asan_poisoning.cpp source code [compiler-rt/lib/asan/asan_poisoning.cpp]

1	//===-- asan_poisoning.cpp ------------------------------------------------===//
2	//
3	// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4	// See https://llvm.org/LICENSE.txt for license information.
5	// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6	//
7	//===----------------------------------------------------------------------===//
8	//
9	// This file is a part of AddressSanitizer, an address sanity checker.
10	//
11	// Shadow memory poisoning by ASan RTL and by user application.
12	//===----------------------------------------------------------------------===//
13
14	#include "asan_poisoning.h"
15
16	#include "asan_report.h"
17	#include "asan_stack.h"
18	#include "sanitizer_common/sanitizer_atomic.h"
19	#include "sanitizer_common/sanitizer_flags.h"
20	#include "sanitizer_common/sanitizer_interface_internal.h"
21	#include "sanitizer_common/sanitizer_libc.h"
22
23	namespace __asan {
24
25	static atomic_uint8_t can_poison_memory;
26
27	void SetCanPoisonMemory(bool value) {
28	atomic_store(a: &can_poison_memory, v: value, mo: memory_order_release);
29	}
30
31	bool CanPoisonMemory() {
32	return atomic_load(a: &can_poison_memory, mo: memory_order_acquire);
33	}
34
35	void PoisonShadow(uptr addr, uptr size, u8 value) {
36	if (value && !CanPoisonMemory()) return;
37	CHECK(AddrIsAlignedByGranularity(addr));
38	CHECK(AddrIsInMem(addr));
39	CHECK(AddrIsAlignedByGranularity(addr + size));
40	CHECK(AddrIsInMem(addr + size - ASAN_SHADOW_GRANULARITY));
41	CHECK(REAL(memset));
42	FastPoisonShadow(aligned_beg: addr, aligned_size: size, value);
43	}
44
45	void PoisonShadowPartialRightRedzone(uptr addr,
46	uptr size,
47	uptr redzone_size,
48	u8 value) {
49	if (!CanPoisonMemory()) return;
50	CHECK(AddrIsAlignedByGranularity(addr));
51	CHECK(AddrIsInMem(addr));
52	FastPoisonShadowPartialRightRedzone(aligned_addr: addr, size, redzone_size, value);
53	}
54
55	struct ShadowSegmentEndpoint {
56	u8 *chunk;
57	s8 offset; // in [0, ASAN_SHADOW_GRANULARITY)
58	s8 value; // = chunk;*
59
60	explicit ShadowSegmentEndpoint(uptr address) {
61	chunk = (u8*)MemToShadow(p: address);
62	offset = address & (ASAN_SHADOW_GRANULARITY - `1`);
63	value = *chunk;
64	}
65	};
66
67	void AsanPoisonOrUnpoisonIntraObjectRedzone(uptr ptr, uptr size, bool poison) {
68	uptr end = ptr + size;
69	if (Verbosity()) {
70	Printf(format: "__asan_%spoison_intra_object_redzone [%p,%p) %zd\n",
71	poison ? "" : "un", (void )ptr, (void* *)end, size);
72	if (Verbosity() >= `2`)
73	PRINT_CURRENT_STACK();
74	}
75	CHECK(size);
76	CHECK_LE(size, `4096`);
77	CHECK(IsAligned(end, ASAN_SHADOW_GRANULARITY));
78	if (!IsAligned(a: ptr, ASAN_SHADOW_GRANULARITY)) {
79	(u8 )MemToShadow(p: ptr) =
80	poison ? static_cast<u8>(ptr % ASAN_SHADOW_GRANULARITY) : `0`;
81	ptr \|= ASAN_SHADOW_GRANULARITY - `1`;
82	ptr++;
83	}
84	for (; ptr < end; ptr += ASAN_SHADOW_GRANULARITY)
85	(u8)MemToShadow(p: ptr) = poison ? kAsanIntraObjectRedzone : `0`;
86	}
87
88	} // namespace __asan
89
90	// ---------------------- Interface ---------------- {{{1
91	using namespace __asan;
92
93	// Current implementation of __asan_(un)poison_memory_region doesn't check
94	// that user program (un)poisons the memory it owns. It poisons memory
95	// conservatively, and unpoisons progressively to make sure asan shadow
96	// mapping invariant is preserved (see detailed mapping description here:
97	// https://github.com/google/sanitizers/wiki/AddressSanitizerAlgorithm).
