Also includes execution tests for the feature.
Differential Revision: http://reviews.llvm.org/D10269
llvm-svn: 240111
return;
// Check if error report should be suppressed.
- DynamicTypeInfo DTI = getDynamicTypeInfo((void*)Pointer);
+ DynamicTypeInfo DTI = getDynamicTypeInfoFromObject((void*)Pointer);
if (DTI.isValid() && IsVptrCheckSuppressed(DTI.getMostDerivedTypeName()))
return;
HandleDynamicTypeCacheMiss(Data, Pointer, Hash, Opts);
}
+static void HandleCFIBadType(CFIBadTypeData *Data, ValueHandle Vtable,
+ ReportOptions Opts) {
+ SourceLocation Loc = Data->Loc.acquire();
+ ScopedReport R(Opts, Loc);
+ DynamicTypeInfo DTI = getDynamicTypeInfoFromVtable((void*)Vtable);
+
+ static const char *TypeCheckKinds[] = {
+ "virtual call",
+ "non-virtual call",
+ "base-to-derived cast",
+ "cast to unrelated type",
+ };
+
+ Diag(Loc, DL_Error, "control flow integrity check for type %0 failed during "
+ "%1 (vtable address %2)")
+ << Data->Type << TypeCheckKinds[Data->TypeCheckKind] << (void *)Vtable;
+
+ // If possible, say what type it actually points to.
+ if (!DTI.isValid())
+ Diag(Vtable, DL_Note, "invalid vtable");
+ else
+ Diag(Vtable, DL_Note, "vtable is of type %0")
+ << MangledName(DTI.getMostDerivedTypeName());
+}
+
+void __ubsan::__ubsan_handle_cfi_bad_type(CFIBadTypeData *Data,
+ ValueHandle Vtable) {
+ GET_REPORT_OPTIONS(false);
+ HandleCFIBadType(Data, Vtable, Opts);
+}
+
+void __ubsan::__ubsan_handle_cfi_bad_type_abort(CFIBadTypeData *Data,
+ ValueHandle Vtable) {
+ GET_REPORT_OPTIONS(true);
+ HandleCFIBadType(Data, Vtable, Opts);
+}
+
#endif // CAN_SANITIZE_UB
unsigned char TypeCheckKind;
};
+struct CFIBadTypeData {
+ SourceLocation Loc;
+ const TypeDescriptor &Type;
+ unsigned char TypeCheckKind;
+};
+
/// \brief Handle a runtime type check failure, caused by an incorrect vptr.
/// When this handler is called, all we know is that the type was not in the
/// cache; this does not necessarily imply the existence of a bug.
void __ubsan_handle_dynamic_type_cache_miss_abort(
DynamicTypeCacheMissData *Data, ValueHandle Pointer, ValueHandle Hash);
+/// \brief Handle a control flow integrity check failure by printing a
+/// diagnostic.
+extern "C" SANITIZER_INTERFACE_ATTRIBUTE void
+__ubsan_handle_cfi_bad_type(CFIBadTypeData *Data, ValueHandle Vtable);
+extern "C" SANITIZER_INTERFACE_ATTRIBUTE void
+__ubsan_handle_cfi_bad_type_abort(CFIBadTypeData *Data, ValueHandle Vtable);
+
}
#endif // UBSAN_HANDLERS_H
/// The type_info object describing the most-derived class type.
std::type_info *TypeInfo;
};
-VtablePrefix *getVtablePrefix(void *Object) {
- VtablePrefix **VptrPtr = reinterpret_cast<VtablePrefix**>(Object);
- if (!*VptrPtr)
+VtablePrefix *getVtablePrefix(void *Vtable) {
+ VtablePrefix *Vptr = reinterpret_cast<VtablePrefix*>(Vtable);
+ if (!Vptr)
return 0;
- VtablePrefix *Prefix = *VptrPtr - 1;
+ VtablePrefix *Prefix = Vptr - 1;
if (Prefix->Offset > 0 || !Prefix->TypeInfo)
// This can't possibly be a valid vtable.
return 0;
return true;
}
- VtablePrefix *Vtable = getVtablePrefix(Object);
+ void *VtablePtr = *reinterpret_cast<void **>(Object);
+ VtablePrefix *Vtable = getVtablePrefix(VtablePtr);
if (!Vtable)
return false;
return true;
}
-__ubsan::DynamicTypeInfo __ubsan::getDynamicTypeInfo(void *Object) {
- VtablePrefix *Vtable = getVtablePrefix(Object);
+__ubsan::DynamicTypeInfo __ubsan::getDynamicTypeInfoFromObject(void *Object) {
+ void *VtablePtr = *reinterpret_cast<void **>(Object);
+ return getDynamicTypeInfoFromVtable(VtablePtr);
+}
+
+__ubsan::DynamicTypeInfo
+__ubsan::getDynamicTypeInfoFromVtable(void *VtablePtr) {
+ VtablePrefix *Vtable = getVtablePrefix(VtablePtr);
if (!Vtable)
return DynamicTypeInfo(0, 0, 0);
const abi::__class_type_info *ObjectType = findBaseAtOffset(
};
/// \brief Get information about the dynamic type of an object.
