This is an archive of the discontinued LLVM Phabricator instance.

Differential D62927

[sanitizers][windows] Rtl-Heap Interception and tests
ClosedPublic

Authored by mcgov on Jun 5 2019, 12:35 PM.

Details

Reviewers
rnk
vitalybuka
zturner
mstorsjo
Summary

Adds interceptors for Rtl(Allocate|Free|Size|ReAllocate)Heap family of functions on windows. Hooking these requires more thorough hooking of the Heap(Alloc|Free|Size|ReAlloc) family. This feature is hidden behind a CMake configuration variable since it will incur a performance penalty due to many calls to RtlValidateHeap and HeapValidate.

The tests that exercise this code are also hidden with an environment variable that will add an available feature. This is a hack since I'm not sure the best way to turn these on and off based on the cmake configuration. I am super open to suggestions on a better way to do this :)

Diff Detail

Event Timeline

mcgov created this revision.Jun 5 2019, 12:35 PM
Herald added a project: Restricted Project. · View Herald TranscriptJun 5 2019, 12:35 PM
Herald added subscribers: llvm-commits, mgorny, kubamracek. · View Herald Transcript
mcgov updated this revision to Diff 203225.Jun 5 2019, 12:36 PM
mcgov updated this revision to Diff 203441.Jun 6 2019, 1:53 PM

updating to mask RTL interception from x64 (not supported yet)

mcgov updated this revision to Diff 203844.Jun 10 2019, 9:25 AM
mcgov planned changes to this revision.Jun 19 2019, 2:12 PM

Modifying to make this option selectable at runtime. This makes it cleaner, without needing config and env var hacks

mcgov updated this revision to Diff 205834.Jun 20 2019, 9:02 AM

Switches CMake config and environment variable to turn tests on to an ASAN_OPTIONS runtime variable. This makes the activation and testing cleaner, as well as the code itself.

mcgov added a comment.Jun 20 2019, 9:03 AM

@rnk @vitalybuka @mstorsjo ready for review :)

vitalybuka added inline comments.Jun 20 2019, 11:03 AM
compiler-rt/lib/asan/asan_malloc_win.cc
53

can you please upload the patch with "arc" tool, otherwise context is not visible

209

Not sure I understand this "if".
Can we get here when windows_hook_rtl_allocators==false?
If true, I don't see much difference after asan_inited set to true.

211

can you please clang-format the patch?

218

I'd expect this check is needed unconditionally, we can get to asan_malloc_usable_size even "if-then" about was executed.

462

Isn't better to use REAL in cases above instead of CHECK(Flags...) ?

mcgov marked 4 inline comments as done.Jun 20 2019, 11:46 AM
mcgov added inline comments.
compiler-rt/lib/asan/asan_malloc_win.cc
53

will do

209

These if's are handling some edge cases when you hook the RTL allocators. There are some allocations which will occur before interception happens, so you have to check where the allocation came from.

I agree these look pretty gross and aren't super clear. I'll see if I can clean it up or write some comments to make them obvious.

211

I have my editor set to format on save/paste but something must have gone wrong. Will make sure the new sections are formatted properly

218

Oh good point, I'll check assertions again file-wide.

462

I need more context on what you mean here, where would it be better?

mcgov updated this revision to Diff 205885.Jun 20 2019, 1:14 PM

Code cleaning, adding comments for clarity

mcgov marked 2 inline comments as done and an inline comment as not done.Jun 20 2019, 1:19 PM

addressing comments from @vitalybuka

compiler-rt/lib/asan/asan_malloc_win.cc
209

I've cleaned these up, they look a little weird at first but the new code makes sure to split up unsupported flags at allocation time when the runtime flag is set. In that case it is enough to check who owns the allocation, since the user can allocate a memory section without the unsupported flags but then use them on a later call to HeapSize or HeapReAlloc. When the RTL interception is turned on it's enough to just check who owns it, since if the user wants to use HEAP_NO_SERIALIZE on Free or Size it will just get ignored in the event ASAN owns the allocation. If the allocation is passed into the RTL library it will pass the flag through.

If the flag is turned off we keep the original behavior of asserting on those illegal flags, since there is no falling back to the original allocator in that version.

That's a lot, does that make sense or am I talking myself into garbage lol

vitalybuka added inline comments.Jun 20 2019, 1:21 PM
compiler-rt/lib/asan/asan_malloc_win.cc
218

this is marked as done, but I don't see a difference.

I expected something like:

if (flags()->windows_hook_rtl_allocators) {
  ...
  REAL...
}
CHECK(dwFlags == 0 && "unsupported heap flags");

without else

mcgov added inline comments.Jun 20 2019, 1:46 PM
compiler-rt/lib/asan/asan_malloc_win.cc
218

Right, I don't think this is actually the behavior that's needed though. It's the same reason as in HeapFree, when the RTL interception is turned on the check for incomaptible flags occurs only on (re)allocation. If the user is trying to pass unsupported flags to Size or Free for an allocation that's owned by the ASAN allocator we still want that size or free to come back to the user code, reguardless of where it lives. It's a weird situation that comes from juggling the original and asan allocator.

mcgov added a comment.Jun 21 2019, 10:46 AM

@vitalybuka Heya, not marking as done but need some feedback from you.

mcgov marked 6 inline comments as done.Jun 24 2019, 12:36 PM

Another bump for review from @rnk or @vitalybuka

The goals of this patch were to enable RTL interception and preserve the current functionality when the option is turned off. This is why there are some weird IF conditions that seem like they should be global. To get the RTL interception to work the way you would expect it required changing some of the ways flags that are passed into the Allocate/Free/ReAllocate/Size functions are handled. This may not be worth much since you can't see the test results (for now) but we have been using this patch internally for a few months now :-)

vitalybuka marked an inline comment as done.Jun 24 2019, 1:31 PM
vitalybuka added inline comments.
.gitignore
48 ↗(On Diff #205885)

Separate patch?

compiler-rt/lib/asan/asan_malloc_win.cc
39

Why these and new constants are macros and not regular consts or constexpr?

277

Leave this to compiler?

template<class ReAllocFunction...> 
static void* SharedReAlloc(ReAllocFunction reallocFunc, ...
280

this should be static on in namespace {}

280

void* SharedReAlloc?

462

Ignore my comment, now I understand your approach.

compiler-rt/lib/asan/asan_win.cc
181

Still shows "Context not available."

218

could you please use consts?

mcgov updated this revision to Diff 206488.Jun 25 2019, 11:25 AM
mcgov marked 4 inline comments as done.

addressing comments from @vitalybuka
changing macros to constexpr
moving private stuff into asan namespace

mcgov added a comment.Jun 25 2019, 11:26 AM

Addressing comments

.gitignore
48 ↗(On Diff #205885)

Sure, I can wrap this up with some other msvc host compat stuff (coming soon)

compiler-rt/lib/asan/asan_malloc_win.cc
39

No reason, I'll switch them

277

I did try this solution first, but we're stuck here because the template parameters would end up being pointers that are not compile-time constants. The arguments that are being pointed to are not the regular HeapAlloc address (which get patched), it's the pointers to the REAL(HeapAlloc) which are not known until hooking is finished.

The templated solution is cleaner but doesn't work in this situation. I will address these other concerns though it should be in the namespace. Thank you for the feedback!

compiler-rt/lib/asan/asan_win.cc
218

been reading too much old win32 code sorry 😂
will fix!

mcgov marked 2 inline comments as done.Jun 28 2019, 3:52 PM

updated consexpr and namespace issue

mcgov added a comment.Jul 3 2019, 10:00 AM

@rnk @vitalybuka

Just pinging again for review to land this if possible.

rnk added a comment.Jul 3 2019, 11:36 AM

I reviewed the code and mostly came up with surface formatting issues. Functionally I think it looks good and the only way to really find out if it works is to ship it. :) So, I think we should fix the surface issues and try to move forward with that.

compiler-rt/lib/asan/asan_malloc_win.cc
269

Please capitalize the type name of the enum, so AllocationOwnership.

280

This is used in one place, I would sink it down to the use.

284

This is only used if RTL allocator hooking is enabled, I'd sink it into the if.

compiler-rt/lib/asan/asan_win.cc
0–1

I think it would be simpler to drop this check and always do the IsTlsInitialized() check. I understand that adding the new heap interceptors is what causes us to run code prior to TLS initialization, but in the future ASan could change again in some other way that causes us to clal ASanTSDGet early and removing an if and defending against that possibility seems good.

Also, this isn't indented correctly, please fix that before committing.

0–1

There should be a space between the ){. I'd recommend using git-clang-format or some other tool to run clang-format to fix these minor issues.

vitalybuka added a comment.Jul 3 2019, 12:33 PM
In D62927#1568926, @rnk wrote:

I reviewed the code and mostly came up with surface formatting issues. Functionally I think it looks good and the only way to really find out if it works is to ship it. :) So, I think we should fix the surface issues and try to move forward with that.

LGTM, @rnk please accept when ready

mcgov updated this revision to Diff 207888.Jul 3 2019, 2:11 PM
mcgov marked 4 inline comments as done.

Updating for RNK comments

Herald added a subscriber: jfb. · View Herald TranscriptJul 3 2019, 2:11 PM
rnk accepted this revision.Jul 3 2019, 2:37 PM

lgtm

This revision is now accepted and ready to land.Jul 3 2019, 2:37 PM
mcgov mentioned this in rL365381: [sanitizers][windows] Rtl-Heap Interception and tests.Jul 8 2019, 12:58 PM
mcgov mentioned this in rGc9fa99d066f0: [sanitizers][windows] Rtl-Heap Interception and tests - Adds interceptors….Jul 8 2019, 1:04 PM
jfb added a comment.Jul 8 2019, 1:21 PM

Reverted in https://reviews.llvm.org/rL365384

because of: http://lab.llvm.org:8011/builders/clang-ppc64be-linux-lnt/builds/28842/steps/build%20stage%201/logs/stdio

/home/buildbots/ppc64be-clang-lnt-test/clang-ppc64be-lnt/llvm/projects/compiler-rt/lib/asan/asan_malloc_win.cc:23:2: error: #error "Missing arch or unsupported platform for Windows."
 #error "Missing arch or unsupported platform for Windows."
  ^~~~~
/home/buildbots/ppc64be-clang-lnt-test/clang-ppc64be-lnt/llvm/projects/compiler-rt/lib/asan/asan_malloc_win.cc:25:10: fatal error: heapapi.h: No such file or directory
 #include <heapapi.h>
          ^~~~~~~~~~~
compilation terminated.
[39/1151] Building CXX object projects/compiler-rt/lib/asan/CMakeFiles/RTAsan.powerpc64.dir/asan_debugging.cc.o
[40/1151] Building CXX object projects/compiler-rt/lib/asan/CMakeFiles/RTAsan.powerpc64.dir/asan_malloc_win.cc.o
FAILED: projects/compiler-rt/lib/asan/CMakeFiles/RTAsan.powerpc64.dir/asan_malloc_win.cc.o 
/usr/bin/c++  -D_DEBUG -D_GNU_SOURCE -D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS -D__STDC_LIMIT_MACROS -Iprojects/compiler-rt/lib/asan -I/home/buildbots/ppc64be-clang-lnt-test/clang-ppc64be-lnt/llvm/projects/compiler-rt/lib/asan -Iinclude -I/home/buildbots/ppc64be-clang-lnt-test/clang-ppc64be-lnt/llvm/include -I/home/buildbots/ppc64be-clang-lnt-test/clang-ppc64be-lnt/llvm/projects/compiler-rt/lib/asan/.. -fPIC -fvisibility-inlines-hidden -Werror=date-time -std=c++11 -Wall -Wextra -Wno-unused-parameter -Wwrite-strings -Wcast-qual -Wno-missing-field-initializers -pedantic -Wno-long-long -Wimplicit-fallthrough -Wno-maybe-uninitialized -Wno-noexcept-type -Wdelete-non-virtual-dtor -Wno-comment -fdiagnostics-color -ffunction-sections -fdata-sections -Wall -std=c++11 -Wno-unused-parameter -O2    -UNDEBUG  -m64 -fPIC -fno-builtin -fno-exceptions -fomit-frame-pointer -funwind-tables -fno-stack-protector -fvisibility=hidden -fno-lto -O3 -g -Wno-variadic-macros -Wno-non-virtual-dtor -fno-rtti -MD -MT projects/compiler-rt/lib/asan/CMakeFiles/RTAsan.powerpc64.dir/asan_malloc_win.cc.o -MF projects/compiler-rt/lib/asan/CMakeFiles/RTAsan.powerpc64.dir/asan_malloc_win.cc.o.d -o projects/compiler-rt/lib/asan/CMakeFiles/RTAsan.powerpc64.dir/asan_malloc_win.cc.o -c /home/buildbots/ppc64be-clang-lnt-test/clang-ppc64be-lnt/llvm/projects/compiler-rt/lib/asan/asan_malloc_win.cc
/home/buildbots/ppc64be-clang-lnt-test/clang-ppc64be-lnt/llvm/projects/compiler-rt/lib/asan/asan_malloc_win.cc:23:2: error: #error "Missing arch or unsupported platform for Windows."
 #error "Missing arch or unsupported platform for Windows."
  ^~~~~
/home/buildbots/ppc64be-clang-lnt-test/clang-ppc64be-lnt/llvm/projects/compiler-rt/lib/asan/asan_malloc_win.cc:25:10: fatal error: heapapi.h: No such file or directory
 #include <heapapi.h>
          ^~~~~~~~~~~
rnk added a comment.Jul 8 2019, 1:51 PM
In D62927#1574273, @jfb wrote:

Reverted in https://reviews.llvm.org/rL365384

because of: http://lab.llvm.org:8011/builders/clang-ppc64be-linux-lnt/builds/28842/steps/build%20stage%201/logs/stdio

/home/buildbots/ppc64be-clang-lnt-test/clang-ppc64be-lnt/llvm/projects/compiler-rt/lib/asan/asan_malloc_win.cc:23:2: error: #error "Missing arch or unsupported platform for Windows."
 #error "Missing arch or unsupported platform for Windows."
  ^~~~~
/home/buildbots/ppc64be-clang-lnt-test/clang-ppc64be-lnt/llvm/projects/compiler-rt/lib/asan/asan_malloc_win.cc:25:10: fatal error: heapapi.h: No such file or directory
 #include <heapapi.h>
          ^~~~~~~~~~~

This should be easy to fix, the entire asan_malloc_win.cc file should be encapsulated in the #if SANITIZER_WINDOWS block, including this.

