78c5d68029
Historically, alignment and size weren't taken into account when freeing allocations since `free` just takes a pointer. With `free_sized` and `free_aligned_sized`, we can do these size and alignment checks in asan now. This adds a new report type specifically for these functions. Checking is hidden behind a new env flag `free_size_mismatch` which is enabled by default, but downstream users can opt out of it. The bulk of this PR was generated by gemini but thoroughly reviewed and edited by me to the best of my ability.
717 lines
26 KiB
C++
717 lines
26 KiB
C++
//===-- asan_errors.cpp -----------------------------------------*- C++ -*-===//
|
|
//
|
|
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
|
|
// See https://llvm.org/LICENSE.txt for license information.
|
|
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
|
|
//
|
|
//===----------------------------------------------------------------------===//
|
|
//
|
|
// This file is a part of AddressSanitizer, an address sanity checker.
|
|
//
|
|
// ASan implementation for error structures.
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
#include "asan_errors.h"
|
|
|
|
#include "asan_descriptions.h"
|
|
#include "asan_mapping.h"
|
|
#include "asan_poisoning.h"
|
|
#include "asan_report.h"
|
|
#include "asan_stack.h"
|
|
#include "sanitizer_common/sanitizer_stackdepot.h"
|
|
|
|
namespace __asan {
|
|
|
|
static void OnStackUnwind(const SignalContext &sig,
|
|
const void *callback_context,
|
|
BufferedStackTrace *stack) {
|
|
bool fast = common_flags()->fast_unwind_on_fatal;
|
|
#if SANITIZER_FREEBSD || SANITIZER_NETBSD
|
|
// On FreeBSD the slow unwinding that leverages _Unwind_Backtrace()
|
|
// yields the call stack of the signal's handler and not of the code
|
|
// that raised the signal (as it does on Linux).
|
|
fast = true;
|
|
#endif
|
|
// Tests and maybe some users expect that scariness is going to be printed
|
|
// just before the stack. As only asan has scariness score we have no
|
|
// corresponding code in the sanitizer_common and we use this callback to
|
|
// print it.
|
|
static_cast<const ScarinessScoreBase *>(callback_context)->Print();
|
|
stack->Unwind(StackTrace::GetNextInstructionPc(sig.pc), sig.bp, sig.context,
|
|
fast);
|
|
}
|
|
|
|
void ErrorDeadlySignal::Print() {
|
|
ReportDeadlySignal(signal, tid, &OnStackUnwind, &scariness);
|
|
}
|
|
|
|
void ErrorDoubleFree::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report("ERROR: AddressSanitizer: attempting %s on %p in thread %s:\n",
|
|
scariness.GetDescription(), (void *)addr_description.addr,
|
|
AsanThreadIdAndName(tid).c_str());
|
|
Printf("%s", d.Default());
|
|
scariness.Print();
|
|
GET_STACK_TRACE_FATAL(second_free_stack->trace[0],
|
|
second_free_stack->top_frame_bp);
|
|
stack.Print();
|
|
addr_description.Print();
|
|
ReportErrorSummary(scariness.GetDescription(), &stack);
|
|
}
|
|
|
|
void ErrorNewDeleteTypeMismatch::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report("ERROR: AddressSanitizer: %s on %p in thread %s:\n",
|
|
scariness.GetDescription(), (void *)addr_description.addr,
|
|
AsanThreadIdAndName(tid).c_str());
|
|
Printf("%s object passed to delete has wrong type:\n", d.Default());
|
|
if (delete_size != 0) {
|
|
Printf(
|
|
" size of the allocated type: %zd bytes;\n"
|
|
" size of the deallocated type: %zd bytes.\n",
|
|
addr_description.chunk_access.chunk_size, delete_size);
|
|
}
|
|
const uptr user_alignment =
|
|
addr_description.chunk_access.user_requested_alignment;
|
|
if (delete_alignment != user_alignment) {
|
|
char user_alignment_str[32];
|
|
char delete_alignment_str[32];
|
|
internal_snprintf(user_alignment_str, sizeof(user_alignment_str),
|
|
"%zd bytes", user_alignment);
|
|
internal_snprintf(delete_alignment_str, sizeof(delete_alignment_str),
|
|
"%zd bytes", delete_alignment);
|
|
static const char *kDefaultAlignment = "default-aligned";
