1 //===-- asan_errors.cc ------------------------------------------*- C++ -*-===//
2 //
3 // This file is distributed under the University of Illinois Open Source
4 // License. See LICENSE.TXT for details.
5 //
6 //===----------------------------------------------------------------------===//
7 //
8 // This file is a part of AddressSanitizer, an address sanity checker.
9 //
10 // ASan implementation for error structures.
11 //===----------------------------------------------------------------------===//
12
13 #include "asan_errors.h"
14 #include <signal.h>
15 #include "asan_descriptions.h"
16 #include "asan_mapping.h"
17 #include "asan_report.h"
18 #include "asan_stack.h"
19 #include "sanitizer_common/sanitizer_stackdepot.h"
20
21 namespace __asan {
22
OnStackUnwind(const SignalContext & sig,const void * callback_context,BufferedStackTrace * stack)23 static void OnStackUnwind(const SignalContext &sig,
24 const void *callback_context,
25 BufferedStackTrace *stack) {
26 bool fast = common_flags()->fast_unwind_on_fatal;
27 #if SANITIZER_FREEBSD || SANITIZER_NETBSD
28 // On FreeBSD the slow unwinding that leverages _Unwind_Backtrace()
29 // yields the call stack of the signal's handler and not of the code
30 // that raised the signal (as it does on Linux).
31 fast = true;
32 #endif
33 // Tests and maybe some users expect that scariness is going to be printed
34 // just before the stack. As only asan has scariness score we have no
35 // corresponding code in the sanitizer_common and we use this callback to
36 // print it.
37 static_cast<const ScarinessScoreBase *>(callback_context)->Print();
38 GetStackTraceWithPcBpAndContext(stack, kStackTraceMax, sig.pc, sig.bp,
39 sig.context, fast);
40 }
41
Print()42 void ErrorDeadlySignal::Print() {
43 ReportDeadlySignal(signal, tid, &OnStackUnwind, &scariness);
44 }
45
Print()46 void ErrorDoubleFree::Print() {
47 Decorator d;
48 Printf("%s", d.Warning());
49 char tname[128];
50 Report(
51 "ERROR: AddressSanitizer: attempting %s on %p in "
52 "thread T%d%s:\n",
53 scariness.GetDescription(), addr_description.addr, tid,
54 ThreadNameWithParenthesis(tid, tname, sizeof(tname)));
55 Printf("%s", d.Default());
56 scariness.Print();
57 GET_STACK_TRACE_FATAL(second_free_stack->trace[0],
58 second_free_stack->top_frame_bp);
59 stack.Print();
60 addr_description.Print();
61 ReportErrorSummary(scariness.GetDescription(), &stack);
62 }
63
Print()64 void ErrorNewDeleteSizeMismatch::Print() {
65 Decorator d;
66 Printf("%s", d.Warning());
67 char tname[128];
68 Report(
69 "ERROR: AddressSanitizer: %s on %p in thread "
70 "T%d%s:\n",
71 scariness.GetDescription(), addr_description.addr, tid,
72 ThreadNameWithParenthesis(tid, tname, sizeof(tname)));
73 Printf("%s object passed to delete has wrong type:\n", d.Default());
74 Printf(
75 " size of the allocated type: %zd bytes;\n"
76 " size of the deallocated type: %zd bytes.\n",
77 addr_description.chunk_access.chunk_size, delete_size);
78 CHECK_GT(free_stack->size, 0);
79 scariness.Print();
80 GET_STACK_TRACE_FATAL(free_stack->trace[0], free_stack->top_frame_bp);
81 stack.Print();
82 addr_description.Print();
83 ReportErrorSummary(scariness.GetDescription(), &stack);
84 Report(
85 "HINT: if you don't care about these errors you may set "
86 "ASAN_OPTIONS=new_delete_type_mismatch=0\n");
87 }
88
Print()89 void ErrorFreeNotMalloced::Print() {
90 Decorator d;
91 Printf("%s", d.Warning());