I would recommend setting up a build and test environment on Linux to flush out these issues prior to committing in the future, since ASan is very platform sensitive. Once you get that working, feel free to reland when you get a chance.

rnk added a comment.Jul 8 2019, 1:57 PM

I noticed the new tests also failed on the sanitizer-windows bot:
http://lab.llvm.org:8011/builders/sanitizer-windows/builds/48066/steps/stage%201%20check/logs/stdio

I haven't looked into it much, but it would be good to investigate that before trying again.

mcgov mentioned this in rL365422: [sanitizers][windows] Rtl-Heap Interception and tests.Jul 8 2019, 6:47 PM
mcgov mentioned this in rG848a19e4eb66: [sanitizers][windows] Rtl-Heap Interception and tests - Adds interceptors….Jul 8 2019, 6:51 PM
mcgov mentioned this in rL365424: [sanitizers][windows] FIX: Rtl-Heap Interception and tests.Jul 8 2019, 6:55 PM
mcgov mentioned this in rG4e636156ef2e: [sanitizers][windows] FIX: Rtl-Heap Interception and tests.
mstorsjo added a comment.Jul 12 2019, 1:40 PM

Sorry for not testing out this commit until it hit the tree and not commenting on this before. This one turned out to break MinGW builds for a few different reasons, that I'll comment on inline.

Unrelated point: Please close the review on/after committing; this is easily handled by mentioning the review in the commit message in the form Differential Revision: https://reviews.llvm.org/D62927. In this case I was surprised why this could have broken anything as the review still wasn't closed.

If fixing these cases with the issues I'm pointing out is too cumbersome, I wouldn't mind adding a large #ifndef __MINGW32__ around the new code. But the release branch is approaching fast, and I'd like to have address sanitizer at least buildable for MinGW in the release (even though issues can be fixed after the branch as well) - having these new interceptors usable is less of a deal.

compiler-rt/lib/asan/asan_malloc_win.cc
18

This needs an || defined(__i386__) for MinGW, and same with defined(__x86_64__) below. And changing the #define _X86_ into #define _X86_ 1 avoids a warning about redefinition to a different value.

25

This file implicitly includes a lot of windows specific headers. See the comment below about "Intentionally not including windows.h here"; this brings back the same issue that was fixed earlier by removing the include of windows.h here, in particular errors like these:

compiler-rt/lib/asan/asan_malloc_win.cc:84:6: error: redeclaration of 'free' cannot add 'dllexport' attribute
void free(void *ptr) {
     ^

To avoid this, we need to make sure we don't see any inline function that uses the function free up to this point, when we redefine it with new attributes.

344

In MinGW, min() isn't defined by the headers included so far. I guess that could be considered a MinGW header bug (it's not defined if __cplusplus is defined - fixing that if necessary should hopefully be doable), but the issue mentioned above about explicitly avoiding windows platform headers might also lead to it being unavailable in MSVC style builds.

407

_Frees_ptr_opt_ is not available/defined in MinGW - can it be left out here, or does that cause errors about mismatching attributes in an MSVC build?

mcgov closed this revision.Jul 12 2019, 9:01 PM
mcgov marked 8 inline comments as done.

@mrstojo no worries! I'm very new and still learning how to be a good contributor so I appreciate feedback on what I'm doing wrong. I will remove the heapapi include and replace with just the function prototypes I needed along with those constants.

I'm closing this review and will open a new one for the mingw32 changes

compiler-rt/lib/asan/asan_malloc_win.cc
18

Will just yank this, we don't need the full include.

25

Whoops! will just replace with the items I need. We should need the function prototypes so if that's correct I'll just yank them out of the header.

344

no trouble, will replace

407

Nope, will remove this. My guess is this is some static analysis macro actually that resolves to nothing anyway, I just missed this was here since it's defined somewhere in that headerm so it shouldn't hurt anything to remove.

alvinhochun mentioned this in D150270: [asan][test][win] Remove `REQUIRES: asan-rtl-heap-interception`.May 10 2023, 6:34 AM
alvinhochun mentioned this in rG51015af77377: [asan][test][win] Remove `REQUIRES: asan-rtl-heap-interception`.May 16 2023, 4:54 AM

Revision Contents

Diff 207888

compiler-rt/lib/asan/asan_flags.inc

Show First 20 LinesShow All 148 Lines▼ Show 20 LinesASAN_FLAG(int, detect_odr_violation, 2,
"have different sizes") "have different sizes")
ASAN_FLAG(const char *, suppressions, "", "Suppressions file name.") ASAN_FLAG(const char *, suppressions, "", "Suppressions file name.")
ASAN_FLAG(bool, halt_on_error, true, ASAN_FLAG(bool, halt_on_error, true,
"Crash the program after printing the first error report " "Crash the program after printing the first error report "
"(WARNING: USE AT YOUR OWN RISK!)") "(WARNING: USE AT YOUR OWN RISK!)")
ASAN_FLAG(bool, allocator_frees_and_returns_null_on_realloc_zero, true, ASAN_FLAG(bool, allocator_frees_and_returns_null_on_realloc_zero, true,
"realloc(p, 0) is equivalent to free(p) by default (Same as the " "realloc(p, 0) is equivalent to free(p) by default (Same as the "
"POSIX standard). If set to false, realloc(p, 0) will return a " "POSIX standard). If set to false, realloc(p, 0) will return a "
"pointer to an allocated space which can not be used.")
ASAN_FLAG(bool, verify_asan_link_order, true,
"pointer to an allocated space which can not be used.") "Check position of ASan runtime in library list (needs to be disabled"
ASAN_FLAG(bool, verify_asan_link_order, true, " when other library has to be preloaded system-wide)")
"Check position of ASan runtime in library list (needs to be disabled" ASAN_FLAG(bool, windows_hook_rtl_allocators, false,
" when other library has to be preloaded system-wide)") "(Windows only) enable hooking of Rtl(Allocate|Free|Size|ReAllocate)Heap.")

compiler-rt/lib/asan/asan_malloc_win.cc

//===-- asan_malloc_win.cc ------------------------------------------------===// //===-- asan_malloc_win.cc ------------------------------------------------===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This file is a part of AddressSanitizer, an address sanity checker. // This file is a part of AddressSanitizer, an address sanity checker.
// //
// Windows-specific malloc interception. // Windows-specific malloc interception.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "sanitizer_common/sanitizer_allocator_interface.h"
// Need to include defintions for windows heap api functions,
// these assume windows.h will also be included. This definition
// fixes an error that's thrown if you only include heapapi.h
#if defined(_M_IX86)
mstorsjoUnsubmitted
Not Done
ReplyInline Actions

This needs an || defined(__i386__) for MinGW, and same with defined(__x86_64__) below. And changing the #define _X86_ into #define _X86_ 1 avoids a warning about redefinition to a different value.

mstorsjo: This needs an `|| defined(__i386__)` for MinGW, and same with `defined(__x86_64__)` below. And…
mcgovAuthorUnsubmitted
Done
ReplyInline Actions

Will just yank this, we don't need the full include.

mcgov: Will just yank this, we don't need the full include.
#define _X86_
#elif defined(_M_AMD64)
#define _AMD64_
#else
#error "Missing arch or unsupported platform for Windows."
#endif
#include <heapapi.h>
mstorsjoUnsubmitted
Not Done
ReplyInline Actions

This file implicitly includes a lot of windows specific headers. See the comment below about "Intentionally not including windows.h here"; this brings back the same issue that was fixed earlier by removing the include of windows.h here, in particular errors like these:

compiler-rt/lib/asan/asan_malloc_win.cc:84:6: error: redeclaration of 'free' cannot add 'dllexport' attribute
void free(void *ptr) {
     ^

To avoid this, we need to make sure we don't see any inline function that uses the function free up to this point, when we redefine it with new attributes.

mstorsjo: This file implicitly includes a lot of windows specific headers. See the comment below about…
mcgovAuthorUnsubmitted
Done
ReplyInline Actions

Whoops! will just replace with the items I need. We should need the function prototypes so if that's correct I'll just yank them out of the header.

mcgov: Whoops! will just replace with the items I need. We should need the function prototypes so if…
#include "sanitizer_common/sanitizer_platform.h" #include "sanitizer_common/sanitizer_platform.h"
#if SANITIZER_WINDOWS #if SANITIZER_WINDOWS
// Intentionally not including windows.h here, to avoid the risk of // Intentionally not including windows.h here, to avoid the risk of
// pulling in conflicting declarations of these functions. (With mingw-w64, // pulling in conflicting declarations of these functions. (With mingw-w64,
// there's a risk of windows.h pulling in stdint.h.) // there's a risk of windows.h pulling in stdint.h.)
typedef int BOOL; typedef int BOOL;
typedef void *HANDLE; typedef void *HANDLE;
typedef const void *LPCVOID; typedef const void *LPCVOID;
typedef void *LPVOID; typedef void *LPVOID;
#define HEAP_ZERO_MEMORY 0x00000008 constexpr unsigned long HEAP_ALLOCATE_SUPPORTED_FLAGS = (HEAP_ZERO_MEMORY);
constexpr unsigned long HEAP_ALLOCATE_UNSUPPORTED_FLAGS =
(~HEAP_ALLOCATE_SUPPORTED_FLAGS);
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

Why these and new constants are macros and not regular consts or constexpr?

vitalybuka: Why these and new constants are macros and not regular consts or constexpr?
mcgovAuthorUnsubmitted
Done
ReplyInline Actions

No reason, I'll switch them

mcgov: No reason, I'll switch them
constexpr unsigned long HEAP_FREE_SUPPORTED_FLAGS = (0);
constexpr unsigned long HEAP_FREE_UNSUPPORTED_FLAGS =
(~HEAP_ALLOCATE_SUPPORTED_FLAGS);
constexpr unsigned long HEAP_REALLOC_SUPPORTED_FLAGS =
(HEAP_REALLOC_IN_PLACE_ONLY | HEAP_ZERO_MEMORY);
#define HEAP_REALLOC_IN_PLACE_ONLY 0x00000010 constexpr unsigned long HEAP_REALLOC_UNSUPPORTED_FLAGS =
(~HEAP_ALLOCATE_SUPPORTED_FLAGS);
#include "asan_allocator.h" #include "asan_allocator.h"
#include "asan_interceptors.h" #include "asan_interceptors.h"
#include "asan_internal.h" #include "asan_internal.h"
#include "asan_stack.h" #include "asan_stack.h"
#include "interception/interception.h" #include "interception/interception.h"
vitalybukaUnsubmitted
Done
ReplyInline Actions

can you please upload the patch with "arc" tool, otherwise context is not visible

vitalybuka: can you please upload the patch with "arc" tool, otherwise context is not visible
mcgovAuthorUnsubmitted
Done
ReplyInline Actions

will do

mcgov: will do
#include <stddef.h> #include <stddef.h>
using namespace __asan; // NOLINT using namespace __asan; // NOLINT
// MT: Simply defining functions with the same signature in *.obj // MT: Simply defining functions with the same signature in *.obj
// files overrides the standard functions in the CRT. // files overrides the standard functions in the CRT.
// MD: Memory allocation functions are defined in the CRT .dll, // MD: Memory allocation functions are defined in the CRT .dll,
// so we have to intercept them before they are called for the first time. // so we have to intercept them before they are called for the first time.
▲ Show 20 LinesShow All 104 Lines▼ Show 20 Lines if (new_alloc) {
free(p); free(p);
} }
return new_alloc; return new_alloc;
} }
ALLOCATION_FUNCTION_ATTRIBUTE ALLOCATION_FUNCTION_ATTRIBUTE
void *_recalloc_base(void *p, size_t n, size_t elem_size) { void *_recalloc_base(void *p, size_t n, size_t elem_size) {
return _recalloc(p, n, elem_size); return _recalloc(p, n, elem_size);
}
ALLOCATION_FUNCTION_ATTRIBUTE
void *_expand(void *memblock, size_t size) {
// _expand is used in realloc-like functions to resize the buffer if possible.
// We don't want memory to stand still while resizing buffers, so return 0.
return 0;
}
ALLOCATION_FUNCTION_ATTRIBUTE
void *_expand_dbg(void *memblock, size_t size) {
return _expand(memblock, size);
}
// TODO(timurrrr): Might want to add support for _aligned_* allocation
// functions to detect a bit more bugs. Those functions seem to wrap malloc().
int _CrtDbgReport(int, const char*, int,
const char*, const char*, ...) {
ShowStatsAndAbort();
} }
int _CrtDbgReportW(int reportType, const wchar_t*, int,
const wchar_t*, const wchar_t*, ...) {
ShowStatsAndAbort();
}
int _CrtSetReportMode(int, int) {
return 0;
}
} // extern "C"
#define OWNED_BY_RTL(heap, memory) \
(!__sanitizer_get_ownership(memory) && HeapValidate(heap, 0, memory))
INTERCEPTOR_WINAPI(SIZE_T, HeapSize, HANDLE hHeap, DWORD dwFlags,
vitalybukaUnsubmitted
Done
ReplyInline Actions

Not sure I understand this "if".
Can we get here when windows_hook_rtl_allocators==false?
If true, I don't see much difference after asan_inited set to true.

vitalybuka: Not sure I understand this "if". Can we get here when windows_hook_rtl_allocators==false? If…
mcgovAuthorUnsubmitted
Done
ReplyInline Actions

These if's are handling some edge cases when you hook the RTL allocators. There are some allocations which will occur before interception happens, so you have to check where the allocation came from.

I agree these look pretty gross and aren't super clear. I'll see if I can clean it up or write some comments to make them obvious.

mcgov: These if's are handling some edge cases when you hook the RTL allocators. There are some…
mcgovAuthorUnsubmitted
Done
ReplyInline Actions

I've cleaned these up, they look a little weird at first but the new code makes sure to split up unsupported flags at allocation time when the runtime flag is set. In that case it is enough to check who owns the allocation, since the user can allocate a memory section without the unsupported flags but then use them on a later call to HeapSize or HeapReAlloc. When the RTL interception is turned on it's enough to just check who owns it, since if the user wants to use HEAP_NO_SERIALIZE on Free or Size it will just get ignored in the event ASAN owns the allocation. If the allocation is passed into the RTL library it will pass the flag through.

