From patchwork Wed Aug 13 10:09:33 2014
X-Patchwork-Submitter: Yury Gribov
X-Patchwork-Id: 379570
Message-id: <53EB395D.2060604@samsung.com>
Date: Wed, 13 Aug 2014 14:09:33 +0400
From: Yury Gribov
To: GCC Patches
Cc: Jakub Jelinek, Viacheslav Garbuzov
Subject: [PATCH] Fix for PR/62089 (enable missing Asan checks)

Hi all,

GCC Asan may currently fail to generate checks for accesses to wide structure fields due to unfortunate intermix with code that handles bitfields. This patch fixes it and also adds a bunch of tests.

Bootstrapped, regtested and asan-bootstrapped on x64.

Ok to commit?

-Y

commit 5a10147cef710e6f43365567615f37261d7e70c5
Author: Yury Gribov
Date: Mon Aug 11 15:09:45 2014 +0400

2014-08-12 Yury Gribov

gcc/
PR sanitizer/62089
* asan.c (instrument_derefs): Fix bitfield check.

gcc/testsuite/
PR sanitizer/62089
* c-c++-common/asan/pr62089.c: New test.
* c-c++-common/asan/bitfield-1.c: New test.
* c-c++-common/asan/bitfield-2.c: New test.
* c-c++-common/asan/bitfield-3.c: New test.
* c-c++-common/asan/bitfield-4.c: New test.

diff --git a/gcc/asan.c b/gcc/asan.c index 4e6f438..b38264b 100644 --- a/gcc/asan.c +++ b/gcc/asan.c @@ -1690,9 +1690,7 @@ instrument_derefs (gimple_stmt_iterator *iter, tree t, int volatilep = 0, unsignedp = 0; tree inner = get_inner_reference (t, &bitsize, &bitpos, &offset, &mode, &unsignedp, &volatilep, false); - if (((size_in_bytes & (size_in_bytes - 1)) == 0 - && (bitpos % (size_in_bytes * BITS_PER_UNIT))) - || bitsize != size_in_bytes * BITS_PER_UNIT) + if (bitpos % BITS_PER_UNIT || bitsize != size_in_bytes * BITS_PER_UNIT) { if (TREE_CODE (t) == COMPONENT_REF && DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1)) != NULL_TREE) @@ -1704,8 +1702,6 @@ instrument_derefs (gimple_stmt_iterator *iter, tree t, } return; } - if (bitpos % BITS_PER_UNIT) - return; if (TREE_CODE (inner) == VAR_DECL && offset == NULL_TREE 
diff --git a/gcc/testsuite/c-c++-common/asan/bitfield-1.c b/gcc/testsuite/c-c++-common/asan/bitfield-1.c new file mode 100644 index 0000000..b3f300c --- /dev/null +++ b/gcc/testsuite/c-c++-common/asan/bitfield-1.c @@ -0,0 +1,25 @@ +/* Check that Asan correctly instruments bitfields with non-round size. */ + +/* { dg-do run } */ +/* { dg-shouldfail "asan" } */ + +struct A +{ + char base; + int : 4; + long x : 7; +}; + +int __attribute__ ((noinline, noclone)) +f (void *p) { + return ((struct A *)p)->x; +} + +int +main () +{ + char a = 0; + return f (&a); +} + +/* { dg-output "ERROR: AddressSanitizer: stack-buffer-overflow" } */ diff --git a/gcc/testsuite/c-c++-common/asan/bitfield-2.c b/gcc/testsuite/c-c++-common/asan/bitfield-2.c new file mode 100644 index 0000000..8ab0f80 --- /dev/null +++ b/gcc/testsuite/c-c++-common/asan/bitfield-2.c @@ -0,0 +1,25 @@ +/* Check that Asan correctly instruments bitfields with non-round offset. */ + +/* { dg-do run } */ +/* { dg-shouldfail "asan" } */ + +struct A +{ + char base; + int : 7; + int x : 8; +}; + +int __attribute__ ((noinline, noclone)) +f (void *p) { + return ((struct A *)p)->x; +} + +int +main () +{ + char a = 0; + return f (&a); +} + +/* { dg-output "ERROR: AddressSanitizer: stack-buffer-overflow" } */ diff --git a/gcc/testsuite/c-c++-common/asan/bitfield-3.c b/gcc/testsuite/c-c++-common/asan/bitfield-3.c new file mode 100644 index 0000000..c590778 --- /dev/null +++ b/gcc/testsuite/c-c++-common/asan/bitfield-3.c @@ -0,0 +1,25 @@ +/* Check that Asan correctly instruments bitfields with round offset. */ + +/* { dg-do run } */ +/* { dg-shouldfail "asan" } */ + +struct A +{ + char base; + int : 8; + int x : 8; +}; + +int __attribute__ ((noinline, noclone)) +f (void *p) { + return ((struct A *)p)->x; +} + +int +main () +{ + char a = 0; + return f (&a); +} + +/* { dg-output "ERROR: AddressSanitizer: stack-buffer-overflow" } */ 
diff --git a/gcc/testsuite/c-c++-common/asan/bitfield-4.c b/gcc/testsuite/c-c++-common/asan/bitfield-4.c new file mode 100644 index 0000000..94de9a4 --- /dev/null +++ b/gcc/testsuite/c-c++-common/asan/bitfield-4.c @@ -0,0 +1,25 @@ +/* Check that Asan correctly instruments bitfields with round offset. */ + +/* { dg-do run } */ +/* { dg-shouldfail "asan" } */ + +struct A +{ + char base; + int : 0; + int x : 8; +}; + +int __attribute__ ((noinline, noclone)) +f (void *p) { + return ((struct A *)p)->x; +} + +int +main () +{ + char a = 0; + return f (&a); +} + +/* { dg-output "ERROR: AddressSanitizer: stack-buffer-overflow" } */ diff --git a/gcc/testsuite/c-c++-common/asan/pr62089.c b/gcc/testsuite/c-c++-common/asan/pr62089.c new file mode 100644 index 0000000..22b877b --- /dev/null +++ b/gcc/testsuite/c-c++-common/asan/pr62089.c @@ -0,0 +1,37 @@ +/* { dg-do run } */ +/* { dg-shouldfail "asan" } */ + +#include + +struct vfsmount {}; +struct dentry {}; + +struct path { + struct vfsmount *mnt; + struct dentry *dentry; +}; + +struct fs_struct { + int users; + int lock; + int seq; + int umask; + int in_exec; + struct path root, pwd; +}; + +void __attribute__((noinline, noclone)) +copy_fs_struct(struct fs_struct *a, struct fs_struct *b) { + a->root = b->root; +} + +struct fs_struct a, b; + +int +main () { + __asan_poison_memory_region (&a.root, sizeof (a.root)); + copy_fs_struct (&a, &b); + return 0; +} + +/* { dg-output "ERROR: AddressSanitizer: use-after-poison" } */
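Review bot: In gcc/asan.c, first hunk of instrument_derefs, the new test `bitpos % BITS_PER_UNIT || bitsize != size_in_bytes * BITS_PER_UNIT` has no comment, and the clause it replaces was the only place that compared bitpos against size_in_bytes. Byte-aligned references whose offset is not a multiple of their own size now fall through to the code after this block, so please add a comment saying that only references that do not start on a byte boundary or do not cover the whole type take the bitfield path, and confirm that the fall-through path handles accesses that are not aligned to their size. A reference that enters this block without a DECL_BIT_FIELD_REPRESENTATIVE still hits the bare `return;` and stays uninstrumented, which deserves a one-line comment as well.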
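Review bot: In bitfield-1.c, f only reads `((struct A *)p)->x`, and the same is true of f in bitfield-2.c, bitfield-3.c and bitfield-4.c, so none of the new tests exercises a store through a bitfield. Consider adding a variant in which f assigns to `x`, so that both the read and the write side of the representative access are covered.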
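Review bot: The header comment of bitfield-4.c is a copy of the one in bitfield-3.c ("bitfields with round offset"), but the case tested here is the zero-width `int : 0;` member rather than `int : 8;`. Reword the comment to say that it checks a bitfield that follows a zero-width bitfield, so the two tests can be told apart when one of them fails.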
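Review bot: pr62089.c has no leading comment saying what it checks, unlike the bitfield-N.c tests. The five int members ahead of `root` in struct fs_struct look like they exist to place the two-pointer struct path at an offset that is not a multiple of its size, which is the case the removed condition in instrument_derefs sent down the bitfield path; a comment to that effect would keep someone from tidying the layout and silently losing the coverage. The empty definitions `struct vfsmount {};` and `struct dentry {};` are only used through pointers, so forward declarations would do and would avoid relying on empty structs in the C run of this c-c++-common test.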
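The "wide structure fields" failure described in the message can be seen by evaluating the removed and the added condition on the `root` member from pr62089.c. This is an added illustration, not GCC code or part of the patch: the function names are hypothetical, the two conditions are copied from the asan.c hunk, and 8-bit bytes are assumed.

```c
#include <stddef.h>
#include <stdio.h>

#define BITS_PER_UNIT 8 /* assumption: 8-bit bytes */

/* Same member layout as fs_struct in pr62089.c. */
struct vfsmount;
struct dentry;
struct path { struct vfsmount *mnt; struct dentry *dentry; };
struct fs_struct { int users, lock, seq, umask, in_exec; struct path root, pwd; };

typedef int (*pred_fn)(long, long, long);

/* Condition removed by the patch; nonzero means "take the bitfield path". */
static int old_bitfield_path(long bitpos, long bitsize, long size_in_bytes)
{
    return ((size_in_bytes & (size_in_bytes - 1)) == 0
            && (bitpos % (size_in_bytes * BITS_PER_UNIT)))
           || bitsize != size_in_bytes * BITS_PER_UNIT;
}

/* Condition added by the patch. */
static int new_bitfield_path(long bitpos, long bitsize, long size_in_bytes)
{
    return bitpos % BITS_PER_UNIT || bitsize != size_in_bytes * BITS_PER_UNIT;
}

/* Whole-field access to fs_struct.root.  An ordinary field has no bitfield
   representative, so taking the bitfield path means no check is emitted. */
static int root_takes_bitfield_path(pred_fn pred)
{
    long size = (long) sizeof(struct path);
    long bitpos = (long) offsetof(struct fs_struct, root) * BITS_PER_UNIT;
    return pred(bitpos, size * BITS_PER_UNIT, size) != 0;
}

/* Count the 4-byte-aligned offsets below `limit` at which a whole field of
   `size` bytes would be routed to the bitfield path. */
static int count_misrouted(pred_fn pred, long size, long limit)
{
    int n = 0;
    for (long off = 0; off < limit; off += 4)
        n += pred(off * BITS_PER_UNIT, size * BITS_PER_UNIT, size) != 0;
    return n;
}

int main(void)
{
    printf("root: old=%d new=%d\n", root_takes_bitfield_path(old_bitfield_path),
           root_takes_bitfield_path(new_bitfield_path));
    printf("16-byte field, offsets 0..28: old=%d new=%d\n",
           count_misrouted(old_bitfield_path, 16, 32),
           count_misrouted(new_bitfield_path, 16, 32));
    return 0;
}
```

With the old condition every power-of-two-sized field that is byte-aligned but not aligned to its own size is routed away from the normal check, while a 12-byte field at the same offsets is not, which is why the gap only showed up for some layouts.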