92 char tname[128];
93 Report(
94 "ERROR: AddressSanitizer: attempting free on address "
95 "which was not malloc()-ed: %p in thread T%d%s\n",
96 addr_description.Address(), tid,
97 ThreadNameWithParenthesis(tid, tname, sizeof(tname)));
98 Printf("%s", d.Default());
99 CHECK_GT(free_stack->size, 0);
100 scariness.Print();
101 GET_STACK_TRACE_FATAL(free_stack->trace[0], free_stack->top_frame_bp);
102 stack.Print();
103 addr_description.Print();
104 ReportErrorSummary(scariness.GetDescription(), &stack);
105 }
106
Print()107 void ErrorAllocTypeMismatch::Print() {
108 static const char *alloc_names[] = {"INVALID", "malloc", "operator new",
109 "operator new []"};
110 static const char *dealloc_names[] = {"INVALID", "free", "operator delete",
111 "operator delete []"};
112 CHECK_NE(alloc_type, dealloc_type);
113 Decorator d;
114 Printf("%s", d.Warning());
115 Report("ERROR: AddressSanitizer: %s (%s vs %s) on %p\n",
116 scariness.GetDescription(),
117 alloc_names[alloc_type], dealloc_names[dealloc_type],
118 addr_description.addr);
119 Printf("%s", d.Default());
120 CHECK_GT(dealloc_stack->size, 0);
121 scariness.Print();
122 GET_STACK_TRACE_FATAL(dealloc_stack->trace[0], dealloc_stack->top_frame_bp);
123 stack.Print();
124 addr_description.Print();
125 ReportErrorSummary(scariness.GetDescription(), &stack);
126 Report(
127 "HINT: if you don't care about these errors you may set "
128 "ASAN_OPTIONS=alloc_dealloc_mismatch=0\n");
129 }
130
Print()131 void ErrorMallocUsableSizeNotOwned::Print() {
132 Decorator d;
133 Printf("%s", d.Warning());
134 Report(
135 "ERROR: AddressSanitizer: attempting to call malloc_usable_size() for "
136 "pointer which is not owned: %p\n",
137 addr_description.Address());
138 Printf("%s", d.Default());
139 stack->Print();
140 addr_description.Print();
141 ReportErrorSummary(scariness.GetDescription(), stack);
142 }
143
Print()144 void ErrorSanitizerGetAllocatedSizeNotOwned::Print() {
145 Decorator d;
146 Printf("%s", d.Warning());
147 Report(
148 "ERROR: AddressSanitizer: attempting to call "
149 "__sanitizer_get_allocated_size() for pointer which is not owned: %p\n",
150 addr_description.Address());
151 Printf("%s", d.Default());
152 stack->Print();
153 addr_description.Print();
154 ReportErrorSummary(scariness.GetDescription(), stack);
155 }
156
Print()157 void ErrorStringFunctionMemoryRangesOverlap::Print() {
158 Decorator d;
159 char bug_type[100];
160 internal_snprintf(bug_type, sizeof(bug_type), "%s-param-overlap", function);
161 Printf("%s", d.Warning());
162 Report(
163 "ERROR: AddressSanitizer: %s: memory ranges [%p,%p) and [%p, %p) "
164 "overlap\n",
165 bug_type, addr1_description.Address(),
166 addr1_description.Address() + length1, addr2_description.Address(),
167 addr2_description.Address() + length2);
168 Printf("%s", d.Default());
169 scariness.Print();
170 stack->Print();
171 addr1_description.Print();
172 addr2_description.Print();
173 ReportErrorSummary(bug_type, stack);
174 }
175
Print()176 void ErrorStringFunctionSizeOverflow::Print() {
177 Decorator d;
178 Printf("%s", d.Warning());
179 Report("ERROR: AddressSanitizer: %s: (size=%zd)\n",
180 scariness.GetDescription(), size);
181 Printf("%s", d.Default());
182 scariness.Print();
183 stack->Print();
184 addr_description.Print();
185 ReportErrorSummary(scariness.GetDescription(), stack);
186 }
187
Print()188 void ErrorBadParamsToAnnotateContiguousContainer::Print() {
