c76045d9bf
This PR adds a `__sanitizer_copy_contiguous_container_annotations`
function, which copies annotations from one memory area to another. New
area is annotated in the same way as the old region at the beginning
(within limitations of ASan).
Overlapping case: The function supports overlapping containers, however
no assumptions should be made outside of no false positives in new
buffer area. (It doesn't modify old container annotations where it's not
necessary, false negatives may happen in edge granules of the new
container area.) I don't expect this function to be used with
overlapping buffers, but it's designed to work with them and not result
in incorrect ASan errors (false positives).
If buffers have granularity-aligned distance between them (`old_beg %
granularity == new_beg % granularity`), copying algorithm works faster.
If the distance is not granularity-aligned, annotations are copied byte
after byte.
```cpp
void __sanitizer_copy_contiguous_container_annotations(
const void *old_storage_beg_p, const void *old_storage_end_p,
const void *new_storage_beg_p, const void *new_storage_end_p) {
```
This function aims to help with short string annotations and similar
container annotations. Right now we change trait types of
`std::basic_string` when compiling with ASan and this function purpose
is reverting that change as soon as possible.
87f3407856/libcxx/include/string (L738-L751)
The goal is to not change `__trivially_relocatable` when compiling with
ASan. If this function is accepted and upstreamed, the next step is
creating a function like `__memcpy_with_asan` moving memory with ASan.
And then using this function instead of `__builtin__memcpy` while moving
trivially relocatable objects.
11a6799740/libcxx/include/__memory/uninitialized_algorithms.h (L644-L646)
---
I'm thinking if there is a good way to address fact that in a container
the new buffer is usually bigger than the previous one. We may add two
more arguments to the functions to address it (the beginning and the end
of the whole buffer.
Another potential change is removing `new_storage_end_p` as it's
redundant, because we require the same size.
Potential future work is creating a function `__asan_unsafe_memmove`,
which will be basically memmove, but with turned off instrumentation
(therefore it will allow copy data from poisoned area).
---------
Co-authored-by: Vitaly Buka <vitalybuka@google.com>
629 lines
23 KiB
C++
629 lines
23 KiB
C++
//===-- asan_errors.cpp -----------------------------------------*- C++ -*-===//
|
|
//
|
|
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
|
|
// See https://llvm.org/LICENSE.txt for license information.
|
|
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
|
|
//
|
|
//===----------------------------------------------------------------------===//
|
|
//
|
|
// This file is a part of AddressSanitizer, an address sanity checker.
|
|
//
|
|
// ASan implementation for error structures.
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
#include "asan_errors.h"
|
|
#include "asan_descriptions.h"
|
|
#include "asan_mapping.h"
|
|
#include "asan_report.h"
|
|
#include "asan_stack.h"
|
|
#include "sanitizer_common/sanitizer_stackdepot.h"
|
|
|
|
namespace __asan {
|
|
|
|
static void OnStackUnwind(const SignalContext &sig,
|
|
const void *callback_context,
|
|
BufferedStackTrace *stack) {
|
|
bool fast = common_flags()->fast_unwind_on_fatal;
|
|
#if SANITIZER_FREEBSD || SANITIZER_NETBSD
|
|
// On FreeBSD the slow unwinding that leverages _Unwind_Backtrace()
|
|
// yields the call stack of the signal's handler and not of the code
|
|
// that raised the signal (as it does on Linux).
|
|
fast = true;
|
|
#endif
|
|
// Tests and maybe some users expect that scariness is going to be printed
|
|
// just before the stack. As only asan has scariness score we have no
|
|
// corresponding code in the sanitizer_common and we use this callback to
|
|
// print it.
