search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[clang][extract-api] Emit "navigator" property of "name" in SymbolGraph
[llvm-project.git] / compiler-rt / lib / hwasan / hwasan_report.cpp
blob66d3d155d409438cf6e46c59ee746fbded3fad18
1 //===-- hwasan_report.cpp -------------------------------------------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file is a part of HWAddressSanitizer.
10 //
11 // Error reporting.
12 //===----------------------------------------------------------------------===//
13
14 #include "hwasan_report.h"
15
16 #include <dlfcn.h>
17
18 #include "hwasan.h"
19 #include "hwasan_allocator.h"
20 #include "hwasan_globals.h"
21 #include "hwasan_mapping.h"
22 #include "hwasan_thread.h"
23 #include "hwasan_thread_list.h"
24 #include "sanitizer_common/sanitizer_allocator_internal.h"
25 #include "sanitizer_common/sanitizer_common.h"
26 #include "sanitizer_common/sanitizer_flags.h"
27 #include "sanitizer_common/sanitizer_mutex.h"
28 #include "sanitizer_common/sanitizer_report_decorator.h"
29 #include "sanitizer_common/sanitizer_stackdepot.h"
30 #include "sanitizer_common/sanitizer_stacktrace_printer.h"
31 #include "sanitizer_common/sanitizer_symbolizer.h"
32
33 using namespace __sanitizer;
34
35 namespace __hwasan {
36
37 class ScopedReport {
38 public:
39 ScopedReport(bool fatal = false) : error_message_(1), fatal(fatal) {
40 Lock lock(&error_message_lock_);
41 error_message_ptr_ = fatal ? &error_message_ : nullptr;
42 ++hwasan_report_count;
43 }
44
45 ~ScopedReport() {
46 void (*report_cb)(const char *);
47 {
48 Lock lock(&error_message_lock_);
49 report_cb = error_report_callback_;
50 error_message_ptr_ = nullptr;
51 }
52 if (report_cb)
53 report_cb(error_message_.data());
54 if (fatal)
55 SetAbortMessage(error_message_.data());
56 if (common_flags()->print_module_map >= 2 ||
57 (fatal && common_flags()->print_module_map))
58 DumpProcessMap();
59 if (fatal)
60 Die();
61 }
62
63 static void MaybeAppendToErrorMessage(const char *msg) {
64 Lock lock(&error_message_lock_);
65 if (!error_message_ptr_)
66 return;
67 uptr len = internal_strlen(msg);
68 uptr old_size = error_message_ptr_->size();
69 error_message_ptr_->resize(old_size + len);
70 // overwrite old trailing '\0', keep new trailing '\0' untouched.
71 internal_memcpy(&(*error_message_ptr_)[old_size - 1], msg, len);
72 }
73
74 static void SetErrorReportCallback(void (*callback)(const char *)) {
75 Lock lock(&error_message_lock_);
76 error_report_callback_ = callback;
77 }
78
79 private:
80 ScopedErrorReportLock error_report_lock_;
81 InternalMmapVector<char> error_message_;
82 bool fatal;
83
84 static InternalMmapVector<char> *error_message_ptr_;
85 static Mutex error_message_lock_;
86 static void (*error_report_callback_)(const char *);
87 };
88
89 InternalMmapVector<char> *ScopedReport::error_message_ptr_;
90 Mutex ScopedReport::error_message_lock_;
91 void (*ScopedReport::error_report_callback_)(const char *);
92
93 // If there is an active ScopedReport, append to its error message.
94 void AppendToErrorMessageBuffer(const char *buffer) {
95 ScopedReport::MaybeAppendToErrorMessage(buffer);
96 }
97
98 static StackTrace GetStackTraceFromId(u32 id) {
99 CHECK(id);
100 StackTrace res = StackDepotGet(id);
101 CHECK(res.trace);
102 return res;
103 }
104
105 // A RAII object that holds a copy of the current thread stack ring buffer.
106 // The actual stack buffer may change while we are iterating over it (for
107 // example, Printf may call syslog() which can itself be built with hwasan).