189 Report(
190 "ERROR: AddressSanitizer: bad parameters to "
191 "__sanitizer_annotate_contiguous_container:\n"
192 " beg : %p\n"
193 " end : %p\n"
194 " old_mid : %p\n"
195 " new_mid : %p\n",
196 beg, end, old_mid, new_mid);
197 uptr granularity = SHADOW_GRANULARITY;
198 if (!IsAligned(beg, granularity))
199 Report("ERROR: beg is not aligned by %d\n", granularity);
200 stack->Print();
201 ReportErrorSummary(scariness.GetDescription(), stack);
202 }
203
Print()204 void ErrorODRViolation::Print() {
205 Decorator d;
206 Printf("%s", d.Warning());
207 Report("ERROR: AddressSanitizer: %s (%p):\n", scariness.GetDescription(),
208 global1.beg);
209 Printf("%s", d.Default());
210 InternalScopedString g1_loc(256), g2_loc(256);
211 PrintGlobalLocation(&g1_loc, global1);
212 PrintGlobalLocation(&g2_loc, global2);
213 Printf(" [1] size=%zd '%s' %s\n", global1.size,
214 MaybeDemangleGlobalName(global1.name), g1_loc.data());
215 Printf(" [2] size=%zd '%s' %s\n", global2.size,
216 MaybeDemangleGlobalName(global2.name), g2_loc.data());
217 if (stack_id1 && stack_id2) {
218 Printf("These globals were registered at these points:\n");
219 Printf(" [1]:\n");
220 StackDepotGet(stack_id1).Print();
221 Printf(" [2]:\n");
222 StackDepotGet(stack_id2).Print();
223 }
224 Report(
225 "HINT: if you don't care about these errors you may set "
226 "ASAN_OPTIONS=detect_odr_violation=0\n");
227 InternalScopedString error_msg(256);
228 error_msg.append("%s: global '%s' at %s", scariness.GetDescription(),
229 MaybeDemangleGlobalName(global1.name), g1_loc.data());
230 ReportErrorSummary(error_msg.data());
231 }
232
Print()233 void ErrorInvalidPointerPair::Print() {
234 Decorator d;
235 Printf("%s", d.Warning());
236 Report("ERROR: AddressSanitizer: %s: %p %p\n", scariness.GetDescription(),
237 addr1_description.Address(), addr2_description.Address());
238 Printf("%s", d.Default());
239 GET_STACK_TRACE_FATAL(pc, bp);
240 stack.Print();
241 addr1_description.Print();
242 addr2_description.Print();
243 ReportErrorSummary(scariness.GetDescription(), &stack);
244 }
245
AdjacentShadowValuesAreFullyPoisoned(u8 * s)246 static bool AdjacentShadowValuesAreFullyPoisoned(u8 *s) {
247 return s[-1] > 127 && s[1] > 127;
248 }
249
ErrorGeneric(u32 tid,uptr pc_,uptr bp_,uptr sp_,uptr addr,bool is_write_,uptr access_size_)250 ErrorGeneric::ErrorGeneric(u32 tid, uptr pc_, uptr bp_, uptr sp_, uptr addr,
251 bool is_write_, uptr access_size_)
252 : ErrorBase(tid),
253 addr_description(addr, access_size_, /*shouldLockThreadRegistry=*/false),
254 pc(pc_),
255 bp(bp_),
256 sp(sp_),
257 access_size(access_size_),
258 is_write(is_write_),
259 shadow_val(0) {
260 scariness.Clear();
261 if (access_size) {
262 if (access_size <= 9) {
263 char desr[] = "?-byte";
264 desr[0] = '0' + access_size;
265 scariness.Scare(access_size + access_size / 2, desr);
266 } else if (access_size >= 10) {
267 scariness.Scare(15, "multi-byte");
268 }
269 is_write ? scariness.Scare(20, "write") : scariness.Scare(1, "read");
270
271 // Determine the error type.
272 bug_descr = "unknown-crash";
273 if (AddrIsInMem(addr)) {
274 u8 *shadow_addr = (u8 *)MemToShadow(addr);
275 // If we are accessing 16 bytes, look at the second shadow byte.
276 if (*shadow_addr == 0 && access_size > SHADOW_GRANULARITY) shadow_addr++;
277 // If we are in the partial right redzone, look at the next shadow byte.