|
|
static_cast<const ScarinessScoreBase *>(callback_context)->Print();
|
|
stack->Unwind(StackTrace::GetNextInstructionPc(sig.pc), sig.bp, sig.context,
|
|
fast);
|
|
}
|
|
|
|
void ErrorDeadlySignal::Print() {
|
|
ReportDeadlySignal(signal, tid, &OnStackUnwind, &scariness);
|
|
}
|
|
|
|
void ErrorDoubleFree::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report("ERROR: AddressSanitizer: attempting %s on %p in thread %s:\n",
|
|
scariness.GetDescription(), (void *)addr_description.addr,
|
|
AsanThreadIdAndName(tid).c_str());
|
|
Printf("%s", d.Default());
|
|
scariness.Print();
|
|
GET_STACK_TRACE_FATAL(second_free_stack->trace[0],
|
|
second_free_stack->top_frame_bp);
|
|
stack.Print();
|
|
addr_description.Print();
|
|
ReportErrorSummary(scariness.GetDescription(), &stack);
|
|
}
|
|
|
|
void ErrorNewDeleteTypeMismatch::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report("ERROR: AddressSanitizer: %s on %p in thread %s:\n",
|
|
scariness.GetDescription(), (void *)addr_description.addr,
|
|
AsanThreadIdAndName(tid).c_str());
|
|
Printf("%s object passed to delete has wrong type:\n", d.Default());
|
|
if (delete_size != 0) {
|
|
Printf(
|
|
" size of the allocated type: %zd bytes;\n"
|
|
" size of the deallocated type: %zd bytes.\n",
|
|
addr_description.chunk_access.chunk_size, delete_size);
|
|
}
|
|
const uptr user_alignment =
|
|
addr_description.chunk_access.user_requested_alignment;
|
|
if (delete_alignment != user_alignment) {
|
|
char user_alignment_str[32];
|
|
char delete_alignment_str[32];
|
|
internal_snprintf(user_alignment_str, sizeof(user_alignment_str),
|
|
"%zd bytes", user_alignment);
|
|
internal_snprintf(delete_alignment_str, sizeof(delete_alignment_str),
|
|
"%zd bytes", delete_alignment);
|
|
static const char *kDefaultAlignment = "default-aligned";
|
|
Printf(
|
|
" alignment of the allocated type: %s;\n"
|
|
" alignment of the deallocated type: %s.\n",
|
|
user_alignment > 0 ? user_alignment_str : kDefaultAlignment,
|
|
delete_alignment > 0 ? delete_alignment_str : kDefaultAlignment);
|
|
}
|
|
CHECK_GT(free_stack->size, 0);
|
|
scariness.Print();
|
|
GET_STACK_TRACE_FATAL(free_stack->trace[0], free_stack->top_frame_bp);
|
|
stack.Print();
|
|
addr_description.Print();
|
|
ReportErrorSummary(scariness.GetDescription(), &stack);
|
|
Report(
|
|
"HINT: if you don't care about these errors you may set "
|
|
"ASAN_OPTIONS=new_delete_type_mismatch=0\n");
|
|
}
|
|
|
|
void ErrorFreeNotMalloced::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: attempting free on address "
|
|
"which was not malloc()-ed: %p in thread %s\n",
|
|
(void *)addr_description.Address(), AsanThreadIdAndName(tid).c_str());
|
|
Printf("%s", d.Default());
|
|
CHECK_GT(free_stack->size, 0);
|
|
scariness.Print();
|
|
GET_STACK_TRACE_FATAL(free_stack->trace[0], free_stack->top_frame_bp);
|
|
stack.Print();
|
|
addr_description.Print();
|
|
ReportErrorSummary(scariness.GetDescription(), &stack);
|
|
}
|
|
|
|
void ErrorAllocTypeMismatch::Print() {
|
|
static const char *alloc_names[] = {"INVALID", "malloc", "operator new",
|
|
"operator new []"};
|
|
static const char *dealloc_names[] = {"INVALID", "free", "operator delete",
|
|
"operator delete []"};
|
|
CHECK_NE(alloc_type, dealloc_type);
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report("ERROR: AddressSanitizer: %s (%s vs %s) on %p\n",
|
|
scariness.GetDescription(), alloc_names[alloc_type],
|
|
dealloc_names[dealloc_type], (void *)addr_description.Address());
|
|
