compiler-rt/test/hwasan/TestCases/heap-buffer-overflow-into.c

   1 // RUN: %clang_hwasan  %s -o %t
   2 // RUN: not %run %t   5  10  26 2>&1 | FileCheck %s --check-prefixes=CHECK,CHECK_SMALL,CHECK5
   3 // RUN: not %run %t   7  10  26 2>&1 | FileCheck %s --check-prefixes=CHECK,CHECK_SMALL,CHECK7
   4 // RUN: not %run %t   8  20  26 2>&1 | FileCheck %s --check-prefixes=CHECK,CHECK_SMALL,CHECK8
   5 // RUN: not %run %t 295 300  26 2>&1 | FileCheck %s --check-prefixes=CHECK,CHECK_SMALL,CHECK295
   6 // RUN: not %run %t   1 550 550 2>&1 | FileCheck %s --check-prefixes=CHECK,CHECK_SMALL,CHECK1
   7
   8 // Full granule.
   9 // RUN: not %run %t  32  20  26 2>&1 | FileCheck %s --check-prefixes=CHECK,CHECK_FULL,CHECK32
  10
  11 #include <sanitizer/hwasan_interface.h>
  12 #include <stdio.h>
  13 #include <stdlib.h>
  14 #include <string.h>
  15
  16 int main(int argc, char **argv) {
  17   __hwasan_enable_allocator_tagging();
  18   if (argc < 2) {
  19     fprintf(stderr, "Invalid number of arguments.");
  20     abort();
  21   }
  22   int read_offset = atoi(argv[1]);
  23   int size = atoi(argv[2]);
  24   int access_size = atoi(argv[3]);
  25   while (1) {
  26     char *volatile x = (char *)malloc(size);
  27     if (__hwasan_test_shadow(x, size + 1) == size)
  28       memset(x + read_offset, 0, access_size);
  29     free(x);
  30   }
  31
  32   // CHECK_SMALL: WRITE of size {{26|550}} at {{.*}} tags: [[TAG:[0-9a-f]+]]/{{[0-9a-f]+}}([[TAG]]) (ptr/mem)
  33   // CHECK_FULL: WRITE of size 26 at {{.*}} tags: [[TAG:[0-9a-f]+]]/00 (ptr/mem)
  34
  35   // CHECK5: Invalid access starting at offset 5
  36   // CHECK5: is located 5 bytes inside a 10-byte region
  37   // CHECK7: Invalid access starting at offset 3
  38   // CHECK7: is located 7 bytes inside a 10-byte region
  39   // CHECK8: Invalid access starting at offset 12
  40   // CHECK8: is located 8 bytes inside a 20-byte region
  41   // CHECK295: Invalid access starting at offset 5
  42   // CHECK295: is located 295 bytes inside a 300-byte region
  43   // CHECK1: Invalid access starting at offset 549
  44   // CHECK1: is located 1 bytes inside a 550-byte region
  45
  46   // CHECK32-NOT: Invalid access starting at offset
  47   // CHECK32: is located 12 bytes after a 20-byte region
  48
  49   // CHECK-LABEL: Memory tags around the buggy address
  50   // CHECK5: =>{{.*}}[0a]
  51   // CHECK7: =>{{.*}}[0a]
  52   // CHECK8: =>{{.*}}[04]
  53   // CHECK295: =>{{.*}}[0c]
  54   // CHECK1: =>{{.*}}[06]
  55
  56   // CHECK32: =>{{.*}}[00]
  57
  58   // CHECK-LABEL: Tags for short granules around the buggy address
  59   // CHECK_SMALL: =>{{.*}}{{\[}}[[TAG]]{{\]}}
  60   // CHECK_FULL: =>{{.*}}[..]
  61 }