278 if (*shadow_addr > 0 && *shadow_addr < 128) shadow_addr++;
279 bool far_from_bounds = false;
280 shadow_val = *shadow_addr;
281 int bug_type_score = 0;
282 // For use-after-frees reads are almost as bad as writes.
283 int read_after_free_bonus = 0;
284 switch (shadow_val) {
285 case kAsanHeapLeftRedzoneMagic:
286 case kAsanArrayCookieMagic:
287 bug_descr = "heap-buffer-overflow";
288 bug_type_score = 10;
289 far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
290 break;
291 case kAsanHeapFreeMagic:
292 bug_descr = "heap-use-after-free";
293 bug_type_score = 20;
294 if (!is_write) read_after_free_bonus = 18;
295 break;
296 case kAsanStackLeftRedzoneMagic:
297 bug_descr = "stack-buffer-underflow";
298 bug_type_score = 25;
299 far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
300 break;
301 case kAsanInitializationOrderMagic:
302 bug_descr = "initialization-order-fiasco";
303 bug_type_score = 1;
304 break;
305 case kAsanStackMidRedzoneMagic:
306 case kAsanStackRightRedzoneMagic:
307 bug_descr = "stack-buffer-overflow";
308 bug_type_score = 25;
309 far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
310 break;
311 case kAsanStackAfterReturnMagic:
312 bug_descr = "stack-use-after-return";
313 bug_type_score = 30;
314 if (!is_write) read_after_free_bonus = 18;
315 break;
316 case kAsanUserPoisonedMemoryMagic:
317 bug_descr = "use-after-poison";
318 bug_type_score = 20;
319 break;
320 case kAsanContiguousContainerOOBMagic:
321 bug_descr = "container-overflow";
322 bug_type_score = 10;
323 break;
324 case kAsanStackUseAfterScopeMagic:
325 bug_descr = "stack-use-after-scope";
326 bug_type_score = 10;
327 break;
328 case kAsanGlobalRedzoneMagic:
329 bug_descr = "global-buffer-overflow";
330 bug_type_score = 10;
331 far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
332 break;
333 case kAsanIntraObjectRedzone:
334 bug_descr = "intra-object-overflow";
335 bug_type_score = 10;
336 break;
337 case kAsanAllocaLeftMagic:
338 case kAsanAllocaRightMagic:
339 bug_descr = "dynamic-stack-buffer-overflow";
340 bug_type_score = 25;
341 far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
342 break;
343 }
344 scariness.Scare(bug_type_score + read_after_free_bonus, bug_descr);
345 if (far_from_bounds) scariness.Scare(10, "far-from-bounds");
346 }
347 }
348 }
349
PrintContainerOverflowHint()350 static void PrintContainerOverflowHint() {
351 Printf("HINT: if you don't care about these errors you may set "
352 "ASAN_OPTIONS=detect_container_overflow=0.\n"
353 "If you suspect a false positive see also: "
354 "https://github.com/google/sanitizers/wiki/"
355 "AddressSanitizerContainerOverflow.\n");
356 }
357
PrintShadowByte(InternalScopedString * str,const char * before,u8 byte,const char * after="\\n")358 static void PrintShadowByte(InternalScopedString *str, const char *before,
359 u8 byte, const char *after = "\n") {
360 PrintMemoryByte(str, before, byte, /*in_shadow*/true, after);
361 }
362
PrintLegend(InternalScopedString * str)363 static void PrintLegend(InternalScopedString *str) {
364 str->append(
365 "Shadow byte legend (one shadow byte represents %d "
366 "application bytes):\n",
367 (int)SHADOW_GRANULARITY);
368 PrintShadowByte(str, " Addressable: ", 0);
369 str->append(" Partially addressable: ");
370 for (u8 i = 1; i < SHADOW_GRANULARITY; i++) PrintShadowByte(str, "", i, " ");
371 str->append("\n");
372 PrintShadowByte(str, " Heap left redzone: ",
