From patchwork Thu Oct 16 08:41:24 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Yury Gribov <y.gribov@samsung.com>
X-Patchwork-Id: 400219
Return-Path: 
 <gcc-patches-return-380712-incoming=patchwork.ozlabs.org@gcc.gnu.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from sourceware.org (server1.sourceware.org [209.132.180.131])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id CE1F01400A3
	for <incoming@patchwork.ozlabs.org>;
	Thu, 16 Oct 2014 19:41:43 +1100 (AEDT)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gcc.gnu.org; h=list-id
	:list-unsubscribe:list-archive:list-post:list-help:sender
	:message-id:date:from:mime-version:to:cc:subject:references
	:in-reply-to:content-type; q=dns; s=default; b=DtpGWod7zIW+j7Uf0
	IToPUMOwRGYZrA0z9kpj6K6TQ8FtJ8BI9fKr9vE7cftdV6nfRDlqTirfJVx1KDz6
	enHP1dzHEe3x9tqTUPLfMcACQ8DIKa1mgxas71IH/INXkj84wXmiNvPXX9UCzE83
	3T8pgHYiu76TCe4LdxXXxuLtSY=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=gcc.gnu.org; h=list-id
	:list-unsubscribe:list-archive:list-post:list-help:sender
	:message-id:date:from:mime-version:to:cc:subject:references
	:in-reply-to:content-type; s=default; bh=ci6zZO8yIzwFKWC4LR4te2n
	aV/I=; b=CmG+j7tvPvp/hjcWYmCb0UV2vvhGRBtYlBcQAT3YPwaUxlh7XxTSUu8
	p/RhHsJsf3mKWCd0ptYMZdc77tfdVtZRIXRuhSo1kThPqfgp8VDUcNLOKb+heXd2
	UNBM5idW0RZTGey4ksHL6Dj9dzG1JOXUAuNtSyjiX5tYk51nzTng=
Received: (qmail 11393 invoked by alias); 16 Oct 2014 08:41:26 -0000
Mailing-List: contact gcc-patches-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
List-Id: <gcc-patches.gcc.gnu.org>
List-Unsubscribe: 
 <mailto:gcc-patches-unsubscribe-incoming=patchwork.ozlabs.org@gcc.gnu.org>
List-Archive: <http://gcc.gnu.org/ml/gcc-patches/>
List-Post: <mailto:gcc-patches@gcc.gnu.org>
List-Help: <mailto:gcc-patches-help@gcc.gnu.org>
Sender: gcc-patches-owner@gcc.gnu.org
Delivered-To: mailing list gcc-patches@gcc.gnu.org
Received: (qmail 11280 invoked by uid 89); 16 Oct 2014 08:41:25 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-1.9 required=5.0 tests=AWL, BAYES_00,
	SPF_HELO_PASS, T_RP_MATCHES_RCVD autolearn=ham version=3.3.2
X-HELO: mailout1.w1.samsung.com
Received: from mailout1.w1.samsung.com (HELO mailout1.w1.samsung.com)
	(210.118.77.11) by sourceware.org
	(qpsmtpd/0.93/v0.84-503-g423c35a) with (DES-CBC3-SHA
	encrypted) ESMTPS; Thu, 16 Oct 2014 08:41:22 +0000
Received: from eucpsbgm1.samsung.com (unknown [203.254.199.244]) by
	mailout1.w1.samsung.com (Oracle Communications Messaging
	Server 7u4-24.01(7.0.4.24.0) 64bit (built Nov 17 2011)) with
	ESMTP id <0NDJ00H7D49OPB20@mailout1.w1.samsung.com> for
	gcc-patches@gcc.gnu.org; Thu, 16 Oct 2014 09:44:12 +0100 (BST)
Received: from eusync3.samsung.com ( [203.254.199.213])	by
	eucpsbgm1.samsung.com (EUCPMTA) with SMTP id
	D1.94.25543.DA48F345; Thu, 16 Oct 2014 09:41:17 +0100 (BST)
Received: from [106.109.9.145] by eusync3.samsung.com (Oracle Communications
	Messaging Server 7u4-23.01(7.0.4.23.0) 64bit (built Aug 10
	2011)) with ESMTPA id <0NDJ004Y544SFW90@eusync3.samsung.com>;
	Thu, 16 Oct 2014 09:41:17 +0100 (BST)
Message-id: <543F84B4.6080908@samsung.com>
Date: Thu, 16 Oct 2014 12:41:24 +0400
From: Yury Gribov <y.gribov@samsung.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
	rv:31.0) Gecko/20100101 Thunderbird/31.1.2
MIME-version: 1.0
To: GCC Patches <gcc-patches@gcc.gnu.org>
Cc: Jakub Jelinek <jakub@redhat.com>, Dmitry Vyukov <dvyukov@google.com>,
	Konstantin Khlebnikov <k.khlebnikov@samsung.com>,
	Andrey Ryabinin <a.ryabinin@samsung.com>,
	Viacheslav Garbuzov <v.garbuzov@samsung.com>
Subject: [PATCH 13/17] Fix for PR 62089
References: <543F831B.4090502@samsung.com>
In-reply-to: <543F831B.4090502@samsung.com>
Content-type: multipart/mixed; boundary=------------020907040204080302050509
X-IsSubscribed: yes

