From b48f8f09b17b16edb01d4f71e9b398cdc972df2a Mon Sep 17 00:00:00 2001
From: Kostya Serebryany
Date: Sat, 26 Mar 2016 00:00:19 +0000
Subject: [PATCH] [asan] bump the scariness score of read-after-frees (based on feedback from the Chrome security team)

llvm-svn: 264481

---
 compiler-rt/lib/asan/asan_report.cc | 6 +++++-
 compiler-rt/test/asan/TestCases/Linux/scariness_score_test.cc | 6 +++---
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/compiler-rt/lib/asan/asan_report.cc b/compiler-rt/lib/asan/asan_report.cc
index 9a67f2d..9fb9d95 100644
--- a/compiler-rt/lib/asan/asan_report.cc
+++ b/compiler-rt/lib/asan/asan_report.cc
@@ -1098,6 +1098,8 @@ void ReportGenericError(uptr pc, uptr bp, uptr sp, uptr addr, bool is_write,
 bool far_from_bounds = false;
 shadow_val = *shadow_addr;
 int bug_type_score = 0;
+ // For use-after-frees reads are almost as bad as writes.
+ int read_after_free_bonus = 0;
 switch (shadow_val) {
 case kAsanHeapLeftRedzoneMagic:
 case kAsanHeapRightRedzoneMagic:
@@ -1109,6 +1111,7 @@ void ReportGenericError(uptr pc, uptr bp, uptr sp, uptr addr, bool is_write,
 case kAsanHeapFreeMagic:
 bug_descr = "heap-use-after-free";
 bug_type_score = 20;
+ if (!is_write) read_after_free_bonus = 18;
 break;
 case kAsanStackLeftRedzoneMagic:
 bug_descr = "stack-buffer-underflow";
@@ -1129,6 +1132,7 @@ void ReportGenericError(uptr pc, uptr bp, uptr sp, uptr addr, bool is_write,
 case kAsanStackAfterReturnMagic:
 bug_descr = "stack-use-after-return";
 bug_type_score = 30;
+ if (!is_write) read_after_free_bonus = 18;
 break;
 case kAsanUserPoisonedMemoryMagic:
 bug_descr = "use-after-poison";
@@ -1158,7 +1162,7 @@ void ReportGenericError(uptr pc, uptr bp, uptr sp, uptr addr, bool is_write,
 far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
 break;
 }
- SS.Scare(bug_type_score, bug_descr);
+ SS.Scare(bug_type_score + read_after_free_bonus, bug_descr);
 if (far_from_bounds) SS.Scare(10, "far-from-bounds");
 }
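Review bot: The comment introducing `read_after_free_bonus` says "use-after-frees", but the same bonus is also granted under kAsanStackAfterReturnMagic later in this switch, and the literal 18 that both case labels assign is not tied to the read/write access weights it is meant to approach (presumably applied elsewhere in this function), so the two can drift apart silently if the write weight is ever retuned. I would state the magnitude once where the flag is declared and have the case labels assign it, e.g. `// Reads of freed or returned-from memory score nearly as high as writes: the stale block may already hold other data, so a read can disclose it.` followed by `static const int kReadAfterFreeBonus = 18;  // keep one below the write-vs-read weight gap`. ReportGenericError starts and ends outside this hunk.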
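Review bot: The bonus added under kAsanStackAfterReturnMagic stops one case short: the very next label in the hunk, kAsanUserPoisonedMemoryMagic ("use-after-poison"), keeps the plain read weight, yet manual poisoning is precisely how custom allocators and garbage collectors mark freed objects, so a read there is often a use-after-free in all but name. If the intent is to rank reads of stale memory as nearly-writes, consider `if (!is_write) read_after_free_bonus = 18;` under the use-after-poison case as well, or add a comment such as `// User-poisoned memory is deliberately not treated as freed here.` so the exclusion is visibly intentional. The variable is also named for frees while this site is a stack-use-after-return; a broader name like `stale_read_bonus` would fit both uses. ReportGenericError starts and ends outside this hunk.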
diff --git a/compiler-rt/test/asan/TestCases/Linux/scariness_score_test.cc b/compiler-rt/test/asan/TestCases/Linux/scariness_score_test.cc
index 21f42a5..2485413 100644
--- a/compiler-rt/test/asan/TestCases/Linux/scariness_score_test.cc
+++ b/compiler-rt/test/asan/TestCases/Linux/scariness_score_test.cc
@@ -166,14 +166,14 @@ int main(int argc, char **argv) {
 // CHECK3: SCARINESS: 33 (2-byte-write-heap-buffer-overflow)
 // CHECK4: SCARINESS: 52 (8-byte-write-heap-buffer-overflow-far-from-bounds)
 // CHECK5: SCARINESS: 55 (multi-byte-write-heap-buffer-overflow-far-from-bounds)
- // CHECK6: SCARINESS: 22 (1-byte-read-heap-use-after-free)
+ // CHECK6: SCARINESS: 40 (1-byte-read-heap-use-after-free)
 // CHECK7: SCARINESS: 46 (4-byte-write-heap-use-after-free)
- // CHECK8: SCARINESS: 33 (8-byte-read-heap-use-after-free)
+ // CHECK8: SCARINESS: 51 (8-byte-read-heap-use-after-free)
 // CHECK9: SCARINESS: 55 (multi-byte-write-heap-use-after-free)
 // CHECK10: SCARINESS: 46 (1-byte-write-stack-buffer-overflow)
 // CHECK11: SCARINESS: 38 (8-byte-read-stack-buffer-overflow)
 // CHECK12: SCARINESS: 61 (4-byte-write-stack-buffer-overflow-far-from-bounds)
- // CHECK13: SCARINESS: 32 (1-byte-read-stack-use-after-return)
+ // CHECK13: SCARINESS: 50 (1-byte-read-stack-use-after-return)
 // CHECK14: SCARINESS: 65 (multi-byte-write-stack-use-after-return)
 // CHECK15: SCARINESS: 31 (1-byte-write-global-buffer-overflow)
 // CHECK16: SCARINESS: 36 (multi-byte-read-global-buffer-overflow-far-from-bounds)
-- 
2.7.4