[asan] instrument memory accesses with unusual sizes

kcc · kcc · commit 9f298da9bd4a · 2013-02-19T11:30:25.000Z
This patch makes asan instrument memory accesses with unusual sizes (e.g. 5 bytes or 10 bytes), e.g. long double or
packed structures.
Instrumentation is done with two 1-byte checks
(first and last bytes) and if the error is found
__asan_report_load_n(addr, real_size) or
__asan_report_store_n(addr, real_size)
is called.

asan-rt part

Also fix lint.

llvm-svn: 175508
diff --git a/compiler-rt/lib/asan/asan_mac.cc b/compiler-rt/lib/asan/asan_mac.cc
@@ -114,7 +114,7 @@ void LeakyResetEnv(const char *name, const char *name_value) {
           char **del = environ;
           do {
             del[0] = del[1];
-          } while(*del++);
+          } while (*del++);
         }
       }
     }
@@ -193,7 +193,8 @@ void MaybeReexec() {
         if ((uptr)(piece_start - dyld_insert_libraries) > old_env_len) break;
         uptr piece_len = piece_end - piece_start;
 
-        // If the current piece isn't the runtime library name, append it to new_env.
+        // If the current piece isn't the runtime library name,
+        // append it to new_env.
         if ((piece_len != fname_len) ||
             (internal_strncmp(piece_start, info.dli_fname, fname_len) != 0)) {
           if (new_env_pos != new_env + env_name_len + 1) {
@@ -202,7 +203,7 @@ void MaybeReexec() {
           }
           internal_strncpy(new_env_pos, piece_start, piece_len);
         }
-        // Move on to the next piece. 
+        // Move on to the next piece.
         new_env_pos += piece_len;
         piece_start = piece_end;
       } while (piece_start < old_env_end);
diff --git a/compiler-rt/lib/asan/asan_rtl.cc b/compiler-rt/lib/asan/asan_rtl.cc
@@ -222,6 +222,17 @@ ASAN_REPORT_ERROR(store, true, 4)
 ASAN_REPORT_ERROR(store, true, 8)
 ASAN_REPORT_ERROR(store, true, 16)
 
+#define ASAN_REPORT_ERROR_N(type, is_write)                    \
+extern "C" NOINLINE INTERFACE_ATTRIBUTE                        \
+void __asan_report_ ## type ## _n(uptr addr, uptr size);       \
+void __asan_report_ ## type ## _n(uptr addr, uptr size) {      \
+  GET_CALLER_PC_BP_SP;                                         \
+  __asan_report_error(pc, bp, sp, addr, is_write, size);       \
+}
+
+ASAN_REPORT_ERROR_N(load, false)
+ASAN_REPORT_ERROR_N(store, true)
+
 // Force the linker to keep the symbols for various ASan interface functions.
 // We want to keep those in the executable in order to let the instrumented
 // dynamic libraries access the symbol even if it is not used by the executable
diff --git a/compiler-rt/lib/asan/lit_tests/Darwin/interface_symbols_darwin.c b/compiler-rt/lib/asan/lit_tests/Darwin/interface_symbols_darwin.c
@@ -31,6 +31,8 @@
 // RUN: echo __asan_report_store4 >> %t.interface
 // RUN: echo __asan_report_store8 >> %t.interface
 // RUN: echo __asan_report_store16 >> %t.interface
+// RUN: echo __asan_report_load_n >> %t.interface
+// RUN: echo __asan_report_store_n >> %t.interface
 
