llvm-project/openmp/runtime/src/ompd-specific.cpp
Roman Lebedev 4709d9d5be
[libomp] ompd_init(): fix heap-buffer-overflow when constructing libompd.so path
There is no guarantee that the space allocated in `libname`
is enough to accommodate the whole `dl_info.dli_fname`,
because it could e.g. have a suffix - `.5`,
and that highlights another problem - what it should do about suffixes,
and whether it should do anything to resolve the symlinks before changing the filename.

```
$ LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/usr/local/lib"  ./src/utilities/rstest/rstest -c /tmp/f49137920.NEF
dl_info.dli_fname "/usr/local/lib/libomp.so.5"
strlen(dl_info.dli_fname) 26
lib_path_length 14
lib_path_length + 12 26
=================================================================
==30949==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000002a at pc 0x000000548648 bp 0x7ffdfa0aa780 sp 0x7ffdfa0a9f40
WRITE of size 27 at 0x60300000002a thread T0
    #0 0x548647 in strcpy (/home/lebedevri/rawspeed/build-Clang-SANITIZE/src/utilities/rstest/rstest+0x548647)
    #1 0x7fb9e3e3d234 in ompd_init() /repositories/llvm-project/openmp/runtime/src/ompd-specific.cpp:102:5
    #2 0x7fb9e3dcb446 in __kmp_do_serial_initialize() /repositories/llvm-project/openmp/runtime/src/kmp_runtime.cpp:6742:3
    #3 0x7fb9e3dcb40b in __kmp_get_global_thread_id_reg /repositories/llvm-project/openmp/runtime/src/kmp_runtime.cpp:251:7
    #4 0x59e035 in main /home/lebedevri/rawspeed/build-Clang-SANITIZE/../src/utilities/rstest/rstest.cpp:491
    #5 0x7fb9e3762d09 in __libc_start_main csu/../csu/libc-start.c:308:16
    #6 0x4df449 in _start (/home/lebedevri/rawspeed/build-Clang-SANITIZE/src/utilities/rstest/rstest+0x4df449)

0x60300000002a is located 0 bytes to the right of 26-byte region [0x603000000010,0x60300000002a)
allocated by thread T0 here:
    #0 0x55cc5d in malloc (/home/lebedevri/rawspeed/build-Clang-SANITIZE/src/utilities/rstest/rstest+0x55cc5d)
    #1 0x7fb9e3e3d224 in ompd_init() /repositories/llvm-project/openmp/runtime/src/ompd-specific.cpp:101:17
    #2 0x7fb9e3762d09 in __libc_start_main csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/lebedevri/rawspeed/build-Clang-SANITIZE/src/utilities/rstest/rstest+0x548647) in strcpy
Shadow bytes around the buggy address:
  0x0c067fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c067fff8000: fa fa 00 00 00[02]fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==30949==ABORTING
Aborted
```
2021-07-13 15:36:46 +03:00


/*
* ompd-specific.cpp -- OpenMP debug support
*/
//===----------------------------------------------------------------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#include "ompd-specific.h"
#if OMPD_SUPPORT
/**
 * Declaration of symbols to hold struct size and member offset information.
 *
 * Each OMPD_FOREACH_* list (from ompd-specific.h) expands one uint64_t global
 * per entry; ompd_init() fills them in at runtime. The names are the contract:
 *   ompd_access__<type>__<member>   -- byte offset of <member> within <type>
 *   ompd_sizeof__<type>__<member>   -- sizeof(<type>::<member>)
 *   ompd_bitfield__<type>__<member> -- bit mask selecting bitfield <member>
 *   ompd_sizeof__<type>             -- sizeof(<type>)
 * NOTE(review): presumably these are read by the debugger-side library by
 * symbol name, so renaming any of them is an ABI change -- confirm against
 * libompd before touching the naming scheme.
 */
#define ompd_declare_access(t, m) uint64_t ompd_access__##t##__##m;
OMPD_FOREACH_ACCESS(ompd_declare_access)
#undef ompd_declare_access
#define ompd_declare_sizeof_member(t, m) uint64_t ompd_sizeof__##t##__##m;
OMPD_FOREACH_ACCESS(ompd_declare_sizeof_member)
#undef ompd_declare_sizeof_member
#define ompd_declare_bitfield(t, m) uint64_t ompd_bitfield__##t##__##m;
OMPD_FOREACH_BITFIELD(ompd_declare_bitfield)
#undef ompd_declare_bitfield
#define ompd_declare_sizeof(t) uint64_t ompd_sizeof__##t;
OMPD_FOREACH_SIZEOF(ompd_declare_sizeof)
#undef ompd_declare_sizeof
/* NULL-terminated list of candidate libompd.so locations. Allocated and
 * published by ompd_init(): [0] is the bare name "libompd.so", [1] the full
 * path next to libomp (or NULL if it could not be derived), [2] NULL.
 * Volatile so a debugger reading it after ompd_dll_locations_valid() sees the
 * stored values rather than something the optimiser kept in a register. */
volatile const char **ompd_dll_locations = NULL;
/* Bit mask of OMPD features; ompd_init() ORs in OMPD_ENABLE_BP when
 * OMP_DEBUG=enabled. */
uint64_t ompd_state = 0;
/* Environment block handed to the debugger side. Not written anywhere in this
 * file -- NOTE(review): presumably filled in elsewhere in the runtime; verify
 * the owner before relying on it being non-NULL. */
char *ompd_env_block = NULL;
ompd_size_t ompd_env_block_size = 0;
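#if KMP_OS_UNIX
/*
 * Derive "<dir>/libompd.so" from the path of an already-loaded shared object
 * ("<dir>/<file>"), e.g. "/usr/local/lib/libomp.so.5" -> "/usr/local/lib/libompd.so".
 *
 * lib_path: path as reported by dladdr(); may be NULL or contain no '/'.
 * Returns a malloc'ed, NUL-terminated string the caller must free(), or NULL
 * when lib_path is NULL, has no directory component, or malloc() fails.
 *
 * The buffer is sized from the directory prefix plus the fixed suffix only, so
 * the length of the original file name (including a ".5"-style version suffix,
 * which triggered the heap overflow this code replaces) can never exceed it.
 * Symlinks are deliberately not resolved: the result follows wherever the
 * loader actually found libomp.
 */
static char *ompd_sibling_libompd_path(const char *lib_path) {
  static const char suffix[] = "/libompd.so"; /* sizeof() includes the '\0' */
  if (lib_path == NULL)
    return NULL;
  const char *last_slash = strrchr(lib_path, '/');
  if (last_slash == NULL)
    return NULL;
  size_t dir_len = (size_t)(last_slash - lib_path);
  char *out = (char *)malloc(dir_len + sizeof(suffix));
  if (out == NULL)
    return NULL;
  memcpy(out, lib_path, dir_len);
  memcpy(out + dir_len, suffix, sizeof(suffix));
  return out;
}
#endif

/*
 * ompd_init -- one-time set-up of the OMPD (debugger) support.
 *
 * Fills in the ompd_access__/ompd_sizeof__/ompd_bitfield__ globals declared
 * above, computes the candidate locations of libompd.so, honours
 * OMP_DEBUG=enabled, and finally calls ompd_dll_locations_valid() so a
 * debugger with a breakpoint there can read ompd_dll_locations.
 *
 * Re-entry is a no-op. The guard is a plain static, not atomic; it is
 * presumably serialised by the caller (the backtrace in the commit shows
 * __kmp_do_serial_initialize) -- do not call this concurrently.
 */
void ompd_init() {
  static int ompd_initialized = 0;
  if (ompd_initialized)
    return;
  /**
   * Calculate member offsets for structs and unions
   */
#define ompd_init_access(t, m) \
  ompd_access__##t##__##m = (uint64_t) & (((t *)0)->m);
  OMPD_FOREACH_ACCESS(ompd_init_access)
#undef ompd_init_access
  /**
   * Create bit mask for bitfield access: clear the word, set the one bitfield
   * to 1, and the word now holds exactly that field's mask.
   */
#define ompd_init_bitfield(t, m) \
  ompd_bitfield__##t##__##m = 0; \
  ((t *)(&ompd_bitfield__##t##__##m))->m = 1;
  OMPD_FOREACH_BITFIELD(ompd_init_bitfield)
#undef ompd_init_bitfield
  /**
   * Calculate type size information
   */
#define ompd_init_sizeof_member(t, m) \
  ompd_sizeof__##t##__##m = sizeof(((t *)0)->m);
  OMPD_FOREACH_ACCESS(ompd_init_sizeof_member)
#undef ompd_init_sizeof_member
#define ompd_init_sizeof(t) ompd_sizeof__##t = sizeof(t);
  OMPD_FOREACH_SIZEOF(ompd_init_sizeof)
#undef ompd_init_sizeof

  char *libname = NULL;
#if KMP_OS_UNIX
  /* Ask the dynamic loader which object contains ompd_init (libomp itself)
   * and look for libompd.so in that object's directory. */
  Dl_info dl_info;
  memset(&dl_info, 0, sizeof(dl_info)); /* never read stale fields on failure */
  if (dladdr((void *)ompd_init, &dl_info) == 0) {
    /* dladdr() does not necessarily report through dlerror(), so the message
     * may be NULL; never hand NULL to "%s". dl_info is not consulted here. */
    const char *err = dlerror();
    fprintf(stderr, "%s\n", err ? err : "dladdr() could not locate libomp");
  } else {
    /* NULL if dli_fname has no '/' or malloc() fails; the bare-name entry
     * ompd_dll_locations[0] below remains as the fallback in either case. */
    libname = ompd_sibling_libompd_path(dl_info.dli_fname);
  }
#endif
  const char *ompd_env_var = getenv("OMP_DEBUG");
  if (ompd_env_var && !strcmp(ompd_env_var, "enabled")) {
    fprintf(stderr, "OMP_OMPD active\n");
    ompt_enabled.enabled = 1;
    ompd_state |= OMPD_ENABLE_BP;
  }
  ompd_initialized = 1;
  /* NULL-terminated list: bare name first, then the full sibling path (may be
   * NULL, in which case the list is effectively one entry long). */
  ompd_dll_locations = (volatile const char **)malloc(3 * sizeof(const char *));
  if (ompd_dll_locations == NULL) {
    /* Nothing to announce to the debugger; do not dereference NULL. */
    free(libname);
    return;
  }
  ompd_dll_locations[0] = "libompd.so";
  ompd_dll_locations[1] = libname;
  ompd_dll_locations[2] = NULL;
  ompd_dll_locations_valid();
}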
/* Debugger breakpoint site, called by ompd_init() once ompd_dll_locations is
 * populated. It must survive as a real, out-of-line symbol: noinline keeps it
 * a distinct function and the empty asm statement stops the optimiser from
 * treating the body as a removable no-op. Moving it to its own object file
 * would be the more robust way to guarantee this. */
void __attribute__((noinline)) ompd_dll_locations_valid(void) {
  __asm__("");
}
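/* Debugger breakpoint site (bp) named for the begin of a parallel region; its
 * callers live outside this file. Marked noinline, matching
 * ompd_dll_locations_valid above, so the symbol stays an out-of-line function
 * a breakpoint can be set on even under LTO; the empty asm keeps the
 * optimiser from eliding the body. A separate object file would be a more
 * robust way to guarantee this. */
void __attribute__((noinline)) ompd_bp_parallel_begin(void) {
  __asm__("");
}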
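/* Debugger breakpoint site (bp) named for the end of a parallel region; its
 * callers live outside this file. Marked noinline, matching
 * ompd_dll_locations_valid above, so the symbol stays an out-of-line function
 * a breakpoint can be set on even under LTO; the empty asm keeps the
 * optimiser from eliding the body. A separate object file would be a more
 * robust way to guarantee this. */
void __attribute__((noinline)) ompd_bp_parallel_end(void) {
  __asm__("");
}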
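/* Debugger breakpoint site (bp) named for the begin of a task; its callers
 * live outside this file. Marked noinline, matching ompd_dll_locations_valid
 * above, so the symbol stays an out-of-line function a breakpoint can be set
 * on even under LTO; the empty asm keeps the optimiser from eliding the body.
 * A separate object file would be a more robust way to guarantee this. */
void __attribute__((noinline)) ompd_bp_task_begin(void) {
  __asm__("");
}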
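/* Debugger breakpoint site (bp) named for the end of a task; its callers
 * live outside this file. Marked noinline, matching ompd_dll_locations_valid
 * above, so the symbol stays an out-of-line function a breakpoint can be set
 * on even under LTO; the empty asm keeps the optimiser from eliding the body.
 * A separate object file would be a more robust way to guarantee this. */
void __attribute__((noinline)) ompd_bp_task_end(void) {
  __asm__("");
}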
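/* Debugger breakpoint site (bp) named for the begin of a thread; its callers
 * live outside this file. Marked noinline, matching ompd_dll_locations_valid
 * above, so the symbol stays an out-of-line function a breakpoint can be set
 * on even under LTO; the empty asm keeps the optimiser from eliding the body.
 * A separate object file would be a more robust way to guarantee this. */
void __attribute__((noinline)) ompd_bp_thread_begin(void) {
  __asm__("");
}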
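/* Debugger breakpoint site (bp) named for the end of a thread; its callers
 * live outside this file. Marked noinline, matching ompd_dll_locations_valid
 * above, so the symbol stays an out-of-line function a breakpoint can be set
 * on even under LTO; the empty asm keeps the optimiser from eliding the body.
 * A separate object file would be a more robust way to guarantee this. */
void __attribute__((noinline)) ompd_bp_thread_end(void) {
  __asm__("");
}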
#endif /* OMPD_SUPPORT */