authorKostya Serebryany <kcc@google.com>2016-03-26 00:00:19 +0000
committerKostya Serebryany <kcc@google.com>2016-03-26 00:00:19 +0000
commitb48f8f09b17b16edb01d4f71e9b398cdc972df2a (patch)
tree5aca04430cb60ae9b490d77e08c654c9e505c130 /compiler-rt
parent5a697bbda34e722e4c72eef7903e747b81c374f4 (diff)
[asan] bump the scariness score of read-after-frees (based on feedback from the Chrome security team)
llvm-svn: 264481
Diffstat (limited to 'compiler-rt')
-rw-r--r--compiler-rt/lib/asan/asan_report.cc6
-rw-r--r--compiler-rt/test/asan/TestCases/Linux/scariness_score_test.cc6
2 files changed, 8 insertions, 4 deletions
diff --git a/compiler-rt/lib/asan/asan_report.cc b/compiler-rt/lib/asan/asan_report.cc
index 9a67f2d1938..9fb9d958c60 100644
--- a/compiler-rt/lib/asan/asan_report.cc
+++ b/compiler-rt/lib/asan/asan_report.cc
@@ -1098,6 +1098,8 @@ void ReportGenericError(uptr pc, uptr bp, uptr sp, uptr addr, bool is_write,
bool far_from_bounds = false;
shadow_val = *shadow_addr;
int bug_type_score = 0;
+ // For use-after-frees reads are almost as bad as writes.
+ int read_after_free_bonus = 0;
switch (shadow_val) {
case kAsanHeapLeftRedzoneMagic:
case kAsanHeapRightRedzoneMagic:
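Review bot: The comment on the new `read_after_free_bonus` local says reads are almost as bad as writes but gives no reason, and the name and comment mention only use-after-free although the same bonus is set for stack-use-after-return later in this commit. I would expand it to `// A read of freed (or returned-from) memory can pick up a stale pointer or size that later drives a write or an indirect call, so for heap-use-after-free and stack-use-after-return a read is scored almost as high as a write.` ReportGenericError begins and ends outside this hunk.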
@@ -1109,6 +1111,7 @@ void ReportGenericError(uptr pc, uptr bp, uptr sp, uptr addr, bool is_write,
case kAsanHeapFreeMagic:
bug_descr = "heap-use-after-free";
bug_type_score = 20;
+ if (!is_write) read_after_free_bonus = 18;
break;
case kAsanStackLeftRedzoneMagic:
bug_descr = "stack-buffer-underflow";
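Review bot: The literal `18` in `if (!is_write) read_after_free_bonus = 18;` is unexplained, and it is repeated verbatim in the `kAsanStackAfterReturnMagic` case of the next hunk. Judging by the updated test expectations, it was presumably picked to land a read just under the score of a same-size write, which is assigned outside these hunks; if that read or write score changes, both literals silently stop meaning "almost as bad". A single named constant beside the declaration, for example `const int kReadAfterFreeBonus = 18;  // gap between read and write for UAF/UAR; keep in sync with the read/write scores`, used in both cases would keep them in step.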
@@ -1129,6 +1132,7 @@ void ReportGenericError(uptr pc, uptr bp, uptr sp, uptr addr, bool is_write,
case kAsanStackAfterReturnMagic:
bug_descr = "stack-use-after-return";
bug_type_score = 30;
+ if (!is_write) read_after_free_bonus = 18;
break;
case kAsanUserPoisonedMemoryMagic:
bug_descr = "use-after-poison";
@@ -1158,7 +1162,7 @@ void ReportGenericError(uptr pc, uptr bp, uptr sp, uptr addr, bool is_write,
far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
break;
}
- SS.Scare(bug_type_score, bug_descr);
+ SS.Scare(bug_type_score + read_after_free_bonus, bug_descr);
if (far_from_bounds)
SS.Scare(10, "far-from-bounds");
}
diff --git a/compiler-rt/test/asan/TestCases/Linux/scariness_score_test.cc b/compiler-rt/test/asan/TestCases/Linux/scariness_score_test.cc
index 21f42a5618c..24854132f53 100644
--- a/compiler-rt/test/asan/TestCases/Linux/scariness_score_test.cc
+++ b/compiler-rt/test/asan/TestCases/Linux/scariness_score_test.cc
@@ -166,14 +166,14 @@ int main(int argc, char **argv) {
// CHECK3: SCARINESS: 33 (2-byte-write-heap-buffer-overflow)
// CHECK4: SCARINESS: 52 (8-byte-write-heap-buffer-overflow-far-from-bounds)
// CHECK5: SCARINESS: 55 (multi-byte-write-heap-buffer-overflow-far-from-bounds)
- // CHECK6: SCARINESS: 22 (1-byte-read-heap-use-after-free)
+ // CHECK6: SCARINESS: 40 (1-byte-read-heap-use-after-free)
// CHECK7: SCARINESS: 46 (4-byte-write-heap-use-after-free)
- // CHECK8: SCARINESS: 33 (8-byte-read-heap-use-after-free)
+ // CHECK8: SCARINESS: 51 (8-byte-read-heap-use-after-free)
// CHECK9: SCARINESS: 55 (multi-byte-write-heap-use-after-free)
// CHECK10: SCARINESS: 46 (1-byte-write-stack-buffer-overflow)
// CHECK11: SCARINESS: 38 (8-byte-read-stack-buffer-overflow)
// CHECK12: SCARINESS: 61 (4-byte-write-stack-buffer-overflow-far-from-bounds)
- // CHECK13: SCARINESS: 32 (1-byte-read-stack-use-after-return)
+ // CHECK13: SCARINESS: 50 (1-byte-read-stack-use-after-return)
// CHECK14: SCARINESS: 65 (multi-byte-write-stack-use-after-return)
// CHECK15: SCARINESS: 31 (1-byte-write-global-buffer-overflow)
// CHECK16: SCARINESS: 36 (multi-byte-read-global-buffer-overflow-far-from-bounds)
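Review bot: The updated expectations show an 8-byte read heap-use-after-free (CHECK8, 51) now scoring above a 4-byte write heap-use-after-free (CHECK7, 46), so "almost as bad as writes" holds only when the access sizes are equal. If that ordering is intended, it is worth stating above the CHECK block for anyone who triages or thresholds on the number, for example `// Read UAF/UAR scores include a bonus, so a wide read may outrank a narrow write.` The hunk covers only part of main(); the code that produces these reports is not visible here.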