[msan] unpoison_file from fclose and fflash

Also unpoison IO_write_base/_IO_write_end buffer memcpy from fclose and fflash can copy internal bytes without metadata into user memory. Reviewed By: eugenis Differential Revision: https://reviews.llvm.org/D91858
2020-11-20 03:51:13 -08:00 · 2020-11-20 03:51:13 -08:00 · 3b947cc8ce
parent 33c79f76af
commit 3b947cc8ce
2 changed files with 36 additions and 0 deletions
--- a/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
@ -5978,6 +5978,9 @@ void unpoison_file(__sanitizer_FILE *fp) {
  if (fp->_IO_read_base && fp->_IO_read_base < fp->_IO_read_end)
    COMMON_INTERCEPTOR_INITIALIZE_RANGE(fp->_IO_read_base,
                                        fp->_IO_read_end - fp->_IO_read_base);
+  if (fp->_IO_write_base && fp->_IO_write_base < fp->_IO_write_end)
+    COMMON_INTERCEPTOR_INITIALIZE_RANGE(fp->_IO_write_base,
+                                        fp->_IO_write_end - fp->_IO_write_base);
 #endif
 #endif  // SANITIZER_HAS_STRUCT_FILE
 }
@ -6204,6 +6207,8 @@ INTERCEPTOR(void, _obstack_newchunk, __sanitizer_obstack *obstack, int length) {
 INTERCEPTOR(int, fflush, __sanitizer_FILE *fp) {
  void *ctx;
  COMMON_INTERCEPTOR_ENTER(ctx, fflush, fp);
+  if (fp)
+    unpoison_file(fp);
  int res = REAL(fflush)(fp);
  // FIXME: handle fp == NULL
  if (fp) {
@ -6223,6 +6228,8 @@ INTERCEPTOR(int, fclose, __sanitizer_FILE *fp) {
  COMMON_INTERCEPTOR_ENTER(ctx, fclose, fp);
  COMMON_INTERCEPTOR_FILE_CLOSE(ctx, fp);
  const FileMetadata *m = GetInterceptorMetadata(fp);
+  if (fp)
+    unpoison_file(fp);
  int res = REAL(fclose)(fp);
  if (m) {
    COMMON_INTERCEPTOR_INITIALIZE_RANGE(*m->addr, *m->size);
--- a/compiler-rt/test/msan/Linux/file.cpp
+++ b/compiler-rt/test/msan/Linux/file.cpp
@ -0,0 +1,29 @@
+// RUN: %clangxx_msan -std=c++11 -O0 %s -o %t && %run %t
+// RUN: %clangxx_msan -std=c++11 -fsanitize-memory-track-origins -O0 %s -o %t && %run %t
+
+#include <assert.h>
+#include <stdio.h>
+
+#include <sanitizer/msan_interface.h>
+
+int main(int argc, char *argv[]) {
+  FILE *f = fopen(argv[0], "r");
+  assert(f);
+  char buf[50];
+  fread(buf, 1, 1, f);
+  fflush(f);
+
+  assert(f->_IO_read_end > f->_IO_read_base);
+  __msan_check_mem_is_initialized(f->_IO_read_end, f->_IO_read_end - f->_IO_read_base);
+
+  char tmp_file[1000];
+  sprintf(tmp_file, "%s.write.tmp", argv[0]);
+
+  f = fopen(tmp_file, "w+");
+  assert(f);
+  fwrite(buf, 1, 1, f);
+  fflush(f);
+
+  assert(f->_IO_write_end > f->_IO_write_base);
+  __msan_check_mem_is_initialized(f->_IO_write_end, f->_IO_write_end - f->_IO_write_base);
+}