authorAlexander Potapenko <glider@google.com>2013-06-28 10:01:09 +0000
committerAlexander Potapenko <glider@google.com>2013-06-28 10:01:09 +0000
commit2b064a2b4e1d356bd9aaa86fedc0eb501b2f8e35 (patch)
tree92a02cb58dc75e7741357a2d8a997bf70ada9c29
parent64188f9f2b2a8c28cb3006705ae08c61afbd792d (diff)
[ASan][OSX] Make sure the zones created by malloc_create_zone() are write-protected.
Add a test. llvm-svn: 185140
-rw-r--r--compiler-rt/lib/asan/asan_malloc_mac.cc4
-rw-r--r--compiler-rt/lib/asan/lit_tests/TestCases/Darwin/malloc_zone-protected.cc20
2 files changed, 24 insertions, 0 deletions
diff --git a/compiler-rt/lib/asan/asan_malloc_mac.cc b/compiler-rt/lib/asan/asan_malloc_mac.cc
index 9fb200e512d..89e14714106 100644
--- a/compiler-rt/lib/asan/asan_malloc_mac.cc
+++ b/compiler-rt/lib/asan/asan_malloc_mac.cc
@@ -19,6 +19,7 @@
#include <CoreFoundation/CFBase.h>
#include <dlfcn.h>
#include <malloc/malloc.h>
+#include <sys/mman.h>
#include "asan_allocator.h"
#include "asan_interceptors.h"
@@ -49,6 +50,9 @@ INTERCEPTOR(malloc_zone_t *, malloc_create_zone,
&stack, FROM_MALLOC);
internal_memcpy(new_zone, &asan_zone, sizeof(asan_zone));
new_zone->zone_name = NULL; // The name will be changed anyway.
+ // Prevent the client app from overwriting the zone contents.
+ // Library functions that need to modify the zone will set PROT_WRITE on it.
+ mprotect(new_zone, allocated_size, PROT_READ);
return new_zone;
}
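Review bot: The result of the added `mprotect(new_zone, allocated_size, PROT_READ);` is discarded, so if the call fails the zone stays writable and nothing reports that the protection is missing. I would check it, for example `if (mprotect(new_zone, allocated_size, PROT_READ) != 0)` followed by a fatal report. mprotect also needs a page-aligned address and changes whole pages; the allocation of `new_zone` and the computation of `allocated_size` are above this hunk, so confirm that both are page-granular and that no unrelated heap data shares those pages. The interceptor body starts outside the hunk, and the code path that later releases the zone is not visible here; it would need to restore write access before the memory is reused.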
diff --git a/compiler-rt/lib/asan/lit_tests/TestCases/Darwin/malloc_zone-protected.cc b/compiler-rt/lib/asan/lit_tests/TestCases/Darwin/malloc_zone-protected.cc
new file mode 100644
index 00000000000..bc21797f952
--- /dev/null
+++ b/compiler-rt/lib/asan/lit_tests/TestCases/Darwin/malloc_zone-protected.cc
@@ -0,0 +1,20 @@
+// Make sure the zones created by malloc_create_zone() are write-protected.
+#include <malloc/malloc.h>
+#include <stdio.h>
+
+// RUN: %clangxx_asan %s -o %t
+// RUN: %t 2>&1 | FileCheck %s
+
+
+void *pwn(malloc_zone_t *unused_zone, size_t unused_size) {
+ printf("PWNED\n");
+ return NULL;
+}
+
+int main() {
+ malloc_zone_t *zone = malloc_create_zone(0, 0);
+ zone->malloc = pwn;
+ void *v = malloc_zone_malloc(zone, 1);
+ // CHECK-NOT: PWNED
+ return 0;
+}
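Review bot: The only assertion in this test is `// CHECK-NOT: PWNED`, so it passes whenever the string is absent, including a run where `malloc_zone_malloc` never dispatches through `zone->malloc` or the binary fails for an unrelated reason. With the zone read-only, the store `zone->malloc = pwn;` in main is presumably expected to fault, so the RUN line should say so explicitly with `// RUN: not %t 2>&1 | FileCheck %s`. A positive `// CHECK:` line matching the fault report, with its text taken from an actual run, should come before the CHECK-NOT. A short comment above the store stating that the process is expected to die there would also help, since the `return 0;` reads as if normal exit were the intended path.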