108 class SavedStackAllocations {
109 public:
110 SavedStackAllocations(StackAllocationsRingBuffer *rb) {
111 uptr size = rb->size() * sizeof(uptr);
112 void *storage =
113 MmapAlignedOrDieOnFatalError(size, size * 2, "saved stack allocations");
114 new (&rb_) StackAllocationsRingBuffer(*rb, storage);
115 }
116
117 ~SavedStackAllocations() {
118 StackAllocationsRingBuffer *rb = get();
119 UnmapOrDie(rb->StartOfStorage(), rb->size() * sizeof(uptr));
120 }
121
122 StackAllocationsRingBuffer *get() {
123 return (StackAllocationsRingBuffer *)&rb_;
124 }
125
126 private:
127 uptr rb_;
128 };
129
130 class Decorator: public __sanitizer::SanitizerCommonDecorator {
131 public:
132 Decorator() : SanitizerCommonDecorator() { }
133 const char *Access() { return Blue(); }
134 const char *Allocation() const { return Magenta(); }
135 const char *Origin() const { return Magenta(); }
136 const char *Name() const { return Green(); }
137 const char *Location() { return Green(); }
138 const char *Thread() { return Green(); }
139 };
140
141 static bool FindHeapAllocation(HeapAllocationsRingBuffer *rb, uptr tagged_addr,
142 HeapAllocationRecord *har, uptr *ring_index,
143 uptr *num_matching_addrs,
144 uptr *num_matching_addrs_4b) {
145 if (!rb) return false;
146
147 *num_matching_addrs = 0;
148 *num_matching_addrs_4b = 0;
149 for (uptr i = 0, size = rb->size(); i < size; i++) {
150 auto h = (*rb)[i];
151 if (h.tagged_addr <= tagged_addr &&
152 h.tagged_addr + h.requested_size > tagged_addr) {
153 *har = h;
154 *ring_index = i;
155 return true;
156 }
157
158 // Measure the number of heap ring buffer entries that would have matched
159 // if we had only one entry per address (e.g. if the ring buffer data was
160 // stored at the address itself). This will help us tune the allocator
161 // implementation for MTE.
162 if (UntagAddr(h.tagged_addr) <= UntagAddr(tagged_addr) &&
163 UntagAddr(h.tagged_addr) + h.requested_size > UntagAddr(tagged_addr)) {
164 ++*num_matching_addrs;
165 }
166
167 // Measure the number of heap ring buffer entries that would have matched
168 // if we only had 4 tag bits, which is the case for MTE.
169 auto untag_4b = [](uptr p) {
170 return p & ((1ULL << 60) - 1);
171 };
172 if (untag_4b(h.tagged_addr) <= untag_4b(tagged_addr) &&
173 untag_4b(h.tagged_addr) + h.requested_size > untag_4b(tagged_addr)) {
174 ++*num_matching_addrs_4b;
175 }
176 }
177 return false;
178 }
179
180 static void PrintStackAllocations(StackAllocationsRingBuffer *sa,
181 tag_t addr_tag, uptr untagged_addr) {
182 uptr frames = Min((uptr)flags()->stack_history_size, sa->size());
183 bool found_local = false;
184 for (uptr i = 0; i < frames; i++) {
185 const uptr *record_addr = &(*sa)[i];
186 uptr record = *record_addr;
187 if (!record)
188 break;
189 tag_t base_tag =
190 reinterpret_cast<uptr>(record_addr) >> kRecordAddrBaseTagShift;
191 uptr fp = (record >> kRecordFPShift) << kRecordFPLShift;
192 uptr pc_mask = (1ULL << kRecordFPShift) - 1;
193 uptr pc = record & pc_mask;
194 FrameInfo frame;
195 if (Symbolizer::GetOrInit()->SymbolizeFrame(pc, &frame)) {
196 for (LocalInfo &local : frame.locals) {
197 if (!local.has_frame_offset || !local.has_size || !local.has_tag_offset)
198 continue;
199 tag_t obj_tag = base_tag ^ local.tag_offset;
200 if (obj_tag != addr_tag)
201 continue;
202 // Calculate the offset from the object address to the faulting
203 // address. Because we only store bits 4-19 of FP (bits 0-3 are
204 // guaranteed to be zero), the calculation is performed mod 2^20 and may
205 // harmlessly underflow if the address mod 2^20 is below the object
206 // address.
207 uptr obj_offset =
208 (untagged_addr - fp - local.frame_offset) & (kRecordFPModulus - 1);
209 if (obj_offset >= local.size)
210 continue;
211 if (!found_local) {
212 Printf("Potentially referenced stack objects:\n");
213 found_local = true;
214 }
215 Printf(" %s in %s %s:%d\n", local.name, local.function_name,
216 local.decl_file, local.decl_line);
217 }
218 frame.Clear();
219 }
220 }
221
222 if (found_local)
223 return;
224
225 // We didn't find any locals. Most likely we don't have symbols, so dump
226 // the information that we have for offline analysis.