If the flag is turned off we keep the original behavior of asserting on those illegal flags, since there is no falling back to the original allocator in that version.

That's a lot, does that make sense or am I talking myself into garbage lol

mcgov: I've cleaned these up, they look a little weird at first but the new code makes sure to split…
ALLOCATION_FUNCTION_ATTRIBUTE LPCVOID lpMem) {
void *_expand(void *memblock, size_t size) { // If the RTL allocators are hooked we need to check whether the ASAN
vitalybukaUnsubmitted
Done
ReplyInline Actions

can you please clang-format the patch?

vitalybuka: can you please clang-format the patch?
mcgovAuthorUnsubmitted
Done
ReplyInline Actions

I have my editor set to format on save/paste but something must have gone wrong. Will make sure the new sections are formatted properly

mcgov: I have my editor set to format on save/paste but something must have gone wrong. Will make sure…
// _expand is used in realloc-like functions to resize the buffer if possible. // allocator owns the pointer we're about to use. Allocations occur before
// We don't want memory to stand still while resizing buffers, so return 0. // interception takes place, so if it is not owned by the RTL heap we can
return 0; // pass it to the ASAN heap for inspection.
} if (flags()->windows_hook_rtl_allocators) {
if (!asan_inited || OWNED_BY_RTL(hHeap, lpMem))
ALLOCATION_FUNCTION_ATTRIBUTE return REAL(HeapSize)(hHeap, dwFlags, lpMem);
void *_expand_dbg(void *memblock, size_t size) { } else {
vitalybukaUnsubmitted
Done
ReplyInline Actions

I'd expect this check is needed unconditionally, we can get to asan_malloc_usable_size even "if-then" about was executed.

vitalybuka: I'd expect this check is needed unconditionally, we can get to asan_malloc_usable_size even "if…
mcgovAuthorUnsubmitted
Done
ReplyInline Actions

Oh good point, I'll check assertions again file-wide.

mcgov: Oh good point, I'll check assertions again file-wide.
vitalybukaUnsubmitted
Done
ReplyInline Actions

this is marked as done, but I don't see a difference.

I expected something like:

if (flags()->windows_hook_rtl_allocators) {
  ...
  REAL...
}
CHECK(dwFlags == 0 && "unsupported heap flags");

without else

vitalybuka: this is marked as done, but I don't see a difference. I expected something like: ``` if (flags…
mcgovAuthorUnsubmitted
Done
ReplyInline Actions

Right, I don't think this is actually the behavior that's needed though. It's the same reason as in HeapFree, when the RTL interception is turned on the check for incomaptible flags occurs only on (re)allocation. If the user is trying to pass unsupported flags to Size or Free for an allocation that's owned by the ASAN allocator we still want that size or free to come back to the user code, reguardless of where it lives. It's a weird situation that comes from juggling the original and asan allocator.

mcgov: Right, I don't think this is actually the behavior that's needed though. It's the same reason…
CHECK(dwFlags == 0 && "unsupported heap flags");
}
return _expand(memblock, size); GET_CURRENT_PC_BP_SP;
} (void)sp;
return asan_malloc_usable_size(lpMem, pc, bp);
// TODO(timurrrr): Might want to add support for _aligned_* allocation }
INTERCEPTOR_WINAPI(LPVOID, HeapAlloc, HANDLE hHeap, DWORD dwFlags,
SIZE_T dwBytes) {
// If the ASAN runtime is not initialized, or we encounter an unsupported
// flag, fall back to the original allocator.
if (flags()->windows_hook_rtl_allocators) {
if (UNLIKELY(!asan_inited ||
(dwFlags & HEAP_ALLOCATE_UNSUPPORTED_FLAGS) != 0)) {
// functions to detect a bit more bugs. Those functions seem to wrap malloc(). return REAL(HeapAlloc)(hHeap, dwFlags, dwBytes);
}
int _CrtDbgReport(int, const char*, int, } else {
const char*, const char*, ...) { // In the case that we don't hook the rtl allocators,
ShowStatsAndAbort(); // this becomes an assert since there is no failover to the original
} // allocator.
CHECK((HEAP_ALLOCATE_UNSUPPORTED_FLAGS & dwFlags) != 0 &&
"unsupported flags");
}
GET_STACK_TRACE_MALLOC;
void *p = asan_malloc(dwBytes, &stack);
// Reading MSDN suggests that the *entire* usable allocation is zeroed out.
// Otherwise it is difficult to HeapReAlloc with HEAP_ZERO_MEMORY.
// https://blogs.msdn.microsoft.com/oldnewthing/20120316-00/?p=8083
if (p && (dwFlags & HEAP_ZERO_MEMORY)) {
int _CrtDbgReportW(int reportType, const wchar_t*, int, GET_CURRENT_PC_BP_SP;
const wchar_t*, const wchar_t*, ...) { (void)sp;
ShowStatsAndAbort(); auto usable_size = asan_malloc_usable_size(p, pc, bp);
internal_memset(p, 0, usable_size);
}
return p;
}
INTERCEPTOR_WINAPI(BOOL, HeapFree, HANDLE hHeap, DWORD dwFlags, LPVOID lpMem) {
// Heap allocations happen before this function is hooked, so we must fall
// back to the original function if the pointer is not from the ASAN heap,
// or unsupported flags are provided.
if (flags()->windows_hook_rtl_allocators) {
if (OWNED_BY_RTL(hHeap, lpMem))
return REAL(HeapFree)(hHeap, dwFlags, lpMem);
} else {
CHECK((HEAP_FREE_UNSUPPORTED_FLAGS & dwFlags) != 0 && "unsupported flags");
}
GET_STACK_TRACE_FREE;
asan_free(lpMem, &stack, FROM_MALLOC);
return true;
}
rnkUnsubmitted
Done
ReplyInline Actions

Please capitalize the type name of the enum, so AllocationOwnership.

rnk: Please capitalize the type name of the enum, so AllocationOwnership.
namespace __asan {
using AllocFunction = LPVOID(WINAPI *)(HANDLE, DWORD, SIZE_T);
using ReAllocFunction = LPVOID(WINAPI *)(HANDLE, DWORD, LPVOID, SIZE_T);
using SizeFunction = SIZE_T(WINAPI *)(HANDLE, DWORD, LPVOID);
using FreeFunction = BOOL(WINAPI *)(HANDLE, DWORD, LPVOID);
void *SharedReAlloc(ReAllocFunction reallocFunc, SizeFunction heapSizeFunc,
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

Leave this to compiler?

template<class ReAllocFunction...> 
static void* SharedReAlloc(ReAllocFunction reallocFunc, ...
vitalybuka: Leave this to compiler? ``` template<class ReAllocFunction...> static void* SharedReAlloc…
mcgovAuthorUnsubmitted
Done
ReplyInline Actions

I did try this solution first, but we're stuck here because the template parameters would end up being pointers that are not compile-time constants. The arguments that are being pointed to are not the regular HeapAlloc address (which get patched), it's the pointers to the REAL(HeapAlloc) which are not known until hooking is finished.

The templated solution is cleaner but doesn't work in this situation. I will address these other concerns though it should be in the namespace. Thank you for the feedback!

mcgov: I did try this solution first, but we're stuck here because the template parameters would end…
FreeFunction freeFunc, AllocFunction allocFunc,
HANDLE hHeap, DWORD dwFlags, LPVOID lpMem, SIZE_T dwBytes) {
CHECK(reallocFunc && heapSizeFunc && freeFunc && allocFunc);
vitalybukaUnsubmitted
Done
ReplyInline Actions

this should be static on in namespace {}

vitalybuka: this should be static on in namespace {}
vitalybukaUnsubmitted
Done
ReplyInline Actions

void* SharedReAlloc?

vitalybuka: void* SharedReAlloc?
rnkUnsubmitted
Done
ReplyInline Actions

This is used in one place, I would sink it down to the use.

rnk: This is used in one place, I would sink it down to the use.
GET_STACK_TRACE_MALLOC;
GET_CURRENT_PC_BP_SP;
(void)sp;
if (flags()->windows_hook_rtl_allocators) {
rnkUnsubmitted
Done
ReplyInline Actions

This is only used if RTL allocator hooking is enabled, I'd sink it into the if.

rnk: This is only used if RTL allocator hooking is enabled, I'd sink it into the if.
enum AllocationOwnership { NEITHER = 0, ASAN = 1, RTL = 2 };
AllocationOwnership ownershipState;
bool owned_rtlalloc = false;
bool owned_asan = __sanitizer_get_ownership(lpMem);
if (!owned_asan)
owned_rtlalloc = HeapValidate(hHeap, 0, lpMem);
if (owned_asan && !owned_rtlalloc)
ownershipState = ASAN;
else if (!owned_asan && owned_rtlalloc)
ownershipState = RTL;
else if (!owned_asan && !owned_rtlalloc)
ownershipState = NEITHER;
// If this heap block which was allocated before the ASAN
// runtime came up, use the real HeapFree function.
if (UNLIKELY(!asan_inited)) {
return reallocFunc(hHeap, dwFlags, lpMem, dwBytes);
}
bool only_asan_supported_flags =
(HEAP_REALLOC_UNSUPPORTED_FLAGS & dwFlags) == 0;
if (ownershipState == RTL ||
(ownershipState == NEITHER && !only_asan_supported_flags)) {
if (only_asan_supported_flags) {
// if this is a conversion to ASAN upported flags, transfer this
// allocation to the ASAN allocator
void *replacement_alloc;
if (dwFlags & HEAP_ZERO_MEMORY)
replacement_alloc = asan_calloc(1, dwBytes, &stack);
else
replacement_alloc = asan_malloc(dwBytes, &stack);
if (replacement_alloc) {
size_t old_size = heapSizeFunc(hHeap, dwFlags, lpMem);
if (old_size == ((SIZE_T)0) - 1) {
asan_free(replacement_alloc, &stack, FROM_MALLOC);
return nullptr;
}
REAL(memcpy)(replacement_alloc, lpMem, old_size);
freeFunc(hHeap, dwFlags, lpMem);
}
return replacement_alloc;
} } else {
// owned by rtl or neither with unsupported ASAN flags,
int _CrtSetReportMode(int, int) { // just pass back to original allocator
return 0; CHECK(ownershipState == RTL || ownershipState == NEITHER);
} CHECK(!only_asan_supported_flags);
} // extern "C" return reallocFunc(hHeap, dwFlags, lpMem, dwBytes);
}
INTERCEPTOR_WINAPI(LPVOID, HeapAlloc, HANDLE hHeap, DWORD dwFlags, }
SIZE_T dwBytes) {
if (ownershipState == ASAN && !only_asan_supported_flags) {
GET_STACK_TRACE_MALLOC; // Conversion to unsupported flags allocation,
void *p = asan_malloc(dwBytes, &stack); // transfer this allocation back to the original allocator.
// Reading MSDN suggests that the *entire* usable allocation is zeroed out. void *replacement_alloc = allocFunc(hHeap, dwFlags, dwBytes);
size_t old_usable_size = 0;
// Otherwise it is difficult to HeapReAlloc with HEAP_ZERO_MEMORY. if (replacement_alloc) {
// https://blogs.msdn.microsoft.com/oldnewthing/20120316-00/?p=8083 old_usable_size = asan_malloc_usable_size(lpMem, pc, bp);
if (dwFlags == HEAP_ZERO_MEMORY) REAL(memcpy)(replacement_alloc, lpMem, min(dwBytes, old_usable_size));
mstorsjoUnsubmitted
Not Done
ReplyInline Actions

In MinGW, min() isn't defined by the headers included so far. I guess that could be considered a MinGW header bug (it's not defined if __cplusplus is defined - fixing that if necessary should hopefully be doable), but the issue mentioned above about explicitly avoiding windows platform headers might also lead to it being unavailable in MSVC style builds.

mstorsjo: In MinGW, `min()` isn't defined by the headers included so far. I guess that could be…
mcgovAuthorUnsubmitted
Done
ReplyInline Actions

no trouble, will replace

mcgov: no trouble, will replace
internal_memset(p, 0, asan_mz_size(p)); asan_free(lpMem, &stack, FROM_MALLOC);
else }
CHECK(dwFlags == 0 && "unsupported heap flags"); return replacement_alloc;
return p; }
}
CHECK((ownershipState == ASAN || ownershipState == NEITHER) &&
only_asan_supported_flags);
INTERCEPTOR_WINAPI(BOOL, HeapFree, HANDLE hHeap, DWORD dwFlags, LPVOID lpMem) { // At this point we should either be ASAN owned with ASAN supported flags
CHECK(dwFlags == 0 && "unsupported heap flags"); // or we owned by neither and have supported flags.
GET_STACK_TRACE_FREE; // Pass through even when it's neither since this could be a null realloc or
asan_free(lpMem, &stack, FROM_MALLOC); // UAF that ASAN needs to catch.
} else {
CHECK((HEAP_REALLOC_UNSUPPORTED_FLAGS & dwFlags) != 0 &&
"unsupported flags");
}
// asan_realloc will never reallocate in place, so for now this flag is
// unsupported until we figure out a way to fake this.
if (dwFlags & HEAP_REALLOC_IN_PLACE_ONLY)
return nullptr;
// HeapReAlloc and HeapAlloc both happily accept 0 sized allocations.
// passing a 0 size into asan_realloc will free the allocation.
// To avoid this and keep behavior consistent, fudge the size if 0.
// (asan_malloc already does this)
if (dwBytes == 0)
dwBytes = 1;
size_t old_size;
if (dwFlags & HEAP_ZERO_MEMORY)
old_size = asan_malloc_usable_size(lpMem, pc, bp);
void *ptr = asan_realloc(lpMem, dwBytes, &stack);
if (ptr == nullptr)
return nullptr;
if (dwFlags & HEAP_ZERO_MEMORY) {
size_t new_size = asan_malloc_usable_size(ptr, pc, bp);
if (old_size < new_size)
REAL(memset)(((u8 *)ptr) + old_size, 0, new_size - old_size);
}
return ptr;
}
} // namespace __asan
INTERCEPTOR_WINAPI(LPVOID, HeapReAlloc, HANDLE hHeap, DWORD dwFlags,
LPVOID lpMem, SIZE_T dwBytes) {
return true; return SharedReAlloc(REAL(HeapReAlloc), (SizeFunction)REAL(HeapSize),
} REAL(HeapFree), REAL(HeapAlloc), hHeap, dwFlags, lpMem,
dwBytes);
}
// The following functions are undocumented and subject to change.
// However, hooking them is necessary to hook Windows heap
// allocations with detours and their definitions are unlikely to change.
// Comments in /minkernel/ntos/rtl/heappublic.c indicate that these functions
// are part of the heap's public interface.
typedef ULONG LOGICAL;
// This function is documented as part of the Driver Development Kit but *not*
// the Windows Development Kit.
NTSYSAPI LOGICAL RtlFreeHeap(PVOID HeapHandle, ULONG Flags,
_Frees_ptr_opt_ PVOID BaseAddress);
mstorsjoUnsubmitted
Not Done
ReplyInline Actions

