
Commit f4c7b3f

committed
Check next shadow byte if partial granule. Add test case.
1 parent c2b1947 commit f4c7b3f


2 files changed

+46
-3
lines changed


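--- a/compiler-rt/lib/asan/asan_errors.cpp
+++ b/compiler-rt/lib/asan/asan_errors.cpp
@@ -605,10 +605,13 @@ static void PrintShadowMemoryForAddress(uptr addr) {
 static void CheckPoisonRecords(uptr addr) {
 if (!AddrIsInMem(addr))
 return;
-uptr shadow_addr = MemToShadow(addr);
-unsigned char poison_magic = *(reinterpret_cast<u8 *>(shadow_addr));
 
-if (poison_magic != kAsanUserPoisonedMemoryMagic)
+u8 *shadow_addr = (u8 *)MemToShadow(addr);
+// If we are in the partial right redzone, look at the next shadow byte.
+if (*shadow_addr > 0 && *shadow_addr < 128) shadow_addr++;
+u8 shadow_val = *shadow_addr;
+
+if (shadow_val != kAsanUserPoisonedMemoryMagic)
 return;
 
 Printf("\n");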
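Review bot: The new `shadow_addr++` in CheckPoisonRecords reads the following shadow byte without checking that it is still inside mapped shadow; only `addr` itself was validated by `AddrIsInMem`. If the faulting granule is the last one of an application range, the next shadow byte may presumably fall outside the shadow region, and a fault there would occur inside the error reporter and could lose the original report. Consider bounding the step, e.g. `if (*shadow_addr > 0 && *shadow_addr < 128 && AddrIsInShadow((uptr)(shadow_addr + 1))) shadow_addr++;`. The literal `128` would also read more clearly as a named constant or a signed comparison, since the comment speaks of a partial granule, whose shadow values stay below the granule size. The function body continues past the end of the hunk.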
Lines changed: 40 additions & 0 deletions
@@ -0,0 +1,40 @@
1+
// Check that __asan_poison_memory_region and ASAN_OPTIONS=poison_history_size work.
2+
//
3+
// RUN: %clangxx_asan -O0 %s -o %t && env ASAN_OPTIONS=poison_history_size=1000 not %run %t 20 2>&1 | FileCheck %s
4+
//
5+
// Partial granule
6+
// RUN: %clangxx_asan -O0 %s -o %t && env ASAN_OPTIONS=poison_history_size=1000 not %run %t 2>&1 | FileCheck %s
7+
8+
#include <stdio.h>
9+
#include <stdlib.h>
10+
11+
extern "C" void __asan_poison_memory_region(void *, size_t);
12+
extern "C" void __asan_unpoison_memory_region(void *, size_t);
13+
14+
void honey_ive_poisoned_the_memory(char *x) {
15+
__asan_poison_memory_region(x + 10, 20);
16+
}
17+
18+
void foo(char *x) { honey_ive_poisoned_the_memory(x); }
19+
20+
int main(int argc, char **argv) {
21+
char *x = new char[64];
22+
x[10] = 0;
23+
foo(x);
24+
// Bytes [0, 9]: addressable
25+
// Bytes [10, 31]: poisoned by A
26+
// Bytes [32, 63]: addressable
27+
28+
int res = x[argc * 10]; // BOOOM
29+
// CHECK: ERROR: AddressSanitizer: use-after-poison
30+
// CHECK: main{{.*}}use-after-poison-history-size-partial-granule.cpp:[[@LINE-2]]
31+
32+
// CHECK: Memory was manually poisoned by thread T0:
33+
// CHECK: honey_ive_poisoned_the_memory{{.*}}use-after-poison-history-size-partial-granule.cpp:[[@LINE-18]]
34+
// CHECK: foo{{.*}}use-after-poison-history-size-partial-granule.cpp:[[@LINE-16]]
35+
// CHECK: main{{.*}}use-after-poison-history-size-partial-granule.cpp:[[@LINE-12]]
36+
37+
delete[] x;
38+
39+
return 0;
40+
}
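Review bot: The layout comment in main (new lines 24-26) does not match the code above it: it attributes the poisoning to "A", which does not exist in this file, and gives the range as [10, 31] although the call is `__asan_poison_memory_region(x + 10, 20)`, i.e. a request for bytes [10, 29]. Since this test exists to exercise the partial-granule path, the comment should say which access hits it, for example `// Bytes [10, 29]: poison requested by honey_ive_poisoned_the_memory` and `// x[10] (no argument, argc == 1) lies in a granule whose first bytes stay addressable`. The first RUN line (argument `20`, so `x[20]`) appears to repeat the whole-granule case; a short comment above it saying so would make the two RUN lines easier to tell apart.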