227 InternalScopedString frame_desc;
228 Printf("Previously allocated frames:\n");
229 for (uptr i = 0; i < frames; i++) {
230 const uptr *record_addr = &(*sa)[i];
231 uptr record = *record_addr;
232 if (!record)
233 break;
234 uptr pc_mask = (1ULL << 48) - 1;
235 uptr pc = record & pc_mask;
236 frame_desc.append(" record_addr:0x%zx record:0x%zx",
237 reinterpret_cast<uptr>(record_addr), record);
238 if (SymbolizedStack *frame = Symbolizer::GetOrInit()->SymbolizePC(pc)) {
239 RenderFrame(&frame_desc, " %F %L", 0, frame->info.address, &frame->info,
240 common_flags()->symbolize_vs_style,
241 common_flags()->strip_path_prefix);
242 frame->ClearAll();
243 }
244 Printf("%s\n", frame_desc.data());
245 frame_desc.clear();
246 }
247 }
248
249 // Returns true if tag == *tag_ptr, reading tags from short granules if
250 // necessary. This may return a false positive if tags 1-15 are used as a
251 // regular tag rather than a short granule marker.
252 static bool TagsEqual(tag_t tag, tag_t *tag_ptr) {
253 if (tag == *tag_ptr)
254 return true;
255 if (*tag_ptr == 0 || *tag_ptr > kShadowAlignment - 1)
256 return false;
257 uptr mem = ShadowToMem(reinterpret_cast<uptr>(tag_ptr));
258 tag_t inline_tag = *reinterpret_cast<tag_t *>(mem + kShadowAlignment - 1);
259 return tag == inline_tag;
260 }
261
262 // HWASan globals store the size of the global in the descriptor. In cases where
263 // we don't have a binary with symbols, we can't grab the size of the global
264 // from the debug info - but we might be able to retrieve it from the
265 // descriptor. Returns zero if the lookup failed.
266 static uptr GetGlobalSizeFromDescriptor(uptr ptr) {
267 // Find the ELF object that this global resides in.
268 Dl_info info;
269 if (dladdr(reinterpret_cast<void *>(ptr), &info) == 0)
270 return 0;
271 auto *ehdr = reinterpret_cast<const ElfW(Ehdr) *>(info.dli_fbase);
272 auto *phdr_begin = reinterpret_cast<const ElfW(Phdr) *>(
273 reinterpret_cast<const u8 *>(ehdr) + ehdr->e_phoff);
274
275 // Get the load bias. This is normally the same as the dli_fbase address on
276 // position-independent code, but can be different on non-PIE executables,
277 // binaries using LLD's partitioning feature, or binaries compiled with a
278 // linker script.
279 ElfW(Addr) load_bias = 0;
280 for (const auto &phdr :
281 ArrayRef<const ElfW(Phdr)>(phdr_begin, phdr_begin + ehdr->e_phnum)) {
282 if (phdr.p_type != PT_LOAD || phdr.p_offset != 0)
283 continue;
284 load_bias = reinterpret_cast<ElfW(Addr)>(ehdr) - phdr.p_vaddr;
285 break;
286 }
287
288 // Walk all globals in this ELF object, looking for the one we're interested
289 // in. Once we find it, we can stop iterating and return the size of the
290 // global we're interested in.
291 for (const hwasan_global &global :
292 HwasanGlobalsFor(load_bias, phdr_begin, ehdr->e_phnum))
293 if (global.addr() <= ptr && ptr < global.addr() + global.size())
294 return global.size();
295
296 return 0;
297 }
298
299 static void ShowHeapOrGlobalCandidate(uptr untagged_addr, tag_t *candidate,
300 tag_t *left, tag_t *right) {
301 Decorator d;
302 uptr mem = ShadowToMem(reinterpret_cast<uptr>(candidate));
303 HwasanChunkView chunk = FindHeapChunkByAddress(mem);
304 if (chunk.IsAllocated()) {
305 uptr offset;
306 const char *whence;
307 if (untagged_addr < chunk.End() && untagged_addr >= chunk.Beg()) {
308 offset = untagged_addr - chunk.Beg();
309 whence = "inside";
310 } else if (candidate == left) {
311 offset = untagged_addr - chunk.End();
312 whence = "to the right of";
313 } else {
314 offset = chunk.Beg() - untagged_addr;
315 whence = "to the left of";
316 }
317 Printf("%s", d.Error());
318 Printf("\nCause: heap-buffer-overflow\n");
319 Printf("%s", d.Default());
320 Printf("%s", d.Location());
321 Printf("%p is located %zd bytes %s %zd-byte region [%p,%p)\n",
322 untagged_addr, offset, whence, chunk.UsedSize(), chunk.Beg(),
323 chunk.End());
324 Printf("%s", d.Allocation());
325 Printf("allocated here:\n");
326 Printf("%s", d.Default());
327 GetStackTraceFromId(chunk.GetAllocStackId()).Print();
328 return;
329 }
330 // Check whether the address points into a loaded library. If so, this is
331 // most likely a global variable.