|
|
Printf(
|
|
" alignment of the allocated type: %s;\n"
|
|
" alignment of the deallocated type: %s.\n",
|
|
user_alignment > 0 ? user_alignment_str : kDefaultAlignment,
|
|
delete_alignment > 0 ? delete_alignment_str : kDefaultAlignment);
|
|
}
|
|
CHECK_GT(free_stack->size, 0);
|
|
scariness.Print();
|
|
GET_STACK_TRACE_FATAL(free_stack->trace[0], free_stack->top_frame_bp);
|
|
stack.Print();
|
|
addr_description.Print();
|
|
ReportErrorSummary(scariness.GetDescription(), &stack);
|
|
Report(
|
|
"HINT: if you don't care about these errors you may set "
|
|
"ASAN_OPTIONS=new_delete_type_mismatch=0\n");
|
|
}
|
|
|
|
void ErrorFreeSizeMismatch::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report("ERROR: AddressSanitizer: %s on %p in thread %s:\n",
|
|
scariness.GetDescription(), (void*)addr_description.addr,
|
|
AsanThreadIdAndName(tid).c_str());
|
|
Printf("%s object passed to %s has wrong size or alignment:\n", d.Default(),
|
|
(isFreeAlignedSized() ? "free_aligned_sized" : "free_sized"));
|
|
if (delete_size != 0) {
|
|
Printf(
|
|
" size of the allocation: %zd bytes;\n"
|
|
" size of the deallocation: %zd bytes.\n",
|
|
addr_description.chunk_access.chunk_size, delete_size);
|
|
}
|
|
const uptr user_alignment =
|
|
addr_description.chunk_access.user_requested_alignment;
|
|
if (isFreeAlignedSized() && delete_alignment != user_alignment) {
|
|
char user_alignment_str[32];
|
|
char delete_alignment_str[32];
|
|
internal_snprintf(user_alignment_str, sizeof(user_alignment_str),
|
|
"%zd bytes", user_alignment);
|
|
internal_snprintf(delete_alignment_str, sizeof(delete_alignment_str),
|
|
"%zd bytes", delete_alignment);
|
|
static const char* kDefaultAlignment = "default-aligned";
|
|
Printf(
|
|
" alignment of the allocation: %s;\n"
|
|
" alignment of the deallocation: %s.\n",
|
|
user_alignment > 0 ? user_alignment_str : kDefaultAlignment,
|
|
delete_alignment > 0 ? delete_alignment_str : kDefaultAlignment);
|
|
}
|
|
CHECK_GT(free_stack->size, 0);
|
|
scariness.Print();
|
|
GET_STACK_TRACE_FATAL(free_stack->trace[0], free_stack->top_frame_bp);
|
|
stack.Print();
|
|
addr_description.Print();
|
|
ReportErrorSummary(scariness.GetDescription(), &stack);
|
|
Report(
|
|
"HINT: if you don't care about these errors you may set "
|
|
"ASAN_OPTIONS=free_size_mismatch=0\n");
|
|
}
|
|
|
|
void ErrorFreeNotMalloced::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: attempting free on address "
|
|
"which was not malloc()-ed: %p in thread %s\n",
|
|
(void *)addr_description.Address(), AsanThreadIdAndName(tid).c_str());
|
|
Printf("%s", d.Default());
|
|
CHECK_GT(free_stack->size, 0);
|
|
scariness.Print();
|
|
GET_STACK_TRACE_FATAL(free_stack->trace[0], free_stack->top_frame_bp);
|
|
stack.Print();
|
|
addr_description.Print();
|
|
ReportErrorSummary(scariness.GetDescription(), &stack);
|
|
}
|
|
|
|
void ErrorAllocTypeMismatch::Print() {
|
|
static const char *alloc_names[] = {"INVALID", "malloc", "operator new",
|
|
"operator new []"};
|
|
static const char *dealloc_names[] = {"INVALID", "free", "operator delete",
|
|
"operator delete []"};
|
|
CHECK_NE(alloc_type, dealloc_type);
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report("ERROR: AddressSanitizer: %s (%s vs %s) on %p\n",
|
|
scariness.GetDescription(), alloc_names[alloc_type],
|
|
dealloc_names[dealloc_type], (void *)addr_description.Address());
|
|
Printf("%s", d.Default());
|
|
CHECK_GT(dealloc_stack->size, 0);
|
|
scariness.Print();
|
|
GET_STACK_TRACE_FATAL(dealloc_stack->trace[0], dealloc_stack->top_frame_bp);
|
|
stack.Print();
|
|
addr_description.Print();
|
|
ReportErrorSummary(scariness.GetDescription(), &stack);
|
|
Report(
|
|
"HINT: if you don't care about these errors you may set "
|
|
"ASAN_OPTIONS=alloc_dealloc_mismatch=0\n");
|
|
}
|
|
|
|
void ErrorMallocUsableSizeNotOwned::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: attempting to call malloc_usable_size() for "
