On 11/11/19 5:03 PM, Matthew Malcomson wrote:
Ah!
My apologies -- I sent up a series with a few documentation mistakes.
(the others were wording problems so less noticeable)

That's fine, I fixed that very easily.

Right now, I can confirm that an aarch64 KVM guest with the following Linux kernel works: 5.4.0-rc6-3.g7068448-default. I haven't tried a HWASAN bootstrap, but I can run almost all hwasan.exp tests.

There are 2 exceptions:

FAIL: gcc.dg/hwasan/stack-tagging-basic-1.c   -O2 -flto -fuse-linker-plugin -fno-fat-lto-objects  execution test
FAIL: gcc.dg/hwasan/large-aligned-1.c   -O2 -flto -fuse-linker-plugin -fno-fat-lto-objects  execution test

These fail due to the unused return value of a function that returns int. The attached patch fixes that.
I'm planning to make proper comments about the series starting next week.

In the meantime, I have some libsanitizer upstream suggestions that you can maybe discuss. They are mostly about
shadow memory dump differences between ASAN and HWASAN:

Let's consider one example:

$ cat malloc.c

#include <stdlib.h>

int main(int argc, char **argv)
{
        char *ptr = malloc (argc);   /* argc is 1 when run without arguments */
        return ptr[1];               /* reads one byte past the 1-byte allocation */
}

$ gcc malloc.c -fsanitize=address && ./a.out
=================================================================
==7319==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xffffaca007b1 at pc 0x0000004007a0 bp 0xfffff26df150 sp 0xfffff26df168
READ of size 1 at 0xffffaca007b1 thread T0
    #0 0x40079c in main (/home/marxin/Programming/gcc/a.out+0x40079c)
    #1 0xffffb0d3d3e8 in __libc_start_main (/lib64/libc.so.6+0x243e8)
    #2 0x400670  (/home/marxin/Programming/gcc/a.out+0x400670)

0xffffaca007b1 is located 0 bytes to the right of 1-byte region [0xffffaca007b0,0xffffaca007b1)
allocated by thread T0 here:
    #0 0xffffb0f2bdbc in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x400748 in main (/home/marxin/Programming/gcc/a.out+0x400748)
    #2 0xffffb0d3d3e8 in __libc_start_main (/lib64/libc.so.6+0x243e8)
    #3 0x400670  (/home/marxin/Programming/gcc/a.out+0x400670)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/marxin/Programming/gcc/a.out+0x40079c) in main
Shadow bytes around the buggy address:
  0x200ff59400a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200ff59400b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200ff59400c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200ff59400d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200ff59400e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x200ff59400f0: fa fa fa fa fa fa[01]fa fa fa fa fa fa fa fa fa
  0x200ff5940100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200ff5940110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200ff5940120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200ff5940130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x200ff5940140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==7319==ABORTING

$ gcc malloc.c -fsanitize=hwaddress && ./a.out
==7329==ERROR: HWAddressSanitizer: tag-mismatch on address 0xefdeffffe001 at pc 0xffff804bbcd0
READ of size 1 at 0xefdeffffe001 tags: 03/01 (ptr/mem) in thread T0
    #0 0xffff804bbccc in SigTrap<0> ../../../../libsanitizer/hwasan/hwasan_checks.h:27
    #1 0xffff804bbccc in CheckAddress<(__hwasan::ErrorAction)0, (__hwasan::AccessType)0, 0> ../../../../libsanitizer/hwasan/hwasan_checks.h:88
    #2 0xffff804bbccc in __hwasan_load1 ../../../../libsanitizer/hwasan/hwasan.cpp:469
    #3 0x4007d4 in main (/home/marxin/Programming/gcc/a.out+0x4007d4)
    #4 0xffff8035e3e8 in __libc_start_main (/lib64/libc.so.6+0x243e8)
    #5 0x4006b0  (/home/marxin/Programming/gcc/a.out+0x4006b0)

[0xefdeffffe000,0xefdeffffe020) is a small allocated heap chunk; size: 32 offset: 1
0xefdeffffe001 is located 0 bytes to the right of 1-byte region [0xefdeffffe000,0xefdeffffe001)
allocated here:
    #0 0xffff804bd81c in __sanitizer_malloc ../../../../libsanitizer/hwasan/hwasan_interceptors.cpp:169
    #1 0x4007b8 in main (/home/marxin/Programming/gcc/a.out+0x4007b8)
    #2 0xffff8035e3e8 in __libc_start_main (/lib64/libc.so.6+0x243e8)
    #3 0x4006b0  (/home/marxin/Programming/gcc/a.out+0x4006b0)

Thread: T0 0xeffe00002000 stack: [0xffffd63c2000,0xffffd6bc2000) sz: 8388608 tls: [0xffff80e25020,0xffff80e25790)
Memory tags around the buggy address (one tag corresponds to 16 bytes):
   00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
   00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
   00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
   00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
   00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
   00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
   00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
   00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
=>[01] 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00 <=
   00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
   00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
   00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
   00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
   00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
   00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
   00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
   00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
Tags for short granules around the buggy address (one tag corresponds to 16 bytes):
   ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..
=>[03] ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  .. <=
   ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..  ..
See https://clang.llvm.org/docs/HardwareAssistedAddressSanitizerDesign.html#short-granules for a description of short granule tags
SUMMARY: HWAddressSanitizer: tag-mismatch ../../../../libsanitizer/hwasan/hwasan_checks.h:27 in SigTrap<0>

Improvements I see:
a) HWASAN uses a less compact dump (2 spaces compared to one)
b) HWASAN is not using colors, and it would be handy to know which color is used for "uninitialized" tags;
   I would also mark the 2 compared tags (ptr/mem) in the dumps
c) The "Tags for short granules around the buggy address" dump is using a dot notation which seems a bit misleading
d) For HWASAN, the address offset is missing for each line in both the shadow memory dump and the pointer

Thanks,
Martin
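As an added illustration (not code from the mail or from libsanitizer), the two checks the reports above encode, replayed in Python with the addresses and tags taken from the dumps: the aarch64 ASan shadow mapping (scale 3, shadow offset 1<<36) and HWASan's short-granule rule from the linked design document.

```python
# Added example, not part of the thread; constants follow libsanitizer's aarch64 layout.
ASAN_SHADOW_SCALE = 3                  # one shadow byte per 8 application bytes
ASAN_SHADOW_OFFSET_AARCH64 = 1 << 36   # libsanitizer's aarch64 shadow offset
HWASAN_GRANULE = 16                    # one memory tag per 16 application bytes

def asan_shadow_addr(addr: int) -> int:
    """Application address -> address of its ASan shadow byte (aarch64)."""
    return (addr >> ASAN_SHADOW_SCALE) + ASAN_SHADOW_OFFSET_AARCH64

def asan_is_poisoned(addr: int, size: int, shadow_byte: int) -> bool:
    """ASan check for an access of `size` (1..8) bytes inside one granule.

    00 = whole 8-byte granule addressable, 01..07 = only the first k bytes
    addressable, anything else (fa redzone, fd freed, ...) = poisoned."""
    if shadow_byte == 0:
        return False
    if shadow_byte >= 8:               # negative in the runtime's signed byte
        return True
    return (addr & 7) + size - 1 >= shadow_byte

def hwasan_access_ok(addr: int, size: int, ptr_tag: int, mem_tag: int,
                     short_granule_tag: int) -> bool:
    """HWASan check in the spirit of CheckAddress in hwasan_checks.h.

    A memory tag below 16 marks a "short granule": only the first mem_tag
    bytes belong to the allocation and the real tag lives in the granule's
    last byte (the row shown under "Tags for short granules")."""
    if ptr_tag == mem_tag:
        return True
    if mem_tag >= HWASAN_GRANULE:      # ordinary granule: plain mismatch
        return False
    if (addr & (HWASAN_GRANULE - 1)) + size - 1 >= mem_tag:
        return False                   # reaches past the short allocation
    return short_granule_tag == ptr_tag

def decode_thread_reports() -> dict:
    """Replay both reports: ptr[1] of a 1-byte malloc is caught, ptr[0] is not."""
    asan_addr = 0xffffaca007b1         # from the ASan report above
    hw_addr = 0xefdeffffe001           # from the HWASan report, tags 03/01 (ptr/mem)
    return {
        "asan_shadow": asan_shadow_addr(asan_addr),      # 0x200ff59400f6, the [01]
        "asan_ptr1_poisoned": asan_is_poisoned(asan_addr, 1, 0x01),
        "asan_ptr0_poisoned": asan_is_poisoned(asan_addr - 1, 1, 0x01),
        "hwasan_ptr1_ok": hwasan_access_ok(hw_addr, 1, 0x03, 0x01, 0x03),
        "hwasan_ptr0_ok": hwasan_access_ok(hw_addr - 1, 1, 0x03, 0x01, 0x03),
    }
```

The computed shadow address lands exactly on the `[01]` byte in the ASan dump, and the HWASan replay shows why the mismatch is reported only after the short-granule bound check fails, not on the bare 03 vs 01 comparison.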


I'm attaching the entire updated patch series (with the other
documentation fixes in it too) and the fixed patch for just this part in
case you just want to compile and test right now.

diff --git a/gcc/testsuite/gcc.dg/hwasan/large-aligned-0.c b/gcc/testsuite/gcc.dg/hwasan/large-aligned-0.c
index aba79e0acf3..03465fd20b9 100644
--- a/gcc/testsuite/gcc.dg/hwasan/large-aligned-0.c
+++ b/gcc/testsuite/gcc.dg/hwasan/large-aligned-0.c
@@ -21,10 +21,13 @@ handle_large_alignment (int num)
 #ifndef ARG
 #define ARG 1
 #endif
+
+int global;
+
 int __attribute__ ((noinline))
 main ()
 {
-  handle_large_alignment (ARG);
+  global += handle_large_alignment (ARG);
   return 0;
 }
 
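Review bot: the new `int global;` is written but never read, so a whole-program optimizer (which `-flto -fuse-linker-plugin` enables for these tests) may treat it as a write-only variable, drop the `global += ...` store and leave the `handle_large_alignment (ARG)` result as unused as it was before this change; `volatile int global;` is the usual testsuite idiom and keeps the result consumed regardless of how the call is analysed. A one-line comment above the declaration saying that the return value must be used to keep the tagged access alive under LTO would also spare the next reader from re-deriving that from the FAIL.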
diff --git a/gcc/testsuite/gcc.dg/hwasan/stack-tagging-basic-0.c b/gcc/testsuite/gcc.dg/hwasan/stack-tagging-basic-0.c
index 050a3eda7aa..3087bd596f9 100644
--- a/gcc/testsuite/gcc.dg/hwasan/stack-tagging-basic-0.c
+++ b/gcc/testsuite/gcc.dg/hwasan/stack-tagging-basic-0.c
@@ -25,9 +25,12 @@ using_stack (int num)
 #ifndef ARG
 #define ARG 0
 #endif
+
+int global;
+
 int __attribute__ ((noinline))
 main ()
 {
-  using_stack (ARG);
+  global += using_stack (ARG);
   return 0;
 }
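Review bot: same concern as in large-aligned-0.c: `global` is only ever written, so `volatile int global;` would be the safer choice here too, and the two tests should use the same spelling so the fix does not have to be re-done in one file when the other is adjusted. The short comment explaining why `using_stack (ARG)` must feed a variable belongs here as well.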