Printf("%s", d.Default());
|
|
CHECK_GT(dealloc_stack->size, 0);
|
|
scariness.Print();
|
|
GET_STACK_TRACE_FATAL(dealloc_stack->trace[0], dealloc_stack->top_frame_bp);
|
|
stack.Print();
|
|
addr_description.Print();
|
|
ReportErrorSummary(scariness.GetDescription(), &stack);
|
|
Report(
|
|
"HINT: if you don't care about these errors you may set "
|
|
"ASAN_OPTIONS=alloc_dealloc_mismatch=0\n");
|
|
}
|
|
|
|
void ErrorMallocUsableSizeNotOwned::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: attempting to call malloc_usable_size() for "
|
|
"pointer which is not owned: %p\n",
|
|
(void *)addr_description.Address());
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
addr_description.Print();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorSanitizerGetAllocatedSizeNotOwned::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: attempting to call "
|
|
"__sanitizer_get_allocated_size() for pointer which is not owned: %p\n",
|
|
(void *)addr_description.Address());
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
addr_description.Print();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorCallocOverflow::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: calloc parameters overflow: count * size "
|
|
"(%zd * %zd) cannot be represented in type size_t (thread %s)\n",
|
|
count, size, AsanThreadIdAndName(tid).c_str());
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
PrintHintAllocatorCannotReturnNull();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorReallocArrayOverflow::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: reallocarray parameters overflow: count * size "
|
|
"(%zd * %zd) cannot be represented in type size_t (thread %s)\n",
|
|
count, size, AsanThreadIdAndName(tid).c_str());
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
PrintHintAllocatorCannotReturnNull();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorPvallocOverflow::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: pvalloc parameters overflow: size 0x%zx "
|
|
"rounded up to system page size 0x%zx cannot be represented in type "
|
|
"size_t (thread %s)\n",
|
|
size, GetPageSizeCached(), AsanThreadIdAndName(tid).c_str());
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
PrintHintAllocatorCannotReturnNull();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorInvalidAllocationAlignment::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: invalid allocation alignment: %zd, "
|
|
"alignment must be a power of two (thread %s)\n",
|
|
alignment, AsanThreadIdAndName(tid).c_str());
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
PrintHintAllocatorCannotReturnNull();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorInvalidAlignedAllocAlignment::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
#if SANITIZER_POSIX
|
|
Report("ERROR: AddressSanitizer: invalid alignment requested in "
|
|
"aligned_alloc: %zd, alignment must be a power of two and the "
|
|
"requested size 0x%zx must be a multiple of alignment "
|
|
"(thread %s)\n", alignment, size, AsanThreadIdAndName(tid).c_str());
|
|
#else
|
|
Report("ERROR: AddressSanitizer: invalid alignment requested in "
|
|
"aligned_alloc: %zd, the requested size 0x%zx must be a multiple of "
|
|
"alignment (thread %s)\n", alignment, size,
|
|
AsanThreadIdAndName(tid).c_str());
|
|
#endif
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
PrintHintAllocatorCannotReturnNull();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorInvalidPosixMemalignAlignment::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: invalid alignment requested in posix_memalign: "