98	//
99	// if user asks to poison region [left, right), the program poisons*
100	// at least [left, AlignDown(right)).
101	// if user asks to unpoison region [left, right), the program unpoisons*
102	// at most [AlignDown(left), right).
103	void __asan_poison_memory_region(void const volatile *addr, uptr size) {
104	if (!flags()->allow_user_poisoning \|\| size == `0`) return;
105	uptr beg_addr = (uptr)addr;
106	uptr end_addr = beg_addr + size;
107	VPrintf(`3`, "Trying to poison memory region [%p, %p)\n", (void *)beg_addr,
108	(void *)end_addr);
109	ShadowSegmentEndpoint beg(beg_addr);
110	ShadowSegmentEndpoint end(end_addr);
111	if (beg.chunk == end.chunk) {
112	CHECK_LT(beg.offset, end.offset);
113	s8 value = beg.value;
114	CHECK_EQ(value, end.value);
115	// We can only poison memory if the byte in end.offset is unaddressable.
116	// No need to re-poison memory if it is poisoned already.
117	if (value > `0` && value <= end.offset) {
118	if (beg.offset > `0`) {
119	*beg.chunk = Min(a: value, b: beg.offset);
120	} else {
121	*beg.chunk = kAsanUserPoisonedMemoryMagic;
122	}
123	}
124	return;
125	}
126	CHECK_LT(beg.chunk, end.chunk);
127	if (beg.offset > `0`) {
128	// Mark bytes from beg.offset as unaddressable.
129	if (beg.value == `0`) {
130	*beg.chunk = beg.offset;
131	} else {
132	*beg.chunk = Min(a: beg.value, b: beg.offset);
133	}
134	beg.chunk++;
135	}
136	REAL(memset)(beg.chunk, kAsanUserPoisonedMemoryMagic, end.chunk - beg.chunk);
137	// Poison if byte in end.offset is unaddressable.
138	if (end.value > `0` && end.value <= end.offset) {
139	*end.chunk = kAsanUserPoisonedMemoryMagic;
140	}
141	}
142
143	void __asan_unpoison_memory_region(void const volatile *addr, uptr size) {
144	if (!flags()->allow_user_poisoning \|\| size == `0`) return;
145	uptr beg_addr = (uptr)addr;
146	uptr end_addr = beg_addr + size;
147	VPrintf(`3`, "Trying to unpoison memory region [%p, %p)\n", (void *)beg_addr,
148	(void *)end_addr);
149	ShadowSegmentEndpoint beg(beg_addr);
150	ShadowSegmentEndpoint end(end_addr);
151	if (beg.chunk == end.chunk) {
152	CHECK_LT(beg.offset, end.offset);
153	s8 value = beg.value;
154	CHECK_EQ(value, end.value);
155	// We unpoison memory bytes up to enbytes up to end.offset if it is not
156	// unpoisoned already.
157	if (value != `0`) {
158	*beg.chunk = Max(a: value, b: end.offset);
159	}
160	return;
161	}
162	CHECK_LT(beg.chunk, end.chunk);
163	REAL(memset)(beg.chunk, `0`, end.chunk - beg.chunk);
164	if (end.offset > `0` && end.value != `0`) {
165	*end.chunk = Max(a: end.value, b: end.offset);
166	}
167	}
168
169	int __asan_address_is_poisoned(void const volatile *addr) {
170	return __asan::AddressIsPoisoned(a: (uptr)addr);
171	}
172
173	uptr __asan_region_is_poisoned(uptr beg, uptr size) {
174	if (!size)
175	return `0`;
176	uptr end = beg + size;
177	if (!AddrIsInMem(a: beg))
178	return beg;
179	if (!AddrIsInMem(a: end))
180	return end;
181	CHECK_LT(beg, end);
182	uptr aligned_b = RoundUpTo(size: beg, ASAN_SHADOW_GRANULARITY);
183	uptr aligned_e = RoundDownTo(x: end, ASAN_SHADOW_GRANULARITY);
184	uptr shadow_beg = MemToShadow(p: aligned_b);
185	uptr shadow_end = MemToShadow(p: aligned_e);
186	// First check the first and the last application bytes,
187	// then check the ASAN_SHADOW_GRANULARITY-aligned region by calling
188	// mem_is_zero on the corresponding shadow.
189	if (!__asan::AddressIsPoisoned(a: beg) && !__asan::AddressIsPoisoned(a: end - `1`) &&
190	(shadow_end <= shadow_beg \|\|
191	__sanitizer::mem_is_zero(mem: (const char *)shadow_beg,
192	size: shadow_end - shadow_beg)))
193	return `0`;
194	// The fast check failed, so we have a poisoned byte somewhere.