_Frees_ptr_opt_ is not available/defined in MinGW - can it be left out here, or does that cause errors about mismatching attributes in an MSVC build?

mstorsjo: `_Frees_ptr_opt_` is not available/defined in MinGW - can it be left out here, or does that…
mcgovAuthorUnsubmitted
Done
ReplyInline Actions

Nope, will remove this. My guess is this is some static analysis macro actually that resolves to nothing anyway, I just missed this was here since it's defined somewhere in that headerm so it shouldn't hurt anything to remove.

mcgov: Nope, will remove this. My guess is this is some static analysis macro actually that resolves…
// This function is documented as part of the Driver Development Kit but *not*
// the Windows Development Kit.
NTSYSAPI PVOID RtlAllocateHeap(PVOID HeapHandle, ULONG Flags, SIZE_T Size);
// This function is completely undocumented.
PVOID
RtlReAllocateHeap(PVOID HeapHandle, ULONG Flags, PVOID BaseAddress,
SIZE_T Size);
// This function is completely undocumented.
SIZE_T
RtlSizeHeap(PVOID HeapHandle, ULONG Flags, PVOID BaseAddress);
INTERCEPTOR_WINAPI(SIZE_T, RtlSizeHeap, HANDLE HeapHandle, ULONG Flags,
PVOID BaseAddress) {
if (!flags()->windows_hook_rtl_allocators ||
UNLIKELY(!asan_inited || OWNED_BY_RTL(HeapHandle, BaseAddress))) {
return REAL(RtlSizeHeap)(HeapHandle, Flags, BaseAddress);
}
GET_CURRENT_PC_BP_SP;
(void)sp;
return asan_malloc_usable_size(BaseAddress, pc, bp);
}
INTERCEPTOR_WINAPI(BOOL, RtlFreeHeap, HANDLE HeapHandle, ULONG Flags,
PVOID BaseAddress) {
// Heap allocations happen before this function is hooked, so we must fall
// back to the original function if the pointer is not from the ASAN heap, or
// unsupported flags are provided.
if (!flags()->windows_hook_rtl_allocators ||
UNLIKELY((HEAP_FREE_UNSUPPORTED_FLAGS & Flags) != 0 ||
OWNED_BY_RTL(HeapHandle, BaseAddress))) {
return REAL(RtlFreeHeap)(HeapHandle, Flags, BaseAddress);
}
GET_STACK_TRACE_FREE;
INTERCEPTOR_WINAPI(LPVOID, HeapReAlloc, HANDLE hHeap, DWORD dwFlags, asan_free(BaseAddress, &stack, FROM_MALLOC);
LPVOID lpMem, SIZE_T dwBytes) { return true;
GET_STACK_TRACE_MALLOC; }
GET_CURRENT_PC_BP_SP;
(void)sp; INTERCEPTOR_WINAPI(PVOID, RtlAllocateHeap, HANDLE HeapHandle, DWORD Flags,
// Realloc should never reallocate in place. SIZE_T Size) {
if (dwFlags & HEAP_REALLOC_IN_PLACE_ONLY) // If the ASAN runtime is not initialized, or we encounter an unsupported
return nullptr; // flag, fall back to the original allocator.
CHECK(dwFlags == 0 && "unsupported heap flags"); if (!flags()->windows_hook_rtl_allocators ||
// HeapReAlloc and HeapAlloc both happily accept 0 sized allocations. UNLIKELY(!asan_inited ||
// passing a 0 size into asan_realloc will free the allocation. (Flags & HEAP_ALLOCATE_UNSUPPORTED_FLAGS) != 0)) {
// To avoid this and keep behavior consistent, fudge the size if 0. return REAL(RtlAllocateHeap)(HeapHandle, Flags, Size);
// (asan_malloc already does this) }
if (dwBytes == 0) GET_STACK_TRACE_MALLOC;
dwBytes = 1; void *p;
size_t old_size; // Reading MSDN suggests that the *entire* usable allocation is zeroed out.
if (dwFlags & HEAP_ZERO_MEMORY) // Otherwise it is difficult to HeapReAlloc with HEAP_ZERO_MEMORY.
old_size = asan_malloc_usable_size(lpMem, pc, bp); // https://blogs.msdn.microsoft.com/oldnewthing/20120316-00/?p=8083
void *ptr = asan_realloc(lpMem, dwBytes, &stack); if (Flags & HEAP_ZERO_MEMORY) {
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

Isn't better to use REAL in cases above instead of CHECK(Flags...) ?

vitalybuka: Isn't better to use REAL in cases above instead of CHECK(Flags...) ?
mcgovAuthorUnsubmitted
Not Done
ReplyInline Actions

I need more context on what you mean here, where would it be better?

mcgov: I need more context on what you mean here, where would it be better?
vitalybukaUnsubmitted
Done
ReplyInline Actions

Ignore my comment, now I understand your approach.

vitalybuka: Ignore my comment, now I understand your approach.
if (ptr == nullptr) p = asan_calloc(Size, 1, &stack);
return nullptr; } else {
p = asan_malloc(Size, &stack);
if (dwFlags & HEAP_ZERO_MEMORY) { }
size_t new_size = asan_malloc_usable_size(ptr, pc, bp); return p;
if (old_size < new_size) }
REAL(memset)(((u8 *)ptr) + old_size, 0, new_size - old_size);
} INTERCEPTOR_WINAPI(PVOID, RtlReAllocateHeap, HANDLE HeapHandle, ULONG Flags,
return ptr; PVOID BaseAddress, SIZE_T Size) {
} // If it's actually a heap block which was allocated before the ASAN runtime
// came up, use the real RtlFreeHeap function.
INTERCEPTOR_WINAPI(SIZE_T, HeapSize, HANDLE hHeap, DWORD dwFlags, if (!flags()->windows_hook_rtl_allocators)
LPCVOID lpMem) { return REAL(RtlReAllocateHeap)(HeapHandle, Flags, BaseAddress, Size);
CHECK(dwFlags == 0 && "unsupported heap flags");
GET_CURRENT_PC_BP_SP; return SharedReAlloc(REAL(RtlReAllocateHeap), REAL(RtlSizeHeap),
(void)sp; REAL(RtlFreeHeap), REAL(RtlAllocateHeap), HeapHandle,
Flags, BaseAddress, Size);
}
namespace __asan {
static void TryToOverrideFunction(const char *fname, uptr new_func) {
// Failure here is not fatal. The CRT may not be present, and different CRT
// versions use different symbols.
if (!__interception::OverrideFunction(fname, new_func))
VPrintf(2, "Failed to override function %s\n", fname);
}
return asan_malloc_usable_size(lpMem, pc, bp);
} void ReplaceSystemMalloc() {
#if defined(ASAN_DYNAMIC)
namespace __asan { TryToOverrideFunction("free", (uptr)free);
TryToOverrideFunction("_free_base", (uptr)free);
static void TryToOverrideFunction(const char *fname, uptr new_func) { TryToOverrideFunction("malloc", (uptr)malloc);
// Failure here is not fatal. The CRT may not be present, and different CRT TryToOverrideFunction("_malloc_base", (uptr)malloc);
// versions use different symbols. TryToOverrideFunction("_malloc_crt", (uptr)malloc);
if (!__interception::OverrideFunction(fname, new_func)) TryToOverrideFunction("calloc", (uptr)calloc);
VPrintf(2, "Failed to override function %s\n", fname); TryToOverrideFunction("_calloc_base", (uptr)calloc);
TryToOverrideFunction("_calloc_crt", (uptr)calloc);
TryToOverrideFunction("realloc", (uptr)realloc);
TryToOverrideFunction("_realloc_base", (uptr)realloc);
TryToOverrideFunction("_realloc_crt", (uptr)realloc);
TryToOverrideFunction("_recalloc", (uptr)_recalloc);
TryToOverrideFunction("_recalloc_base", (uptr)_recalloc);
TryToOverrideFunction("_recalloc_crt", (uptr)_recalloc);
TryToOverrideFunction("_msize", (uptr)_msize);
TryToOverrideFunction("_msize_base", (uptr)_msize);
} TryToOverrideFunction("_expand", (uptr)_expand);
TryToOverrideFunction("_expand_base", (uptr)_expand);
void ReplaceSystemMalloc() {
#if defined(ASAN_DYNAMIC) if (flags()->windows_hook_rtl_allocators) {
TryToOverrideFunction("free", (uptr)free); INTERCEPT_FUNCTION(HeapSize);
TryToOverrideFunction("_free_base", (uptr)free); INTERCEPT_FUNCTION(HeapFree);
TryToOverrideFunction("malloc", (uptr)malloc); INTERCEPT_FUNCTION(HeapReAlloc);
TryToOverrideFunction("_malloc_base", (uptr)malloc); INTERCEPT_FUNCTION(HeapAlloc);
TryToOverrideFunction("_malloc_crt", (uptr)malloc);
TryToOverrideFunction("calloc", (uptr)calloc); // Undocumented functions must be intercepted by name, not by symbol.
TryToOverrideFunction("_calloc_base", (uptr)calloc); __interception::OverrideFunction("RtlSizeHeap", (uptr)WRAP(RtlSizeHeap),
TryToOverrideFunction("_calloc_crt", (uptr)calloc); (uptr *)&REAL(RtlSizeHeap));
TryToOverrideFunction("realloc", (uptr)realloc); __interception::OverrideFunction("RtlFreeHeap", (uptr)WRAP(RtlFreeHeap),
TryToOverrideFunction("_realloc_base", (uptr)realloc); (uptr *)&REAL(RtlFreeHeap));
TryToOverrideFunction("_realloc_crt", (uptr)realloc); __interception::OverrideFunction("RtlReAllocateHeap",
TryToOverrideFunction("_recalloc", (uptr)_recalloc); (uptr)WRAP(RtlReAllocateHeap),
TryToOverrideFunction("_recalloc_base", (uptr)_recalloc); (uptr *)&REAL(RtlReAllocateHeap));
TryToOverrideFunction("_recalloc_crt", (uptr)_recalloc); __interception::OverrideFunction("RtlAllocateHeap",
TryToOverrideFunction("_msize", (uptr)_msize); (uptr)WRAP(RtlAllocateHeap),
TryToOverrideFunction("_msize_base", (uptr)_msize); (uptr *)&REAL(RtlAllocateHeap));
TryToOverrideFunction("_expand", (uptr)_expand); } else {
TryToOverrideFunction("_expand_base", (uptr)_expand); #define INTERCEPT_UCRT_FUNCTION(func) \
if (!INTERCEPT_FUNCTION_DLLIMPORT("ucrtbase.dll", \
// Recent versions of ucrtbase.dll appear to be built with PGO and LTCG, which "api-ms-win-core-heap-l1-1-0.dll", func)) \
// enable cross-module inlining. This means our _malloc_base hook won't catch VPrintf(2, "Failed to intercept ucrtbase.dll import %s\n", #func);
// all CRT allocations. This code here patches the import table of INTERCEPT_UCRT_FUNCTION(HeapAlloc);
// ucrtbase.dll so that all attempts to use the lower-level win32 heap INTERCEPT_UCRT_FUNCTION(HeapFree);
// allocation API will be directed to ASan's heap. We don't currently INTERCEPT_UCRT_FUNCTION(HeapReAlloc);
// intercept all calls to HeapAlloc. If we did, we would have to check on INTERCEPT_UCRT_FUNCTION(HeapSize);
// HeapFree whether the pointer came from ASan of from the system. #undef INTERCEPT_UCRT_FUNCTION
#define INTERCEPT_UCRT_FUNCTION(func) \ }
if (!INTERCEPT_FUNCTION_DLLIMPORT("ucrtbase.dll", \ // Recent versions of ucrtbase.dll appear to be built with PGO and LTCG, which
"api-ms-win-core-heap-l1-1-0.dll", func)) \ // enable cross-module inlining. This means our _malloc_base hook won't catch
VPrintf(2, "Failed to intercept ucrtbase.dll import %s\n", #func); // all CRT allocations. This code here patches the import table of
INTERCEPT_UCRT_FUNCTION(HeapAlloc); // ucrtbase.dll so that all attempts to use the lower-level win32 heap
INTERCEPT_UCRT_FUNCTION(HeapFree); // allocation API will be directed to ASan's heap. We don't currently
INTERCEPT_UCRT_FUNCTION(HeapReAlloc); // intercept all calls to HeapAlloc. If we did, we would have to check on
INTERCEPT_UCRT_FUNCTION(HeapSize); // HeapFree whether the pointer came from ASan of from the system.
#undef INTERCEPT_UCRT_FUNCTION
#endif #endif // defined(ASAN_DYNAMIC)
} }
} // namespace __asan } // namespace __asan
#endif // _WIN32 #endif // _WIN32

compiler-rt/lib/asan/asan_win.cc

//===-- asan_win.cc -------------------------------------------------------===// //===-- asan_win.cc -------------------------------------------------------===//
rnkUnsubmitted
Done
ReplyInline Actions

I think it would be simpler to drop this check and always do the IsTlsInitialized() check. I understand that adding the new heap interceptors is what causes us to run code prior to TLS initialization, but in the future ASan could change again in some other way that causes us to clal ASanTSDGet early and removing an if and defending against that possibility seems good.