|
|
"pointer which is not owned: %p\n",
|
|
(void *)addr_description.Address());
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
addr_description.Print();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorSanitizerGetAllocatedSizeNotOwned::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: attempting to call "
|
|
"__sanitizer_get_allocated_size() for pointer which is not owned: %p\n",
|
|
(void *)addr_description.Address());
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
addr_description.Print();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorCallocOverflow::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: calloc parameters overflow: count * size "
|
|
"(%zd * %zd) cannot be represented in type size_t (thread %s)\n",
|
|
count, size, AsanThreadIdAndName(tid).c_str());
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
PrintHintAllocatorCannotReturnNull();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorReallocArrayOverflow::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: reallocarray parameters overflow: count * size "
|
|
"(%zd * %zd) cannot be represented in type size_t (thread %s)\n",
|
|
count, size, AsanThreadIdAndName(tid).c_str());
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
PrintHintAllocatorCannotReturnNull();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorPvallocOverflow::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: pvalloc parameters overflow: size 0x%zx "
|
|
"rounded up to system page size 0x%zx cannot be represented in type "
|
|
"size_t (thread %s)\n",
|
|
size, GetPageSizeCached(), AsanThreadIdAndName(tid).c_str());
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
PrintHintAllocatorCannotReturnNull();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorInvalidAllocationAlignment::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: invalid allocation alignment: %zd, "
|
|
"alignment must be a power of two (thread %s)\n",
|
|
alignment, AsanThreadIdAndName(tid).c_str());
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
PrintHintAllocatorCannotReturnNull();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorInvalidAlignedAllocAlignment::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
#if SANITIZER_POSIX
|
|
Report("ERROR: AddressSanitizer: invalid alignment requested in "
|
|
"aligned_alloc: %zd, alignment must be a power of two and the "
|
|
"requested size 0x%zx must be a multiple of alignment "
|
|
"(thread %s)\n", alignment, size, AsanThreadIdAndName(tid).c_str());
|
|
#else
|
|
Report("ERROR: AddressSanitizer: invalid alignment requested in "
|
|
"aligned_alloc: %zd, the requested size 0x%zx must be a multiple of "
|
|
"alignment (thread %s)\n", alignment, size,
|
|
AsanThreadIdAndName(tid).c_str());
|
|
#endif
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
PrintHintAllocatorCannotReturnNull();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorInvalidPosixMemalignAlignment::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: invalid alignment requested in posix_memalign: "
|
|
"%zd, alignment must be a power of two and a multiple of sizeof(void*) "
|
|
"== %zd (thread %s)\n",
|
|
alignment, sizeof(void *), AsanThreadIdAndName(tid).c_str());
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
PrintHintAllocatorCannotReturnNull();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorAllocationSizeTooBig::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: requested allocation size 0x%zx (0x%zx after "
|
|
"adjustments for alignment, red zones etc.) exceeds maximum supported "
|
|
"size of 0x%zx (thread %s)\n",
|
|
user_size, total_size, max_size, AsanThreadIdAndName(tid).c_str());
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
PrintHintAllocatorCannotReturnNull();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorRssLimitExceeded::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: specified RSS limit exceeded, currently set to "