-DynamicTypeInfo getDynamicTypeInfo(void *Object);
+DynamicTypeInfo getDynamicTypeInfoFromObject(void *Object);
+
+/// \brief Get information about the dynamic type of an object from its vtable.
+DynamicTypeInfo getDynamicTypeInfoFromVtable(void *Vtable);
/// \brief Check whether the dynamic type of \p Object has a \p Type subobject
/// at offset 0.
FileCheck
clang
not
+ ubsan
)
if(LLVM_ENABLE_PIC AND LLVM_BINUTILS_INCDIR)
list(APPEND CFI_TEST_DEPS
// RUN: %clangxx -o %t %t1.o %t2.o
// RUN: %t 2>&1 | FileCheck --check-prefix=NCFI %s
+// RUN: %clangxx_cfi_diag -c -DTU1 -o %t1.o %s
+// RUN: %clangxx_cfi_diag -c -DTU2 -o %t2.o %S/../cfi/anon-namespace.cpp
+// RUN: %clangxx_cfi_diag -o %t %t1.o %t2.o
+// RUN: %t 2>&1 | FileCheck --check-prefix=CFI-DIAG %s
+
// Tests that the CFI mechanism treats classes in the anonymous namespace in
// different translation units as having distinct identities. This is done by
// compiling two translation units TU1 and TU2 containing a class named B in an
// NCFI: 1
fprintf(stderr, "1\n");
+ // CFI-DIAG: runtime error: control flow integrity check for type '(anonymous namespace)::B' failed during base-to-derived cast
+ // CFI-DIAG-NEXT: note: vtable is of type '(anonymous namespace)::B'
+ // CFI-DIAG: runtime error: control flow integrity check for type '(anonymous namespace)::B' failed during virtual call
+ // CFI-DIAG-NEXT: note: vtable is of type '(anonymous namespace)::B'
((B *)a)->f(); // UB here
// CFI-NOT: 2
// RUN: %t g 2>&1 | FileCheck --check-prefix=PASS %s
// RUN: %t h 2>&1 | FileCheck --check-prefix=PASS %s
+// RUN: %clangxx_cfi_diag -o %t %s
+// RUN: %t a 2>&1 | FileCheck --check-prefix=CFI-DIAG-D %s
+// RUN: %t b 2>&1 | FileCheck --check-prefix=CFI-DIAG-D %s
+// RUN: %t c 2>&1 | FileCheck --check-prefix=CFI-DIAG-D %s
+// RUN: %t g 2>&1 | FileCheck --check-prefix=CFI-DIAG-U %s
+
// Tests that the CFI enforcement detects bad casts.
#include <stdio.h>
fprintf(stderr, "1\n");
A a;
+
+ // CFI-DIAG-D: runtime error: control flow integrity check for type 'B' failed during base-to-derived cast
+ // CFI-DIAG-D-NEXT: note: vtable is of type 'A'
+
+ // CFI-DIAG-U: runtime error: control flow integrity check for type 'B' failed during cast to unrelated type
+ // CFI-DIAG-U-NEXT: note: vtable is of type 'A'
+
switch (argv[1][0]) {
case 'a':
static_cast<B *>(&a); // UB
config.substitutions.append((r"%clangxx ", clangxx + ' '))
if config.lto_supported:
- config.substitutions.append((r"%clangxx_cfi ", ' '.join(config.lto_launch + [clangxx] + config.lto_flags + ['-fsanitize=cfi '])))
+ clangxx_cfi = ' '.join(config.lto_launch + [clangxx] + config.lto_flags + ['-fsanitize=cfi '])
+ config.substitutions.append((r"%clangxx_cfi ", clangxx_cfi))
+ config.substitutions.append((r"%clangxx_cfi_diag ", clangxx_cfi + '-fno-sanitize-trap=cfi -fsanitize-recover=cfi '))
else:
config.unsupported = True
// RUN: %t 2>&1 | FileCheck --check-prefix=NCFI %s
// RUN: %t x 2>&1 | FileCheck --check-prefix=NCFI %s
+// RUN: %clangxx_cfi_diag -o %t %s
+// RUN: %t 2>&1 | FileCheck --check-prefix=CFI-DIAG2 %s
+// RUN: %t x 2>&1 | FileCheck --check-prefix=CFI-DIAG1 %s
+
// Tests that the CFI mechanism is sensitive to multiple inheritance and only
// permits calls via virtual tables for the correct base class.