332 const char *module_name;
333 uptr module_address;
334 Symbolizer *sym = Symbolizer::GetOrInit();
335 if (sym->GetModuleNameAndOffsetForPC(mem, &module_name, &module_address)) {
336 Printf("%s", d.Error());
337 Printf("\nCause: global-overflow\n");
338 Printf("%s", d.Default());
339 DataInfo info;
340 Printf("%s", d.Location());
341 if (sym->SymbolizeData(mem, &info) && info.start) {
342 Printf(
343 "%p is located %zd bytes to the %s of %zd-byte global variable "
344 "%s [%p,%p) in %s\n",
345 untagged_addr,
346 candidate == left ? untagged_addr - (info.start + info.size)
347 : info.start - untagged_addr,
348 candidate == left ? "right" : "left", info.size, info.name,
349 info.start, info.start + info.size, module_name);
350 } else {
351 uptr size = GetGlobalSizeFromDescriptor(mem);
352 if (size == 0)
353 // We couldn't find the size of the global from the descriptors.
354 Printf(
355 "%p is located to the %s of a global variable in "
356 "\n #0 0x%x (%s+0x%x)\n",
357 untagged_addr, candidate == left ? "right" : "left", mem,
358 module_name, module_address);
359 else
360 Printf(
361 "%p is located to the %s of a %zd-byte global variable in "
362 "\n #0 0x%x (%s+0x%x)\n",
363 untagged_addr, candidate == left ? "right" : "left", size, mem,
364 module_name, module_address);
365 }
366 Printf("%s", d.Default());
367 }
368 }
369
370 void PrintAddressDescription(
371 uptr tagged_addr, uptr access_size,
372 StackAllocationsRingBuffer *current_stack_allocations) {
373 Decorator d;
374 int num_descriptions_printed = 0;
375 uptr untagged_addr = UntagAddr(tagged_addr);
376
377 if (MemIsShadow(untagged_addr)) {
378 Printf("%s%p is HWAsan shadow memory.\n%s", d.Location(), untagged_addr,
379 d.Default());
380 return;
381 }
382
383 // Print some very basic information about the address, if it's a heap.
384 HwasanChunkView chunk = FindHeapChunkByAddress(untagged_addr);
385 if (uptr beg = chunk.Beg()) {
386 uptr size = chunk.ActualSize();
387 Printf("%s[%p,%p) is a %s %s heap chunk; "
388 "size: %zd offset: %zd\n%s",
389 d.Location(),
390 beg, beg + size,
391 chunk.FromSmallHeap() ? "small" : "large",
392 chunk.IsAllocated() ? "allocated" : "unallocated",
393 size, untagged_addr - beg,
394 d.Default());
395 }
396
397 tag_t addr_tag = GetTagFromPointer(tagged_addr);
398
399 bool on_stack = false;
400 // Check stack first. If the address is on the stack of a live thread, we
401 // know it cannot be a heap / global overflow.
402 hwasanThreadList().VisitAllLiveThreads([&](Thread *t) {
403 if (t->AddrIsInStack(untagged_addr)) {
404 on_stack = true;
405 // TODO(fmayer): figure out how to distinguish use-after-return and
406 // stack-buffer-overflow.
