1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
| //===-- ubsan_handlers_cxx.cpp --------------------------------------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// Error logging entry points for the UBSan runtime, which are only used for C++
// compilations. This file is permitted to use language features which require
// linking against a C++ ABI library.
//
//===----------------------------------------------------------------------===//
#include "ubsan_platform.h"
#if CAN_SANITIZE_UB
#include "ubsan_handlers.h"
#include "ubsan_handlers_cxx.h"
#include "ubsan_diag.h"
#include "ubsan_type_hash.h"
#include "sanitizer_common/sanitizer_common.h"
#include "sanitizer_common/sanitizer_suppressions.h"
using namespace __sanitizer;
using namespace __ubsan;
namespace __ubsan {
extern const char *TypeCheckKinds[];
}
// Returns true if UBSan has printed an error report.
static bool HandleDynamicTypeCacheMiss(
DynamicTypeCacheMissData *Data, ValueHandle Pointer, ValueHandle Hash,
ReportOptions Opts) {
if (checkDynamicType((void*)Pointer, Data->TypeInfo, Hash))
// Just a cache miss. The type matches after all.
return false;
// Check if error report should be suppressed.
DynamicTypeInfo DTI = getDynamicTypeInfoFromObject((void*)Pointer);
if (DTI.isValid() && IsVptrCheckSuppressed(DTI.getMostDerivedTypeName()))
return false;
SourceLocation Loc = Data->Loc.acquire();
ErrorType ET = ErrorType::DynamicTypeMismatch;
if (ignoreReport(Loc, Opts, ET))
return false;
ScopedReport R(Opts, Loc, ET);
Diag(Loc, DL_Error, ET,
"%0 address %1 which does not point to an object of type %2")
<< TypeCheckKinds[Data->TypeCheckKind] << (void*)Pointer << Data->Type;
// If possible, say what type it actually points to.
if (!DTI.isValid()) {
if (DTI.getOffset() < -VptrMaxOffsetToTop || DTI.getOffset() > VptrMaxOffsetToTop) {
Diag(Pointer, DL_Note, ET,
"object has a possibly invalid vptr: abs(offset to top) too big")
<< TypeName(DTI.getMostDerivedTypeName())
<< Range(Pointer, Pointer + sizeof(uptr), "possibly invalid vptr");
} else {
Diag(Pointer, DL_Note, ET, "object has invalid vptr")
<< TypeName(DTI.getMostDerivedTypeName())
<< Range(Pointer, Pointer + sizeof(uptr), "invalid vptr");
}
} else if (!DTI.getOffset())
Diag(Pointer, DL_Note, ET, "object is of type %0")
<< TypeName(DTI.getMostDerivedTypeName())
<< Range(Pointer, Pointer + sizeof(uptr), "vptr for %0");
else
// FIXME: Find the type at the specified offset, and include that
// in the note.
Diag(Pointer - DTI.getOffset(), DL_Note, ET,
"object is base class subobject at offset %0 within object of type %1")
<< DTI.getOffset() << TypeName(DTI.getMostDerivedTypeName())
<< TypeName(DTI.getSubobjectTypeName())
<< Range(Pointer, Pointer + sizeof(uptr),
"vptr for %2 base class of %1");
return true;
}
void __ubsan::__ubsan_handle_dynamic_type_cache_miss(
DynamicTypeCacheMissData *Data, ValueHandle Pointer, ValueHandle Hash) {
GET_REPORT_OPTIONS(false);
HandleDynamicTypeCacheMiss(Data, Pointer, Hash, Opts);
}
void __ubsan::__ubsan_handle_dynamic_type_cache_miss_abort(
DynamicTypeCacheMissData *Data, ValueHandle Pointer, ValueHandle Hash) {
// Note: -fsanitize=vptr is always recoverable.
