Roman Vinogradov 2caba086ab
[ASan] Fix overflow and last byte handling in __asan_region_is_poisoned (#183900)
__asan_region_is_poisoned() uses an exclusive end address
(end = beg + size) to validate the region [beg, end) and to compute
the aligned inner shadow region. This causes a correctness issue
near the memory range upper boundary and could trigger address space
overflow on 32-bit targets.

1. Incorrect handling of the last byte of a memory range

   The implementation checks AddrIsInMem(end) instead of the last
   application byte (end - 1). For regions ending at the last byte
   of Low/Mid/HighMem (e.g. __asan_region_is_poisoned(kHighMemEnd, 1)),
   this returns end (kHighMemEnd + 1) instead of the original 
   pointer. This behavior is inconsistent with the function’s 
   semantics and with __asan_address_is_poisoned().

2. Address space overflow and invalid shadow range

   If a region ends at the top of the virtual address space (kHighMemEnd),
   e.g. on 32-bit targets, end = beg + size could wrap to 0.
   This violated the invariant beg < end and could trigger
   the CHECK failure.

   Additionally, overflow in RoundUpTo alignment computations
   for aligned_b could produce an invalid shadow region spanning
   LowShadow to HighShadow across ShadowGap, leading mem_is_zero()
   to access unmapped memory and crash.

Fix by switching to an inclusive last byte:

  last = beg + size - 1

All checks are now performed on beg and last. The aligned inner
shadow region is also computed from [beg, last]. An additional guard
for aligned_b prevents the mapping to shadow if aligned_b has wrapped
(in this case the aligned inner region is also empty and doesn't
require the shadow scan via mem_is_zero()).

This fixes incorrect return values at memory range ends and
prevents overflow-related crashes on 32-bit targets.

The test is extended to cover these boundary cases.

---------

Co-authored-by: Vitaly Buka <vitalybuka@gmail.com>
2026-03-18 09:43:19 -07:00
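
The two boundary cases from the commit message, reproduced in a constructed 32-bit model. This is an added example, not code from the commit or from compiler-rt; the address ranges, the granularity, and the names `InMem`, `ValidExclusive`, `ValidInclusive` and `AlignedBegin` are hypothetical.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed 32-bit model, not ASan's real layout: two application ranges
// separated by a gap; the high range ends at the top of the address space.
using uptr32 = uint32_t;
constexpr uptr32 kLowBeg = 0x00001000u, kLowEnd = 0x1FFFFFFFu;
constexpr uptr32 kHighBeg = 0x40000000u, kHighEnd = 0xFFFFFFFFu;
constexpr uptr32 kGranularity = 8;  // assumed shadow granularity

bool InMem(uptr32 a) {
  return (a >= kLowBeg && a <= kLowEnd) || (a >= kHighBeg && a <= kHighEnd);
}

// Exclusive end: validates the address one past the region.
bool ValidExclusive(uptr32 beg, uptr32 size) {
  uptr32 end = beg + size;  // wraps to 0 for a region ending at kHighEnd
  return beg < end && InMem(beg) && InMem(end);
}

// Inclusive last byte: validates only addresses the region really covers.
bool ValidInclusive(uptr32 beg, uptr32 size) {
  if (size == 0) return false;  // empty region, nothing to validate
  uptr32 last = beg + size - 1;
  return beg <= last && InMem(beg) && InMem(last);
}

// Rounds beg up to the granularity. Returns false when the rounding wrapped,
// in which case the aligned inner region is empty and must not be scanned.
bool AlignedBegin(uptr32 beg, uptr32 *aligned_b) {
  *aligned_b = (beg + kGranularity - 1) & ~(kGranularity - 1);
  return *aligned_b >= beg;
}

int main() {
  uptr32 a = 0;
  printf("last byte of low range:  exclusive=%d inclusive=%d\n",
         ValidExclusive(kLowEnd, 1), ValidInclusive(kLowEnd, 1));
  printf("last byte of high range: exclusive=%d inclusive=%d\n",
         ValidExclusive(kHighEnd, 1), ValidInclusive(kHighEnd, 1));
  printf("size wraps past the top: inclusive=%d\n",
         ValidInclusive(0xFFFFFFF0u, 0x20u));
  bool ok = AlignedBegin(0xFFFFFFFDu, &a);
  printf("aligned_b for 0xfffffffd: ok=%d value=%#x\n", ok, a);
  return 0;
}
```

The exclusive check rejects the last byte of both ranges (once because `end` lands in the gap, once because it wraps to 0), while the inclusive check accepts both and still rejects a size that runs past the top of the address space.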

33 lines
990 B
C++

// RUN: %clangxx_asan %s -o %t
// RUN: not %run %t 2>&1 | FileCheck %s
// REQUIRES: asan-64-bits
#include <inttypes.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
int main() {
  char *p = new char;
  char *dest = new char;
  const size_t offset = 0x4567890123456789;
  // The output here needs to match the output from the sanitizer runtime,
  // which includes 0x and prints hex in lower case.
  //
  // On Windows, %p omits %0x and prints hex characters in upper case,
  // so we use PRIxPTR instead of %p.
  fprintf(stderr, "Expected bad addr: %#" PRIxPTR "\n",
          reinterpret_cast<uintptr_t>(p + offset - 1));
  // Flush it so the output came out before the asan report.
  fflush(stderr);
  memmove(dest, p, offset);
  return 0;
}
// CHECK: Expected bad addr: [[ADDR:0x[0-9,a-f]+]]
// CHECK: AddressSanitizer: unknown-crash on address [[ADDR]]
// CHECK: Address [[ADDR]] is a wild pointer inside of access range of size 0x4567890123456789