407 Printf("%s", d.Error());
408 Printf("\nCause: stack tag-mismatch\n");
409 Printf("%s", d.Location());
410 Printf("Address %p is located in stack of thread T%zd\n", untagged_addr,
411 t->unique_id());
412 Printf("%s", d.Default());
413 t->Announce();
414
415 auto *sa = (t == GetCurrentThread() && current_stack_allocations)
416 ? current_stack_allocations
417 : t->stack_allocations();
418 PrintStackAllocations(sa, addr_tag, untagged_addr);
419 num_descriptions_printed++;
420 }
421 });
422
423 // Check if this looks like a heap buffer overflow by scanning
424 // the shadow left and right and looking for the first adjacent
425 // object with a different memory tag. If that tag matches addr_tag,
426 // check the allocator if it has a live chunk there.
427 tag_t *tag_ptr = reinterpret_cast<tag_t*>(MemToShadow(untagged_addr));
428 tag_t *candidate = nullptr, *left = tag_ptr, *right = tag_ptr;
429 uptr candidate_distance = 0;
430 for (; candidate_distance < 1000; candidate_distance++) {
431 if (MemIsShadow(reinterpret_cast<uptr>(left)) &&
432 TagsEqual(addr_tag, left)) {
433 candidate = left;
434 break;
435 }
436 --left;
437 if (MemIsShadow(reinterpret_cast<uptr>(right)) &&
438 TagsEqual(addr_tag, right)) {
439 candidate = right;
440 break;
441 }
442 ++right;
443 }
444
445 constexpr auto kCloseCandidateDistance = 1;
446
447 if (!on_stack && candidate && candidate_distance <= kCloseCandidateDistance) {
448 ShowHeapOrGlobalCandidate(untagged_addr, candidate, left, right);
449 num_descriptions_printed++;
450 }
451
452 hwasanThreadList().VisitAllLiveThreads([&](Thread *t) {
453 // Scan all threads' ring buffers to find if it's a heap-use-after-free.
454 HeapAllocationRecord har;
455 uptr ring_index, num_matching_addrs, num_matching_addrs_4b;
456 if (FindHeapAllocation(t->heap_allocations(), tagged_addr, &har,
457 &ring_index, &num_matching_addrs,
458 &num_matching_addrs_4b)) {
459 Printf("%s", d.Error());
460 Printf("\nCause: use-after-free\n");
461 Printf("%s", d.Location());
462 Printf("%p is located %zd bytes inside of %zd-byte region [%p,%p)\n",
463 untagged_addr, untagged_addr - UntagAddr(har.tagged_addr),
464 har.requested_size, UntagAddr(har.tagged_addr),
465 UntagAddr(har.tagged_addr) + har.requested_size);
466 Printf("%s", d.Allocation());
467 Printf("freed by thread T%zd here:\n", t->unique_id());
468 Printf("%s", d.Default());
469 GetStackTraceFromId(har.free_context_id).Print();
470
471 Printf("%s", d.Allocation());
472 Printf("previously allocated here:\n", t);
473 Printf("%s", d.Default());
474 GetStackTraceFromId(har.alloc_context_id).Print();
475
476 // Print a developer note: the index of this heap object
477 // in the thread's deallocation ring buffer.
478 Printf("hwasan_dev_note_heap_rb_distance: %zd %zd\n", ring_index + 1,
479 flags()->heap_history_size);
480 Printf("hwasan_dev_note_num_matching_addrs: %zd\n", num_matching_addrs);
481 Printf("hwasan_dev_note_num_matching_addrs_4b: %zd\n",
482 num_matching_addrs_4b);
483
484 t->Announce();
485 num_descriptions_printed++;
486 }
487 });
488
489 if (candidate && num_descriptions_printed == 0) {
490 ShowHeapOrGlobalCandidate(untagged_addr, candidate, left, right);
491 num_descriptions_printed++;
492 }
493
494 // Print the remaining threads, as an extra information, 1 line per thread.
495 hwasanThreadList().VisitAllLiveThreads([&](Thread *t) { t->Announce(); });
496
497 if (!num_descriptions_printed)
498 // We exhausted our possibilities. Bail out.
499 Printf("HWAddressSanitizer can not describe address in more detail.\n");
500 if (num_descriptions_printed > 1) {
501 Printf(
502 "There are %d potential causes, printed above in order "
503 "of likeliness.\n",
504 num_descriptions_printed);
505 }
506 }
507
508 void ReportStats() {}
509
510 static void PrintTagInfoAroundAddr(tag_t *tag_ptr, uptr num_rows,
511 void (*print_tag)(InternalScopedString &s,
512 tag_t *tag)) {
513 const uptr row_len = 16; // better be power of two.