|
|
"%zd, alignment must be a power of two and a multiple of sizeof(void*) "
|
|
"== %zd (thread %s)\n",
|
|
alignment, sizeof(void *), AsanThreadIdAndName(tid).c_str());
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
PrintHintAllocatorCannotReturnNull();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorAllocationSizeTooBig::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: requested allocation size 0x%zx (0x%zx after "
|
|
"adjustments for alignment, red zones etc.) exceeds maximum supported "
|
|
"size of 0x%zx (thread %s)\n",
|
|
user_size, total_size, max_size, AsanThreadIdAndName(tid).c_str());
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
PrintHintAllocatorCannotReturnNull();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorRssLimitExceeded::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: specified RSS limit exceeded, currently set to "
|
|
"soft_rss_limit_mb=%zd\n", common_flags()->soft_rss_limit_mb);
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
PrintHintAllocatorCannotReturnNull();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorOutOfMemory::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
ERROR_OOM("allocator is trying to allocate 0x%zx bytes\n", requested_size);
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
PrintHintAllocatorCannotReturnNull();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorStringFunctionMemoryRangesOverlap::Print() {
|
|
Decorator d;
|
|
char bug_type[100];
|
|
internal_snprintf(bug_type, sizeof(bug_type), "%s-param-overlap", function);
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: %s: memory ranges [%p,%p) and [%p, %p) "
|
|
"overlap\n",
|
|
bug_type, (void *)addr1_description.Address(),
|
|
(void *)(addr1_description.Address() + length1),
|
|
(void *)addr2_description.Address(),
|
|
(void *)(addr2_description.Address() + length2));
|
|
Printf("%s", d.Default());
|
|
scariness.Print();
|
|
stack->Print();
|
|
addr1_description.Print();
|
|
addr2_description.Print();
|
|
ReportErrorSummary(bug_type, stack);
|
|
}
|
|
|
|
void ErrorStringFunctionSizeOverflow::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report("ERROR: AddressSanitizer: %s: (size=%zd)\n",
|
|
scariness.GetDescription(), size);
|
|
Printf("%s", d.Default());
|
|
scariness.Print();
|
|
stack->Print();
|
|
addr_description.Print();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorBadParamsToAnnotateContiguousContainer::Print() {
|
|
Report(
|
|
"ERROR: AddressSanitizer: bad parameters to "
|
|
"__sanitizer_annotate_contiguous_container:\n"
|
|
" beg : %p\n"
|
|
" end : %p\n"
|
|
" old_mid : %p\n"
|
|
" new_mid : %p\n",
|
|
(void *)beg, (void *)end, (void *)old_mid, (void *)new_mid);
|
|
stack->Print();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorBadParamsToAnnotateDoubleEndedContiguousContainer::Print() {
|
|
Report(
|
|
"ERROR: AddressSanitizer: bad parameters to "
|
|
"__sanitizer_annotate_double_ended_contiguous_container:\n"
|
|
" storage_beg : %p\n"
|
|
" storage_end : %p\n"
|
|
" old_container_beg : %p\n"
|
|
" old_container_end : %p\n"
|
|
" new_container_beg : %p\n"
|
|
" new_container_end : %p\n",
|
|
(void *)storage_beg, (void *)storage_end, (void *)old_container_beg,
|
|
(void *)old_container_end, (void *)new_container_beg,
|
|
(void *)new_container_end);
|
|
stack->Print();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorBadParamsToCopyContiguousContainerAnnotations::Print() {