Difference from mainline: replaced non-C-friendly bool with unsigned 
char (see patch 0001 for explanation).

2014-10-15  Yury Gribov  <y.gribov@samsung.com>

	Backport from mainline
	2014-08-18  Yury Gribov  <y.gribov@samsung.com>

	PR sanitizer/62089

	* asan.c (instrument_derefs): Fix bitfield check.

	* c-c++-common/asan/pr62089.c: New test.
	* c-c++-common/asan/bitfield-1.c: New test.
	* c-c++-common/asan/bitfield-2.c: New test.
	* c-c++-common/asan/bitfield-3.c: New test.
	* c-c++-common/asan/bitfield-4.c: New test.

diff --git a/gcc/asan.c b/gcc/asan.c
index f55b024..e445470 100644
--- a/gcc/asan.c
+++ b/gcc/asan.c
@@ -1688,21 +1688,19 @@ instrument_derefs (gimple_stmt_iterator *iter, tree t,
   int volatilep = 0, unsignedp = 0;
   tree inner = get_inner_reference (t, &bitsize, &bitpos, &offset,
 				    &mode, &unsignedp, &volatilep, false);
-  if (((size_in_bytes & (size_in_bytes - 1)) == 0
-       && (bitpos % (size_in_bytes * BITS_PER_UNIT)))
-      || bitsize != size_in_bytes * BITS_PER_UNIT)
+
+  if (TREE_CODE (t) == COMPONENT_REF
+      && DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1)) != NULL_TREE)
     {
-      if (TREE_CODE (t) == COMPONENT_REF
-	  && DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1)) != NULL_TREE)
-	{
-	  tree repr = DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1));
-	  instrument_derefs (iter, build3 (COMPONENT_REF, TREE_TYPE (repr),
-					   TREE_OPERAND (t, 0), repr,
-					   NULL_TREE), location, is_store);
-	}
+      tree repr = DECL_BIT_FIELD_REPRESENTATIVE (TREE_OPERAND (t, 1));
+      instrument_derefs (iter, build3 (COMPONENT_REF, TREE_TYPE (repr),
+				       TREE_OPERAND (t, 0), repr,
+				       NULL_TREE), location, is_store);
       return;
     }
-  if (bitpos % BITS_PER_UNIT)
+
+  if (bitpos % BITS_PER_UNIT
+      || bitsize != size_in_bytes * BITS_PER_UNIT)
     return;
 
