Commit Graph

5 Commits

Author SHA1 Message Date
Filipe Cabecinhas 4ba5817b8b ASan+operator new[]: Add an option for more thorough operator new[] cookie poisoning
Summary:
Right now clang is skipping array cookie poisoning for any operator
new[] which is not part of the set of replaceable global allocation
functions.

This commit adds a flag to tell clang to poison all operator new[]
cookies.

A previous review was poisoning all array cookies unconditionally, but
there is an edge case which would stop working under ASan (a custom
operator new[] saves whatever pointer it returned, and then accesses
it).

This newer revision adds a command line argument to toggle this feature.

Original revision: https://reviews.llvm.org/D41301
Compiler-rt test revision with an explanation of the edge case: https://reviews.llvm.org/D41664

Reviewers: rjmccall, kcc, rsmith

Subscribers: cfe-commits

Differential Revision: https://reviews.llvm.org/D43013

llvm-svn: 324884
2018-02-12 11:49:02 +00:00
Filipe Cabecinhas 6f83fa9934 Revert "ASan+operator new[]: Fix operator new[] cookie poisoning"
This reverts r321645.

I missed a compiler-rt test that needs updating.

llvm-svn: 321647
2018-01-02 13:46:12 +00:00
Filipe Cabecinhas 016860cf2f ASan+operator new[]: Fix operator new[] cookie poisoning
Summary:
The C++ Itanium ABI says:
No cookie is required if the new operator being used is ::operator new[](size_t, void*).

We should only avoid poisoning the cookie if we're calling this
operator, not others. This is dealt with before the call to
InitializeArrayCookie.

Reviewers: rjmccall, kcc, rsmith

Subscribers: cfe-commits

Differential Revision: https://reviews.llvm.org/D41301

llvm-svn: 321645
2018-01-02 13:21:50 +00:00
Kostya Serebryany 4a9187a810 call __asan_load_cxx_array_cookie when loading array cookie in asan mode.
Summary:
The current implementation of asan cookie is incorrect:
we add nosanitize metadata to the cookie load, but the metadata may be lost
and we will instrument the load from poisoned memory.
This change replaces the load with a call to __asan_load_cxx_array_cookie (r216692)

Reviewers: rsmith

Reviewed By: rsmith

Subscribers: cfe-commits

Differential Revision: http://reviews.llvm.org/D5111

llvm-svn: 216702
2014-08-29 01:01:32 +00:00
Kostya Serebryany 4ee6904288 [clang/asan] call __asan_poison_cxx_array_cookie after operator new[]
Summary:
PR19838
When operator new[] is called and an array cookie is created
we want asan to detect buffer overflow bugs that touch the cookie.
For that we need to
  a) poison the shadow for the array cookie (call __asan_poison_cxx_array_cookie).
  b) ignore the legal accesses to the cookie generated by clang (add 'nosanitize' metadata)

Reviewers: timurrrr, samsonov, rsmith

Reviewed By: rsmith

Subscribers: cfe-commits

Differential Revision: http://reviews.llvm.org/D4774

llvm-svn: 216434
2014-08-26 02:29:59 +00:00
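As an added example (not code from any of the LLVM revisions listed above), a small C++ program that makes visible the array cookie these commits guard: an element type with a non-trivial destructor and a class-specific operator new[] that records the block it returned, which is the edge case the first commit describes. `Widget`, `cookie_bytes` and `cookie_count` are hypothetical names; the code assumes an Itanium-ABI target (clang or gcc on Linux/macOS), where the cookie is `sizeof(std::size_t)` bytes placed at the start of the allocation and holds the element count.

```cpp
#include <cstddef>
#include <cstdlib>
#include <new>

// Element type with a non-trivial destructor: under the Itanium C++ ABI the
// compiler must then request extra bytes from operator new[] (the "array
// cookie") and store the element count there so delete[] can run destructors.
struct Widget {
    unsigned char payload[12];
    ~Widget() {}

    // Class-specific operator new[] (hypothetical): it records the size clang
    // asked for and the pointer it handed back. Keeping and later inspecting
    // that pointer is the custom-allocator edge case the first commit mentions.
    static void* operator new[](std::size_t bytes) {
        last_request = bytes;
        last_block = std::malloc(bytes);
        if (!last_block) throw std::bad_alloc();
        return last_block;
    }
    static void operator delete[](void* p) noexcept { std::free(p); }

    static std::size_t last_request;
    static void* last_block;
};
std::size_t Widget::last_request = 0;
void* Widget::last_block = nullptr;

// Bytes the compiler added on top of the element storage, i.e. the cookie.
std::size_t cookie_bytes(std::size_t n) {
    Widget* arr = new Widget[n];
    std::size_t extra = Widget::last_request - n * sizeof(Widget);
    delete[] arr;
    return extra;
}

// Element count the compiler stored in the cookie, read through the block
// pointer the custom operator new[] saved. Under -fsanitize=address with
// cookie poisoning enabled for every operator new[], this load is reported
// as an access to poisoned shadow memory, which is why the option is opt-in.
std::size_t cookie_count(std::size_t n) {
    Widget* arr = new Widget[n];
    std::size_t* cookie = static_cast<std::size_t*>(Widget::last_block);
    std::size_t count = cookie[0];  // cookie occupies the start of the block
    delete[] arr;
    return count;
}
```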