|
|
Report(
|
|
"ERROR: AddressSanitizer: bad parameters to "
|
|
"__sanitizer_copy_contiguous_container_annotations:\n"
|
|
" src_storage_beg : %p\n"
|
|
" src_storage_end : %p\n"
|
|
" dst_storage_beg : %p\n"
|
|
" new_storage_end : %p\n",
|
|
(void *)old_storage_beg, (void *)old_storage_end, (void *)new_storage_beg,
|
|
(void *)new_storage_end);
|
|
stack->Print();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorODRViolation::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report("ERROR: AddressSanitizer: %s (%p):\n", scariness.GetDescription(),
|
|
(void *)global1.beg);
|
|
Printf("%s", d.Default());
|
|
InternalScopedString g1_loc;
|
|
InternalScopedString g2_loc;
|
|
PrintGlobalLocation(&g1_loc, global1, /*print_module_name=*/true);
|
|
PrintGlobalLocation(&g2_loc, global2, /*print_module_name=*/true);
|
|
Printf(" [1] size=%zd '%s' %s\n", global1.size,
|
|
MaybeDemangleGlobalName(global1.name), g1_loc.data());
|
|
Printf(" [2] size=%zd '%s' %s\n", global2.size,
|
|
MaybeDemangleGlobalName(global2.name), g2_loc.data());
|
|
if (stack_id1 && stack_id2) {
|
|
Printf("These globals were registered at these points:\n");
|
|
Printf(" [1]:\n");
|
|
StackDepotGet(stack_id1).Print();
|
|
Printf(" [2]:\n");
|
|
StackDepotGet(stack_id2).Print();
|
|
}
|
|
Report(
|
|
"HINT: if you don't care about these errors you may set "
|
|
"ASAN_OPTIONS=detect_odr_violation=0\n");
|
|
InternalScopedString error_msg;
|
|
error_msg.AppendF("%s: global '%s' at %s", scariness.GetDescription(),
|
|
MaybeDemangleGlobalName(global1.name), g1_loc.data());
|
|
ReportErrorSummary(error_msg.data());
|
|
}
|
|
|
|
void ErrorInvalidPointerPair::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report("ERROR: AddressSanitizer: %s: %p %p\n", scariness.GetDescription(),
|
|
(void *)addr1_description.Address(),
|
|
(void *)addr2_description.Address());
|
|
Printf("%s", d.Default());
|
|
GET_STACK_TRACE_FATAL(pc, bp);
|
|
stack.Print();
|
|
addr1_description.Print();
|
|
addr2_description.Print();
|
|
ReportErrorSummary(scariness.GetDescription(), &stack);
|
|
}
|
|
|
|
static bool AdjacentShadowValuesAreFullyPoisoned(u8 *s) {
|
|
return s[-1] > 127 && s[1] > 127;
|
|
}
|
|
|
|
ErrorGeneric::ErrorGeneric(u32 tid, uptr pc_, uptr bp_, uptr sp_, uptr addr,
|
|
bool is_write_, uptr access_size_)
|
|
: ErrorBase(tid),
|
|
addr_description(addr, access_size_, /*shouldLockThreadRegistry=*/false),
|
|
pc(pc_),
|
|
bp(bp_),
|
|
sp(sp_),
|
|
access_size(access_size_),
|
|
is_write(is_write_),
|
|
shadow_val(0) {
|
|
scariness.Clear();
|
|
if (access_size) {
|
|
if (access_size <= 9) {
|
|
char desr[] = "?-byte";
|
|
desr[0] = '0' + access_size;
|
|
scariness.Scare(access_size + access_size / 2, desr);
|
|
} else if (access_size >= 10) {
|
|
scariness.Scare(15, "multi-byte");
|
|
}
|
|
is_write ? scariness.Scare(20, "write") : scariness.Scare(1, "read");
|
|
|
|
// Determine the error type.
|
|
bug_descr = "unknown-crash";
|
|
if (AddrIsInMem(addr)) {
|
|
u8 *shadow_addr = (u8 *)MemToShadow(addr);
|
|
// If we are accessing 16 bytes, look at the second shadow byte.
|
|
if (*shadow_addr == 0 && access_size > ASAN_SHADOW_GRANULARITY)
|
|
shadow_addr++;
|
|
// If we are in the partial right redzone, look at the next shadow byte.
|
|
if (*shadow_addr > 0 && *shadow_addr < 128) shadow_addr++;
|
|
bool far_from_bounds = false;
|
|
shadow_val = *shadow_addr;
|
|
int bug_type_score = 0;
|
|
// For use-after-frees reads are almost as bad as writes.