514 tag_t *center_row_beg = reinterpret_cast<tag_t *>(
515 RoundDownTo(reinterpret_cast<uptr>(tag_ptr), row_len));
516 tag_t *beg_row = center_row_beg - row_len * (num_rows / 2);
517 tag_t *end_row = center_row_beg + row_len * ((num_rows + 1) / 2);
518 InternalScopedString s;
519 for (tag_t *row = beg_row; row < end_row; row += row_len) {
520 s.append("%s", row == center_row_beg ? "=>" : " ");
521 s.append("%p:", (void *)row);
522 for (uptr i = 0; i < row_len; i++) {
523 s.append("%s", row + i == tag_ptr ? "[" : " ");
524 print_tag(s, &row[i]);
525 s.append("%s", row + i == tag_ptr ? "]" : " ");
526 }
527 s.append("\n");
528 }
529 Printf("%s", s.data());
530 }
531
532 static void PrintTagsAroundAddr(tag_t *tag_ptr) {
533 Printf(
534 "Memory tags around the buggy address (one tag corresponds to %zd "
535 "bytes):\n", kShadowAlignment);
536 PrintTagInfoAroundAddr(tag_ptr, 17, [](InternalScopedString &s, tag_t *tag) {
537 s.append("%02x", *tag);
538 });
539
540 Printf(
541 "Tags for short granules around the buggy address (one tag corresponds "
542 "to %zd bytes):\n",
543 kShadowAlignment);
544 PrintTagInfoAroundAddr(tag_ptr, 3, [](InternalScopedString &s, tag_t *tag) {
545 if (*tag >= 1 && *tag <= kShadowAlignment) {
546 uptr granule_addr = ShadowToMem(reinterpret_cast<uptr>(tag));
547 s.append("%02x",
548 *reinterpret_cast<u8 *>(granule_addr + kShadowAlignment - 1));
549 } else {
550 s.append("..");
551 }
552 });
553 Printf(
554 "See "
555 "https://clang.llvm.org/docs/"
556 "HardwareAssistedAddressSanitizerDesign.html#short-granules for a "
557 "description of short granule tags\n");
558 }
559
560 uptr GetTopPc(StackTrace *stack) {
561 return stack->size ? StackTrace::GetPreviousInstructionPc(stack->trace[0])
562 : 0;
563 }
564
565 void ReportInvalidFree(StackTrace *stack, uptr tagged_addr) {
566 ScopedReport R(flags()->halt_on_error);
567
568 uptr untagged_addr = UntagAddr(tagged_addr);
569 tag_t ptr_tag = GetTagFromPointer(tagged_addr);
570 tag_t *tag_ptr = nullptr;
571 tag_t mem_tag = 0;
572 if (MemIsApp(untagged_addr)) {
573 tag_ptr = reinterpret_cast<tag_t *>(MemToShadow(untagged_addr));
574 if (MemIsShadow(reinterpret_cast<uptr>(tag_ptr)))
575 mem_tag = *tag_ptr;
576 else
577 tag_ptr = nullptr;
578 }
579 Decorator d;
580 Printf("%s", d.Error());
581 uptr pc = GetTopPc(stack);
582 const char *bug_type = "invalid-free";
583 const Thread *thread = GetCurrentThread();
584 if (thread) {
585 Report("ERROR: %s: %s on address %p at pc %p on thread T%zd\n",
586 SanitizerToolName, bug_type, untagged_addr, pc, thread->unique_id());
587 } else {
588 Report("ERROR: %s: %s on address %p at pc %p on unknown thread\n",
589 SanitizerToolName, bug_type, untagged_addr, pc);
590 }
591 Printf("%s", d.Access());
592 if (tag_ptr)
593 Printf("tags: %02x/%02x (ptr/mem)\n", ptr_tag, mem_tag);
594 Printf("%s", d.Default());
595
596 stack->Print();
597
598 PrintAddressDescription(tagged_addr, 0, nullptr);
599
600 if (tag_ptr)
601 PrintTagsAroundAddr(tag_ptr);
602
603 ReportErrorSummary(bug_type, stack);
604 }
605
606 void ReportTailOverwritten(StackTrace *stack, uptr tagged_addr, uptr orig_size,
607 const u8 *expected) {
608 uptr tail_size = kShadowAlignment - (orig_size % kShadowAlignment);
609 u8 actual_expected[kShadowAlignment];
610 internal_memcpy(actual_expected, expected, tail_size);
611 tag_t ptr_tag = GetTagFromPointer(tagged_addr);
612 // Short granule is stashed in the last byte of the magic string. To avoid
613 // confusion, make the expected magic string contain the short granule tag.
