[asan] provide better reports for cases where memcpy/etc get negative size parameter. Also fix a typo found by Tetsuo Kiso

llvm-svn: 206158
This commit is contained in:
Kostya Serebryany 2014-04-14 09:50:52 +00:00
parent 68b03049e0
commit f694ab1f18
6 changed files with 30 additions and 1 deletions

View File

@ -43,6 +43,10 @@ static inline bool QuickCheckForUnpoisonedRegion(uptr beg, uptr size) {
uptr __offset = (uptr)(offset); \
uptr __size = (uptr)(size); \
uptr __bad = 0; \
if (__offset > __offset + __size) { \
GET_STACK_TRACE_FATAL_HERE; \
ReportStringFunctionSizeOverflow(__offset, __size, &stack); \
} \
if (!QuickCheckForUnpoisonedRegion(__offset, __size) && \
(__bad = __asan_region_is_poisoned(__offset, __size))) { \
GET_CURRENT_PC_BP_SP; \

View File

@ -155,6 +155,7 @@ uptr __asan_region_is_poisoned(uptr beg, uptr size) {
uptr end = beg + size;
if (!AddrIsInMem(beg)) return beg;
if (!AddrIsInMem(end)) return end;
CHECK_LT(beg, end);
uptr aligned_b = RoundUpTo(beg, SHADOW_GRANULARITY);
uptr aligned_e = RoundDownTo(end, SHADOW_GRANULARITY);
uptr shadow_beg = MemToShadow(aligned_b);

View File

@ -701,6 +701,19 @@ void ReportStringFunctionMemoryRangesOverlap(
ReportErrorSummary(bug_type, stack);
}
void ReportStringFunctionSizeOverflow(uptr offset, uptr size,
StackTrace *stack) {
ScopedInErrorReport in_report;
Decorator d;
const char *bug_type = "negative-size-param";
Printf("%s", d.Warning());
Report("ERROR: AddressSanitizer: %s: (size=%zd)\n", bug_type, size);
Printf("%s", d.EndWarning());
stack->Print();
DescribeAddress(offset, size);
ReportErrorSummary(bug_type, stack);
}
void ReportBadParamsToAnnotateContiguousContainer(uptr beg, uptr end,
uptr old_mid, uptr new_mid,
StackTrace *stack) {

View File

@ -49,6 +49,8 @@ void NORETURN ReportStringFunctionMemoryRangesOverlap(
const char *function, const char *offset1, uptr length1,
const char *offset2, uptr length2, StackTrace *stack);
void NORETURN
ReportStringFunctionSizeOverflow(uptr offset, uptr size, StackTrace *stack);
void NORETURN
ReportBadParamsToAnnotateContiguousContainer(uptr beg, uptr end, uptr old_mid,
uptr new_mid, StackTrace *stack);

View File

@ -52,7 +52,7 @@ uptr GetMaxVirtualAddress() {
#if SANITIZER_WORDSIZE == 64
# if defined(__powerpc64__)
// On PowerPC64 we have two different address space layouts: 44- and 46-bit.
// We somehow need to figure our which one we are using now and choose
// We somehow need to figure out which one we are using now and choose
// one of 0x00000fffffffffffUL and 0x00003fffffffffffUL.
// Note that with 'ulimit -s unlimited' the stack is moved away from the top
// of the address space, so simply checking the stack address is not enough.

View File

@ -27,6 +27,9 @@
// RUN: %clangxx_asan -O3 -DTEST_MEMMOVE %s -o %t && not %t 2>&1 | \
// RUN: FileCheck %s --check-prefix=CHECK-MEMMOVE
// RUN: %clangxx_asan -O2 -DTEST_MEMCPY_SIZE_OVERFLOW %s -o %t && not %t 2>&1 | \
// RUN: FileCheck %s --check-prefix=CHECK-MEMCPY_SIZE_OVERFLOW
#include <assert.h>
#include <string.h>
#include <stdlib.h>
@ -34,6 +37,8 @@
#include <sanitizer/asan_interface.h>
typedef void *(*memcpy_t)(void *, const void *, size_t);
int main(int argc, char **argv) {
char * volatile p = (char *)malloc(3000);
__asan_poison_memory_region(p + 512, 16);
@ -53,6 +58,10 @@ int main(int argc, char **argv) {
memmove(q, p, 3000);
// CHECK-MEMMOVE: AddressSanitizer: use-after-poison on address
// CHECK-MEMMOVE: in {{.*(memmove|memcpy)}}
#elif defined(TEST_MEMCPY_SIZE_OVERFLOW)
volatile memcpy_t my_memcpy = &memcpy;
my_memcpy(p, q, -argc);
// CHECK-MEMCPY_SIZE_OVERFLOW: AddressSanitizer: negative-size-param: (size=-1)
#endif
assert(q[1] == 0);
free(q);