|
|
int read_after_free_bonus = 0;
|
|
switch (shadow_val) {
|
|
case kAsanHeapLeftRedzoneMagic:
|
|
case kAsanArrayCookieMagic:
|
|
bug_descr = "heap-buffer-overflow";
|
|
bug_type_score = 10;
|
|
far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
|
|
break;
|
|
case kAsanHeapFreeMagic:
|
|
bug_descr = "heap-use-after-free";
|
|
bug_type_score = 20;
|
|
if (!is_write) read_after_free_bonus = 18;
|
|
break;
|
|
case kAsanStackLeftRedzoneMagic:
|
|
bug_descr = "stack-buffer-underflow";
|
|
bug_type_score = 25;
|
|
far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
|
|
break;
|
|
case kAsanInitializationOrderMagic:
|
|
bug_descr = "initialization-order-fiasco";
|
|
bug_type_score = 1;
|
|
break;
|
|
case kAsanStackMidRedzoneMagic:
|
|
case kAsanStackRightRedzoneMagic:
|
|
bug_descr = "stack-buffer-overflow";
|
|
bug_type_score = 25;
|
|
far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
|
|
break;
|
|
case kAsanStackAfterReturnMagic:
|
|
bug_descr = "stack-use-after-return";
|
|
bug_type_score = 30;
|
|
if (!is_write) read_after_free_bonus = 18;
|
|
break;
|
|
case kAsanUserPoisonedMemoryMagic:
|
|
bug_descr = "use-after-poison";
|
|
bug_type_score = 20;
|
|
break;
|
|
case kAsanContiguousContainerOOBMagic:
|
|
bug_descr = "container-overflow";
|
|
bug_type_score = 10;
|
|
break;
|
|
case kAsanStackUseAfterScopeMagic:
|
|
bug_descr = "stack-use-after-scope";
|
|
bug_type_score = 10;
|
|
break;
|
|
case kAsanGlobalRedzoneMagic:
|
|
bug_descr = "global-buffer-overflow";
|
|
bug_type_score = 10;
|
|
far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
|
|
break;
|
|
case kAsanIntraObjectRedzone:
|
|
bug_descr = "intra-object-overflow";
|
|
bug_type_score = 10;
|
|
break;
|
|
case kAsanAllocaLeftMagic:
|
|
case kAsanAllocaRightMagic:
|
|
bug_descr = "dynamic-stack-buffer-overflow";
|
|
bug_type_score = 25;
|
|
far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
|
|
break;
|
|
}
|
|
scariness.Scare(bug_type_score + read_after_free_bonus, bug_descr);
|
|
if (far_from_bounds) scariness.Scare(10, "far-from-bounds");
|
|
}
|
|
}
|
|
}
|
|
|
|
static void PrintContainerOverflowHint() {
|
|
Printf("HINT: if you don't care about these errors you may set "
|
|
"ASAN_OPTIONS=detect_container_overflow=0.\n"
|
|
"If you suspect a false positive see also: "
|
|
"https://github.com/google/sanitizers/wiki/"
|
|
"AddressSanitizerContainerOverflow.\n");
|
|
}
|
|
|
|
static void PrintShadowByte(InternalScopedString *str, const char *before,
|
|
u8 byte, const char *after = "\n") {
|
|
PrintMemoryByte(str, before, byte, /*in_shadow*/true, after);
|
|
}
|
|
|
|
static void PrintLegend(InternalScopedString *str) {
|
|
str->AppendF(
|
|
"Shadow byte legend (one shadow byte represents %d "
|
|
"application bytes):\n",
|
|
(int)ASAN_SHADOW_GRANULARITY);
|
|
PrintShadowByte(str, " Addressable: ", 0);
|
|
str->AppendF(" Partially addressable: ");
|
|
for (u8 i = 1; i < ASAN_SHADOW_GRANULARITY; i++)
|
|
PrintShadowByte(str, "", i, " ");
|
|
str->AppendF("\n");
|
|
PrintShadowByte(str, " Heap left redzone: ",
|
|
kAsanHeapLeftRedzoneMagic);
|
|
PrintShadowByte(str, " Freed heap region: ", kAsanHeapFreeMagic);
|
|
PrintShadowByte(str, " Stack left redzone: ",
|
|
kAsanStackLeftRedzoneMagic);
|
|
PrintShadowByte(str, " Stack mid redzone: ",
|
|
kAsanStackMidRedzoneMagic);