614 if (orig_size % kShadowAlignment != 0) {
615 actual_expected[tail_size - 1] = ptr_tag;
616 }
617
618 ScopedReport R(flags()->halt_on_error);
619 Decorator d;
620 uptr untagged_addr = UntagAddr(tagged_addr);
621 Printf("%s", d.Error());
622 const char *bug_type = "allocation-tail-overwritten";
623 Report("ERROR: %s: %s; heap object [%p,%p) of size %zd\n", SanitizerToolName,
624 bug_type, untagged_addr, untagged_addr + orig_size, orig_size);
625 Printf("\n%s", d.Default());
626 Printf(
627 "Stack of invalid access unknown. Issue detected at deallocation "
628 "time.\n");
629 Printf("%s", d.Allocation());
630 Printf("deallocated here:\n");
631 Printf("%s", d.Default());
632 stack->Print();
633 HwasanChunkView chunk = FindHeapChunkByAddress(untagged_addr);
634 if (chunk.Beg()) {
635 Printf("%s", d.Allocation());
636 Printf("allocated here:\n");
637 Printf("%s", d.Default());
638 GetStackTraceFromId(chunk.GetAllocStackId()).Print();
639 }
640
641 InternalScopedString s;
642 CHECK_GT(tail_size, 0U);
643 CHECK_LT(tail_size, kShadowAlignment);
644 u8 *tail = reinterpret_cast<u8*>(untagged_addr + orig_size);
645 s.append("Tail contains: ");
646 for (uptr i = 0; i < kShadowAlignment - tail_size; i++)
647 s.append(".. ");
648 for (uptr i = 0; i < tail_size; i++)
649 s.append("%02x ", tail[i]);
650 s.append("\n");
651 s.append("Expected: ");
652 for (uptr i = 0; i < kShadowAlignment - tail_size; i++)
653 s.append(".. ");
654 for (uptr i = 0; i < tail_size; i++) s.append("%02x ", actual_expected[i]);
655 s.append("\n");
656 s.append(" ");
657 for (uptr i = 0; i < kShadowAlignment - tail_size; i++)
658 s.append(" ");
659 for (uptr i = 0; i < tail_size; i++)
660 s.append("%s ", actual_expected[i] != tail[i] ? "^^" : " ");
661
662 s.append("\nThis error occurs when a buffer overflow overwrites memory\n"
663 "to the right of a heap object, but within the %zd-byte granule, e.g.\n"
664 " char *x = new char[20];\n"
665 " x[25] = 42;\n"
666 "%s does not detect such bugs in uninstrumented code at the time of write,"
667 "\nbut can detect them at the time of free/delete.\n"
668 "To disable this feature set HWASAN_OPTIONS=free_checks_tail_magic=0\n",
669 kShadowAlignment, SanitizerToolName);
670 Printf("%s", s.data());
671 GetCurrentThread()->Announce();
672
673 tag_t *tag_ptr = reinterpret_cast<tag_t*>(MemToShadow(untagged_addr));
674 PrintTagsAroundAddr(tag_ptr);
675
676 ReportErrorSummary(bug_type, stack);
677 }
678
679 void ReportTagMismatch(StackTrace *stack, uptr tagged_addr, uptr access_size,
680 bool is_store, bool fatal, uptr *registers_frame) {
681 ScopedReport R(fatal);
682 SavedStackAllocations current_stack_allocations(
683 GetCurrentThread()->stack_allocations());
684
685 Decorator d;
686 uptr untagged_addr = UntagAddr(tagged_addr);
687 // TODO: when possible, try to print heap-use-after-free, etc.
688 const char *bug_type = "tag-mismatch";
689 uptr pc = GetTopPc(stack);
690 Printf("%s", d.Error());
691 Report("ERROR: %s: %s on address %p at pc %p\n", SanitizerToolName, bug_type,
692 untagged_addr, pc);
693
694 Thread *t = GetCurrentThread();
695
696 sptr offset =
697 __hwasan_test_shadow(reinterpret_cast<void *>(tagged_addr), access_size);
698 CHECK(offset >= 0 && offset < static_cast<sptr>(access_size));
699 tag_t ptr_tag = GetTagFromPointer(tagged_addr);
700 tag_t *tag_ptr =
701 reinterpret_cast<tag_t *>(MemToShadow(untagged_addr + offset));
702 tag_t mem_tag = *tag_ptr;
703
704 Printf("%s", d.Access());
705 if (mem_tag && mem_tag < kShadowAlignment) {
706 tag_t *granule_ptr = reinterpret_cast<tag_t *>((untagged_addr + offset) &
707 ~(kShadowAlignment - 1));
708 // If offset is 0, (untagged_addr + offset) is not aligned to granules.