if (argc > 1) {
A *a = c;
+ // CFI-DIAG1: runtime error: control flow integrity check for type 'B' failed during cast to unrelated type
+ // CFI-DIAG1-NEXT: note: vtable is of type 'C'
((B *)a)->g(); // UB here
} else {
+ // CFI-DIAG2: runtime error: control flow integrity check for type 'A' failed during cast to unrelated type
+ // CFI-DIAG2-NEXT: note: vtable is of type 'C'
B *b = c;
((A *)b)->f(); // UB here
}
// RUN: %clangxx -o %t %s
// RUN: %t 2>&1 | FileCheck --check-prefix=NCFI %s
+// RUN: %clangxx_cfi_diag -o %t %s
+// RUN: %t 2>&1 | FileCheck --check-prefix=CFI-DIAG %s
+
// Tests that the CFI mechanism crashes the program when making a non-virtual
// call to an object of the wrong class, by casting a pointer to such an object
// and attempting to make a call through it.
#include "utils.h"
struct A {
- virtual void f();
+ virtual void v();
};
-void A::f() {}
+void A::v() {}
struct B {
void f();
// NCFI: 1
fprintf(stderr, "1\n");
+ // CFI-DIAG: runtime error: control flow integrity check for type 'B' failed during non-virtual call
+ // CFI-DIAG-NEXT: note: vtable is of type 'A'
((B *)a)->f(); // UB here
// CFI-NOT: 2
// RUN: %clangxx -o %t %s
// RUN: %t 2>&1 | FileCheck --check-prefix=NCFI %s
+// RUN: %clangxx_cfi_diag -o %t %s
+// RUN: %t 2>&1 | FileCheck --check-prefix=CFI-DIAG %s
+
// Tests that the CFI mechanism crashes the program when a virtual table is
// replaced with a compatible table of function pointers that does not belong to
// any class, by manually overwriting the virtual table of an object and
fprintf(stderr, "foo\n");
}
-void *fake_vtable[] = { (void *)&foo };
+void *fake_vtable[] = { 0, 0, (void *)&foo };
int main() {
#ifdef B32
#endif
A *a = new A;
- *((void **)a) = fake_vtable; // UB here
+ *((void **)a) = fake_vtable + 2; // UB here
break_optimization(a);
// CFI: 1
// CFI-NOT: foo
// NCFI: foo
+ // CFI-DIAG: runtime error: control flow integrity check for type 'A' failed during virtual call
+ // CFI-DIAG-NEXT: note: invalid vtable
a->f();
// CFI-NOT: 2
// RUN: %clangxx_cfi -O3 -DBM -o %t %s
// RUN: not --crash %t 2>&1 | FileCheck --check-prefix=CFI %s
+// RUN: %clangxx_cfi_diag -o %t %s
+// RUN: %t 2>&1 | FileCheck --check-prefix=CFI-DIAG %s
+
// RUN: %clangxx -o %t %s
// RUN: %t 2>&1 | FileCheck --check-prefix=NCFI %s
// NCFI: 1
fprintf(stderr, "1\n");
+ // CFI-DIAG: runtime error: control flow integrity check for type 'B' failed during cast to unrelated type
+ // CFI-DIAG-NEXT: note: vtable is of type 'A'
+ // CFI-DIAG: runtime error: control flow integrity check for type 'B' failed during virtual call
+ // CFI-DIAG-NEXT: note: vtable is of type 'A'
((B *)a)->f(); // UB here
// CFI-NOT: 2
// RUN: %clangxx -o %t %s
// RUN: %t 2>&1 | FileCheck --check-prefix=NCFI %s
+// RUN: %clangxx_cfi_diag -o %t %s
+// RUN: %t 2>&1 | FileCheck --check-prefix=CFI-DIAG %s
+
// Tests that the CFI enforcement also applies to virtual destructor calls made
// via 'delete'.
// NCFI: 1
fprintf(stderr, "1\n");
+ // CFI-DIAG: runtime error: control flow integrity check for type 'B' failed during virtual call
+ // CFI-DIAG-NEXT: note: vtable is of type 'A'
delete (B *)a; // UB here
// CFI-NOT: 2