|
|
"soft_rss_limit_mb=%zd\n", common_flags()->soft_rss_limit_mb);
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
PrintHintAllocatorCannotReturnNull();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorOutOfMemory::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
ERROR_OOM("allocator is trying to allocate 0x%zx bytes\n", requested_size);
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
PrintHintAllocatorCannotReturnNull();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorStringFunctionMemoryRangesOverlap::Print() {
|
|
Decorator d;
|
|
char bug_type[100];
|
|
internal_snprintf(bug_type, sizeof(bug_type), "%s-param-overlap", function);
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: %s: memory ranges [%p,%p) and [%p, %p) "
|
|
"overlap\n",
|
|
bug_type, (void *)addr1_description.Address(),
|
|
(void *)(addr1_description.Address() + length1),
|
|
(void *)addr2_description.Address(),
|
|
(void *)(addr2_description.Address() + length2));
|
|
Printf("%s", d.Default());
|
|
scariness.Print();
|
|
stack->Print();
|
|
addr1_description.Print();
|
|
addr2_description.Print();
|
|
ReportErrorSummary(bug_type, stack);
|
|
}
|
|
|
|
void ErrorStringFunctionSizeOverflow::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report("ERROR: AddressSanitizer: %s: (size=%zd)\n",
|
|
scariness.GetDescription(), size);
|
|
Printf("%s", d.Default());
|
|
scariness.Print();
|
|
stack->Print();
|
|
addr_description.Print();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorBadParamsToAnnotateContiguousContainer::Print() {
|
|
Report(
|
|
"ERROR: AddressSanitizer: bad parameters to "
|
|
"__sanitizer_annotate_contiguous_container:\n"
|
|
" beg : %p\n"
|
|
" end : %p\n"
|
|
" old_mid : %p\n"
|
|
" new_mid : %p\n",
|
|
(void *)beg, (void *)end, (void *)old_mid, (void *)new_mid);
|
|
stack->Print();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorBadParamsToAnnotateDoubleEndedContiguousContainer::Print() {
|
|
Report(
|
|
"ERROR: AddressSanitizer: bad parameters to "
|
|
"__sanitizer_annotate_double_ended_contiguous_container:\n"
|
|
" storage_beg : %p\n"
|
|
" storage_end : %p\n"
|
|
" old_container_beg : %p\n"
|
|
" old_container_end : %p\n"
|
|
" new_container_beg : %p\n"
|
|
" new_container_end : %p\n",
|
|
(void *)storage_beg, (void *)storage_end, (void *)old_container_beg,
|
|
(void *)old_container_end, (void *)new_container_beg,
|
|
(void *)new_container_end);
|
|
stack->Print();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorBadParamsToCopyContiguousContainerAnnotations::Print() {
|
|
Report(
|
|
"ERROR: AddressSanitizer: bad parameters to "
|
|
"__sanitizer_copy_contiguous_container_annotations:\n"
|
|
" src_storage_beg : %p\n"
|
|
" src_storage_end : %p\n"
|
|
" dst_storage_beg : %p\n"
|
|
" new_storage_end : %p\n",
|
|
(void *)old_storage_beg, (void *)old_storage_end, (void *)new_storage_beg,
|
|
(void *)new_storage_end);
|
|
stack->Print();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorODRViolation::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report("ERROR: AddressSanitizer: %s (%p):\n", scariness.GetDescription(),
|
|
(void *)global1.beg);
|
|
Printf("%s", d.Default());
|
|
InternalScopedString g1_loc;
|
|
InternalScopedString g2_loc;
|
|
PrintGlobalLocation(&g1_loc, global1, /*print_module_name=*/true);
|
|
PrintGlobalLocation(&g2_loc, global2, /*print_module_name=*/true);
|
|
Printf(" [1] size=%zd '%s' %s\n", global1.size,
|
|
MaybeDemangleGlobalName(global1.name), g1_loc.data());
|
|
Printf(" [2] size=%zd '%s' %s\n", global2.size,
|
|
MaybeDemangleGlobalName(global2.name), g2_loc.data());
|
|
if (stack_id1 && stack_id2) {
|
|
Printf("These globals were registered at these points:\n");
|
|
Printf(" [1]:\n");
|
|
StackDepotGet(stack_id1).Print();
|
|
Printf(" [2]:\n");
|
|