195	// Find it slowly.
196	for (; beg < end; beg++)
197	if (__asan::AddressIsPoisoned(a: beg))
198	return beg;
199	UNREACHABLE("mem_is_zero returned false, but poisoned byte was not found");
200	return `0`;
201	}
202
203	#define CHECK_SMALL_REGION(p, size, isWrite) \
204	do { \
205	uptr __p = reinterpret_cast<uptr>(p); \
206	uptr __size = size; \
207	if (UNLIKELY(__asan::AddressIsPoisoned(__p) \|\| \
208	__asan::AddressIsPoisoned(__p + __size - 1))) { \
209	GET_CURRENT_PC_BP_SP; \
210	uptr __bad = __asan_region_is_poisoned(__p, __size); \
211	__asan_report_error(pc, bp, sp, __bad, isWrite, __size, 0);\
212	} \
213	} while (false)
214
215
216	extern "C" SANITIZER_INTERFACE_ATTRIBUTE
217	u16 __sanitizer_unaligned_load16(const uu16 *p) {
218	CHECK_SMALL_REGION(p, sizeof(p), false*);
219	return *p;
220	}
221
222	extern "C" SANITIZER_INTERFACE_ATTRIBUTE
223	u32 __sanitizer_unaligned_load32(const uu32 *p) {
224	CHECK_SMALL_REGION(p, sizeof(p), false*);
225	return *p;
226	}
227
228	extern "C" SANITIZER_INTERFACE_ATTRIBUTE
229	u64 __sanitizer_unaligned_load64(const uu64 *p) {
230	CHECK_SMALL_REGION(p, sizeof(p), false*);
231	return *p;
232	}
233
234	extern "C" SANITIZER_INTERFACE_ATTRIBUTE
235	void __sanitizer_unaligned_store16(uu16 *p, u16 x) {
236	CHECK_SMALL_REGION(p, sizeof(p), true*);
237	*p = x;
238	}
239
240	extern "C" SANITIZER_INTERFACE_ATTRIBUTE
241	void __sanitizer_unaligned_store32(uu32 *p, u32 x) {
242	CHECK_SMALL_REGION(p, sizeof(p), true*);
243	*p = x;
244	}
245
246	extern "C" SANITIZER_INTERFACE_ATTRIBUTE
247	void __sanitizer_unaligned_store64(uu64 *p, u64 x) {
248	CHECK_SMALL_REGION(p, sizeof(p), true*);
249	*p = x;
250	}
251
252	extern "C" SANITIZER_INTERFACE_ATTRIBUTE
253	void __asan_poison_cxx_array_cookie(uptr p) {
254	if (SANITIZER_WORDSIZE != `64`) return;
255	if (!flags()->poison_array_cookie) return;
256	uptr s = MEM_TO_SHADOW(p);
257	*reinterpret_cast<u8*>(s) = kAsanArrayCookieMagic;
258	}
259
260	extern "C" SANITIZER_INTERFACE_ATTRIBUTE
261	uptr __asan_load_cxx_array_cookie(uptr *p) {
262	if (SANITIZER_WORDSIZE != `64`) return *p;
263	if (!flags()->poison_array_cookie) return *p;
264	uptr s = MEM_TO_SHADOW(reinterpret_cast<uptr>(p));
265	u8 sval = *reinterpret_cast<u8*>(s);
266	if (sval == kAsanArrayCookieMagic) return *p;
267	// If sval is not kAsanArrayCookieMagic it can only be freed memory,
268	// which means that we are going to get double-free. So, return 0 to avoid
269	// infinite loop of destructors. We don't want to report a double-free here
270	// though, so print a warning just in case.
271	// CHECK_EQ(sval, kAsanHeapFreeMagic);
272	if (sval == kAsanHeapFreeMagic) {
273	Report(format: "AddressSanitizer: loaded array cookie from free-d memory; "
274	"expect a double-free report\n");
275	return `0`;
276	}
277	// The cookie may remain unpoisoned if e.g. it comes from a custom
278	// operator new defined inside a class.
279	return *p;
280	}
281
282	// This is a simplified version of __asan_(un)poison_memory_region, which
283	// assumes that left border of region to be poisoned is properly aligned.
