| author | Alex Shlyapnikov <alekseys@google.com> | 2018-06-29 20:20:17 +0000 |
|---|---|---|
| committer | Alex Shlyapnikov <alekseys@google.com> | 2018-06-29 20:20:17 +0000 |
| commit | 788764ca12520f77cfc51ec53f0bffb0c8a8f328 (patch) | |
| tree | 8c422fceb13b13d44b1f75a0d53da07f0a94592f /llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp | |
| parent | 69ee62cef82eef7d23d2c71fb133ba80cac18339 (diff) | |
[HWASan] Do not retag allocas before return from the function.
Summary:
Retagging allocas before returning from the function might help
detect use-after-return bugs, but it does not work at all in real
life, when instrumented and non-instrumented code is intermixed.
Consider the following code:
    F_non_instrumented() {
      T x;
      F1_instrumented(&x);
      ...
    }

    {
      F_instrumented();
      F_non_instrumented();
    }
- The F_instrumented call leaves the stack below the current sp tagged
  randomly for UAR detection.
- F_non_instrumented allocates its own vars on that tagged stack,
  not generating any tags; that is, the address of x has tag 0, but the
  shadow memory still contains the tags left behind by F_instrumented in the
  previous step.
- F1_instrumented verifies &x before using it and traps on tag mismatch:
  0 vs. whatever tag was set by F_instrumented.
Reviewers: eugenis
Subscribers: srhines, llvm-commits
Differential Revision: https://reviews.llvm.org/D48664
llvm-svn: 336011
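The sequence described in the commit message, as an added toy model that is not LLVM or compiler-rt code: a fake downward-growing stack with one shadow byte per 16-byte granule, a pointer tag carried in a struct field instead of the top address bits, and a `scenario()` function that runs F_instrumented followed by F_non_instrumented and reports whether F1_instrumented's check passes. The frame tag `0x2A`, the stack size and the granule layout are constructed for the illustration; the two exit-path tag choices (0 vs. StackTag ^ 0xFF) mirror what getUARTag() returns with and without the new option.

```c
/* Toy model of HWASan stack tagging (added example, not sanitizer code).
 * Addresses are indices into a fake stack; the shadow holds one tag byte
 * per 16-byte granule; a tagged pointer carries its tag in a struct field. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_BYTES 256
#define GRANULE 16
#define SHADOW_SIZE (STACK_BYTES / GRANULE)

static uint8_t shadow[SHADOW_SIZE];   /* constructed: memory tag per granule */
static size_t sp = STACK_BYTES;       /* stack grows down, as a real one does */

typedef struct { size_t addr; uint8_t tag; } tagged_ptr;

/* Instrumented prologue: allocate one granule and tag it in the shadow. */
static tagged_ptr alloca_tagged(uint8_t tag) {
  sp -= GRANULE;
  shadow[sp / GRANULE] = tag;
  return (tagged_ptr){sp, tag};
}

/* Instrumented access check: real HWASan traps on mismatch; we return false. */
static bool check_access(tagged_ptr p) {
  return shadow[p.addr / GRANULE] == p.tag;
}

/* Instrumented epilogue: store the UAR tag over the alloca and pop the frame.
 * uar_tag models getUARTag(): 0 under hwasan-uar-retag-to-zero,
 * StackTag ^ 0xFF otherwise. */
static void free_frame(tagged_ptr p, uint8_t uar_tag) {
  shadow[p.addr / GRANULE] = uar_tag;
  sp += GRANULE;
}

/* F1_instrumented(&x): verifies the pointer before using it. */
static bool f1_instrumented(tagged_ptr x) {
  return check_access(x);
}

/* F_non_instrumented: allocates x without touching the shadow, so the
 * pointer it hands out has tag 0 while the shadow keeps whatever was there. */
static bool f_non_instrumented(void) {
  sp -= GRANULE;
  tagged_ptr x = {sp, 0};
  bool ok = f1_instrumented(x);
  sp += GRANULE;
  return ok;
}

/* F_instrumented: tags its alloca, then retags it on the way out. */
static void f_instrumented(bool retag_to_zero) {
  uint8_t stack_tag = 0x2A;  /* constructed: stands in for the random frame tag */
  tagged_ptr y = alloca_tagged(stack_tag);
  free_frame(y, retag_to_zero ? 0 : (uint8_t)(stack_tag ^ 0xFF));
}

/* The call sequence from the commit message. Returns true when F1's check
 * on &x passes, false when it would trap on a tag mismatch. */
bool scenario(bool retag_to_zero) {
  memset(shadow, 0, sizeof shadow);
  sp = STACK_BYTES;
  f_instrumented(retag_to_zero);
  return f_non_instrumented();
}

int main(void) {
  printf("retag to StackTag ^ 0xFF on return: check %s\n",
         scenario(false) ? "passes" : "traps");
  printf("retag to zero on return:            check %s\n",
         scenario(true) ? "passes" : "traps");
  return 0;
}
```

With the old behaviour the shadow granule reused by F_non_instrumented still holds `0x2A ^ 0xFF` when F1_instrumented compares it against pointer tag 0, so the check fails; with the retag-to-zero exit path the granule reads 0 and the mixed call chain proceeds.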
Diffstat (limited to 'llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp')
-rw-r--r-- | llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp b/llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp index a1205d81c91..d62598bb5d4 100644 --- a/llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp +++ b/llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp @@ -95,6 +95,14 @@ static cl::opt<bool> ClInstrumentStack("hwasan-instrument-stack", cl::desc("instrument stack (allocas)"), cl::Hidden, cl::init(true)); +static cl::opt<bool> ClUARRetagToZero( + "hwasan-uar-retag-to-zero", + cl::desc("Clear alloca tags before returning from the function to allow " + "non-instrumented and instrumented function calls mix. When set " + "to false, allocas are retagged before returning from the " + "function to detect use after return."), + cl::Hidden, cl::init(true)); + static cl::opt<bool> ClGenerateTagsWithCalls( "hwasan-generate-tags-with-calls", cl::desc("generate new tags with runtime library calls"), cl::Hidden, @@ -577,6 +585,8 @@ Value *HWAddressSanitizer::getAllocaTag(IRBuilder<> &IRB, Value *StackTag, } Value *HWAddressSanitizer::getUARTag(IRBuilder<> &IRB, Value *StackTag) { + if (ClUARRetagToZero) + return ConstantInt::get(IntptrTy, 0); if (ClGenerateTagsWithCalls) return getNextTagWithCall(IRB); return IRB.CreateXor(StackTag, ConstantInt::get(IntptrTy, 0xFFU)); |
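Review bot: the help text of the new ClUARRetagToZero option in the first hunk reads awkwardly ("to allow non-instrumented and instrumented function calls mix") and does not say that the default of true switches off the use-after-return retagging that the pass did unconditionally before; suggest "to allow mixing instrumented and non-instrumented code (default: true, which disables use-after-return retagging on function exit)" so a reader of -help-hidden sees the trade-off without opening the source.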
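Review bot: the early `if (ClUARRetagToZero) return ConstantInt::get(IntptrTy, 0);` in getUARTag sits ahead of the ClGenerateTagsWithCalls branch, so with the new default no runtime tag call is emitted on exit and the `StackTag ^ 0xFF` path is skipped, which is what the summary asks for; a one-line comment explaining that a zero tag is the value non-instrumented callers leave in and expect from the shadow would help later readers, and a test that checks the exit path stores tag 0 rather than `StackTag ^ 0xFF` should accompany a change that flips the default behaviour.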