[asan] Intercept std::rethrow_exception indirectly

Summary: Fixes Bug 32434 See https://bugs.llvm.org/show_bug.cgi?id=32434 Short summary: std::rethrow_exception does not use __cxa_throw to rethrow the exception, so if it is called from uninstrumented code, it will leave the stack poisoned. This can lead to false positives. Long description: For functions which don't return normally (e.g. via exceptions), asan needs to unpoison the entire stack. It is not known before a call to such a function where execution will continue, some function which don't contain cleanup code like destructors might be skipped. After stack unwinding, execution might continue in uninstrumented code. If the stack has been poisoned before such a function is called, but the stack is unwound during the unconventional return, then zombie redzones (entries) for no longer existing stack variables can remain in the shadow memory. Normally, this is avoided by asan generating a call to asan_handle_no_return before all functions marked as [[noreturn]]. This asan_handle_no_return unpoisons the entire stack. Since these [[noreturn]] functions can be called from uninstrumented code, asan also introduces interceptor functions which call asan_handle_no_return before running the original [[noreturn]] function; for example, cxa_throw is intercepted. If a [[noreturn]] function is called from uninstrumented code (so the stack is left poisoned) and additionally, execution continues in uninstrumented code, new stack variables might be introduced and overlap with the stack variables which have been removed during stack unwinding. Since the redzones are not cleared nor overwritten by uninstrumented code, they remain but now contain invalid data. Now, if the redzones are checked against the new stack variables, false positive reports can occur. This can happen for example by the uninstrumented code calling an intercepted function such as memcpy, or an instrumented function. Intercepting std::rethrow_exception directly is not easily possible since it depends on the C++ standard library implementation (e.g. libcxx vs libstdc++) and the mangled name it produces for this function. As a rather simple workaround, we're intercepting _Unwind_RaiseException for libstdc++. For libcxxabi, we can intercept the ABI function __cxa_rethrow_primary_exception. Patch by Robert Schneider. Reviewers: kcc, eugenis, alekseyshl, vitalybuka Reviewed By: vitalybuka Subscribers: llvm-commits Differential Revision: https://reviews.llvm.org/D42644 llvm-svn: 326132
author: Vitaly Buka <vitalybuka@google.com> 2018-02-26 21:40:19 +0000
committer: Vitaly Buka <vitalybuka@google.com> 2018-02-26 21:40:19 +0000
commit: 781ef03e10120bf3b6a0770a1832a2e7fa37c079 (patch)
tree: af1fe2e513907668f10bfe6e32b8973483455c99 /compiler-rt
parent: 5d3b0e38d649f0843970a689c735c803a6e98d0f (diff)
download: bcm5719-llvm-781ef03e10120bf3b6a0770a1832a2e7fa37c079.tar.gz
bcm5719-llvm-781ef03e10120bf3b6a0770a1832a2e7fa37c079.zip
3 files changed, 115 insertions, 0 deletions
diff --git a/compiler-rt/lib/asan/asan_interceptors.cc b/compiler-rt/lib/asan/asan_interceptors.cc
index c0264590ee1..479cedc32ea 100644
--- a/compiler-rt/lib/asan/asan_interceptors.cc
+++ b/compiler-rt/lib/asan/asan_interceptors.cc
@@ -33,6 +33,11 @@
 #include "sanitizer_common/sanitizer_posix.h"
 #endif
 
+#if ASAN_INTERCEPT__UNWIND_RAISEEXCEPTION || \
+    ASAN_INTERCEPT__SJLJ_UNWIND_RAISEEXCEPTION
+#include <unwind.h>
+#endif
+
 #if defined(__i386) && SANITIZER_LINUX
 #define ASAN_PTHREAD_CREATE_VERSION "GLIBC_2.1"
 #elif defined(__mips__) && SANITIZER_LINUX
@@ -319,6 +324,32 @@ INTERCEPTOR(void, __cxa_throw, void *a, void *b, void *c) {
 }
 #endif
 
