compiler-rt/test/hwasan/TestCases/heap-buffer-overflow.c

   1 // RUN: %clang_hwasan  %s -o %t
   2 // RUN: not %run %t 40 2>&1 | FileCheck %s --check-prefix=CHECK40
   3 // RUN: not %run %t 80 2>&1 | FileCheck %s --check-prefix=CHECK80
   4 // RUN: not %run %t -30 2>&1 | FileCheck %s --check-prefix=CHECKm30
   5 // RUN: not %run %t -30 1000000 2>&1 | FileCheck %s --check-prefix=CHECKMm30
   6 // RUN: not %run %t 1000000 1000000 2>&1 | FileCheck %s --check-prefix=CHECKM
   7
   8 // Test OOB within the granule.
   9 // RUN: not %run %t 31 2>&1 | FileCheck %s --check-prefix=CHECK31
  10 // RUN: not %run %t 30 20 2>&1 | FileCheck %s --check-prefix=CHECK20
  11
  12 #include <stdlib.h>
  13 #include <stdio.h>
  14 #include <sanitizer/hwasan_interface.h>
  15
  16 static volatile char sink;
  17
  18 int main(int argc, char **argv) {
  19   __hwasan_enable_allocator_tagging();
  20   int offset = argc < 2 ? 40 : atoi(argv[1]);
  21   int size = argc < 3 ? 30 : atoi(argv[2]);
  22   char * volatile x = (char*)malloc(size);
  23   fprintf(stderr, "base: %p access: %p\n", x, &x[offset]);
  24   sink = x[offset];
  25
  26 #if defined(__x86_64__)
  27   // Aliasing mode doesn't support the secondary allocator, so we fake a HWASan
  28   // report instead of disabling the entire test.
  29   if (size == 1000000) {
  30     fprintf(stderr, "is a large allocated heap chunk; size: 1003520 offset: %d\n",
  31             offset);
  32     fprintf(stderr, "Cause: heap-buffer-overflow\n");
  33     fprintf(stderr, "is located %s a 1000000-byte region\n",
  34             offset == -30 ? "30 bytes before" : "0 bytes after");
  35     return -1;
  36   }
  37 #endif
  38
  39   // CHECK40: allocated heap chunk; size: 32 offset: 8
  40   // CHECK40: Cause: heap-buffer-overflow
  41   // CHECK40: is located 10 bytes after a 30-byte region
  42   //
  43   // CHECK80: allocated heap chunk; size: 32 offset: 16
  44   // CHECK80: Cause: heap-buffer-overflow
  45   // CHECK80: is located 50 bytes after a 30-byte region
  46   //
  47   // CHECKm30: Cause: heap-buffer-overflow
  48   // CHECKm30: is located 30 bytes before a 30-byte region
  49   //
  50   // CHECKMm30: is a large allocated heap chunk; size: 1003520 offset: -30
  51   // CHECKMm30: Cause: heap-buffer-overflow
  52   // CHECKMm30: is located 30 bytes before a 1000000-byte region
  53   //
  54   // CHECKM: is a large allocated heap chunk; size: 1003520 offset: 1000000
  55   // CHECKM: Cause: heap-buffer-overflow
  56   // CHECKM: is located 0 bytes after a 1000000-byte region
  57   //
  58   // CHECK31: tags: [[TAG:..]]/0e([[TAG]]) (ptr/mem)
  59   // CHECK31-NOT: Invalid access starting at offset
  60   // CHECK31: Cause: heap-buffer-overflow
  61   // CHECK31: is located 1 bytes after a 30-byte region
  62   // CHECK31: Memory tags around the buggy address
  63   // CHECK31: [0e]
  64   // CHECK31: Tags for short granules around the buggy address
  65   // CHECK31: {{\[}}[[TAG]]]
  66   //
  67   // CHECK20-NOT: Invalid access starting at offset
  68   // CHECK20: Cause: heap-buffer-overflow
  69   // CHECK20: is located 10 bytes after a 20-byte region [0x{{.*}}0,0x{{.*}}4)
  70   free(x);
  71 }