Also, this isn't indented correctly, please fix that before committing.

rnk: I think it would be simpler to drop this check and always do the `IsTlsInitialized()` check. I…
rnkUnsubmitted
Not Done
ReplyInline Actions

There should be a space between the ){. I'd recommend using git-clang-format or some other tool to run clang-format to fix these minor issues.

rnk: There should be a space between the `){`. I'd recommend using `git-clang-format` or some other…
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This file is a part of AddressSanitizer, an address sanity checker. // This file is a part of AddressSanitizer, an address sanity checker.
// //
// Windows-specific details. // Windows-specific details.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "sanitizer_common/sanitizer_platform.h" #include "sanitizer_common/sanitizer_platform.h"
#if SANITIZER_WINDOWS #if SANITIZER_WINDOWS
#define WIN32_LEAN_AND_MEAN #define WIN32_LEAN_AND_MEAN
#include <windows.h> #include <windows.h>
#include <stdlib.h> #include <stdlib.h>
#include "asan_interceptors.h" #include "asan_interceptors.h"
#include "asan_internal.h" #include "asan_internal.h"
#include "asan_mapping.h"
#include "asan_report.h" #include "asan_report.h"
#include "asan_stack.h" #include "asan_stack.h"
#include "asan_thread.h" #include "asan_thread.h"
#include "asan_mapping.h"
#include "sanitizer_common/sanitizer_libc.h" #include "sanitizer_common/sanitizer_libc.h"
#include "sanitizer_common/sanitizer_mutex.h" #include "sanitizer_common/sanitizer_mutex.h"
#include "sanitizer_common/sanitizer_win.h" #include "sanitizer_common/sanitizer_win.h"
#include "sanitizer_common/sanitizer_win_defs.h" #include "sanitizer_common/sanitizer_win_defs.h"
using namespace __asan; // NOLINT using namespace __asan; // NOLINT
extern "C" { extern "C" {
Show All 37 Lines if (user_seh_handler)
return user_seh_handler(info); return user_seh_handler(info);
// Bubble out to the default exception filter. // Bubble out to the default exception filter.
if (default_seh_handler) if (default_seh_handler)
return default_seh_handler(info); return default_seh_handler(info);
return EXCEPTION_CONTINUE_SEARCH; return EXCEPTION_CONTINUE_SEARCH;
} }
INTERCEPTOR_WINAPI(LPTOP_LEVEL_EXCEPTION_FILTER, SetUnhandledExceptionFilter, INTERCEPTOR_WINAPI(LPTOP_LEVEL_EXCEPTION_FILTER, SetUnhandledExceptionFilter,
LPTOP_LEVEL_EXCEPTION_FILTER ExceptionFilter) { LPTOP_LEVEL_EXCEPTION_FILTER ExceptionFilter) {
CHECK(REAL(SetUnhandledExceptionFilter)); CHECK(REAL(SetUnhandledExceptionFilter));
if (ExceptionFilter == &SEHHandler) if (ExceptionFilter == &SEHHandler)
return REAL(SetUnhandledExceptionFilter)(ExceptionFilter); return REAL(SetUnhandledExceptionFilter)(ExceptionFilter);
// We record the user provided exception handler to be called for all the // We record the user provided exception handler to be called for all the
// exceptions unhandled by asan. // exceptions unhandled by asan.
Swap(ExceptionFilter, user_seh_handler); Swap(ExceptionFilter, user_seh_handler);
return ExceptionFilter; return ExceptionFilter;
} }
Show All 38 Lines
INTERCEPTOR(int, _except_handler4, void *a, void *b, void *c, void *d) { INTERCEPTOR(int, _except_handler4, void *a, void *b, void *c, void *d) {
CHECK(REAL(_except_handler4)); CHECK(REAL(_except_handler4));
__asan_handle_no_return(); __asan_handle_no_return();
return REAL(_except_handler4)(a, b, c, d); return REAL(_except_handler4)(a, b, c, d);
} }
#endif #endif
static thread_return_t THREAD_CALLING_CONV asan_thread_start(void *arg) { static thread_return_t THREAD_CALLING_CONV asan_thread_start(void *arg) {
AsanThread *t = (AsanThread*)arg; AsanThread *t = (AsanThread *)arg;
SetCurrentThread(t); SetCurrentThread(t);
return t->ThreadStart(GetTid(), /* signal_thread_is_registered */ nullptr); return t->ThreadStart(GetTid(), /* signal_thread_is_registered */ nullptr);
} }
INTERCEPTOR_WINAPI(HANDLE, CreateThread, LPSECURITY_ATTRIBUTES security, INTERCEPTOR_WINAPI(HANDLE, CreateThread, LPSECURITY_ATTRIBUTES security,
SIZE_T stack_size, LPTHREAD_START_ROUTINE start_routine, SIZE_T stack_size, LPTHREAD_START_ROUTINE start_routine,
void *arg, DWORD thr_flags, DWORD *tid) { void *arg, DWORD thr_flags, DWORD *tid) {
// Strict init-order checking is thread-hostile. // Strict init-order checking is thread-hostile.
Show All 13 Lines
// }}} // }}}
namespace __asan { namespace __asan {
void InitializePlatformInterceptors() { void InitializePlatformInterceptors() {
// The interceptors were not designed to be removable, so we have to keep this // The interceptors were not designed to be removable, so we have to keep this
// module alive for the life of the process. // module alive for the life of the process.
HMODULE pinned; HMODULE pinned;
CHECK(GetModuleHandleExW(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS | CHECK(GetModuleHandleExW(
GET_MODULE_HANDLE_EX_FLAG_PIN, GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS | GET_MODULE_HANDLE_EX_FLAG_PIN,
(LPCWSTR)&InitializePlatformInterceptors, (LPCWSTR)&InitializePlatformInterceptors, &pinned));
&pinned));
ASAN_INTERCEPT_FUNC(CreateThread); ASAN_INTERCEPT_FUNC(CreateThread);
ASAN_INTERCEPT_FUNC(SetUnhandledExceptionFilter); ASAN_INTERCEPT_FUNC(SetUnhandledExceptionFilter);
#ifdef _WIN64 #ifdef _WIN64
ASAN_INTERCEPT_FUNC(__C_specific_handler); ASAN_INTERCEPT_FUNC(__C_specific_handler);
#else #else
ASAN_INTERCEPT_FUNC(_except_handler3); ASAN_INTERCEPT_FUNC(_except_handler3);
ASAN_INTERCEPT_FUNC(_except_handler4); ASAN_INTERCEPT_FUNC(_except_handler4);
#endif #endif
// Try to intercept kernel32!RaiseException, and if that fails, intercept // Try to intercept kernel32!RaiseException, and if that fails, intercept
// ntdll!RtlRaiseException instead. // ntdll!RtlRaiseException instead.
if (!::__interception::OverrideFunction("RaiseException", if (!::__interception::OverrideFunction("RaiseException",
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

Still shows "Context not available."

vitalybuka: Still shows "Context not available."
(uptr)WRAP(RaiseException), (uptr)WRAP(RaiseException),
(uptr *)&REAL(RaiseException))) { (uptr *)&REAL(RaiseException))) {
CHECK(::__interception::OverrideFunction("RtlRaiseException", CHECK(::__interception::OverrideFunction("RtlRaiseException",
(uptr)WRAP(RtlRaiseException), (uptr)WRAP(RtlRaiseException),
(uptr *)&REAL(RtlRaiseException))); (uptr *)&REAL(RtlRaiseException)));
} }
} }
void AsanApplyToGlobals(globals_op_fptr op, const void *needle) { void AsanApplyToGlobals(globals_op_fptr op, const void *needle) {
UNIMPLEMENTED(); UNIMPLEMENTED();
} }
// ---------------------- TSD ---------------- {{{ // ---------------------- TSD ---------------- {{{
static bool tsd_key_inited = false; static bool tsd_key_inited = false;
static __declspec(thread) void *fake_tsd = 0; static __declspec(thread) void *fake_tsd = 0;
// https://docs.microsoft.com/en-us/windows/desktop/api/winternl/ns-winternl-_teb
// "[This structure may be altered in future versions of Windows. Applications
// should use the alternate functions listed in this topic.]"
typedef struct _TEB {
PVOID Reserved1[12];
// PVOID ThreadLocalStoragePointer; is here, at the last field in Reserved1.
PVOID ProcessEnvironmentBlock;
PVOID Reserved2[399];
BYTE Reserved3[1952];
PVOID TlsSlots[64];
BYTE Reserved4[8];
PVOID Reserved5[26];
PVOID ReservedForOle;
PVOID Reserved6[4];
PVOID TlsExpansionSlots;
} TEB, *PTEB;
constexpr size_t TEB_RESERVED_FIELDS_THREAD_LOCAL_STORAGE_OFFSET = 11;
BOOL IsTlsInitialized() {
PTEB teb = (PTEB)NtCurrentTeb();
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

could you please use consts?

vitalybuka: could you please use consts?
mcgovAuthorUnsubmitted
Done
ReplyInline Actions

been reading too much old win32 code sorry 😂
will fix!