StackDepotGet(stack_id2).Print();
|
|
}
|
|
Report(
|
|
"HINT: if you don't care about these errors you may set "
|
|
"ASAN_OPTIONS=detect_odr_violation=0\n");
|
|
InternalScopedString error_msg;
|
|
error_msg.AppendF("%s: global '%s' at %s", scariness.GetDescription(),
|
|
MaybeDemangleGlobalName(global1.name), g1_loc.data());
|
|
ReportErrorSummary(error_msg.data());
|
|
}
|
|
|
|
void ErrorInvalidPointerPair::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report("ERROR: AddressSanitizer: %s: %p %p\n", scariness.GetDescription(),
|
|
(void *)addr1_description.Address(),
|
|
(void *)addr2_description.Address());
|
|
Printf("%s", d.Default());
|
|
GET_STACK_TRACE_FATAL(pc, bp);
|
|
stack.Print();
|
|
addr1_description.Print();
|
|
addr2_description.Print();
|
|
ReportErrorSummary(scariness.GetDescription(), &stack);
|
|
}
|
|
|
|
static bool AdjacentShadowValuesAreFullyPoisoned(u8 *s) {
|
|
return s[-1] > 127 && s[1] > 127;
|
|
}
|
|
|
|
ErrorGeneric::ErrorGeneric(u32 tid, uptr pc_, uptr bp_, uptr sp_, uptr addr,
|
|
bool is_write_, uptr access_size_)
|
|
: ErrorBase(tid),
|
|
addr_description(addr, access_size_, /*shouldLockThreadRegistry=*/false),
|
|
pc(pc_),
|
|
bp(bp_),
|
|
sp(sp_),
|
|
access_size(access_size_),
|
|
is_write(is_write_),
|
|
shadow_val(0) {
|
|
scariness.Clear();
|
|
if (access_size) {
|
|
if (access_size <= 9) {
|
|
char desr[] = "?-byte";
|
|
desr[0] = '0' + access_size;
|
|
scariness.Scare(access_size + access_size / 2, desr);
|
|
} else if (access_size >= 10) {
|
|
scariness.Scare(15, "multi-byte");
|
|
}
|
|
is_write ? scariness.Scare(20, "write") : scariness.Scare(1, "read");
|
|
|
|
// Determine the error type.
|
|
bug_descr = "unknown-crash";
|
|
if (AddrIsInMem(addr)) {
|
|
u8 *shadow_addr = (u8 *)MemToShadow(addr);
|
|
// If we are accessing 16 bytes, look at the second shadow byte.
|
|
if (*shadow_addr == 0 && access_size > ASAN_SHADOW_GRANULARITY)
|
|
shadow_addr++;
|
|
// If we are in the partial right redzone, look at the next shadow byte.
|
|
if (*shadow_addr > 0 && *shadow_addr < 128) shadow_addr++;
|
|
bool far_from_bounds = false;
|
|
shadow_val = *shadow_addr;
|
|
int bug_type_score = 0;
|
|
// For use-after-frees reads are almost as bad as writes.
|
|
int read_after_free_bonus = 0;
|
|
switch (shadow_val) {
|
|
case kAsanHeapLeftRedzoneMagic:
|
|
case kAsanArrayCookieMagic:
|
|
bug_descr = "heap-buffer-overflow";
|
|
bug_type_score = 10;
|
|
far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
|
|
break;
|
|
case kAsanHeapFreeMagic:
|
|
bug_descr = "heap-use-after-free";
|
|
bug_type_score = 20;
|
|
if (!is_write) read_after_free_bonus = 18;
|
|
break;
|
|
case kAsanStackLeftRedzoneMagic:
|
|
bug_descr = "stack-buffer-underflow";
|
|
bug_type_score = 25;
|
|
far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
|
|
break;
|
|
case kAsanInitializationOrderMagic:
|
|
bug_descr = "initialization-order-fiasco";
|
|
bug_type_score = 1;
|
|
break;
|
|
case kAsanStackMidRedzoneMagic:
|
|
case kAsanStackRightRedzoneMagic:
|
|
bug_descr = "stack-buffer-overflow";
|
|
bug_type_score = 25;
|
|
far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
|
|
break;
|
|
case kAsanStackAfterReturnMagic:
|
|
bug_descr = "stack-use-after-return";
|
|
bug_type_score = 30;
|
|
if (!is_write) read_after_free_bonus = 18;
|
|
break;
|
|
case kAsanUserPoisonedMemoryMagic:
|
|
bug_descr = "use-after-poison";
|
|
bug_type_score = 20;
|
|
break;
|
|
case kAsanContiguousContainerOOBMagic:
|
|
bug_descr = "container-overflow";
|
|
bug_type_score = 10;
|
|
break;
|
|
case kAsanStackUseAfterScopeMagic:
|
|
bug_descr = "stack-use-after-scope";
|
|
bug_type_score = 10;
|
|
break;
|
|
case kAsanGlobalRedzoneMagic:
|
|
bug_descr = "global-buffer-overflow";
|
|
bug_type_score = 10;
|
|
far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
|
|
break;
|
|
case kAsanIntraObjectRedzone:
|
|
bug_descr = "intra-object-overflow";
