[Sanitizer] Fix a possible write to freed memory in the wcrtomb interceptor

Summary: r357240 added an interceptor for wctomb, which uses a temporary local buffer to make sure we don't write to unallocated memory. This patch applies the same technique to wcrtomb, and adds some additional tests for this function. Reviewers: vitalybuka, eugenis Subscribers: kubamracek, delcypher, llvm-commits, #sanitizers Tags: #llvm, #sanitizers Differential Revision: https://reviews.llvm.org/D59984 llvm-svn: 357889
2019-04-08 08:39:50 +00:00 · 2019-04-08 08:39:50 +00:00 · 618dcfcaa3
parent 6a6da233b9
commit 618dcfcaa3
3 changed files with 59 additions and 7 deletions
--- a/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
@ -3524,13 +3524,16 @@ INTERCEPTOR(SIZE_T, wcrtomb, char *dest, wchar_t src, void *ps) {
  void *ctx;
  COMMON_INTERCEPTOR_ENTER(ctx, wcrtomb, dest, src, ps);
  if (ps) COMMON_INTERCEPTOR_READ_RANGE(ctx, ps, mbstate_t_sz);
-  // FIXME: under ASan the call below may write to freed memory and corrupt
-  // its metadata. See
-  // https://github.com/google/sanitizers/issues/321.
-  SIZE_T res = REAL(wcrtomb)(dest, src, ps);
-  if (res != ((SIZE_T)-1) && dest) {
-    SIZE_T write_cnt = res;
-    COMMON_INTERCEPTOR_WRITE_RANGE(ctx, dest, write_cnt);
+
+  if (!dest)
+    return REAL(wcrtomb)(dest, src, ps);
+
+  char local_dest[32];
+  SIZE_T res = REAL(wcrtomb)(local_dest, src, ps);
+  if (res != ((SIZE_T)-1)) {
+    CHECK_LE(res, sizeof(local_dest));
+    COMMON_INTERCEPTOR_WRITE_RANGE(ctx, dest, res);
+    REAL(memcpy)(dest, local_dest, res);
  }
  return res;
 }
--- a/compiler-rt/test/asan/TestCases/wcrtomb.c
+++ b/compiler-rt/test/asan/TestCases/wcrtomb.c
@ -0,0 +1,13 @@
+// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
+
+#include <stdlib.h>
+#include <wchar.h>
+
+int main() {
+  char *buff = (char*) malloc(MB_CUR_MAX);
+  free(buff);
+  wcrtomb(buff, L'a', NULL);
+  // CHECK: use-after-free
+  // CHECK: SUMMARY
+  return 0;
+}
--- a/compiler-rt/test/sanitizer_common/TestCases/wcrtomb.c
+++ b/compiler-rt/test/sanitizer_common/TestCases/wcrtomb.c
@ -0,0 +1,36 @@
+// RUN: %clang %s -o %t && %run %t 2>&1
+
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+#include <wchar.h>
+
+int main(int argc, char **argv) {
+  mbstate_t state;
+  memset(&state, 0, sizeof(state));
+
+  char buff[10];
+  size_t res = wcrtomb(buff, L'a', &state);
+  assert(res == 1);
+  assert(buff[0] == 'a');
+
+  res = wcrtomb(buff, L'\0', &state);
+  assert(res == 1);
+  assert(buff[0] == '\0');
+
+  res = wcrtomb(NULL, L'\0', &state);
+  assert(res == 1);
+
+  res = wcrtomb(buff, L'a', NULL);
+  assert(res == 1);
+  assert(buff[0] == 'a');
+
+  res = wcrtomb(buff, L'\0', NULL);
+  assert(res == 1);
+  assert(buff[0] == '\0');
+
+  res = wcrtomb(NULL, L'\0', NULL);
+  assert(res == 1);
+
+  return 0;
+}