diff --git a/compiler-rt/lib/hwasan/hwasan_allocator.cc b/compiler-rt/lib/hwasan/hwasan_allocator.cc index 6b62b6a34f41..0c541679bdec 100644 --- a/compiler-rt/lib/hwasan/hwasan_allocator.cc +++ b/compiler-rt/lib/hwasan/hwasan_allocator.cc @@ -119,11 +119,11 @@ void HwasanThreadLocalMallocStorage::CommitBack() { allocator.SwallowCache(GetAllocatorCache(this)); } -static void *HwasanAllocate(StackTrace *stack, uptr size, uptr alignment, - bool zeroise) { - if (!size) return nullptr; +static void *HwasanAllocate(StackTrace *stack, uptr orig_size, uptr alignment, + bool zeroise) { + if (!orig_size) return nullptr; alignment = Max(alignment, kShadowAlignment); - size = RoundUpTo(size, kShadowAlignment); + uptr size = RoundUpTo(orig_size, kShadowAlignment); if (size > kMaxAllowedMallocSize) { if (AllocatorMayReturnNull()) { @@ -152,7 +152,7 @@ static void *HwasanAllocate(StackTrace *stack, uptr size, uptr alignment, Metadata *meta = reinterpret_cast(allocator.GetMetaData(allocated)); meta->state = CHUNK_ALLOCATED; - meta->requested_size = static_cast(size); + meta->requested_size = static_cast(orig_size); meta->alloc_context_id = StackDepotPut(*stack); if (zeroise) { internal_memset(allocated, 0, size); @@ -204,7 +204,7 @@ void HwasanDeallocate(StackTrace *stack, void *tagged_ptr) { } if (flags()->tag_in_free && atomic_load_relaxed(&hwasan_allocator_tagging_enabled)) - TagMemoryAligned((uptr)untagged_ptr, size, + TagMemoryAligned((uptr)untagged_ptr, RoundUpTo(size, kShadowAlignment), t ? t->GenerateRandomTag() : kFallbackFreeTag); if (t) { AllocatorCache *cache = GetAllocatorCache(&t->malloc_storage()); diff --git a/compiler-rt/lib/hwasan/hwasan_report.cc b/compiler-rt/lib/hwasan/hwasan_report.cc index 807d73940bd0..b1be72f6b933 100644 --- a/compiler-rt/lib/hwasan/hwasan_report.cc +++ b/compiler-rt/lib/hwasan/hwasan_report.cc @@ -65,6 +65,49 @@ void PrintAddressDescription(uptr tagged_addr, uptr access_size) { uptr untagged_addr = UntagAddr(tagged_addr); Thread::VisitAllLiveThreads([&](Thread *t) { Decorator d; + // Check if this looks like a heap buffer overflow by scanning + // the shadow left and right and looking for the first adjacent + // object with a different memory tag. If that tag matches addr_tag, + // check the allocator if it has a live chunk there. + tag_t addr_tag = GetTagFromPointer(tagged_addr); + tag_t *tag_ptr = reinterpret_cast(MemToShadow(untagged_addr)); + if (*tag_ptr != addr_tag) { // should be true usually. + tag_t *left = tag_ptr, *right = tag_ptr; + // scan left. + for (int i = 0; i < 1000 && *left == *tag_ptr; i++, left--){} + // scan right. + for (int i = 0; i < 1000 && *right == *tag_ptr; i++, right++){} + // Chose the object that has addr_tag and that is closer to addr. + tag_t *candidate = nullptr; + if (*right == addr_tag && *left == addr_tag) + candidate = right - tag_ptr < tag_ptr - left ? right : left; + else if (*right == addr_tag) + candidate = right; + else if (*left == addr_tag) + candidate = left; + + if (candidate) { + uptr mem = ShadowToMem(reinterpret_cast(candidate)); + HwasanChunkView chunk = FindHeapChunkByAddress(mem); + if (chunk.IsAllocated()) { + Printf("%s", d.Location()); + Printf( + "%p is located %zd bytes to the %s of %zd-byte region [%p,%p)\n", + untagged_addr, + candidate == left ? untagged_addr - chunk.End() + : chunk.Beg() - untagged_addr, + candidate == right ? "left" : "right", chunk.UsedSize(), + chunk.Beg(), chunk.End()); + Printf("%s", d.Allocation()); + Printf("allocated here:\n", t); + Printf("%s", d.Default()); + GetStackTraceFromId(chunk.GetAllocStackId()).Print(); + num_descriptions_printed++; + } + } + } + + // Scan all threads' ring buffers to find if it's a heap-use-after-free. HeapAllocationRecord har; if (FindHeapAllocation(t->heap_allocations(), tagged_addr, &har)) { Printf("%s", d.Location()); @@ -84,6 +127,8 @@ void PrintAddressDescription(uptr tagged_addr, uptr access_size) { num_descriptions_printed++; } + + // Very basic check for stack memory. if (t->AddrIsInStack(untagged_addr)) { Printf("%s", d.Location()); Printf("Address %p is located in stack of thread %p\n", untagged_addr, t); diff --git a/compiler-rt/test/hwasan/TestCases/heap-buffer-overflow.c b/compiler-rt/test/hwasan/TestCases/heap-buffer-overflow.c new file mode 100644 index 000000000000..36c09b294cca --- /dev/null +++ b/compiler-rt/test/hwasan/TestCases/heap-buffer-overflow.c @@ -0,0 +1,16 @@ +// RUN: %clang_hwasan %s -o %t && not %run %t 2>&1 | FileCheck %s + +// REQUIRES: stable-runtime +// TODO: test more cases. + +#include +#include +#include + +int main() { + __hwasan_enable_allocator_tagging(); + char * volatile x = (char*)malloc(30); + x[40] = 42; +// CHECK: is located 10 bytes to the right of 30-byte region + free(x); +}