This is an archive of the discontinued LLVM Phabricator instance.

Differential D8193

asan: fix overflows in isSafeAccess
ClosedPublic

Authored by dvyukov on Mar 10 2015, 3:24 AM.

Details

Reviewers
nlopes
Summary

As pointed out in http://reviews.llvm.org/D7583
The current checks can cause overflows when object size/access offset cross Quintillion bytes.

Diff Detail

Event Timeline

dvyukov updated this revision to Diff 21558.Mar 10 2015, 3:24 AM
dvyukov retitled this revision from to asan: fix overflows in isSafeAccess.
dvyukov updated this object.
dvyukov edited the test plan for this revision. (Show Details)
dvyukov added a reviewer: nlopes.
dvyukov added a subscriber: Unknown Object (MLST).
nlopes accepted this revision.Mar 14 2015, 11:32 AM
nlopes edited edge metadata.

LGTM.

This revision is now accepted and ready to land.Mar 14 2015, 11:32 AM
dvyukov added a comment.Mar 16 2015, 1:07 AM

committed as 232358.

Eugene.Zelenko closed this revision.Sep 22 2016, 12:05 PM

Revision Contents

PathSize
lib/
Transforms/
Instrumentation/
6 lines

Diff 21558

lib/Transforms/Instrumentation/AddressSanitizer.cpp

Show First 20 LinesShow All 2,045 Lines▼ Show 20 Lines
// isSafeAccess returns true if Addr is always inbounds with respect to its // isSafeAccess returns true if Addr is always inbounds with respect to its
// base object. For example, it is a field access or an array access with // base object. For example, it is a field access or an array access with
// constant inbounds index. // constant inbounds index.
bool AddressSanitizer::isSafeAccess(ObjectSizeOffsetVisitor &ObjSizeVis, bool AddressSanitizer::isSafeAccess(ObjectSizeOffsetVisitor &ObjSizeVis,
Value *Addr, uint64_t TypeSize) const { Value *Addr, uint64_t TypeSize) const {
SizeOffsetType SizeOffset = ObjSizeVis.compute(Addr); SizeOffsetType SizeOffset = ObjSizeVis.compute(Addr);
if (!ObjSizeVis.bothKnown(SizeOffset)) return false; if (!ObjSizeVis.bothKnown(SizeOffset)) return false;
int64_t Size = SizeOffset.first.getSExtValue(); uint64_t Size = SizeOffset.first.getZExtValue();
int64_t Offset = SizeOffset.second.getSExtValue(); int64_t Offset = SizeOffset.second.getSExtValue();
// Three checks are required to ensure safety: // Three checks are required to ensure safety:
// . Offset >= 0 (since the offset is given from the base ptr) // . Offset >= 0 (since the offset is given from the base ptr)
// . Size >= Offset (unsigned) // . Size >= Offset (unsigned)
// . Size - Offset >= NeededSize (unsigned) // . Size - Offset >= NeededSize (unsigned)
return Offset >= 0 && Size >= Offset && return Offset >= 0 && Size >= uint64_t(Offset) &&
uint64_t(Size - Offset) >= TypeSize / 8; Size - uint64_t(Offset) >= TypeSize / 8;
} }