|
|
bug_type_score = 10;
|
|
break;
|
|
case kAsanAllocaLeftMagic:
|
|
case kAsanAllocaRightMagic:
|
|
bug_descr = "dynamic-stack-buffer-overflow";
|
|
bug_type_score = 25;
|
|
far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
|
|
break;
|
|
}
|
|
scariness.Scare(bug_type_score + read_after_free_bonus, bug_descr);
|
|
if (far_from_bounds) scariness.Scare(10, "far-from-bounds");
|
|
}
|
|
}
|
|
}
|
|
|
|
static void PrintContainerOverflowHint() {
|
|
Printf(
|
|
"HINT: if you don't care about these errors you may set "
|
|
"ASAN_OPTIONS=detect_container_overflow=0.\n"
|
|
"Or if supported by the container library, pass "
|
|
"-D__SANITIZER_DISABLE_CONTAINER_OVERFLOW__ to the compiler to disable "
|
|
" instrumentation.\n"
|
|
"If you suspect a false positive see also: "
|
|
"https://github.com/google/sanitizers/wiki/"
|
|
"AddressSanitizerContainerOverflow.\n");
|
|
}
|
|
|
|
static void PrintShadowByte(InternalScopedString *str, const char *before,
|
|
u8 byte, const char *after = "\n") {
|
|
PrintMemoryByte(str, before, byte, /*in_shadow*/true, after);
|
|
}
|
|
|
|
static void PrintLegend(InternalScopedString *str) {
|
|
str->AppendF(
|
|
"Shadow byte legend (one shadow byte represents %d "
|
|
"application bytes):\n",
|
|
(int)ASAN_SHADOW_GRANULARITY);
|
|
PrintShadowByte(str, " Addressable: ", 0);
|
|
str->AppendF(" Partially addressable: ");
|
|
for (u8 i = 1; i < ASAN_SHADOW_GRANULARITY; i++)
|
|
PrintShadowByte(str, "", i, " ");
|
|
str->AppendF("\n");
|
|
PrintShadowByte(str, " Heap left redzone: ",
|
|
kAsanHeapLeftRedzoneMagic);
|
|
PrintShadowByte(str, " Freed heap region: ", kAsanHeapFreeMagic);
|
|
PrintShadowByte(str, " Stack left redzone: ",
|
|
kAsanStackLeftRedzoneMagic);
|
|
PrintShadowByte(str, " Stack mid redzone: ",
|
|
kAsanStackMidRedzoneMagic);
|
|
PrintShadowByte(str, " Stack right redzone: ",
|
|
kAsanStackRightRedzoneMagic);
|
|
PrintShadowByte(str, " Stack after return: ",
|
|
kAsanStackAfterReturnMagic);
|
|
PrintShadowByte(str, " Stack use after scope: ",
|
|
kAsanStackUseAfterScopeMagic);
|
|
PrintShadowByte(str, " Global redzone: ", kAsanGlobalRedzoneMagic);
|
|
PrintShadowByte(str, " Global init order: ",
|
|
kAsanInitializationOrderMagic);
|
|
PrintShadowByte(str, " Poisoned by user: ",
|
|
kAsanUserPoisonedMemoryMagic);
|
|
PrintShadowByte(str, " Container overflow: ",
|
|
kAsanContiguousContainerOOBMagic);
|
|
PrintShadowByte(str, " Array cookie: ",
|
|
kAsanArrayCookieMagic);
|
|
PrintShadowByte(str, " Intra object redzone: ",
|
|
kAsanIntraObjectRedzone);
|
|
PrintShadowByte(str, " ASan internal: ", kAsanInternalHeapMagic);
|
|
PrintShadowByte(str, " Left alloca redzone: ", kAsanAllocaLeftMagic);
|
|
PrintShadowByte(str, " Right alloca redzone: ", kAsanAllocaRightMagic);
|
|
}
|
|
|
|
static void PrintShadowBytes(InternalScopedString *str, const char *before,
|
|
u8 *bytes, u8 *guilty, uptr n) {
|
|
Decorator d;
|
|
if (before)
|
|
str->AppendF("%s%p:", before,
|
|
(void *)ShadowToMem(reinterpret_cast<uptr>(bytes)));
|
|
for (uptr i = 0; i < n; i++) {
|
|
u8 *p = bytes + i;
|
|
const char *before =
|
|
p == guilty ? "[" : (p - 1 == guilty && i != 0) ? "" : " ";
|
|
const char *after = p == guilty ? "]" : "";
|
|
PrintShadowByte(str, before, *p, after);
|
|
}
|
|
str->AppendF("\n");
|
|
}
|
|
|
|
static void PrintShadowMemoryForAddress(uptr addr) {
|
|
if (!AddrIsInMem(addr)) return;
|
|
uptr shadow_addr = MemToShadow(addr);
|
|
const uptr n_bytes_per_row = 16;
|
|
uptr aligned_shadow = shadow_addr & ~(n_bytes_per_row - 1);
|
|
InternalScopedString str;
|
|
str.AppendF("Shadow bytes around the buggy address:\n");
|
|
for (int i = -5; i <= 5; i++) {
|
|
uptr row_shadow_addr = aligned_shadow + i * n_bytes_per_row;
|
|
// Skip rows that would be outside the shadow range. This can happen when
|
|
// the user address is near the bottom, top, or shadow gap of the address
|
|
// space.
