wangtao
/
llvm-project
forked from OSchip/llvm-project
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[hwasan] implement detection of realloc-after-free 

llvm-svn: 340593
This commit is contained in:
Kostya Serebryany 2018-08-24 01:44:17 +00:00
parent c6ba9ca169
commit a7c3846a2e
2 changed files with 33 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
compiler-rt/lib/hwasan/hwasan_allocator.cc
View File

@ -186,9 +186,10 @@ void HwasanDeallocate(StackTrace *stack, void *user_ptr) {
CHECK(user_ptr);
HWASAN_FREE_HOOK(user_ptr);
void *p = GetAddressFromPointer(user_ptr);
if (!PointerAndMemoryTagsMatch(user_ptr))
ReportInvalidFree(stack, reinterpret_cast<uptr>(user_ptr));
void *p = GetAddressFromPointer(user_ptr);
Metadata *meta = reinterpret_cast<Metadata *>(allocator.GetMetaData(p));
uptr size = meta->requested_size;
meta->state = CHUNK_FREE;
@ -220,6 +221,9 @@ void *HwasanReallocate(StackTrace *stack, void *user_old_p, uptr new_size,
alignment = Max(alignment, kShadowAlignment);
new_size = RoundUpTo(new_size, kShadowAlignment);
if (!PointerAndMemoryTagsMatch(user_old_p))
ReportInvalidFree(stack, reinterpret_cast<uptr>(user_old_p));
void *old_p = GetAddressFromPointer(user_old_p);
Metadata *meta = reinterpret_cast<Metadata*>(allocator.GetMetaData(old_p));
uptr old_size = meta->requested_size;

28
compiler-rt/test/hwasan/TestCases/realloc-after-free.c Normal file
View File

@ -0,0 +1,28 @@
// RUN: %clang_hwasan %s -o %t
// RUN: not %run %t 50 2>&1 | FileCheck %s
// RUN: not %run %t 40 2>&1 | FileCheck %s
// RUN: not %run %t 30 2>&1 | FileCheck %s
// REQUIRES: stable-runtime
#include <stdlib.h>
#include <stdio.h>
#include <sanitizer/hwasan_interface.h>
int main(int argc, char **argv) {
__hwasan_enable_allocator_tagging();
if (argc != 2) return 0;
int realloc_size = atoi(argv[1]);
char * volatile x = (char*)malloc(40);
free(x);
x = realloc(x, realloc_size);
// CHECK: ERROR: HWAddressSanitizer: invalid-free on address
// CHECK: tags: [[PTR_TAG:..]]/[[MEM_TAG:..]] (ptr/mem)
// CHECK: freed here:
// CHECK: previously allocated here:
// CHECK: Memory tags around the buggy address (one tag corresponds to 16 bytes):
// CHECK: =>{{.*}}[[MEM_TAG]]
fprintf(stderr, "DONE\n");
__hwasan_disable_allocator_tagging();
// CHECK-NOT: DONE
}