284	static void PoisonAlignedStackMemory(uptr addr, uptr size, bool do_poison) {
285	if (size == `0`) return;
286	uptr aligned_size = size & ~(ASAN_SHADOW_GRANULARITY - `1`);
287	PoisonShadow(addr, size: aligned_size,
288	value: do_poison ? kAsanStackUseAfterScopeMagic : `0`);
289	if (size == aligned_size)
290	return;
291	s8 end_offset = (s8)(size - aligned_size);
292	s8* shadow_end = (s8*)MemToShadow(p: addr + aligned_size);
293	s8 end_value = *shadow_end;
294	if (do_poison) {
295	// If possible, mark all the bytes mapping to last shadow byte as
296	// unaddressable.
297	if (end_value > `0` && end_value <= end_offset)
298	*shadow_end = (s8)kAsanStackUseAfterScopeMagic;
299	} else {
300	// If necessary, mark few first bytes mapping to last shadow byte
301	// as addressable
302	if (end_value != `0`)
303	*shadow_end = Max(a: end_value, b: end_offset);
304	}
305	}
306
307	void __asan_set_shadow_00(uptr addr, uptr size) {
308	REAL(memset)((void *)addr, `0`, size);
309	}
310
311	void __asan_set_shadow_01(uptr addr, uptr size) {
312	REAL(memset)((void *)addr, `0x01`, size);
313	}
314
315	void __asan_set_shadow_02(uptr addr, uptr size) {
316	REAL(memset)((void *)addr, `0x02`, size);
317	}
318
319	void __asan_set_shadow_03(uptr addr, uptr size) {
320	REAL(memset)((void *)addr, `0x03`, size);
321	}
322
323	void __asan_set_shadow_04(uptr addr, uptr size) {
324	REAL(memset)((void *)addr, `0x04`, size);
325	}
326
327	void __asan_set_shadow_05(uptr addr, uptr size) {
328	REAL(memset)((void *)addr, `0x05`, size);
329	}
330
331	void __asan_set_shadow_06(uptr addr, uptr size) {
332	REAL(memset)((void *)addr, `0x06`, size);
333	}
334
335	void __asan_set_shadow_07(uptr addr, uptr size) {
336	REAL(memset)((void *)addr, `0x07`, size);
337	}
338
339	void __asan_set_shadow_f1(uptr addr, uptr size) {
340	REAL(memset)((void *)addr, `0xf1`, size);
341	}
342
343	void __asan_set_shadow_f2(uptr addr, uptr size) {
344	REAL(memset)((void *)addr, `0xf2`, size);
345	}
346
347	void __asan_set_shadow_f3(uptr addr, uptr size) {
348	REAL(memset)((void *)addr, `0xf3`, size);
349	}
350
351	void __asan_set_shadow_f5(uptr addr, uptr size) {
352	REAL(memset)((void *)addr, `0xf5`, size);
353	}
354
355	void __asan_set_shadow_f8(uptr addr, uptr size) {
356	REAL(memset)((void *)addr, `0xf8`, size);
357	}
358
359	void __asan_poison_stack_memory(uptr addr, uptr size) {
360	VReport(`1`, "poisoning: %p %zx\n", (void *)addr, size);
361	PoisonAlignedStackMemory(addr, size, do_poison: true);
362	}
363
364	void __asan_unpoison_stack_memory(uptr addr, uptr size) {
365	VReport(`1`, "unpoisoning: %p %zx\n", (void *)addr, size);
366	PoisonAlignedStackMemory(addr, size, do_poison: false);
367	}
368
369	static void FixUnalignedStorage(uptr storage_beg, uptr storage_end,
370	uptr &old_beg, uptr &old_end, uptr &new_beg,
371	uptr &new_end) {
372	constexpr uptr granularity = ASAN_SHADOW_GRANULARITY;
373	if (UNLIKELY(!AddrIsAlignedByGranularity(storage_end))) {
374	uptr end_down = RoundDownTo(x: storage_end, boundary: granularity);
375	// Ignore the last unaligned granule if the storage is followed by
376	// unpoisoned byte, because we can't poison the prefix anyway. Don't call
377	// AddressIsPoisoned at all if container changes does not affect the last
378	// granule at all.
379	if ((((old_end != new_end) && Max(a: old_end, b: new_end) > end_down) \|\|
380	((old_beg != new_beg) && Max(a: old_beg, b: new_beg) > end_down)) &&
381	!AddressIsPoisoned(a: storage_end)) {
382	old_beg = Min(a: end_down, b: old_beg);
383	old_end = Min(a: end_down, b: old_end);
384	new_beg = Min(a: end_down, b: new_beg);
385	new_end = Min(a: end_down, b: new_end);
386	}
387	}
388
389	// Handle misaligned begin and cut it off.
