#include "hwasan_mapping.h"
#include "hwasan_thread.h"
#include "hwasan_poisoning.h"
+#include "hwasan_report.h"
namespace __hwasan {
return user_ptr;
}
+static bool PointerAndMemoryTagsMatch(void *user_ptr) {
+ CHECK(user_ptr);
+ tag_t ptr_tag = GetTagFromPointer(reinterpret_cast<uptr>(user_ptr));
+ tag_t mem_tag = *reinterpret_cast<tag_t *>(
+ MEM_TO_SHADOW(GetAddressFromPointer(user_ptr)));
+ return ptr_tag == mem_tag;
+}
+
void HwasanDeallocate(StackTrace *stack, void *user_ptr) {
CHECK(user_ptr);
HWASAN_FREE_HOOK(user_ptr);
void *p = GetAddressFromPointer(user_ptr);
+ if (!PointerAndMemoryTagsMatch(user_ptr))
+ ReportInvalidFree(stack, reinterpret_cast<uptr>(user_ptr));
Metadata *meta = reinterpret_cast<Metadata *>(allocator.GetMetaData(p));
uptr size = meta->requested_size;
meta->state = CHUNK_FREE;
t ? t->GenerateRandomTag() : kFallbackAllocTag);
}
if (new_size > old_size) {
- tag_t tag = GetTagFromPointer((uptr)user_old_p);
+ tag_t tag = GetTagFromPointer(reinterpret_cast<uptr>(user_old_p));
TagMemoryAligned((uptr)old_p + old_size, new_size - old_size, tag);
}
return user_old_p;
// DescribeMemoryRange(start, size);
}
+static void PrintTagsAroundAddr(tag_t *tag_ptr) {
+ Printf(
+ "Memory tags around the buggy address (one tag corresponds to %zd "
+ "bytes):\n", kShadowAlignment);
+
+ const uptr row_len = 16; // better be power of two.
+ const uptr num_rows = 11;
+ tag_t *center_row_beg = reinterpret_cast<tag_t *>(
+ RoundDownTo(reinterpret_cast<uptr>(tag_ptr), row_len));
+ tag_t *beg_row = center_row_beg - row_len * (num_rows / 2);
+ tag_t *end_row = center_row_beg + row_len * (num_rows / 2);
+ for (tag_t *row = beg_row; row < end_row; row += row_len) {
+ Printf("%s", row == center_row_beg ? "=>" : " ");
+ for (uptr i = 0; i < row_len; i++) {
+ Printf("%s", row + i == tag_ptr ? "[" : " ");
+ Printf("%02x", row[i]);
+ Printf("%s", row + i == tag_ptr ? "]" : " ");
+ }
+ Printf("%s\n", row == center_row_beg ? "<=" : " ");
+ }
+}
+
+void ReportInvalidFree(StackTrace *stack, uptr addr) {
+ ScopedErrorReportLock l;
+ uptr address = GetAddressFromPointer(addr);
+ tag_t ptr_tag = GetTagFromPointer(addr);
+ tag_t *tag_ptr = reinterpret_cast<tag_t*>(MEM_TO_SHADOW(address));
+ tag_t mem_tag = *tag_ptr;
+ Decorator d;
+ Printf("%s", d.Error());
+ uptr pc = stack->size ? stack->trace[0] : 0;
+ const char *bug_type = "invalid-free";
+ Report("ERROR: %s: %s on address %p at pc %p\n", SanitizerToolName, bug_type,
+ address, pc);
+ Printf("%s", d.Access());
+ Printf("tags: %02x/%02x (ptr/mem)\n", ptr_tag, mem_tag);
+ Printf("%s", d.Default());
+
+ stack->Print();
+
+ PrintAddressDescription(address, 0);
+
+ PrintTagsAroundAddr(tag_ptr);
+
+ ReportErrorSummary(bug_type, stack);
+ Die();
+}
+
void ReportTagMismatch(StackTrace *stack, uptr addr, uptr access_size,
bool is_store) {
ScopedErrorReportLock l;
// TODO: when possible, try to print heap-use-after-free, etc.
const char *bug_type = "tag-mismatch";
uptr pc = stack->size ? stack->trace[0] : 0;
- Report("ERROR: %s: %s on address %p at pc %p\n", SanitizerToolName, bug_type, address, pc);
+ Report("ERROR: %s: %s on address %p at pc %p\n", SanitizerToolName, bug_type,
+ address, pc);
tag_t ptr_tag = GetTagFromPointer(addr);
tag_t *tag_ptr = reinterpret_cast<tag_t*>(MEM_TO_SHADOW(address));
PrintAddressDescription(address, access_size);
- Printf(
- "Memory tags around the buggy address (one tag corresponds to %zd "
- "bytes):\n", kShadowAlignment);
-
- const uptr row_len = 16; // better be power of two.
- const uptr num_rows = 11;
- tag_t *center_row_beg = reinterpret_cast<tag_t *>(
- RoundDownTo(reinterpret_cast<uptr>(tag_ptr), row_len));
- tag_t *beg_row = center_row_beg - row_len * (num_rows / 2);
- tag_t *end_row = center_row_beg + row_len * (num_rows / 2);
- for (tag_t *row = beg_row; row < end_row; row += row_len) {
- Printf("%s", row == center_row_beg ? "=>" : " ");
- for (uptr i = 0; i < row_len; i++) {
- Printf("%s", row + i == tag_ptr ? "[" : " ");
- Printf("%02x", row[i]);
- Printf("%s", row + i == tag_ptr ? "]" : " ");
- }
- Printf("%s\n", row == center_row_beg ? "<=" : " ");
- }
+ PrintTagsAroundAddr(tag_ptr);
ReportErrorSummary(bug_type, stack);
}