1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
|
// Checks that we do not print a faraway buffer overrun if we find a
// use-after-free.
// RUN: %clang_hwasan -O0 %s -o %t
// RUN: not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK
// REQUIRES: stable-runtime
#include <sanitizer/hwasan_interface.h>
#include <stdio.h>
#include <stdlib.h>
#define ALLOC_ATTEMPTS 256
char *Untag(void *x) {
return (char *)__hwasan_tag_pointer(x, 0);
}
void *FindMatch(void *ptrs[ALLOC_ATTEMPTS], void *value) {
for (int i = 0; i < ALLOC_ATTEMPTS; ++i) {
if (!ptrs[i])
return NULL;
int distance = Untag(value) - Untag(ptrs[i]);
// Leave at least one granule of gap to the allocation.
if (abs(distance) < 1000 && abs(distance) > 32)
return ptrs[i];
}
return NULL;
}
int main(int argc, char **argv) {
__hwasan_enable_allocator_tagging();
void *ptrs[ALLOC_ATTEMPTS] = {};
// Find two allocations that are close enough so that they would be
// candidates as buffer overflows for each other.
void *one;
void *other;
for (int i = 0; i < ALLOC_ATTEMPTS; ++i) {
one = malloc(16);
other = FindMatch(ptrs, one);
ptrs[i] = one;
if (other)
break;
}
if (!other) {
fprintf(stderr, "Could not find closeby allocations.\n");
abort();
}
__hwasan_tag_memory(Untag(one), 3, 16);
__hwasan_tag_memory(Untag(other), 3, 16);
// Tag potential adjaceant allocations with a mismatching tag, otherwise this
// test would flake.
__hwasan_tag_memory(Untag(one) + 16, 4, 16);
__hwasan_tag_memory(Untag(one) - 16, 4, 16);
void *retagged_one = __hwasan_tag_pointer(one, 3);
free(retagged_one);
volatile char *ptr = (char *)retagged_one;
*ptr = 1;
}
// CHECK-NOT: Cause: heap-buffer-overflow
// CHECK: Cause: use-after-free
// CHECK-NOT: Cause: heap-buffer-overflow
|