390	if (UNLIKELY(!AddrIsAlignedByGranularity(storage_beg))) {
391	uptr beg_up = RoundUpTo(size: storage_beg, boundary: granularity);
392	// The first unaligned granule needs special handling only if we had bytes
393	// there before and will have none after.
394	if ((new_beg == new_end \|\| new_beg >= beg_up) && old_beg != old_end &&
395	old_beg < beg_up) {
396	// Keep granule prefix outside of the storage unpoisoned.
397	uptr beg_down = RoundDownTo(x: storage_beg, boundary: granularity);
398	(u8 )MemToShadow(p: beg_down) = storage_beg - beg_down;
399	old_beg = Max(a: beg_up, b: old_beg);
400	old_end = Max(a: beg_up, b: old_end);
401	new_beg = Max(a: beg_up, b: new_beg);
402	new_end = Max(a: beg_up, b: new_end);
403	}
404	}
405	}
406
407	void __sanitizer_annotate_contiguous_container(const void *beg_p,
408	const void *end_p,
409	const void *old_mid_p,
410	const void *new_mid_p) {
411	if (!flags()->detect_container_overflow)
412	return;
413	VPrintf(`2`, "contiguous_container: %p %p %p %p\n", beg_p, end_p, old_mid_p,
414	new_mid_p);
415	uptr storage_beg = reinterpret_cast<uptr>(beg_p);
416	uptr storage_end = reinterpret_cast<uptr>(end_p);
417	uptr old_end = reinterpret_cast<uptr>(old_mid_p);
418	uptr new_end = reinterpret_cast<uptr>(new_mid_p);
419	uptr old_beg = storage_beg;
420	uptr new_beg = storage_beg;
421	uptr granularity = ASAN_SHADOW_GRANULARITY;
422	if (!(storage_beg <= old_end && storage_beg <= new_end &&
423	old_end <= storage_end && new_end <= storage_end)) {
424	GET_STACK_TRACE_FATAL_HERE;
425	ReportBadParamsToAnnotateContiguousContainer(beg: storage_beg, end: storage_end,
426	old_mid: old_end, new_mid: new_end, stack: &stack);
427	}
428	CHECK_LE(storage_end - storage_beg,
429	FIRST_32_SECOND_64(`1UL` << `30`, `1ULL` << `40`)); // Sanity check.
430
431	if (old_end == new_end)
432	return; // Nothing to do here.
433
434	FixUnalignedStorage(storage_beg, storage_end, old_beg, old_end, new_beg,
435	new_end);
436
437	uptr a = RoundDownTo(x: Min(a: old_end, b: new_end), boundary: granularity);
438	uptr c = RoundUpTo(size: Max(a: old_end, b: new_end), boundary: granularity);
439	uptr d1 = RoundDownTo(x: old_end, boundary: granularity);
440	// uptr d2 = RoundUpTo(old_mid, granularity);
441	// Currently we should be in this state:
442	// [a, d1) is good, [d2, c) is bad, [d1, d2) is partially good.
443	// Make a quick sanity check that we are indeed in this state.
444	//
445	// FIXME: Two of these three checks are disabled until we fix
446	// https://github.com/google/sanitizers/issues/258.
447	// if (d1 != d2)
448	// DCHECK_EQ((u8)MemToShadow(d1), old_mid - d1);
449	//
450	// NOTE: curly brackets for the "if" below to silence a MSVC warning.
451	if (a + granularity <= d1) {
452	DCHECK_EQ((u8 )MemToShadow(a), `0`);
453	}
454	// if (d2 + granularity <= c && c <= end)
455	// DCHECK_EQ((u8 )MemToShadow(c - granularity),
456	// kAsanContiguousContainerOOBMagic);
457
458	uptr b1 = RoundDownTo(x: new_end, boundary: granularity);
459	uptr b2 = RoundUpTo(size: new_end, boundary: granularity);
460	// New state:
461	// [a, b1) is good, [b2, c) is bad, [b1, b2) is partially good.
462	if (b1 > a)
463	PoisonShadow(addr: a, size: b1 - a, value: `0`);
464	else if (c > b2)
465	PoisonShadow(addr: b2, size: c - b2, value: kAsanContiguousContainerOOBMagic);
466	if (b1 != b2) {
467	CHECK_EQ(b2 - b1, granularity);
468	(u8 )MemToShadow(p: b1) = static_cast<u8>(new_end - b1);
469	}
470	}
471
472	// Annotates a double ended contiguous memory area like std::deque's chunk.