mcgov: been reading too much old win32 code sorry 😂 will fix!
return teb->Reserved1[TEB_RESERVED_FIELDS_THREAD_LOCAL_STORAGE_OFFSET] !=
nullptr;
}
void AsanTSDInit(void (*destructor)(void *tsd)) { void AsanTSDInit(void (*destructor)(void *tsd)) {
// FIXME: we're ignoring the destructor for now. // FIXME: we're ignoring the destructor for now.
tsd_key_inited = true; tsd_key_inited = true;
} }
void *AsanTSDGet() { void *AsanTSDGet() {
CHECK(tsd_key_inited); CHECK(tsd_key_inited);
return fake_tsd; return IsTlsInitialized() ? fake_tsd : nullptr;
} }
void AsanTSDSet(void *tsd) { void AsanTSDSet(void *tsd) {
CHECK(tsd_key_inited); CHECK(tsd_key_inited);
fake_tsd = tsd; fake_tsd = tsd;
} }
void PlatformTSDDtor(void *tsd) { void PlatformTSDDtor(void *tsd) { AsanThread::TSDDtor(tsd); }
AsanThread::TSDDtor(tsd);
}
// }}} // }}}
// ---------------------- Various stuff ---------------- {{{ // ---------------------- Various stuff ---------------- {{{
void *AsanDoesNotSupportStaticLinkage() { void *AsanDoesNotSupportStaticLinkage() {
#if defined(_DEBUG) #if defined(_DEBUG)
#error Please build the runtime with a non-debug CRT: /MD or /MT #error Please build the runtime with a non-debug CRT: /MD or /MT
#endif #endif
return 0; return 0;
Show All 14 Lines
void AsanCheckDynamicRTPrereqs() {} void AsanCheckDynamicRTPrereqs() {}
void AsanCheckIncompatibleRT() {} void AsanCheckIncompatibleRT() {}
void ReadContextStack(void *context, uptr *stack, uptr *ssize) { void ReadContextStack(void *context, uptr *stack, uptr *ssize) {
UNIMPLEMENTED(); UNIMPLEMENTED();
} }
void AsanOnDeadlySignal(int, void *siginfo, void *context) { void AsanOnDeadlySignal(int, void *siginfo, void *context) { UNIMPLEMENTED(); }
UNIMPLEMENTED();
}
#if SANITIZER_WINDOWS64 #if SANITIZER_WINDOWS64
// Exception handler for dealing with shadow memory. // Exception handler for dealing with shadow memory.
static LONG CALLBACK static LONG CALLBACK
ShadowExceptionHandler(PEXCEPTION_POINTERS exception_pointers) { ShadowExceptionHandler(PEXCEPTION_POINTERS exception_pointers) {
uptr page_size = GetPageSizeCached(); uptr page_size = GetPageSizeCached();
// Only handle access violations. // Only handle access violations.
if (exception_pointers->ExceptionRecord->ExceptionCode != if (exception_pointers->ExceptionRecord->ExceptionCode !=
EXCEPTION_ACCESS_VIOLATION) { EXCEPTION_ACCESS_VIOLATION ||
exception_pointers->ExceptionRecord->NumberParameters < 2) {
__asan_handle_no_return();
return EXCEPTION_CONTINUE_SEARCH; return EXCEPTION_CONTINUE_SEARCH;
} }
// Only handle access violations that land within the shadow memory. // Only handle access violations that land within the shadow memory.
uptr addr = uptr addr =
(uptr)(exception_pointers->ExceptionRecord->ExceptionInformation[1]); (uptr)(exception_pointers->ExceptionRecord->ExceptionInformation[1]);
// Check valid shadow range. // Check valid shadow range.
if (!AddrIsInShadow(addr)) return EXCEPTION_CONTINUE_SEARCH; if (!AddrIsInShadow(addr)) {
__asan_handle_no_return();
return EXCEPTION_CONTINUE_SEARCH;
}
// This is an access violation while trying to read from the shadow. Commit // This is an access violation while trying to read from the shadow. Commit
// the relevant page and let execution continue. // the relevant page and let execution continue.
// Determine the address of the page that is being accessed. // Determine the address of the page that is being accessed.
uptr page = RoundDownTo(addr, page_size); uptr page = RoundDownTo(addr, page_size);
// Commit the page. // Commit the page.
uptr result = uptr result =
(uptr)::VirtualAlloc((LPVOID)page, page_size, MEM_COMMIT, PAGE_READWRITE); (uptr)::VirtualAlloc((LPVOID)page, page_size, MEM_COMMIT, PAGE_READWRITE);
if (result != page) return EXCEPTION_CONTINUE_SEARCH; if (result != page)
return EXCEPTION_CONTINUE_SEARCH;
// The page mapping succeeded, so continue execution as usual. // The page mapping succeeded, so continue execution as usual.
return EXCEPTION_CONTINUE_EXECUTION; return EXCEPTION_CONTINUE_EXECUTION;
} }
#endif #endif
void InitializePlatformExceptionHandlers() { void InitializePlatformExceptionHandlers() {
#if SANITIZER_WINDOWS64 #if SANITIZER_WINDOWS64
// On Win64, we map memory on demand with access violation handler. // On Win64, we map memory on demand with access violation handler.
// Install our exception handler. // Install our exception handler.
CHECK(AddVectoredExceptionHandler(TRUE, &ShadowExceptionHandler)); CHECK(AddVectoredExceptionHandler(TRUE, &ShadowExceptionHandler));
#endif #endif
} }
bool IsSystemHeapAddress(uptr addr) { bool IsSystemHeapAddress(uptr addr) {
return ::HeapValidate(GetProcessHeap(), 0, (void*)addr) != FALSE; return ::HeapValidate(GetProcessHeap(), 0, (void *)addr) != FALSE;
} }
// We want to install our own exception handler (EH) to print helpful reports // We want to install our own exception handler (EH) to print helpful reports
// on access violations and whatnot. Unfortunately, the CRT initializers assume // on access violations and whatnot. Unfortunately, the CRT initializers assume
// they are run before any user code and drop any previously-installed EHs on // they are run before any user code and drop any previously-installed EHs on
// the floor, so we can't install our handler inside __asan_init. // the floor, so we can't install our handler inside __asan_init.
// (See crt0dat.c in the CRT sources for the details) // (See crt0dat.c in the CRT sources for the details)
// //
// Things get even more complicated with the dynamic runtime, as it finishes its // Things get even more complicated with the dynamic runtime, as it finishes its
// initialization before the .exe module CRT begins to initialize. // initialization before the .exe module CRT begins to initialize.
// //
// For the static runtime (-MT), it's enough to put a callback to // For the static runtime (-MT), it's enough to put a callback to
// __asan_set_seh_filter in the last section for C initializers. // __asan_set_seh_filter in the last section for C initializers.
// //
// For the dynamic runtime (-MD), we want link the same // For the dynamic runtime (-MD), we want link the same
// asan_dynamic_runtime_thunk.lib to all the modules, thus __asan_set_seh_filter // asan_dynamic_runtime_thunk.lib to all the modules, thus __asan_set_seh_filter
// will be called for each instrumented module. This ensures that at least one // will be called for each instrumented module. This ensures that at least one
// __asan_set_seh_filter call happens after the .exe module CRT is initialized. // __asan_set_seh_filter call happens after the .exe module CRT is initialized.
extern "C" SANITIZER_INTERFACE_ATTRIBUTE extern "C" SANITIZER_INTERFACE_ATTRIBUTE int __asan_set_seh_filter() {
int __asan_set_seh_filter() {
// We should only store the previous handler if it's not our own handler in // We should only store the previous handler if it's not our own handler in
// order to avoid loops in the EH chain. // order to avoid loops in the EH chain.
auto prev_seh_handler = SetUnhandledExceptionFilter(SEHHandler); auto prev_seh_handler = SetUnhandledExceptionFilter(SEHHandler);
if (prev_seh_handler != &SEHHandler) if (prev_seh_handler != &SEHHandler)
default_seh_handler = prev_seh_handler; default_seh_handler = prev_seh_handler;
return 0; return 0;
} }
Show All 17 Lines
__declspec(allocate(".CRT$XCAB")) int (*__intercept_seh)() = __declspec(allocate(".CRT$XCAB")) int (*__intercept_seh)() =
__asan_set_seh_filter; __asan_set_seh_filter;
// Piggyback on the TLS initialization callback directory to initialize asan as // Piggyback on the TLS initialization callback directory to initialize asan as
// early as possible. Initializers in .CRT$XL* are called directly by ntdll, // early as possible. Initializers in .CRT$XL* are called directly by ntdll,
// which run before the CRT. Users also add code to .CRT$XLC, so it's important // which run before the CRT. Users also add code to .CRT$XLC, so it's important
// to run our initializers first. // to run our initializers first.
static void NTAPI asan_thread_init(void *module, DWORD reason, void *reserved) { static void NTAPI asan_thread_init(void *module, DWORD reason, void *reserved) {
if (reason == DLL_PROCESS_ATTACH) __asan_init(); if (reason == DLL_PROCESS_ATTACH)
__asan_init();
} }
#pragma section(".CRT$XLAB", long, read) // NOLINT #pragma section(".CRT$XLAB", long, read) // NOLINT
__declspec(allocate(".CRT$XLAB")) void (NTAPI *__asan_tls_init)(void *, __declspec(allocate(".CRT$XLAB")) void(NTAPI *__asan_tls_init)(
unsigned long, void *) = asan_thread_init; void *, unsigned long, void *) = asan_thread_init;
#endif #endif
static void NTAPI asan_thread_exit(void *module, DWORD reason, void *reserved) { static void NTAPI asan_thread_exit(void *module, DWORD reason, void *reserved) {
if (reason == DLL_THREAD_DETACH) { if (reason == DLL_THREAD_DETACH) {
// Unpoison the thread's stack because the memory may be re-used. // Unpoison the thread's stack because the memory may be re-used.
NT_TIB *tib = (NT_TIB *)NtCurrentTeb(); NT_TIB *tib = (NT_TIB *)NtCurrentTeb();
uptr stackSize = (uptr)tib->StackBase - (uptr)tib->StackLimit; uptr stackSize = (uptr)tib->StackBase - (uptr)tib->StackLimit;
__asan_unpoison_memory_region(tib->StackLimit, stackSize); __asan_unpoison_memory_region(tib->StackLimit, stackSize);
} }
} }
#pragma section(".CRT$XLY", long, read) // NOLINT #pragma section(".CRT$XLY", long, read) // NOLINT
__declspec(allocate(".CRT$XLY")) void (NTAPI *__asan_tls_exit)(void *, __declspec(allocate(".CRT$XLY")) void(NTAPI *__asan_tls_exit)(
unsigned long, void *) = asan_thread_exit; void *, unsigned long, void *) = asan_thread_exit;
WIN_FORCE_LINK(__asan_dso_reg_hook) WIN_FORCE_LINK(__asan_dso_reg_hook)
// }}} // }}}
} // namespace __asan } // namespace __asan
#endif // SANITIZER_WINDOWS #endif // SANITIZER_WINDOWS

compiler-rt/test/asan/TestCases/Windows/dll_host.cc

Show All 26 Lines
// IMPORT: __asan_wrap_HeapAlloc // IMPORT: __asan_wrap_HeapAlloc
// IMPORT: __asan_wrap_HeapFree // IMPORT: __asan_wrap_HeapFree
// IMPORT: __asan_wrap_HeapReAlloc // IMPORT: __asan_wrap_HeapReAlloc
// IMPORT: __asan_wrap_HeapSize // IMPORT: __asan_wrap_HeapSize
// IMPORT: __asan_wrap_CreateThread // IMPORT: __asan_wrap_CreateThread
// IMPORT: __asan_wrap_RaiseException // IMPORT: __asan_wrap_RaiseException
// IMPORT: __asan_wrap_RtlRaiseException // IMPORT: __asan_wrap_RtlRaiseException
// IMPORT: __asan_wrap_SetUnhandledExceptionFilter // IMPORT: __asan_wrap_SetUnhandledExceptionFilter
// IMPORT: __asan_wrap_RtlSizeHeap
// IMPORT: __asan_wrap_RtlAllocateHeap
// IMPORT: __asan_wrap_RtlReAllocateHeap
// IMPORT: __asan_wrap_RtlFreeHeap
// //
// RUN: cat %t.imports1 %t.imports2 | sort | uniq > %t.imports-sorted // RUN: cat %t.imports1 %t.imports2 | sort | uniq > %t.imports-sorted
// RUN: cat %t.exports1 %t.exports2 | sort | uniq > %t.exports-sorted // RUN: cat %t.exports1 %t.exports2 | sort | uniq > %t.exports-sorted
// //
// Now make sure the DLL thunk imports everything: // Now make sure the DLL thunk imports everything:
// RUN: echo // RUN: echo
// RUN: echo "=== NOTE === If you see a mismatch below, please update asan_win_dll_thunk.cc" // RUN: echo "=== NOTE === If you see a mismatch below, please update asan_win_dll_thunk.cc"
// RUN: diff %t.imports-sorted %t.exports-sorted // RUN: diff %t.imports-sorted %t.exports-sorted
Show All 33 Lines

compiler-rt/test/asan/TestCases/Windows/dll_unload.cc

  • This file was added.
#include <stdio.h>
#include <windows.h>
// RUN: %clang_cl_asan -LD /Od -DDLL %s -Fe%t.dll
// RUN: %clang_cl /Od -DEXE %s -Fe%te.exe
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true not %run %te.exe %t.dll 2>&1 | FileCheck %s
// REQUIRES: asan-dynamic-runtime
// REQUIRES: asan-32-bits
#include <cassert>
#include <stdio.h>
#include <windows.h>
extern "C" {
#if defined(EXE)
int main(int argc, char **argv) {
void *region_without_hooks = HeapAlloc(GetProcessHeap(), 0, 10);
HMODULE lib = LoadLibraryA(argv[1]);
assert(lib != INVALID_HANDLE_VALUE);
void *region_w_hooks = HeapAlloc(GetProcessHeap(), 0, 10);
assert(region_w_hooks != nullptr);
assert(0 != FreeLibrary(lib));
fprintf(stderr, "WITHOUT:0x%08x\n", (unsigned int)region_without_hooks);
fprintf(stderr, "WITH:0x%08x\n", (unsigned int)region_w_hooks);
assert(0 != HeapFree(GetProcessHeap(), 0, region_without_hooks));
assert(0 != HeapFree(GetProcessHeap(), 0, region_w_hooks));
HeapFree(GetProcessHeap(), 0, region_w_hooks); //will dump
}
#elif defined(DLL)
// This global is registered at startup.
BOOL WINAPI DllMain(HMODULE, DWORD reason, LPVOID) {
fprintf(stderr, "in DLL(reason=%d)\n", (int)reason);
fflush(0);
return TRUE;
}
// CHECK: in DLL(reason=1)
// CHECK: in DLL(reason=0)
// CHECK: WITHOUT:[[WITHOUT:0x[0-9a-fA-F]+]]
// CHECK: WITH:[[WITH:0x[0-9a-fA-F]+]]
// CHECK: AddressSanitizer: attempting double-free on [[WITH]] in thread T0:
#else
#error oops!
#endif
}

compiler-rt/test/asan/TestCases/Windows/heapalloc.cc

  • This file was added.
// XFAIL: asan-64-bits
// RUN: %clang_cl_asan -O0 %s -Fe%t
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true not %run %t 2>&1 | FileCheck %s
#include <windows.h>
int main() {
char *buffer;
buffer = (char *)HeapAlloc(GetProcessHeap(), 0, 32),
buffer[33] = 'a';
// CHECK: AddressSanitizer: heap-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
// CHECK: WRITE of size 1 at [[ADDR]] thread T0
}

compiler-rt/test/asan/TestCases/Windows/heapalloc_dll_double_free.cc

  • This file was added.
#include <stdio.h>
#include <windows.h>
// RUN: %clang_cl_asan -LD /Od -DDLL %s -Fe%t.dll
// RUN: %clang_cl /Od -DEXE %s -Fe%te.exe
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true not %run %te.exe %t.dll 2>&1 | FileCheck %s
// REQUIRES: asan-dynamic-runtime
// REQUIRES: asan-32-bits
#include <cassert>
#include <stdio.h>
#include <windows.h>
extern "C" {
#if defined(EXE)
int main(int argc, char **argv) {
void *region_without_hooks = HeapAlloc(GetProcessHeap(), 0, 10);
HMODULE lib = LoadLibraryA(argv[1]);
assert(lib != INVALID_HANDLE_VALUE);
assert(0 != FreeLibrary(lib));
assert(0 != HeapFree(GetProcessHeap(), 0, region_without_hooks));
assert(0 != HeapFree(GetProcessHeap(), 0, region_without_hooks));
}
#elif defined(DLL)
// This global is registered at startup.
BOOL WINAPI DllMain(HMODULE, DWORD reason, LPVOID) {
fprintf(stderr, "in DLL(reason=%d)\n", (int)reason);
fflush(0);
return TRUE;
}
// CHECK: in DLL(reason=1)
// CHECK: in DLL(reason=0)
// CHECK: AddressSanitizer: nested bug in the same thread, aborting.
#else
#error oops!
#endif
}

compiler-rt/test/asan/TestCases/Windows/heapalloc_dll_unload_realloc_uaf.cc

  • This file was added.
#include <stdio.h>
#include <windows.h>
// RUN: %clang_cl_asan -LD /Od -DDLL %s -Fe%t.dll
// RUN: %clang_cl /Od -DEXE %s -Fe%te.exe
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true not %run %te.exe %t.dll 2>&1 | FileCheck %s
// REQUIRES: asan-dynamic-runtime
// REQUIRES: asan-32-bits
#include <cassert>
#include <stdio.h>
#include <windows.h>
extern "C" {
#if defined(EXE)
int main(int argc, char **argv) {
void *region_without_hooks = HeapAlloc(GetProcessHeap(), 0, 10);
HMODULE lib = LoadLibraryA(argv[1]);
assert(lib != INVALID_HANDLE_VALUE);
assert(0 != FreeLibrary(lib));
assert(0 != HeapFree(GetProcessHeap(), 0, region_without_hooks));
HeapReAlloc(GetProcessHeap(), 0, region_without_hooks, 100); //should throw nested error
}
#elif defined(DLL)
// This global is registered at startup.
BOOL WINAPI DllMain(HMODULE, DWORD reason, LPVOID) {
fprintf(stderr, "in DLL(reason=%d)\n", (int)reason);
fflush(0);
return TRUE;
}
// CHECK: in DLL(reason=1)
// CHECK: in DLL(reason=0)
// CHECK: AddressSanitizer: nested bug in the same thread, aborting.
#else
#error oops!
#endif
}

compiler-rt/test/asan/TestCases/Windows/heapalloc_doublefree.cc

  • This file was added.
// RUN: %clang_cl_asan -O0 %s -Fe%t
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true not %run %t 2>&1 | FileCheck %s
// XFAIL: asan-64-bits
#include <cassert>
#include <windows.h>
int main() {
void *allocation = HeapAlloc(GetProcessHeap(), 0, 10);
assert(allocation != 0);
assert(HeapFree(GetProcessHeap(), 0, allocation));
HeapFree(GetProcessHeap(), 0, allocation); //will dump
assert(0 && "HeapFree double free should produce an ASAN dump\n");
return 0;
}
// CHECK: AddressSanitizer: attempting double-free on [[addr:0x[0-9a-fA-F]+]] in thread T0:
No newline at end of file

