diff options
| author | Chris Lattner <sabre@nondot.org> | 2010-07-20 20:19:24 +0000 |
|---|---|---|
| committer | Chris Lattner <sabre@nondot.org> | 2010-07-20 20:19:24 +0000 |
| commit | 26008e07dea3ca4e4ee1f7634923059ea7f17f7a (patch) | |
| tree | 8c49fce66759baecc9e1497120a425d04adc8af6 /clang/lib/CodeGen/CodeGenFunction.cpp | |
| parent | 47a0f0d56f7a229bf2646c7b69fbe1ed43b87715 (diff) | |
| download | bcm5719-llvm-26008e07dea3ca4e4ee1f7634923059ea7f17f7a.tar.gz bcm5719-llvm-26008e07dea3ca4e4ee1f7634923059ea7f17f7a.zip | |
implement rdar://5739832 - operator new should check for overflow in multiply,
causing clang to compile this code into something that correctly throws a
length error, fixing a potential integer overflow security attack:
void *test(long N) {
return new int[N];
}
int main() {
test(1L << 62);
}
We do this even when exceptions are disabled, because it is better for the
code to abort than for the attack to succeed.
This is heavily based on a patch that Fariborz wrote.
llvm-svn: 108915
Diffstat (limited to 'clang/lib/CodeGen/CodeGenFunction.cpp')
| -rw-r--r-- | clang/lib/CodeGen/CodeGenFunction.cpp | 40 |
1 files changed, 39 insertions, 1 deletions
diff --git a/clang/lib/CodeGen/CodeGenFunction.cpp b/clang/lib/CodeGen/CodeGenFunction.cpp index eb6c4361be8..5e5e2a49cc2 100644 --- a/clang/lib/CodeGen/CodeGenFunction.cpp +++ b/clang/lib/CodeGen/CodeGenFunction.cpp @@ -36,7 +36,7 @@ CodeGenFunction::CodeGenFunction(CodeGenModule &cgm) DidCallStackSave(false), UnreachableBlock(0), CXXThisDecl(0), CXXThisValue(0), CXXVTTDecl(0), CXXVTTValue(0), ConditionalBranchLevel(0), TerminateLandingPad(0), TerminateHandler(0), - TrapBB(0) { + TrapBB(0), ThrowLengthErrorBB(0) { // Get some frequently used types. LLVMPointerWidth = Target.getPointerWidth(0); @@ -155,6 +155,13 @@ void CodeGenFunction::FinishFunction(SourceLocation EndLoc) { Builder.ClearInsertionPoint(); } + // If someone called operator new[] and needs a throw_length_error block, emit + // it at the end of the function. + if (ThrowLengthErrorBB) { + EmitBlock(ThrowLengthErrorBB); + Builder.ClearInsertionPoint(); + } + // Remove the AllocaInsertPt instruction, which is just a convenience for us. llvm::Instruction *Ptr = AllocaInsertPt; AllocaInsertPt = 0; @@ -178,6 +185,37 @@ void CodeGenFunction::FinishFunction(SourceLocation EndLoc) { EmitDeclMetadata(); } +/// getThrowLengthErrorBB - Create a basic block that will call +/// std::__throw_length_error to throw a std::length_error exception. +llvm::BasicBlock *CodeGenFunction::getThrowLengthErrorBB() { + if (ThrowLengthErrorBB) return ThrowLengthErrorBB; + + llvm::IRBuilder<>::InsertPoint SavedIP = Builder.saveIP(); + + ThrowLengthErrorBB = createBasicBlock("throw_length_error"); + Builder.SetInsertPoint(ThrowLengthErrorBB); + + // Call to void std::__throw_length_error("length_error"); + const llvm::Type *ResultType = Builder.getVoidTy(); + const llvm::Type *PtrToInt8Ty = Builder.getInt8PtrTy(); + std::vector<const llvm::Type*> ArgTys(1, PtrToInt8Ty); + llvm::Constant *Fn = + CGM.CreateRuntimeFunction(llvm::FunctionType::get(ResultType, ArgTys, false), + "_ZSt20__throw_length_errorPKc"); + + llvm::Value *C = CGM.GetAddrOfConstantCString("length_error"); + C = Builder.CreateStructGEP(C, 0, "arraydecay"); + llvm::CallInst *TheCall = Builder.CreateCall(Fn, C); + TheCall->setDoesNotReturn(); + + Builder.CreateUnreachable(); + + + Builder.restoreIP(SavedIP); + return ThrowLengthErrorBB; +} + + /// ShouldInstrumentFunction - Return true if the current function should be /// instrumented with __cyg_profile_func_* calls bool CodeGenFunction::ShouldInstrumentFunction() { |