373 kAsanHeapLeftRedzoneMagic);
374 PrintShadowByte(str, " Freed heap region: ", kAsanHeapFreeMagic);
375 PrintShadowByte(str, " Stack left redzone: ",
376 kAsanStackLeftRedzoneMagic);
377 PrintShadowByte(str, " Stack mid redzone: ",
378 kAsanStackMidRedzoneMagic);
379 PrintShadowByte(str, " Stack right redzone: ",
380 kAsanStackRightRedzoneMagic);
381 PrintShadowByte(str, " Stack after return: ",
382 kAsanStackAfterReturnMagic);
383 PrintShadowByte(str, " Stack use after scope: ",
384 kAsanStackUseAfterScopeMagic);
385 PrintShadowByte(str, " Global redzone: ", kAsanGlobalRedzoneMagic);
386 PrintShadowByte(str, " Global init order: ",
387 kAsanInitializationOrderMagic);
388 PrintShadowByte(str, " Poisoned by user: ",
389 kAsanUserPoisonedMemoryMagic);
390 PrintShadowByte(str, " Container overflow: ",
391 kAsanContiguousContainerOOBMagic);
392 PrintShadowByte(str, " Array cookie: ",
393 kAsanArrayCookieMagic);
394 PrintShadowByte(str, " Intra object redzone: ",
395 kAsanIntraObjectRedzone);
396 PrintShadowByte(str, " ASan internal: ", kAsanInternalHeapMagic);
397 PrintShadowByte(str, " Left alloca redzone: ", kAsanAllocaLeftMagic);
398 PrintShadowByte(str, " Right alloca redzone: ", kAsanAllocaRightMagic);
399 }
400
PrintShadowBytes(InternalScopedString * str,const char * before,u8 * bytes,u8 * guilty,uptr n)401 static void PrintShadowBytes(InternalScopedString *str, const char *before,
402 u8 *bytes, u8 *guilty, uptr n) {
403 Decorator d;
404 if (before) str->append("%s%p:", before, bytes);
405 for (uptr i = 0; i < n; i++) {
406 u8 *p = bytes + i;
407 const char *before =
408 p == guilty ? "[" : (p - 1 == guilty && i != 0) ? "" : " ";
409 const char *after = p == guilty ? "]" : "";
410 PrintShadowByte(str, before, *p, after);
411 }
412 str->append("\n");
413 }
414
PrintShadowMemoryForAddress(uptr addr)415 static void PrintShadowMemoryForAddress(uptr addr) {
416 if (!AddrIsInMem(addr)) return;
417 uptr shadow_addr = MemToShadow(addr);
418 const uptr n_bytes_per_row = 16;
419 uptr aligned_shadow = shadow_addr & ~(n_bytes_per_row - 1);
420 InternalScopedString str(4096 * 8);
421 str.append("Shadow bytes around the buggy address:\n");
422 for (int i = -5; i <= 5; i++) {
423 const char *prefix = (i == 0) ? "=>" : " ";
424 PrintShadowBytes(&str, prefix, (u8 *)(aligned_shadow + i * n_bytes_per_row),
425 (u8 *)shadow_addr, n_bytes_per_row);
426 }
427 if (flags()->print_legend) PrintLegend(&str);
428 Printf("%s", str.data());
429 }
430
Print()431 void ErrorGeneric::Print() {
432 Decorator d;
433 Printf("%s", d.Warning());
434 uptr addr = addr_description.Address();
435 Report("ERROR: AddressSanitizer: %s on address %p at pc %p bp %p sp %p\n",
436 bug_descr, (void *)addr, pc, bp, sp);
437 Printf("%s", d.Default());
438
439 char tname[128];
440 Printf("%s%s of size %zu at %p thread T%d%s%s\n", d.Access(),
441 access_size ? (is_write ? "WRITE" : "READ") : "ACCESS", access_size,
442 (void *)addr, tid,
443 ThreadNameWithParenthesis(tid, tname, sizeof(tname)), d.Default());
444
445 scariness.Print();
446 GET_STACK_TRACE_FATAL(pc, bp);
447 stack.Print();
448
449 // Pass bug_descr because we have a special case for
450 // initialization-order-fiasco
451 addr_description.Print(bug_descr);
452 if (shadow_val == kAsanContiguousContainerOOBMagic)
453 PrintContainerOverflowHint();
454 ReportErrorSummary(bug_descr, &stack);
455 PrintShadowMemoryForAddress(addr);
456 }
457
458 } // namespace __asan
459