+#if ASAN_INTERCEPT___CXA_RETHROW_PRIMARY_EXCEPTION
+INTERCEPTOR(void, __cxa_rethrow_primary_exception, void *a) {
+  CHECK(REAL(__cxa_rethrow_primary_exception));
+  __asan_handle_no_return();
+  REAL(__cxa_rethrow_primary_exception)(a);
+}
+#endif
+
+#if ASAN_INTERCEPT__UNWIND_RAISEEXCEPTION
+INTERCEPTOR(_Unwind_Reason_Code, _Unwind_RaiseException,
+            struct _Unwind_Exception *object) {
+  CHECK(REAL(_Unwind_RaiseException));
+  __asan_handle_no_return();
+  return REAL(_Unwind_RaiseException)(object);
+}
+#endif
+
+#if ASAN_INTERCEPT__SJLJ_UNWIND_RAISEEXCEPTION
+INTERCEPTOR(_Unwind_Reason_Code, _Unwind_SjLj_RaiseException,
+            struct _Unwind_Exception *object) {
+  CHECK(REAL(_Unwind_SjLj_RaiseException));
+  __asan_handle_no_return();
+  return REAL(_Unwind_SjLj_RaiseException)(object);
+}
+#endif
+
 #if ASAN_INTERCEPT_INDEX
 # if ASAN_USE_ALIAS_ATTRIBUTE_FOR_INDEX
 INTERCEPTOR(char*, index, const char *string, int c)
@@ -599,6 +630,17 @@ void InitializeAsanInterceptors() {
 #if ASAN_INTERCEPT___CXA_THROW
   ASAN_INTERCEPT_FUNC(__cxa_throw);
 #endif
+#if ASAN_INTERCEPT___CXA_RETHROW_PRIMARY_EXCEPTION
+  ASAN_INTERCEPT_FUNC(__cxa_rethrow_primary_exception);
+#endif
+  // Indirectly intercept std::rethrow_exception.
+#if ASAN_INTERCEPT__UNWIND_RAISEEXCEPTION
+  INTERCEPT_FUNCTION(_Unwind_RaiseException);
+#endif
+  // Indirectly intercept std::rethrow_exception.
+#if ASAN_INTERCEPT__UNWIND_SJLJ_RAISEEXCEPTION
+  INTERCEPT_FUNCTION(_Unwind_SjLj_RaiseException);
+#endif
 
   // Intercept threading-related functions
 #if ASAN_INTERCEPT_PTHREAD_CREATE
diff --git a/compiler-rt/lib/asan/asan_interceptors.h b/compiler-rt/lib/asan/asan_interceptors.h
index e13bdecfded..e4ed09551c0 100644
--- a/compiler-rt/lib/asan/asan_interceptors.h
+++ b/compiler-rt/lib/asan/asan_interceptors.h
@@ -85,8 +85,17 @@ void InitializePlatformInterceptors();
     !(SANITIZER_ANDROID && defined(__i386)) && \
     !SANITIZER_SOLARIS
 # define ASAN_INTERCEPT___CXA_THROW 1
+# define ASAN_INTERCEPT___CXA_RETHROW_PRIMARY_EXCEPTION 1
+# ifdef _GLIBCXX_SJLJ_EXCEPTIONS
+#  define ASAN_INTERCEPT__UNWIND_SJLJ_RAISEEXCEPTION 1
+# else
+#  define ASAN_INTERCEPT__UNWIND_RAISEEXCEPTION 1
+# endif
 #else
 # define ASAN_INTERCEPT___CXA_THROW 0
+# define ASAN_INTERCEPT___CXA_RETHROW_PRIMARY_EXCEPTION 0
+# define ASAN_INTERCEPT__UNWIND_RAISEEXCEPTION 0
+# define ASAN_INTERCEPT__UNWIND_SJLJ_RAISEEXCEPTION 0
 #endif
 
