author | Thurston Dang <thurston@google.com> | 2023-05-13 00:00:31 +0000 |
---|---|---|
committer | Thurston Dang <thurston@google.com> | 2023-05-13 05:26:45 +0000 |
commit | 04fd535409ddc601a4654e38ff28db3f13c10713 (patch) | |
tree | 95da8bea961be4f6b220f3d7b908f41e08cab2f7 /compiler-rt | |
parent | 0bbf3ddf5fea86e0eb0726142827e175aadaf53b (diff) | |
ASan: add backtrace_symbols test and clarify code is correct
This is another patch for https://github.com/google/sanitizers/issues/321
(sanitizer interceptors can write to freed memory, causing corruption),
in this case for backtrace_symbols.
backtrace_symbols is already correct, hence this patch removes the
TODO note. Additionally, this patch adds a test case for it.
Differential Revision: https://reviews.llvm.org/D150498
Diffstat (limited to 'compiler-rt')
-rw-r--r-- | compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc | 5 | ||||
-rw-r--r-- | compiler-rt/test/asan/TestCases/backtrace_symbols_interceptor.cpp | 36 |
2 files changed, 38 insertions, 3 deletions
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc b/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
index 490a8b12d8b1..1c315a5183c6 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
@@ -4418,9 +4418,8 @@ INTERCEPTOR(char **, backtrace_symbols, void **buffer, int size) {
 COMMON_INTERCEPTOR_ENTER(ctx, backtrace_symbols, buffer, size);
 if (buffer && size)
 COMMON_INTERCEPTOR_READ_RANGE(ctx, buffer, size * sizeof(*buffer));
- // FIXME: under ASan the call below may write to freed memory and corrupt
- // its metadata. See
- // https://github.com/google/sanitizers/issues/321.
+ // The COMMON_INTERCEPTOR_READ_RANGE above ensures that 'buffer' is
+ // valid for reading.
 char **res = REAL(backtrace_symbols)(buffer, size);
 if (res && size) {
 COMMON_INTERCEPTOR_WRITE_RANGE(ctx, res, size * sizeof(*res));
diff --git a/compiler-rt/test/asan/TestCases/backtrace_symbols_interceptor.cpp b/compiler-rt/test/asan/TestCases/backtrace_symbols_interceptor.cpp
new file mode 100644
index 000000000000..a78969408a7f
--- /dev/null
+++ b/compiler-rt/test/asan/TestCases/backtrace_symbols_interceptor.cpp
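Review bot: The replacement comment overstates what the check does: COMMON_INTERCEPTOR_READ_RANGE only reports the bad access, and when ASan runs with halt_on_error=0 the `REAL(backtrace_symbols)` call on the next line still executes against the freed buffer. What actually keeps this interceptor clear of issue 321 is that the only caller-owned pointer, `buffer`, is read and never written, while the WRITE_RANGE is applied to `res`, which (as far as I can tell from the glibc contract) backtrace_symbols allocates itself, so no interceptor write can land on memory the caller may already have freed. I would state that reasoning rather than the "valid for reading" claim, e.g. `// 'buffer' is only read (checked above); the only write range is 'res', which backtrace_symbols allocates itself, so no interceptor write can hit caller-freed memory (see sanitizers #321).` The INTERCEPTOR body begins before this hunk and continues after it.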
@@ -0,0 +1,36 @@
+// RUN: %clangxx_asan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
+
+// Test the backtrace_symbols() interceptor.
+
+#include <assert.h>
+#include <execinfo.h>
+#include <math.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#define MAX_BT 100
+
+int main() {
+ void **buffer = (void **)malloc(sizeof(void *) * MAX_BT);
+ assert(buffer != NULL);
+
+ int numEntries = backtrace(buffer, MAX_BT);
+ printf("backtrace returned %d entries\n", numEntries);
+
+ free(buffer);
+
+ // Deliberate use-after-free of 'buffer'. We expect ASan to
+ // catch this, without triggering internal sanitizer errors.
+ char **strings = backtrace_symbols(buffer, numEntries);
+ assert(strings != NULL);
+
+ for (int i = 0; i < numEntries; i++) {
+ printf("%s\n", strings[i]);
+ }
+
+ free(strings);
+
+ // CHECK: use-after-free
+ // CHECK: SUMMARY
+ return 0;
+} |
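Review bot: The test silently depends on backtrace() returning a non-zero count: if `numEntries` is 0, the interceptor's `if (buffer && size)` guard skips the READ_RANGE check, no use-after-free is reported, and `not %run` then fails for an unrelated reason, so I would add `assert(numEntries > 0);` right after the `backtrace` call. `#include <math.h>` is unused and can be dropped. Since `CHECK: use-after-free` matches anywhere in the output, consider also pinning the report to the interceptor, e.g. a CHECK on a stack frame containing `backtrace_symbols`, so a report from some other site would not satisfy the test. If execinfo.h is not available on every target this suite runs on, a REQUIRES/UNSUPPORTED line is probably needed, but I cannot tell that from the hunk alone.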