() const { + return IsMemoryAccess(); +} + SignalContext::WriteFlag SignalContext::GetWriteFlag() const { EXCEPTION_RECORD *exception_record = (EXCEPTION_RECORD *)siginfo; // The contents of this array are documented at diff --git a/compiler-rt/test/asan/TestCases/Darwin/high-address-dereference.c b/compiler-rt/test/asan/TestCases/Darwin/high-address-dereference.c new file mode 100644 --- /dev/null +++ b/compiler-rt/test/asan/TestCases/Darwin/high-address-dereference.c @@ -0,0 +1,49 @@ +// On x86_64 XNU does not provide the faulting address for dereferences of +// addresses greater than the 48-bit hardware addressable range, i.e., +// `siginfo.si_addr` is zero in ASan's SEGV signal handler. This test checks +// that ASan does not misrepresent such cases as "NULL dereferences". + +// REQUIRES: x86_64-target-arch +// RUN: %clang_asan %s -o %t +// RUN: export %env_asan_opts=print_scariness=1 +// RUN: not %run %t 0x0000000000000000 2>&1 | FileCheck %s --check-prefixes=ZERO,HINT-PAGE0 +// RUN: not %run %t 0x0000000000000FFF 2>&1 | FileCheck %s --check-prefixes=LOW1,HINT-PAGE0 +// RUN: not %run %t 0x0000000000001000 2>&1 | FileCheck %s --check-prefixes=LOW2,HINT-NONE +// RUN: not %run %t 0x4141414141414141 2>&1 | FileCheck %s --check-prefixes=HIGH,HINT-HIGHADDR +// RUN: not %run %t 0xFFFFFFFFFFFFFFFF 2>&1 | FileCheck %s --check-prefixes=MAX,HINT-HIGHADDR + +#include +#include + +int main(int argc, const char *argv[]) { + const char *hex = argv[1]; + uint64_t *addr = (uint64_t *)strtoull(hex, NULL, 16); + uint64_t x = *addr; + printf("%llu\n", x); + return 0; +} + +// ZERO: SEGV on unknown address 0x000000000000 (pc +// LOW1: SEGV on unknown address 0x000000000fff (pc +// LOW2: SEGV on unknown address 0x000000001000 (pc +// HIGH: SEGV on unknown address (pc +// MAX: SEGV on unknown address (pc + +// HINT-PAGE0-NOT: Hint: this fault was caused by a dereference of a high value address +// HINT-PAGE0: Hint: address points to the zero page. + +// HINT-NONE-NOT: Hint: this fault was caused by a dereference of a high value address +// HINT-NONE-NOT: Hint: address points to the zero page. + +// HINT-HIGHADDR: Hint: this fault was caused by a dereference of a high value address +// HINT-HIGHADDR-NOT: Hint: address points to the zero page. + +// ZERO: SCARINESS: 10 (null-deref) +// LOW1: SCARINESS: 10 (null-deref) +// LOW2: SCARINESS: 20 (wild-addr-read) +// HIGH: SCARINESS: 20 (wild-addr-read) +// MAX: SCARINESS: 20 (wild-addr-read) + +// HIGH,MAX: Register values: +// HIGH: = 0x4141414141414141 +// MAX: = 0xffffffffffffffff