 #if !SANITIZER_WINDOWS
diff --git a/compiler-rt/test/asan/TestCases/intercept-rethrow-exception.cc b/compiler-rt/test/asan/TestCases/intercept-rethrow-exception.cc
new file mode 100644
index 00000000000..fa9ea7d3b09
--- /dev/null
+++ b/compiler-rt/test/asan/TestCases/intercept-rethrow-exception.cc
@@ -0,0 +1,64 @@
+// Regression test for
+// https://bugs.llvm.org/show_bug.cgi?id=32434
+
+// RUN: %clangxx_asan -O0 %s -o %t
+// RUN: %run %t
+
+#include <assert.h>
+#include <exception>
+#include <sanitizer/asan_interface.h>
+
+namespace {
+
+// Not instrumented because std::rethrow_exception is a [[noreturn]] function,
+// for which the compiler would emit a call to __asan_handle_no_return which
+// unpoisons the stack.
+// We emulate here some code not compiled with asan. This function is not
+// [[noreturn]] because the scenario we're emulating doesn't always throw. If it
+// were [[noreturn]], the calling code would emit a call to
+// __asan_handle_no_return.
+void __attribute__((no_sanitize("address")))
+uninstrumented_rethrow_exception(std::exception_ptr const &exc_ptr) {
+  std::rethrow_exception(exc_ptr);
+}
+
+char *poisoned1;
+char *poisoned2;
+
+// Create redzones for stack variables in shadow memory and call
+// std::rethrow_exception which should unpoison the entire stack.
+void create_redzones_and_throw(std::exception_ptr const &exc_ptr) {
+  char a[100];
+  poisoned1 = a - 1;
+  poisoned2 = a + sizeof(a);
+  assert(__asan_address_is_poisoned(poisoned1));
+  assert(__asan_address_is_poisoned(poisoned2));
+  uninstrumented_rethrow_exception(exc_ptr);
+}
+
+} // namespace
+
+// Check that std::rethrow_exception is intercepted by asan and the interception
+// unpoisons the stack.
+// If std::rethrow_exception is NOT intercepted, then calls to this function
+// from instrumented code will still unpoison the stack because
+// std::rethrow_exception is a [[noreturn]] function and any [[noreturn]]
+// function call will be instrumented with __asan_handle_no_return.
+// However, calls to std::rethrow_exception from UNinstrumented code will not
+// unpoison the stack, so we need to intercept std::rethrow_exception to
+// unpoison the stack.
+int main() {
+  // In some implementations of std::make_exception_ptr, e.g. libstdc++ prior to
+  // gcc 7, this function calls __cxa_throw. The __cxa_throw is intercepted by
+  // asan to unpoison the entire stack; since this test essentially tests that
+  // the stack is unpoisoned by a call to std::rethrow_exception, we need to
+  // generate the exception_ptr BEFORE we have the local variables poison the
+  // stack.
+  std::exception_ptr my_exception_ptr = std::make_exception_ptr("up");
+
+  try {
+    create_redzones_and_throw(my_exception_ptr);
+  } catch(char const *) {
+    assert(!__asan_region_is_poisoned(poisoned1, poisoned2 - poisoned1 + 1));
+  }
+}
author	Vitaly Buka <vitalybuka@google.com>	2018-02-26 21:40:19 +0000
committer	Vitaly Buka <vitalybuka@google.com>	2018-02-26 21:40:19 +0000
commit	781ef03e10120bf3b6a0770a1832a2e7fa37c079 (patch)
tree	af1fe2e513907668f10bfe6e32b8973483455c99 /compiler-rt
parent	5d3b0e38d649f0843970a689c735c803a6e98d0f (diff)
download	bcm5719-llvm-781ef03e10120bf3b6a0770a1832a2e7fa37c079.tar.gz bcm5719-llvm-781ef03e10120bf3b6a0770a1832a2e7fa37c079.zip