|
|
PrintShadowByte(str, " Stack right redzone: ",
|
|
kAsanStackRightRedzoneMagic);
|
|
PrintShadowByte(str, " Stack after return: ",
|
|
kAsanStackAfterReturnMagic);
|
|
PrintShadowByte(str, " Stack use after scope: ",
|
|
kAsanStackUseAfterScopeMagic);
|
|
PrintShadowByte(str, " Global redzone: ", kAsanGlobalRedzoneMagic);
|
|
PrintShadowByte(str, " Global init order: ",
|
|
kAsanInitializationOrderMagic);
|
|
PrintShadowByte(str, " Poisoned by user: ",
|
|
kAsanUserPoisonedMemoryMagic);
|
|
PrintShadowByte(str, " Container overflow: ",
|
|
kAsanContiguousContainerOOBMagic);
|
|
PrintShadowByte(str, " Array cookie: ",
|
|
kAsanArrayCookieMagic);
|
|
PrintShadowByte(str, " Intra object redzone: ",
|
|
kAsanIntraObjectRedzone);
|
|
PrintShadowByte(str, " ASan internal: ", kAsanInternalHeapMagic);
|
|
PrintShadowByte(str, " Left alloca redzone: ", kAsanAllocaLeftMagic);
|
|
PrintShadowByte(str, " Right alloca redzone: ", kAsanAllocaRightMagic);
|
|
}
|
|
|
|
static void PrintShadowBytes(InternalScopedString *str, const char *before,
|
|
u8 *bytes, u8 *guilty, uptr n) {
|
|
Decorator d;
|
|
if (before)
|
|
str->AppendF("%s%p:", before,
|
|
(void *)ShadowToMem(reinterpret_cast<uptr>(bytes)));
|
|
for (uptr i = 0; i < n; i++) {
|
|
u8 *p = bytes + i;
|
|
const char *before =
|
|
p == guilty ? "[" : (p - 1 == guilty && i != 0) ? "" : " ";
|
|
const char *after = p == guilty ? "]" : "";
|
|
PrintShadowByte(str, before, *p, after);
|
|
}
|
|
str->AppendF("\n");
|
|
}
|
|
|
|
static void PrintShadowMemoryForAddress(uptr addr) {
|
|
if (!AddrIsInMem(addr)) return;
|
|
uptr shadow_addr = MemToShadow(addr);
|
|
const uptr n_bytes_per_row = 16;
|
|
uptr aligned_shadow = shadow_addr & ~(n_bytes_per_row - 1);
|
|
InternalScopedString str;
|
|
str.AppendF("Shadow bytes around the buggy address:\n");
|
|
for (int i = -5; i <= 5; i++) {
|
|
uptr row_shadow_addr = aligned_shadow + i * n_bytes_per_row;
|
|
// Skip rows that would be outside the shadow range. This can happen when
|
|
// the user address is near the bottom, top, or shadow gap of the address
|
|
// space.
|
|
if (!AddrIsInShadow(row_shadow_addr)) continue;
|
|
const char *prefix = (i == 0) ? "=>" : " ";
|
|
PrintShadowBytes(&str, prefix, (u8 *)row_shadow_addr, (u8 *)shadow_addr,
|
|
n_bytes_per_row);
|
|
}
|
|
if (flags()->print_legend) PrintLegend(&str);
|
|
Printf("%s", str.data());
|
|
}
|
|
|
|
void ErrorGeneric::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
uptr addr = addr_description.Address();
|
|
Report("ERROR: AddressSanitizer: %s on address %p at pc %p bp %p sp %p\n",
|
|
bug_descr, (void *)addr, (void *)pc, (void *)bp, (void *)sp);
|
|
Printf("%s", d.Default());
|
|
|
|
Printf("%s%s of size %zu at %p thread %s%s\n", d.Access(),
|
|
access_size ? (is_write ? "WRITE" : "READ") : "ACCESS", access_size,
|
|
(void *)addr, AsanThreadIdAndName(tid).c_str(), d.Default());
|
|
|
|
scariness.Print();
|
|
GET_STACK_TRACE_FATAL(pc, bp);
|
|
stack.Print();
|
|
|
|
// Pass bug_descr because we have a special case for
|
|
// initialization-order-fiasco
|
|
addr_description.Print(bug_descr);
|
|
if (shadow_val == kAsanContiguousContainerOOBMagic)
|
|
PrintContainerOverflowHint();
|
|
ReportErrorSummary(bug_descr, &stack);
|
|
PrintShadowMemoryForAddress(addr);
|
|
}
|
|
|
|
} // namespace __asan
|