   if (TREE_CODE (inner) == VAR_DECL
diff --git a/gcc/testsuite/c-c++-common/asan/bitfield-1.c b/gcc/testsuite/c-c++-common/asan/bitfield-1.c
new file mode 100644
index 0000000..b3f300c
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/asan/bitfield-1.c
@@ -0,0 +1,25 @@
+/* Check that Asan correctly instruments bitfields with non-round size.  */
+
+/* { dg-do run } */
+/* { dg-shouldfail "asan" } */
+
+struct A
+{
+  char base;
+  int : 4;
+  long x : 7;
+};
+
+int __attribute__ ((noinline, noclone))
+f (void *p) {
+  return ((struct A *)p)->x;
+}
+
+int
+main ()
+{
+  char a = 0;
+  return f (&a);
+}
+
+/* { dg-output "ERROR: AddressSanitizer: stack-buffer-overflow" } */
diff --git a/gcc/testsuite/c-c++-common/asan/bitfield-2.c b/gcc/testsuite/c-c++-common/asan/bitfield-2.c
new file mode 100644
index 0000000..8ab0f80
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/asan/bitfield-2.c
@@ -0,0 +1,25 @@
+/* Check that Asan correctly instruments bitfields with non-round offset.  */
+
+/* { dg-do run } */
+/* { dg-shouldfail "asan" } */
+
+struct A
+{
+  char base;
+  int : 7;
+  int x : 8;
+};
+
+int __attribute__ ((noinline, noclone))
+f (void *p) {
+  return ((struct A *)p)->x;
+}
+
+int
+main ()
+{
+  char a = 0;
+  return f (&a);
+}
+
+/* { dg-output "ERROR: AddressSanitizer: stack-buffer-overflow" } */
diff --git a/gcc/testsuite/c-c++-common/asan/bitfield-3.c b/gcc/testsuite/c-c++-common/asan/bitfield-3.c
new file mode 100644
index 0000000..c590778
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/asan/bitfield-3.c
@@ -0,0 +1,25 @@
+/* Check that Asan correctly instruments bitfields with round offset.  */
+
+/* { dg-do run } */
+/* { dg-shouldfail "asan" } */
+
+struct A
+{
+  char base;
+  int : 8;
+  int x : 8;
+};
+
+int __attribute__ ((noinline, noclone))
+f (void *p) {
+  return ((struct A *)p)->x;
+}
+
+int
+main ()
+{
+  char a = 0;
+  return f (&a);
+}
+
+/* { dg-output "ERROR: AddressSanitizer: stack-buffer-overflow" } */
diff --git a/gcc/testsuite/c-c++-common/asan/bitfield-4.c b/gcc/testsuite/c-c++-common/asan/bitfield-4.c
new file mode 100644
index 0000000..94de9a4
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/asan/bitfield-4.c
@@ -0,0 +1,25 @@
+/* Check that Asan correctly instruments bitfields with round offset.  */
+
+/* { dg-do run } */
+/* { dg-shouldfail "asan" } */
+
+struct A
+{
+  char base;
+  int : 0;
+  int x : 8;
+};
+
+int __attribute__ ((noinline, noclone))
+f (void *p) {
+  return ((struct A *)p)->x;
+}
+
+int
+main ()
+{
+  char a = 0;
+  return f (&a);
+}
+
+/* { dg-output "ERROR: AddressSanitizer: stack-buffer-overflow" } */
diff --git a/gcc/testsuite/c-c++-common/asan/pr62089.c b/gcc/testsuite/c-c++-common/asan/pr62089.c
new file mode 100644
index 0000000..6c25ea4
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/asan/pr62089.c
@@ -0,0 +1,41 @@
+/* { dg-do run } */
+/* { dg-shouldfail "asan" } */
+
+#ifndef __cplusplus
+#define bool unsigned char
+#endif
+
+#include <sanitizer/asan_interface.h>
+
+struct vfsmount {};
+struct dentry {};
+
+struct path {
+  struct vfsmount *mnt;
+  struct dentry *dentry;
+};
+
+struct fs_struct {
+  int users;
+  int lock;
+  int seq;
+  int umask;
+  int in_exec;
+  struct path root, pwd;
+};
+
+void __attribute__((noinline, noclone))
+copy_fs_struct(struct fs_struct *a, struct fs_struct *b) {
+  a->root = b->root;
+}
+
+struct fs_struct a, b;
+
+int
+main () {
+  __asan_poison_memory_region (&a.root, sizeof (a.root));
+  copy_fs_struct (&a, &b);
+  return 0;
+}
+
+/* { dg-output "ERROR: AddressSanitizer: use-after-poison" } */