mirror of
https://github.com/intel/llvm.git
synced 2026-01-19 09:31:59 +08:00
6a89439423
The fixes a TOCTOU bug in the code that initializes shadow memory in
ASAN:
4b05581bae/compiler-rt/lib/asan/asan_shadow_setup.cpp (L66-L91)
1. During initialization, we call `FindDynamicShadowStart` to search the
memory mapping for enough space to dynamically allocate shadow memory.
2. We call `MemoryRangeIsAvailable(shadow_start, kHighShadowEnd);`,
which goes into `MemoryMappingLayout`.
3. We actually map the shadow with `ReserveShadowMemoryRange`.
In step 2, `MemoryMappingLayout` makes various allocations using the
internal allocator. This can cause the allocator to map more memory! In
some cases, this can actually allocate memory that overlaps with the
shadow region returned by` FindDynamicShadowStart` in step 1. This is
not actually fatal, but it memory corruption; MAP_FIXED is allowed to
overlap other regions, and the effect is any overlapping memory is
zeroed.
------
To address this, this PR implements `MemoryRangeIsAvailable` on Darwin
without any heap allocations:
- Move `IntervalsAreSeparate` into sanitizer_common.h
- Guard existing sanitizer_posix implementation of
`MemoryRangeIsAvailable` behind !SANITIZER_APPLE
- `IsAddressInMappedRegion` in sanitizer_mac becomes
`MemoryRangeIsAvailable`, which also checks for overlap with the DYLD
shared cache.
After this fix, it should be possible to re-land #166005, which
triggered this issue on the x86 iOS simulators.
rdar://164208439
Compiler-RT ================================ This directory and its subdirectories contain source code for the compiler support routines. Compiler-RT is open source software. You may freely distribute it under the terms of the license agreement found in LICENSE.txt. ================================