compiler-rt/test/asan/TestCases/Windows/heapalloc_flags_fallback.cc

  • This file was added.
// RUN: %clang_cl_asan -O0 %s -Fe%t
// RUN: %run %t 2>&1 | FileCheck %s
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true %run %t 2>&1 | FileCheck %s
// XFAIL: asan-64-bits
#include <assert.h>
#include <stdio.h>
#include <windows.h>
extern "C" int
__sanitizer_get_ownership(const volatile void *p);
int main() {
char *buffer;
buffer = (char *)HeapAlloc(GetProcessHeap(), HEAP_GENERATE_EXCEPTIONS, 32);
buffer[0] = 'a';
assert(!__sanitizer_get_ownership(buffer));
HeapFree(GetProcessHeap(), 0, buffer);
puts("Okay");
// CHECK: Okay
}

compiler-rt/test/asan/TestCases/Windows/heapalloc_huge.cc

  • This file was added.
// RUN: %clang_cl_asan -O0 %s -Fe%t
// RUN: %env_asan_opts=allocator_may_return_null=true %run %t
// RUN: %env_asan_opts=allocator_may_return_null=true:windows_hook_rtl_allocators=true %run %t
// XFAIL: asan-64-bits
#include <windows.h>
int main() {
void *nope = HeapAlloc(GetProcessHeap(), 0, ((size_t)0) - 1);
return (nope == nullptr) ? 0 : 1;
}
No newline at end of file

compiler-rt/test/asan/TestCases/Windows/heapalloc_rtl_transfer.cc

  • This file was added.
#include "sanitizer\allocator_interface.h"
#include <cassert>
#include <stdio.h>
#include <windows.h>
// RUN: %clang_cl_asan %s -o%t
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true %run %t 2>&1 | FileCheck %s
// XFAIL: asan-64-bits
using AllocateFunctionPtr = PVOID(__stdcall *)(PVOID, ULONG, SIZE_T);
using ReAllocateFunctionPtr = PVOID(__stdcall *)(PVOID, ULONG, PVOID, SIZE_T);
using FreeFunctionPtr = PVOID(__stdcall *)(PVOID, ULONG, PVOID);
int main() {
HMODULE NtDllHandle = GetModuleHandle("ntdll.dll");
if (!NtDllHandle) {
puts("Couldn't load ntdll??");
return -1;
}
auto RtlAllocateHeap_ptr = (AllocateFunctionPtr)GetProcAddress(NtDllHandle, "RtlAllocateHeap");
if (RtlAllocateHeap_ptr == 0) {
puts("Couldn't find RtlAllocateHeap");
return -1;
}
auto RtlReAllocateHeap_ptr = (ReAllocateFunctionPtr)GetProcAddress(NtDllHandle, "RtlReAllocateHeap");
if (RtlReAllocateHeap_ptr == 0) {
puts("Couldn't find RtlReAllocateHeap");
return -1;
}
//owned by rtl
void *alloc = RtlAllocateHeap_ptr(GetProcessHeap(),
HEAP_GENERATE_EXCEPTIONS | HEAP_ZERO_MEMORY, 100);
assert(alloc);
for (int i = 0; i < 100; i++) {
assert(((char *)alloc)[i] == 0);
((char *)alloc)[i] = '\xcc';
}
// still owned by rtl
alloc = RtlReAllocateHeap_ptr(GetProcessHeap(),
HEAP_GENERATE_EXCEPTIONS | HEAP_ZERO_MEMORY, alloc, 500);
assert(alloc && !__sanitizer_get_ownership(alloc) && HeapValidate(GetProcessHeap(), 0, alloc));
for (int i = 0; i < 100; i++) {
assert(((char *)alloc)[i] == '\xcc');
}
for (int i = 100; i < 500; i++) {
assert(((char *)alloc)[i] == 0);
((char *)alloc)[i] = '\xcc';
}
//convert to asan owned
void *realloc = RtlReAllocateHeap_ptr(GetProcessHeap(),
HEAP_ZERO_MEMORY, alloc, 600);
alloc = nullptr;
assert(realloc && __sanitizer_get_ownership(realloc));
for (int i = 0; i < 500; i++) {
assert(((char *)realloc)[i] == '\xcc');
}
for (int i = 500; i < 600; i++) {
assert(((char *)realloc)[i] == 0);
((char *)realloc)[i] = '\xcc';
}
realloc = RtlReAllocateHeap_ptr(GetProcessHeap(),
HEAP_ZERO_MEMORY, realloc, 2048);
assert(realloc && __sanitizer_get_ownership(realloc));
for (int i = 0; i < 600; i++) {
assert(((char *)realloc)[i] == '\xcc');
}
for (int i = 600; i < 2048; i++) {
assert(((char *)realloc)[i] == 0);
((char *)realloc)[i] = '\xcc';
}
//convert back to rtl owned;
alloc = RtlReAllocateHeap_ptr(GetProcessHeap(),
HEAP_ZERO_MEMORY | HEAP_GENERATE_EXCEPTIONS, realloc, 100);
assert(alloc && !__sanitizer_get_ownership(alloc) && HeapValidate(GetProcessHeap(), 0, alloc));
for (int i = 0; i < 100; i++) {
assert(((char *)alloc)[i] == '\xcc');
((char *)alloc)[i] = 0;
}
auto usable_size = HeapSize(GetProcessHeap(), 0, alloc);
for (int i = 100; i < usable_size; i++) {
assert(((char *)alloc)[i] == 0);
}
printf("Success\n");
}
// CHECK-NOT: Assertion failed:
// CHECK-NOT: AddressSanitizer
// CHECK: Success
No newline at end of file

compiler-rt/test/asan/TestCases/Windows/heapalloc_sanity.cc

  • This file was added.
// RUN: %clang_cl_asan -O0 %s -Fe%t
// RUN: %run %t 2>&1 | FileCheck %s
#include <stdio.h>
#include <windows.h>
int main() {
char *buffer;
buffer = (char *)HeapAlloc(GetProcessHeap(), 0, 32),
buffer[0] = 'a';
HeapFree(GetProcessHeap(), 0, buffer);
puts("Okay");
// CHECK: Okay
}

compiler-rt/test/asan/TestCases/Windows/heapalloc_transfer.cc

  • This file was added.
#include "sanitizer\allocator_interface.h"
#include <cassert>
#include <stdio.h>
#include <windows.h>
// RUN: %clang_cl_asan %s -o%t
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true %run %t 2>&1 | FileCheck %s
// XFAIL: asan-64-bits
int main() {
//owned by rtl
void *alloc = HeapAlloc(GetProcessHeap(), HEAP_GENERATE_EXCEPTIONS, 100);
assert(alloc);
// still owned by rtl
alloc = HeapReAlloc(GetProcessHeap(), HEAP_GENERATE_EXCEPTIONS, alloc, 100);
assert(alloc && !__sanitizer_get_ownership(alloc) && HeapValidate(GetProcessHeap(), 0, alloc));
//convert to asan owned
void *realloc = HeapReAlloc(GetProcessHeap(), 0, alloc, 500);
alloc = nullptr;
assert(realloc && __sanitizer_get_ownership(realloc));
//convert back to rtl owned;
alloc = HeapReAlloc(GetProcessHeap(), HEAP_GENERATE_EXCEPTIONS, realloc, 100);
assert(alloc && !__sanitizer_get_ownership(alloc) && HeapValidate(GetProcessHeap(), 0, alloc));
printf("Success\n");
}
// CHECK-NOT: assert
// CHECK-NOT: AddressSanitizer
// CHECK: Success
No newline at end of file

compiler-rt/test/asan/TestCases/Windows/heapalloc_uaf.cc

  • This file was added.
// RUN: %clang_cl_asan -O0 %s -Fe%t
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true not %run %t 2>&1 | FileCheck %s
// XFAIL: asan-64-bits
#include <windows.h>
int main() {
char *buffer;
buffer = (char *)HeapAlloc(GetProcessHeap(), 0, 32),
HeapFree(GetProcessHeap(), 0, buffer);
buffer[0] = 'a';
// CHECK: AddressSanitizer: heap-use-after-free on address [[ADDR:0x[0-9a-f]+]]
// CHECK: WRITE of size 1 at [[ADDR]] thread T0
}

compiler-rt/test/asan/TestCases/Windows/heapalloc_zero_size.cc

  • This file was added.
// RUN: %clang_cl_asan /Od -o %t %s
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true %run %t 2>&1 | FileCheck %s
// RUN: %env_asan_opts=windows_hook_rtl_allocators=false %run %t 2>&1 | FileCheck %s
// RUN: %clang_cl /Od -o %t %s
// RUN: %run %t 2>&1 | FileCheck %s
// XFAIL: asan-64-bits
#include <cassert>
#include <stdio.h>
#include <windows.h>
int main() {
HANDLE heap = HeapCreate(0, 0, 0);
void *ptr = HeapAlloc(heap, 0, 4);
assert(ptr);
void *ptr2 = HeapReAlloc(heap, 0, ptr, 0);
assert(ptr2);
HeapFree(heap, 0, ptr2);
fprintf(stderr, "passed!\n");
}
// CHECK-NOT: double-free
// CHECK-NOT: AddressSanitizer
// CHECK: passed!

compiler-rt/test/asan/TestCases/Windows/heaprealloc.cc

  • This file was added.
// RUN: %clang_cl_asan -O0 %s -Fe%t
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true not %run %t 2>&1 | FileCheck %s
// XFAIL: asan-64-bits
#include <stdio.h>
#include <windows.h>
int main() {
char *oldbuf;
size_t sz = 8;
HANDLE procHeap = GetProcessHeap();
oldbuf = (char *)HeapAlloc(procHeap, 0, sz);
char *newbuf = oldbuf;
while (oldbuf == newbuf) {
sz *= 2;
newbuf = (char *)HeapReAlloc(procHeap, 0, oldbuf, sz);
}
newbuf[0] = 'a';
oldbuf[0] = 'a';
// CHECK: AddressSanitizer: heap-use-after-free on address [[ADDR:0x[0-9a-f]+]]
// CHECK: WRITE of size 1 at [[WRITE2:0x[0-9a-f]+]] thread T0
// CHECK: #0 {{0x[0-9a-f]+ in main.*}}:[[@LINE-3]]
}

compiler-rt/test/asan/TestCases/Windows/heaprealloc_alloc_zero.cc

  • This file was added.
// RUN: %clang_cl_asan /Od /MT -o %t %s
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true %run %t 2>&1 | FileCheck %s
// XFAIL: asan-64-bits
#include <cassert>
#include <iostream>
#include <windows.h>
int main() {
void *ptr = malloc(0);
if (ptr)
std::cerr << "allocated!\n";
((char *)ptr)[0] = '\xff'; //check this 'allocate 1 instead of 0' hack hasn't changed
free(ptr);
/*
HeapAlloc hack for our asan interceptor is to change 0
sized allocations to size 1 to avoid weird inconsistencies
between how realloc and heaprealloc handle 0 size allocations.
Note this test relies on these instructions being intercepted.
Without ASAN HeapRealloc on line 27 would return a ptr whose
HeapSize would be 0. This test makes sure that the underlying behavior
of our hack hasn't changed underneath us.
We can get rid of the test (or change it to test for the correct
behavior) once we fix the interceptor or write a different allocator
to handle 0 sized allocations properly by default.
*/
ptr = HeapAlloc(GetProcessHeap(), 0, 0);
if (!ptr)
return 1;
void *ptr2 = HeapReAlloc(GetProcessHeap(), 0, ptr, 0);
if (!ptr2)
return 1;
size_t heapsize = HeapSize(GetProcessHeap(), 0, ptr2);
if (heapsize != 1) { // will be 0 without ASAN turned on
std::cerr << "HeapAlloc size failure! " << heapsize << " != 1\n";
return 1;
}
void *ptr3 = HeapReAlloc(GetProcessHeap(), 0, ptr2, 3);
if (!ptr3)
return 1;
heapsize = HeapSize(GetProcessHeap(), 0, ptr3);
if (heapsize != 3) {
std::cerr << "HeapAlloc size failure! " << heapsize << " != 3\n";
return 1;
}
HeapFree(GetProcessHeap(), 0, ptr3);
return 0;
}
// CHECK: allocated!
// CHECK-NOT: heap-buffer-overflow
// CHECK-NOT: AddressSanitizer
// CHECK-NOT: HeapAlloc size failure!
No newline at end of file

compiler-rt/test/asan/TestCases/Windows/heaprealloc_zero_size.cc

// RUN: %clang_cl_asan /Od -o %t %s // RUN: %clang_cl_asan /Od -o %t %s
// RUN: %run %t 2>&1 | FileCheck %s // RUN: %env_asan_opts=windows_hook_rtl_allocators=true %run %t 2>&1 | FileCheck %s
// RUN: %env_asan_opts=windows_hook_rtl_allocators=false %run %t 2>&1 | FileCheck %s
// RUN: %clang_cl /Od -o %t %s // RUN: %clang_cl /Od -o %t %s
// RUN: %run %t 2>&1 | FileCheck %s // RUN: %run %t 2>&1 | FileCheck %s
// XFAIL: asan-64-bits
#include <cassert> #include <cassert>
#include <stdio.h> #include <stdio.h>
#include<windows.h> #include<windows.h>
int main() { int main() {
HANDLE heap = HeapCreate(0, 0, 0); HANDLE heap = HeapCreate(0, 0, 0);
void *ptr = HeapAlloc(heap, 0, 4); void *ptr = HeapAlloc(heap, 0, 4);
assert(ptr); assert(ptr);
void *ptr2 = HeapReAlloc(heap, 0, ptr, 0); void *ptr2 = HeapReAlloc(heap, 0, ptr, 0);
assert(ptr2); assert(ptr2);
HeapFree(heap, 0, ptr2); HeapFree(heap, 0, ptr2);
fprintf(stderr, "passed!\n"); fprintf(stderr, "passed!\n");
} }
// CHECK-NOT: double-free // CHECK-NOT: double-free
// CHECK-NOT: AddressSanitizer // CHECK-NOT: AddressSanitizer
No newline at end of file No newline at end of file