 // RUN: cat %t.interface | sort -u | diff %t.symbols -
 
diff --git a/compiler-rt/lib/asan/lit_tests/Linux/interface_symbols_linux.c b/compiler-rt/lib/asan/lit_tests/Linux/interface_symbols_linux.c
@@ -23,6 +23,8 @@
 // RUN: echo __asan_report_store4 >> %t.interface
 // RUN: echo __asan_report_store8 >> %t.interface
 // RUN: echo __asan_report_store16 >> %t.interface
+// RUN: echo __asan_report_load_n >> %t.interface
+// RUN: echo __asan_report_store_n >> %t.interface
 // RUN: cat %t.interface | sort -u | diff %t.symbols -
 
 int main() { return 0; }
diff --git a/compiler-rt/lib/asan/tests/asan_test.cc b/compiler-rt/lib/asan/tests/asan_test.cc
@@ -170,6 +170,26 @@ TEST(AddressSanitizer, UAF_char) {
   EXPECT_DEATH(uaf_test<U1>(kLargeMalloc, kLargeMalloc / 2), uaf_string);
 }
 
+TEST(AddressSanitizer, UAF_long_double) {
+  long double *p = Ident(new long double[10]);
+  EXPECT_DEATH(Ident(p)[12] = 0, "WRITE of size 10");
+  EXPECT_DEATH(Ident(p)[0] = Ident(p)[12], "READ of size 10");
+  delete [] Ident(p);
+}
+
+struct Packed5 {
+  int x;
+  char c;
+} __attribute__((packed));
+
+
+TEST(AddressSanitizer, UAF_Packed5) {
+  Packed5 *p = Ident(new Packed5[2]);
+  EXPECT_DEATH(p[0] = p[3], "READ of size 5");
+  EXPECT_DEATH(p[3] = p[0], "WRITE of size 5");
+  delete [] Ident(p);
+}
+
 #if ASAN_HAS_BLACKLIST
 TEST(AddressSanitizer, IgnoreTest) {
   int *x = Ident(new int);
diff --git a/compiler-rt/lib/sanitizer_common/tests/sanitizer_libc_test.cc b/compiler-rt/lib/sanitizer_common/tests/sanitizer_libc_test.cc
@@ -57,7 +57,8 @@ TEST(SanitizerCommon, FileOps) {
 
   u32 uid = GetUid();
   char temp_filename[128];
-  internal_snprintf(temp_filename, 128, "/tmp/sanitizer_common.tmp.%d", uid);
+  internal_snprintf(temp_filename, sizeof(temp_filename),
+                    "/tmp/sanitizer_common.tmp.%d", uid);
   fd_t fd = OpenFile(temp_filename, true);
   EXPECT_NE(fd, kInvalidFd);
   EXPECT_EQ(len1, internal_write(fd, str1, len1));

Original file line number	Diff line number	Diff line change
`@@ -114,7 +114,7 @@ void LeakyResetEnv(const char name, const char name_value) {`
`114`	`114`	`char **del = environ;`
`115`	`115`	`do {`
`116`	`116`	`del[0] = del[1];`
`117`		`- } while(*del++);`
	`117`	`+ } while (*del++);`
`118`	`118`	`}`
`119`	`119`	`}`
`120`	`120`	`}`
`@@ -193,7 +193,8 @@ void MaybeReexec() {`
`193`	`193`	`if ((uptr)(piece_start - dyld_insert_libraries) > old_env_len) break;`
`194`	`194`	`uptr piece_len = piece_end - piece_start;`
`195`	`195`
`196`		`- // If the current piece isn't the runtime library name, append it to new_env.`
	`196`	`+ // If the current piece isn't the runtime library name,`
	`197`	`+ // append it to new_env.`
`197`	`198`	`if ((piece_len != fname_len) \|\|`
`198`	`199`	`(internal_strncmp(piece_start, info.dli_fname, fname_len) != 0)) {`
`199`	`200`	`if (new_env_pos != new_env + env_name_len + 1) {`
`@@ -202,7 +203,7 @@ void MaybeReexec() {`
`202`	`203`	`}`
`203`	`204`	`internal_strncpy(new_env_pos, piece_start, piece_len);`
`204`	`205`	`}`
`205`		`- // Move on to the next piece.`
	`206`	`+ // Move on to the next piece.`
`206`	`207`	`new_env_pos += piece_len;`
`207`	`208`	`piece_start = piece_end;`
`208`	`209`	`} while (piece_start < old_env_end);`