709 // This is the offset of the leftmost accessed byte within the bad granule.
710 u8 in_granule_offset = (untagged_addr + offset) & (kShadowAlignment - 1);
711 tag_t short_tag = granule_ptr[kShadowAlignment - 1];
712 // The first mismatch was a short granule that matched the ptr_tag.
713 if (short_tag == ptr_tag) {
714 // If the access starts after the end of the short granule, then the first
715 // bad byte is the first byte of the access; otherwise it is the first
716 // byte past the end of the short granule
717 if (mem_tag > in_granule_offset) {
718 offset += mem_tag - in_granule_offset;
719 }
720 }
721 Printf(
722 "%s of size %zu at %p tags: %02x/%02x(%02x) (ptr/mem) in thread T%zd\n",
723 is_store ? "WRITE" : "READ", access_size, untagged_addr, ptr_tag,
724 mem_tag, short_tag, t->unique_id());
725 } else {
726 Printf("%s of size %zu at %p tags: %02x/%02x (ptr/mem) in thread T%zd\n",
727 is_store ? "WRITE" : "READ", access_size, untagged_addr, ptr_tag,
728 mem_tag, t->unique_id());
729 }
730 if (offset != 0)
731 Printf("Invalid access starting at offset %zu\n", offset);
732 Printf("%s", d.Default());
733
734 stack->Print();
735
736 PrintAddressDescription(tagged_addr, access_size,
737 current_stack_allocations.get());
738 t->Announce();
739
740 PrintTagsAroundAddr(tag_ptr);
741
742 if (registers_frame)
743 ReportRegisters(registers_frame, pc);
744
745 ReportErrorSummary(bug_type, stack);
746 }
747
748 // See the frame breakdown defined in __hwasan_tag_mismatch (from
749 // hwasan_tag_mismatch_aarch64.S).
750 void ReportRegisters(uptr *frame, uptr pc) {
751 Printf("Registers where the failure occurred (pc %p):\n", pc);
752
753 // We explicitly print a single line (4 registers/line) each iteration to
754 // reduce the amount of logcat error messages printed. Each Printf() will
755 // result in a new logcat line, irrespective of whether a newline is present,
756 // and so we wish to reduce the number of Printf() calls we have to make.
757 Printf(" x0 %016llx x1 %016llx x2 %016llx x3 %016llx\n",
758 frame[0], frame[1], frame[2], frame[3]);
759 Printf(" x4 %016llx x5 %016llx x6 %016llx x7 %016llx\n",
760 frame[4], frame[5], frame[6], frame[7]);
761 Printf(" x8 %016llx x9 %016llx x10 %016llx x11 %016llx\n",
762 frame[8], frame[9], frame[10], frame[11]);
763 Printf(" x12 %016llx x13 %016llx x14 %016llx x15 %016llx\n",
764 frame[12], frame[13], frame[14], frame[15]);
765 Printf(" x16 %016llx x17 %016llx x18 %016llx x19 %016llx\n",
766 frame[16], frame[17], frame[18], frame[19]);
767 Printf(" x20 %016llx x21 %016llx x22 %016llx x23 %016llx\n",
768 frame[20], frame[21], frame[22], frame[23]);
769 Printf(" x24 %016llx x25 %016llx x26 %016llx x27 %016llx\n",
770 frame[24], frame[25], frame[26], frame[27]);
771 // hwasan_check* reduces the stack pointer by 256, then __hwasan_tag_mismatch
772 // passes it to this function.
773 Printf(" x28 %016llx x29 %016llx x30 %016llx sp %016llx\n", frame[28],
774 frame[29], frame[30], reinterpret_cast<u8 *>(frame) + 256);
775 }
776
777 } // namespace __hwasan
778
779 void __hwasan_set_error_report_callback(void (*callback)(const char *)) {
780 __hwasan::ScopedReport::SetErrorReportCallback(callback);
781 }
LLVM monorepo