On Mon, Nov 28, 2016 at 3:06 PM, steven shi <shijunj...@gmail.com> wrote:
> Hello,
> I'm porting the Asan RT lib to my firmware, and I've met an issue that blocks my
> shadow memory checking from working correctly. I have to update the Asan core logic
> macro to let it work on my side, and I hope some expert could help me
> understand the code below correctly.
>
> LLVM Asan uses the macro below to check whether the addr shadow memory is
> poisoned or not. My issue is about the line 166 condition: (size >=
> SHADOW_GRANULARITY || ...), and I have to update it to (s >=
> SHADOW_GRANULARITY || ...). I think the "size" is just from the hard-coded
> INTERFACE function name definition (e.g. ASAN_MEMORY_ACCESS_CALLBACK(load,
> false, 16)), and its values are one of {1,2,4,8,16}. So, for __asan_load8
> and __asan_load16 with 8 granularity, the "size" will be 8 and 16, and
> (size >= SHADOW_GRANULARITY) will always be true, isn't it wrong? My understanding
> is we need to check the addr shadow memory value here to make sure the addr's
> shadow memory value is less than its covered SHADOW_GRANULARITY bound.
> I'd appreciate any clarification about this code.

> I think the "size" is just from hard code INTERFACE function name definition 
> (e.g. ASAN_MEMORY_ACCESS_CALLBACK(load, false, 16)), and its values are one 
> of {1,2,4,8,16}

That's true and correct.

If the access size is 8 or 16, then we just compare the shadow value s with 0.
If it's not zero, we report a bug.
For accesses of size 1, 2, 4 we need a more complex check: s != 0 &&
((s8)((addr & (SHADOW_GRANULARITY - 1)) + size - 1)) >= (s8)s




> http://llvm.org/svn/llvm-project/compiler-rt/trunk/lib/asan/asan_rtl.cc
> line 161:
> #define ASAN_MEMORY_ACCESS_CALLBACK_BODY(type, is_write, size, exp_arg, fatal) \
>     uptr sp = MEM_TO_SHADOW(addr);                                             \
>     uptr s = size <= SHADOW_GRANULARITY ? *reinterpret_cast<u8 *>(sp)          \
>                                         : *reinterpret_cast<u16 *>(sp);        \
>     if (UNLIKELY(s)) {                                                         \
>       if (UNLIKELY(size >= SHADOW_GRANULARITY ||                               \
>                    ((s8)((addr & (SHADOW_GRANULARITY - 1)) + size - 1)) >=     \
>                        (s8)s)) {                                               \
>         if (__asan_test_only_reported_buggy_pointer) {                         \
>           *__asan_test_only_reported_buggy_pointer = addr;                     \
>         } else {                                                               \
>           GET_CALLER_PC_BP_SP;                                                 \
>           ReportGenericError(pc, bp, sp, addr, is_write, size, exp_arg,        \
>                               fatal);                                          \
>         }                                                                      \
>       }                                                                        \
>     }
>
> My updated version:
>
> #define ASAN_MEMORY_ACCESS_CALLBACK_BODY(type, is_write, size, exp_arg, fatal) \
>     uptr sp = MEM_TO_SHADOW(addr);                                             \
>     uptr s = size <= SHADOW_GRANULARITY ? *reinterpret_cast<u8 *>(sp)          \
>                                         : *reinterpret_cast<u16 *>(sp);        \
>     if (UNLIKELY(s)) {                                                         \
>       if (UNLIKELY(s >= SHADOW_GRANULARITY ||                                  \
>                    ((s8)((addr & (SHADOW_GRANULARITY - 1)) + size - 1)) >=     \
>                        (s8)s)) {                                               \
>         if (__asan_test_only_reported_buggy_pointer) {                         \
>           *__asan_test_only_reported_buggy_pointer = addr;                     \
>         } else {                                                               \
>           GET_CALLER_PC_BP_SP;                                                 \
>           ReportGenericError(pc, bp, sp, addr, is_write, size, exp_arg,        \
>                               fatal);                                          \
>         }                                                                      \
>       }                                                                        \
>     }
>
> --
> You received this message because you are subscribed to the Google Groups
> "address-sanitizer" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to address-sanitizer+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

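The check described in the reply, run against a small constructed shadow map. This is an added example, not part of the original messages and not compiler-rt code; the names AccessIsBad, kShadow and kGranularity, the toy address-to-shadow mapping (memory starts at address 0) and the shadow values are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>

// Constructed model, not compiler-rt code: 32 bytes of "memory" at address 0,
// one shadow byte per 8-byte granule (all names here are assumptions).
static const uintptr_t kGranularity = 8;  // SHADOW_GRANULARITY in the thread
// Shadow encoding: 0 = all 8 bytes addressable, k in 1..7 = only the first k
// bytes addressable, negative as s8 = whole granule poisoned.
static const uint8_t kShadow[4] = {
    0x00,  // bytes 0..7   addressable
    0x00,  // bytes 8..15  addressable
    0x05,  // bytes 16..20 addressable, 21..23 not
    0xfa,  // bytes 24..31 poisoned (constructed value)
};

// Returns true when the access [addr, addr + size) has to be reported.
// size is one of {1, 2, 4, 8, 16}, as in the callbacks quoted in the thread.
bool AccessIsBad(uintptr_t addr, uintptr_t size) {
  const uint8_t *sp = &kShadow[addr / kGranularity];  // toy MEM_TO_SHADOW
  uintptr_t s;
  if (size <= kGranularity) {
    s = *sp;  // one shadow byte covers the access
  } else {
    uint16_t two;  // a 16-byte access reads two shadow bytes at once
    std::memcpy(&two, sp, sizeof two);  // memcpy instead of a u16 cast
    s = two;
  }
  if (s == 0) return false;  // fast path: everything addressable
  // Sizes 8 and 16: the shadow value is only compared with 0.
  if (size >= kGranularity) return true;
  // Sizes 1, 2, 4: bad if the last byte touched lies at or past the
  // addressable prefix, or if the granule is poisoned (negative s8).
  int8_t last = (int8_t)((addr & (kGranularity - 1)) + size - 1);
  return last >= (int8_t)s;
}

int main() {
  const uintptr_t cases[][2] = {{0, 16}, {16, 8}, {16, 4}, {18, 4},
                                {20, 1}, {21, 1}, {24, 1}, {16, 16}};
  for (const auto &c : cases)
    std::printf("addr=%2lu size=%2lu -> %s\n", (unsigned long)c[0],
                (unsigned long)c[1], AccessIsBad(c[0], c[1]) ? "report" : "ok");
  return 0;
}
```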