GET_REPORT_OPTIONS(false);
if (HandleDynamicTypeCacheMiss(Data, Pointer, Hash, Opts))
Die();
}
namespace __ubsan {
void __ubsan_handle_cfi_bad_type(CFICheckFailData *Data, ValueHandle Vtable,
bool ValidVtable, ReportOptions Opts) {
SourceLocation Loc = Data->Loc.acquire();
ErrorType ET = ErrorType::CFIBadType;
if (ignoreReport(Loc, Opts, ET))
return;
ScopedReport R(Opts, Loc, ET);
DynamicTypeInfo DTI = ValidVtable
? getDynamicTypeInfoFromVtable((void *)Vtable)
: DynamicTypeInfo(0, 0, 0);
const char *CheckKindStr;
switch (Data->CheckKind) {
case CFITCK_VCall:
CheckKindStr = "virtual call";
break;
case CFITCK_NVCall:
CheckKindStr = "non-virtual call";
break;
case CFITCK_DerivedCast:
CheckKindStr = "base-to-derived cast";
break;
case CFITCK_UnrelatedCast:
CheckKindStr = "cast to unrelated type";
break;
case CFITCK_VMFCall:
CheckKindStr = "virtual pointer to member function call";
break;
case CFITCK_ICall:
case CFITCK_NVMFCall:
Die();
}
Diag(Loc, DL_Error, ET,
"control flow integrity check for type %0 failed during "
"%1 (vtable address %2)")
<< Data->Type << CheckKindStr << (void *)Vtable;
// If possible, say what type it actually points to.
if (!DTI.isValid())
Diag(Vtable, DL_Note, ET, "invalid vtable");
else
Diag(Vtable, DL_Note, ET, "vtable is of type %0")
<< TypeName(DTI.getMostDerivedTypeName());
// If the failure involved different DSOs for the check location and vtable,
// report the DSO names.
const char *DstModule = Symbolizer::GetOrInit()->GetModuleNameForPc(Vtable);
if (!DstModule)
DstModule = "(unknown)";
const char *SrcModule = Symbolizer::GetOrInit()->GetModuleNameForPc(Opts.pc);
if (!SrcModule)
SrcModule = "(unknown)";
if (internal_strcmp(SrcModule, DstModule))
Diag(Loc, DL_Note, ET, "check failed in %0, vtable located in %1")
<< SrcModule << DstModule;
}
static bool handleFunctionTypeMismatch(FunctionTypeMismatchData *Data,
ValueHandle Function,
ValueHandle calleeRTTI,
ValueHandle fnRTTI, ReportOptions Opts) {
if (checkTypeInfoEquality(reinterpret_cast<void *>(calleeRTTI),
reinterpret_cast<void *>(fnRTTI)))
return false;
SourceLocation CallLoc = Data->Loc.acquire();
ErrorType ET = ErrorType::FunctionTypeMismatch;
if (ignoreReport(CallLoc, Opts, ET))
return true;
ScopedReport R(Opts, CallLoc, ET);
SymbolizedStackHolder FLoc(getSymbolizedLocation(Function));
const char *FName = FLoc.get()->info.function;
if (!FName)
FName = "(unknown)";
Diag(CallLoc, DL_Error, ET,
"call to function %0 through pointer to incorrect function type %1")
<< FName << Data->Type;
Diag(FLoc, DL_Note, ET, "%0 defined here") << FName;
return true;
}
void __ubsan_handle_function_type_mismatch_v1(FunctionTypeMismatchData *Data,
ValueHandle Function,
ValueHandle calleeRTTI,
ValueHandle fnRTTI) {
GET_REPORT_OPTIONS(false);
handleFunctionTypeMismatch(Data, Function, calleeRTTI, fnRTTI, Opts);
}
void __ubsan_handle_function_type_mismatch_v1_abort(
FunctionTypeMismatchData *Data, ValueHandle Function,
ValueHandle calleeRTTI, ValueHandle fnRTTI) {
GET_REPORT_OPTIONS(true);
if (handleFunctionTypeMismatch(Data, Function, calleeRTTI, fnRTTI, Opts))
Die();
}
} // namespace __ubsan
#endif // CAN_SANITIZE_UB
|