|
|
if (!AddrIsInShadow(row_shadow_addr)) continue;
|
|
const char *prefix = (i == 0) ? "=>" : " ";
|
|
PrintShadowBytes(&str, prefix, (u8 *)row_shadow_addr, (u8 *)shadow_addr,
|
|
n_bytes_per_row);
|
|
}
|
|
if (flags()->print_legend) PrintLegend(&str);
|
|
Printf("%s", str.data());
|
|
}
|
|
|
|
static void CheckPoisonRecords(uptr addr) {
|
|
if (!AddrIsInMem(addr))
|
|
return;
|
|
|
|
u8 *shadow_addr = (u8 *)MemToShadow(addr);
|
|
// If we are in the partial right redzone, look at the next shadow byte.
|
|
if (*shadow_addr > 0 && *shadow_addr < 128)
|
|
shadow_addr++;
|
|
u8 shadow_val = *shadow_addr;
|
|
|
|
if (shadow_val != kAsanUserPoisonedMemoryMagic)
|
|
return;
|
|
|
|
Printf("\n");
|
|
|
|
if (flags()->poison_history_size <= 0) {
|
|
Printf(
|
|
"NOTE: the stack trace above identifies the code that *accessed* "
|
|
"the poisoned memory.\n");
|
|
Printf(
|
|
"To identify the code that *poisoned* the memory, try the "
|
|
"experimental setting ASAN_OPTIONS=poison_history_size=<size>.\n");
|
|
return;
|
|
}
|
|
|
|
PoisonRecord record;
|
|
if (FindPoisonRecord(addr, record)) {
|
|
StackTrace poison_stack = StackDepotGet(record.stack_id);
|
|
if (poison_stack.size > 0) {
|
|
Printf("Memory was manually poisoned by thread T%u:\n", record.thread_id);
|
|
poison_stack.Print();
|
|
}
|
|
} else {
|
|
Printf("ERROR: no matching poison tracking record found.\n");
|
|
Printf("Try a larger value for ASAN_OPTIONS=poison_history_size=<size>.\n");
|
|
}
|
|
}
|
|
|
|
void ErrorGeneric::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
uptr addr = addr_description.Address();
|
|
Report("ERROR: AddressSanitizer: %s on address %p at pc %p bp %p sp %p\n",
|
|
bug_descr, (void *)addr, (void *)pc, (void *)bp, (void *)sp);
|
|
Printf("%s", d.Default());
|
|
|
|
Printf("%s%s of size %zu at %p thread %s%s\n", d.Access(),
|
|
access_size ? (is_write ? "WRITE" : "READ") : "ACCESS", access_size,
|
|
(void *)addr, AsanThreadIdAndName(tid).c_str(), d.Default());
|
|
|
|
scariness.Print();
|
|
GET_STACK_TRACE_FATAL(pc, bp);
|
|
stack.Print();
|
|
|
|
// Pass bug_descr because we have a special case for
|
|
// initialization-order-fiasco
|
|
addr_description.Print(bug_descr);
|
|
if (shadow_val == kAsanContiguousContainerOOBMagic)
|
|
PrintContainerOverflowHint();
|
|
ReportErrorSummary(bug_descr, &stack);
|
|
PrintShadowMemoryForAddress(addr);
|
|
|
|
// This is an experimental flag, hence we don't make a special handler.
|
|
CheckPoisonRecords(addr);
|
|
}
|
|
|
|
} // namespace __asan
|