From 5b332abd66c3d6e7ef84326989ab17eb99ae24d4 Mon Sep 17 00:00:00 2001
From: Evgeniy Stepanov <eugeni.stepanov@gmail.com>
Date: Fri, 7 Sep 2018 00:27:11 +0000
Subject: [PATCH] [hwasan] Fix malloc overflow detection.

Check size limit before rounding up, otherwise malloc((size_t)-1)
would happily allocate 0 bytes.

Steal a nice test case from scudo.

llvm-svn: 341612
---
 compiler-rt/lib/hwasan/hwasan_allocator.cc  | 16 +++---
 compiler-rt/test/hwasan/TestCases/sizes.cpp | 80 +++++++++++++++++++++++++++++
 2 files changed, 89 insertions(+), 7 deletions(-)
 create mode 100644 compiler-rt/test/hwasan/TestCases/sizes.cpp

diff --git a/compiler-rt/lib/hwasan/hwasan_allocator.cc b/compiler-rt/lib/hwasan/hwasan_allocator.cc
index c9783b7..b9c379e 100644
--- a/compiler-rt/lib/hwasan/hwasan_allocator.cc
+++ b/compiler-rt/lib/hwasan/hwasan_allocator.cc
@@ -65,22 +65,24 @@ void AllocatorSwallowThreadLocalCache(AllocatorCache *cache) {
 
 static uptr TaggedSize(uptr size) {
   if (!size) size = 1;
-  return RoundUpTo(size, kShadowAlignment);
+  uptr new_size = RoundUpTo(size, kShadowAlignment);
+  CHECK_GE(new_size, size);
+  return new_size;
 }
 
 static void *HwasanAllocate(StackTrace *stack, uptr orig_size, uptr alignment,
                             bool zeroise) {
-  alignment = Max(alignment, kShadowAlignment);
-  uptr size = TaggedSize(orig_size);
-
-  if (size > kMaxAllowedMallocSize) {
+  if (orig_size > kMaxAllowedMallocSize) {
     if (AllocatorMayReturnNull()) {
       Report("WARNING: HWAddressSanitizer failed to allocate 0x%zx bytes\n",
-             size);
+             orig_size);
       return nullptr;
     }
-    ReportAllocationSizeTooBig(size, kMaxAllowedMallocSize, stack);
+    ReportAllocationSizeTooBig(orig_size, kMaxAllowedMallocSize, stack);
   }
+
+  alignment = Max(alignment, kShadowAlignment);
+  uptr size = TaggedSize(orig_size);
   Thread *t = GetCurrentThread();
   void *allocated;
   if (t) {
diff --git a/compiler-rt/test/hwasan/TestCases/sizes.cpp b/compiler-rt/test/hwasan/TestCases/sizes.cpp
new file mode 100644
index 0000000..52217de
--- /dev/null
+++ b/compiler-rt/test/hwasan/TestCases/sizes.cpp
@@ -0,0 +1,80 @@
+// RUN: %clangxx_hwasan %s -lstdc++ -o %t
+// RUN: %env_hwasan_opts=allocator_may_return_null=0 not %run %t malloc 2>&1          | FileCheck %s --check-prefix=CHECK-max
+// RUN: %env_hwasan_opts=allocator_may_return_null=1     %run %t malloc 2>&1
+// RUN: %env_hwasan_opts=allocator_may_return_null=0 not %run %t malloc max 2>&1      | FileCheck %s --check-prefix=CHECK-max
+// RUN: %env_hwasan_opts=allocator_may_return_null=1     %run %t malloc max 2>&1
+// RUN: %env_hwasan_opts=allocator_may_return_null=0 not %run %t calloc 2>&1          | FileCheck %s --check-prefix=CHECK-calloc
+// RUN: %env_hwasan_opts=allocator_may_return_null=1     %run %t calloc 2>&1
+// RUN: %env_hwasan_opts=allocator_may_return_null=0 not %run %t new 2>&1             | FileCheck %s --check-prefix=CHECK-max
+// RUN: %env_hwasan_opts=allocator_may_return_null=1 not %run %t new 2>&1             | FileCheck %s --check-prefix=CHECK-oom
+// RUN: %env_hwasan_opts=allocator_may_return_null=0 not %run %t new max 2>&1         | FileCheck %s --check-prefix=CHECK-max
+// RUN: %env_hwasan_opts=allocator_may_return_null=1 not %run %t new max 2>&1         | FileCheck %s --check-prefix=CHECK-oom
+// RUN: %env_hwasan_opts=allocator_may_return_null=0 not %run %t new-nothrow 2>&1     | FileCheck %s --check-prefix=CHECK-max
+// RUN: %env_hwasan_opts=allocator_may_return_null=1     %run %t new-nothrow 2>&1
+// RUN: %env_hwasan_opts=allocator_may_return_null=0 not %run %t new-nothrow max 2>&1 | FileCheck %s --check-prefix=CHECK-max
+// RUN: %env_hwasan_opts=allocator_may_return_null=1     %run %t new-nothrow max 2>&1
+// RUN:                                                 %run %t usable 2>&1
+
+// Tests for various edge cases related to sizes, notably the maximum size the
+// allocator can allocate. Tests that an integer overflow in the parameters of
+// calloc is caught.
+
+#include <assert.h>
+#include <malloc.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <limits>
+#include <new>
+
+#include <sanitizer/allocator_interface.h>
+
+int main(int argc, char **argv) {
+  assert(argc <= 3);
+  bool test_size_max = argc == 3 && !strcmp(argv[2], "max");
+
+  static const size_t kMaxAllowedMallocSize = 1ULL << 40;
+  static const size_t kChunkHeaderSize = 16;
+
+  size_t MallocSize = test_size_max ? std::numeric_limits<size_t>::max()
+                                    : kMaxAllowedMallocSize;
+
+  if (!strcmp(argv[1], "malloc")) {
+    void *p = malloc(MallocSize);
+    assert(!p);
+    p = malloc(kMaxAllowedMallocSize - kChunkHeaderSize);
+    assert(!p);
+  } else if (!strcmp(argv[1], "calloc")) {
+    // Trigger an overflow in calloc.
+    size_t size = std::numeric_limits<size_t>::max();
+    void *p = calloc((size / 0x1000) + 1, 0x1000);
+    assert(!p);
+  } else if (!strcmp(argv[1], "new")) {
+    void *p = operator new(MallocSize);
+    assert(!p);
+  } else if (!strcmp(argv[1], "new-nothrow")) {
+    void *p = operator new(MallocSize, std::nothrow);
+    assert(!p);
+  } else if (!strcmp(argv[1], "usable")) {
+    // Playing with the actual usable size of a chunk.
+    void *p = malloc(1007);
+    assert(p);
+    size_t size = __sanitizer_get_allocated_size(p);
+    assert(size >= 1007);
+    memset(p, 'A', size);
+    p = realloc(p, 2014);
+    assert(p);
+    size = __sanitizer_get_allocated_size(p);
+    assert(size >= 2014);
+    memset(p, 'B', size);
+    free(p);
+  } else {
+    assert(0);
+  }
+
+  return 0;
+}
+
+// CHECK-max: {{ERROR: HWAddressSanitizer: requested allocation size .* exceeds maximum supported size}}
+// CHECK-oom: ERROR: HWAddressSanitizer: allocator is out of memory
+// CHECK-calloc: ERROR: HWAddressSanitizer: calloc parameters overflow
-- 
2.7.4