compiler-rt/test/asan/TestCases/Windows/queue_user_work_item_report.cc

// RUN: %clang_cl_asan -O0 %s -Fe%t // RUN: %clang_cl_asan -O0 %s -Fe%t
// RUN: not %run %t 2>&1 | FileCheck %s // RUN: not %run %t 2>&1 | FileCheck %s
#include <windows.h> #include <windows.h>
HANDLE done; HANDLE done;
DWORD CALLBACK work_item(LPVOID) { DWORD CALLBACK work_item(LPVOID) {
int subscript = -1; int subscript = -1;
volatile char stack_buffer[42]; volatile char stack_buffer[42];
stack_buffer[subscript] = 42; stack_buffer[subscript] = 42;
// CHECK: AddressSanitizer: stack-buffer-underflow on address [[ADDR:0x[0-9a-f]+]] // CHECK: AddressSanitizer: stack-buffer-underflow on address [[ADDR:0x[0-9a-f]+]]
// CHECK: WRITE of size 1 at [[ADDR]] thread T1 // CHECK: WRITE of size 1 at [[ADDR]] thread T{{[0-9]+}}
// CHECK: {{#0 .* work_item.*queue_user_work_item_report.cc}}:[[@LINE-3]] // CHECK: {{#0 .* work_item.*queue_user_work_item_report.cc}}:[[@LINE-3]]
SetEvent(done); SetEvent(done);
return 0; return 0;
} }
int main(int argc, char **argv) { int main(int argc, char **argv) {
done = CreateEvent(0, false, false, "job is done"); done = CreateEvent(0, false, false, "job is done");
if (!done) if (!done)
return 1; return 1;
// CHECK-NOT: Thread T1 created // CHECK-NOT: Thread T1 created
QueueUserWorkItem(&work_item, nullptr, 0); QueueUserWorkItem(&work_item, nullptr, 0);
if (WAIT_OBJECT_0 != WaitForSingleObject(done, 10 * 1000)) if (WAIT_OBJECT_0 != WaitForSingleObject(done, 10 * 1000))
return 2; return 2;
} }

compiler-rt/test/asan/TestCases/Windows/rtlallocateheap.cc

  • This file was added.
// RUN: %clang_cl_asan -O0 %s -Fe%t /MD
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true not %run %t 2>&1 | FileCheck %s
// XFAIL: asan-64-bits
// REQUIRES: asan-rtl-heap-interception
#include <stdio.h>
#include <windows.h>
using AllocateFunctionPtr = PVOID(__stdcall *)(PVOID, ULONG, SIZE_T);
using FreeFunctionPtr = PVOID(__stdcall *)(PVOID, ULONG, PVOID);
int main() {
HMODULE NtDllHandle = GetModuleHandle("ntdll.dll");
if (!NtDllHandle) {
puts("Couldn't load ntdll??");
return -1;
}
auto RtlAllocateHeap_ptr = (AllocateFunctionPtr)GetProcAddress(NtDllHandle, "RtlAllocateHeap");
if (RtlAllocateHeap_ptr == 0) {
puts("Couldn't RtlAllocateHeap");
return -1;
}
char *buffer;
buffer = (char *)RtlAllocateHeap_ptr(GetProcessHeap(), 0, 32),
buffer[33] = 'a';
// CHECK: AddressSanitizer: heap-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
// CHECK: WRITE of size 1 at [[ADDR]] thread T0
}

compiler-rt/test/asan/TestCases/Windows/rtlallocateheap_dll_unload_double_free.cc

  • This file was added.
// RUN: %clang_cl_asan -LD /Od -DDLL %s -Fe%t.dll
// RUN: %clang_cl /Od -DEXE %s -Fe%te.exe
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true not %run %te.exe %t.dll 2>&1 | FileCheck %s
// REQUIRES: asan-dynamic-runtime
// REQUIRES: asan-32-bits
// REQUIRES: asan-rtl-heap-interception
#include <cassert>
#include <stdio.h>
#include <windows.h>
extern "C" {
#if defined(EXE)
using AllocateFunctionPtr = PVOID(__stdcall *)(PVOID, ULONG, SIZE_T);
using FreeFunctionPtr = PVOID(__stdcall *)(PVOID, ULONG, PVOID);
int main(int argc, char **argv) {
HMODULE NtDllHandle = GetModuleHandle("ntdll.dll");
if (!NtDllHandle) {
puts("Couldn't load ntdll??");
return -1;
}
auto RtlAllocateHeap_ptr =
(AllocateFunctionPtr)GetProcAddress(NtDllHandle, "RtlAllocateHeap");
if (RtlAllocateHeap_ptr == 0) {
puts("Couldn't RtlAllocateHeap");
return -1;
}
auto RtlFreeHeap_ptr =
(FreeFunctionPtr)GetProcAddress(NtDllHandle, "RtlFreeHeap");
if (RtlFreeHeap_ptr == 0) {
puts("Couldn't get RtlFreeHeap");
return -1;
}
char *buffer;
buffer = (char *)RtlAllocateHeap_ptr(GetProcessHeap(), 0, 32);
HMODULE lib = LoadLibraryA(argv[1]);
assert(lib != INVALID_HANDLE_VALUE);
assert(0 != FreeLibrary(lib));
if (!RtlFreeHeap_ptr(GetProcessHeap(), 0, buffer)) {
puts("Couldn't RtlFreeHeap");
return -1;
}
// Because this pointer was allocated pre-hooking,
// this will dump as a nested bug. Asan attempts to free
// the pointer and AV's, so the ASAN exception handler
// will dump as a 'nested bug'.
RtlFreeHeap_ptr(GetProcessHeap(), 0, buffer);
}
#elif defined(DLL)
// This global is registered at startup.
BOOL WINAPI DllMain(HMODULE, DWORD reason, LPVOID) {
fprintf(stderr, "in DLL(reason=%d)\n", (int)reason);
fflush(0);
return TRUE;
}
// CHECK: in DLL(reason=1)
// CHECK: in DLL(reason=0)
// CHECK: AddressSanitizer: nested bug in the same thread, aborting.
#else
#error oops!
#endif
}

compiler-rt/test/asan/TestCases/Windows/rtlallocateheap_dll_unload_realloc.cc

  • This file was added.
// RUN: %clang_cl_asan -LD /Od -DDLL %s -Fe%t.dll
// RUN: %clang_cl /Od -DEXE %s -Fe%te.exe
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true not %run %te.exe %t.dll 2>&1 | FileCheck %s
// REQUIRES: asan-dynamic-runtime
// REQUIRES: asan-32-bits
// REQUIRES: asan-rtl-heap-interception
#include <cassert>
#include <stdio.h>
#include <windows.h>
extern "C" {
#if defined(EXE)
using AllocateFunctionPtr = PVOID(__stdcall *)(PVOID, ULONG, SIZE_T);
using FreeFunctionPtr = PVOID(__stdcall *)(PVOID, ULONG, PVOID);
using RtlReAllocateHeapPtr = PVOID(__stdcall *)(PVOID, ULONG, PVOID, SIZE_T);
int main(int argc, char **argv) {
HMODULE NtDllHandle = GetModuleHandle("ntdll.dll");
if (!NtDllHandle) {
puts("Couldn't load ntdll??");
return -1;
}
auto RtlAllocateHeap_ptr =
(AllocateFunctionPtr)GetProcAddress(NtDllHandle, "RtlAllocateHeap");
if (RtlAllocateHeap_ptr == 0) {
puts("Couldn't RtlAllocateHeap");
return -1;
}
auto RtlFreeHeap_ptr =
(FreeFunctionPtr)GetProcAddress(NtDllHandle, "RtlFreeHeap");
if (RtlFreeHeap_ptr == 0) {
puts("Couldn't get RtlFreeHeap");
return -1;
}
auto RtlReAllocateHeap_ptr =
(RtlReAllocateHeapPtr)GetProcAddress(NtDllHandle, "RtlReAllocateHeap");
if (RtlReAllocateHeap_ptr == 0) {
puts("Couldn't get rtlreallocateheap\n");
return -1;
}
char *buffer;
buffer = (char *)RtlAllocateHeap_ptr(GetProcessHeap(), 0, 32);
HMODULE lib = LoadLibraryA(argv[1]);
assert(lib != INVALID_HANDLE_VALUE);
assert(0 != FreeLibrary(lib));
if (!RtlFreeHeap_ptr(GetProcessHeap(), 0, buffer)) {
puts("Couldn't RtlFreeHeap");
return -1;
}
RtlReAllocateHeap_ptr(GetProcessHeap(), 0, buffer, 100); // should dump
}
#elif defined(DLL)
// This global is registered at startup.
BOOL WINAPI DllMain(HMODULE, DWORD reason, LPVOID) {
fprintf(stderr, "in DLL(reason=%d)\n", (int)reason);
fflush(0);
return TRUE;
}
// CHECK: in DLL(reason=1)
// CHECK: in DLL(reason=0)
// CHECK: AddressSanitizer: nested bug in the same thread, aborting.
#else
#error oops!
#endif
}

compiler-rt/test/asan/TestCases/Windows/rtlallocateheap_flags_fallback.cc

  • This file was added.
// RUN: %clang_cl_asan -O0 %s -Fe%t /MD
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true %run %t 2>&1 | FileCheck %s
// XFAIL: asan-64-bits
// REQUIRES: asan-rtl-heap-interception
#include <assert.h>
#include <stdio.h>
#include <windows.h>
extern "C" int __sanitizer_get_ownership(const volatile void *p);
using AllocateFunctionPtr = PVOID(__stdcall *)(PVOID, ULONG, SIZE_T);
using FreeFunctionPtr = PVOID(__stdcall *)(PVOID, ULONG, PVOID);
int main() {
HMODULE NtDllHandle = GetModuleHandle("ntdll.dll");
if (!NtDllHandle) {
puts("Couldn't load ntdll??");
return -1;
}
auto RtlAllocateHeap_ptr = (AllocateFunctionPtr)GetProcAddress(NtDllHandle, "RtlAllocateHeap");
if (RtlAllocateHeap_ptr == 0) {
puts("Couldn't RtlAllocateHeap");
return -1;
}
auto RtlFreeHeap_ptr = (FreeFunctionPtr)GetProcAddress(NtDllHandle, "RtlFreeHeap");
if (RtlFreeHeap_ptr == 0) {
puts("Couldn't RtlFreeHeap");
return -1;
}
char *winbuf;
char *asanbuf;
winbuf = (char *)RtlAllocateHeap_ptr(GetProcessHeap(), HEAP_GENERATE_EXCEPTIONS, 32),
asanbuf = (char *)RtlAllocateHeap_ptr(GetProcessHeap(), 0, 32),
winbuf[0] = 'a';
assert(!__sanitizer_get_ownership(winbuf));
assert(__sanitizer_get_ownership(asanbuf));
RtlFreeHeap_ptr(GetProcessHeap(), 0, winbuf);
RtlFreeHeap_ptr(GetProcessHeap(), 0, asanbuf);
puts("Okay");
// CHECK: Okay
}

compiler-rt/test/asan/TestCases/Windows/rtlallocateheap_zero.cc

  • This file was added.
// RUN: %clang_cl_asan -O0 %s -Fe%t /MD
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true not %run %t 2>&1 | FileCheck %s
// XFAIL: asan-64-bits
// REQUIRES: asan-rtl-heap-interception
#include <assert.h>
#include <stdio.h>
#include <windows.h>
using AllocateFunctionPtr = PVOID(__stdcall *)(PVOID, ULONG, SIZE_T);
using ReAllocateFunctionPtr = PVOID(__stdcall *)(PVOID, ULONG, PVOID, SIZE_T);
using FreeFunctionPtr = PVOID(__stdcall *)(PVOID, ULONG, PVOID);
int main() {
HMODULE NtDllHandle = GetModuleHandle("ntdll.dll");
if (!NtDllHandle) {
puts("Couldn't load ntdll??");
return -1;
}
auto RtlAllocateHeap_ptr = (AllocateFunctionPtr)GetProcAddress(NtDllHandle, "RtlAllocateHeap");
if (RtlAllocateHeap_ptr == 0) {
puts("Couldn't find RtlAllocateHeap");
return -1;
}
auto RtlReAllocateHeap_ptr = (ReAllocateFunctionPtr)GetProcAddress(NtDllHandle, "RtlReAllocateHeap");
if (RtlReAllocateHeap_ptr == 0) {
puts("Couldn't find RtlReAllocateHeap");
return -1;
}
char *buffer;
SIZE_T buffer_size = 32;
SIZE_T new_buffer_size = buffer_size * 2;
buffer = (char *)RtlAllocateHeap_ptr(GetProcessHeap(), HEAP_ZERO_MEMORY, buffer_size);
assert(buffer != nullptr);
// Check that the buffer is zeroed.
for (SIZE_T i = 0; i < buffer_size; ++i) {
assert(buffer[i] == 0);
}
memset(buffer, 0xcc, buffer_size);
// Zero the newly allocated memory.
buffer = (char *)RtlReAllocateHeap_ptr(GetProcessHeap(), HEAP_ZERO_MEMORY, buffer, new_buffer_size);
assert(buffer != nullptr);
// Check that the first part of the buffer still has the old contents.
for (SIZE_T i = 0; i < buffer_size; ++i) {
assert(buffer[i] == (char)0xcc);
}
// Check that the new part of the buffer is zeroed.
for (SIZE_T i = buffer_size; i < new_buffer_size; ++i) {
assert(buffer[i] == 0x0);
}
// Shrink the buffer back down.
buffer = (char *)RtlReAllocateHeap_ptr(GetProcessHeap(), HEAP_ZERO_MEMORY, buffer, buffer_size);
assert(buffer != nullptr);
// Check that the first part of the buffer still has the old contents.
for (SIZE_T i = 0; i < buffer_size; ++i) {
assert(buffer[i] == (char)0xcc);
}
buffer[buffer_size + 1] = 'a';
// CHECK: AddressSanitizer: heap-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
// CHECK: WRITE of size 1 at [[ADDR]] thread T0
}