473	// It allows detecting buggy accesses to allocated but not used begining
474	// or end items of such a container.
475	void __sanitizer_annotate_double_ended_contiguous_container(
476	const void storage_beg_p, const* void *storage_end_p,
477	const void old_container_beg_p, const* void *old_container_end_p,
478	const void new_container_beg_p, const* void *new_container_end_p) {
479	if (!flags()->detect_container_overflow)
480	return;
481
482	VPrintf(`2`, "contiguous_container: %p %p %p %p %p %p\n", storage_beg_p,
483	storage_end_p, old_container_beg_p, old_container_end_p,
484	new_container_beg_p, new_container_end_p);
485
486	uptr storage_beg = reinterpret_cast<uptr>(storage_beg_p);
487	uptr storage_end = reinterpret_cast<uptr>(storage_end_p);
488	uptr old_beg = reinterpret_cast<uptr>(old_container_beg_p);
489	uptr old_end = reinterpret_cast<uptr>(old_container_end_p);
490	uptr new_beg = reinterpret_cast<uptr>(new_container_beg_p);
491	uptr new_end = reinterpret_cast<uptr>(new_container_end_p);
492
493	constexpr uptr granularity = ASAN_SHADOW_GRANULARITY;
494
495	if (!(old_beg <= old_end && new_beg <= new_end) \|\|
496	!(storage_beg <= new_beg && new_end <= storage_end) \|\|
497	!(storage_beg <= old_beg && old_end <= storage_end)) {
498	GET_STACK_TRACE_FATAL_HERE;
499	ReportBadParamsToAnnotateDoubleEndedContiguousContainer(
500	storage_beg, storage_end, old_container_beg: old_beg, old_container_end: old_end, new_container_beg: new_beg, new_container_end: new_end, stack: &stack);
501	}
502	CHECK_LE(storage_end - storage_beg,
503	FIRST_32_SECOND_64(`1UL` << `30`, `1ULL` << `40`)); // Sanity check.
504
505	if ((old_beg == old_end && new_beg == new_end) \|\|
506	(old_beg == new_beg && old_end == new_end))
507	return; // Nothing to do here.
508
509	FixUnalignedStorage(storage_beg, storage_end, old_beg, old_end, new_beg,
510	new_end);
511
512	// Handle non-intersecting new/old containers separately have simpler
513	// intersecting case.
514	if (old_beg == old_end \|\| new_beg == new_end \|\| new_end <= old_beg \|\|
515	old_end <= new_beg) {
516	if (old_beg != old_end) {
517	// Poisoning the old container.
518	uptr a = RoundDownTo(x: old_beg, boundary: granularity);
519	uptr b = RoundUpTo(size: old_end, boundary: granularity);
520	PoisonShadow(addr: a, size: b - a, value: kAsanContiguousContainerOOBMagic);
521	}
522
523	if (new_beg != new_end) {
524	// Unpoisoning the new container.
525	uptr a = RoundDownTo(x: new_beg, boundary: granularity);
526	uptr b = RoundDownTo(x: new_end, boundary: granularity);
527	PoisonShadow(addr: a, size: b - a, value: `0`);
528	if (!AddrIsAlignedByGranularity(a: new_end))
529	(u8 )MemToShadow(p: b) = static_cast<u8>(new_end - b);
530	}
531
532	return;
533	}
534
535	// Intersection of old and new containers is not empty.
536	CHECK_LT(new_beg, old_end);
537	CHECK_GT(new_end, old_beg);
538
539	if (new_beg < old_beg) {
540	// Round down because we can't poison prefixes.
541	uptr a = RoundDownTo(x: new_beg, boundary: granularity);
542	// Round down and ignore the [c, old_beg) as its state defined by unchanged
543	// [old_beg, old_end).
544	uptr c = RoundDownTo(x: old_beg, boundary: granularity);
545	PoisonShadow(addr: a, size: c - a, value: `0`);
546	} else if (new_beg > old_beg) {
547	// Round down and poison [a, old_beg) because it was unpoisoned only as a
548	// prefix.
549	uptr a = RoundDownTo(x: old_beg, boundary: granularity);
550	// Round down and ignore the [c, new_beg) as its state defined by unchanged
551	// [new_beg, old_end).
552	uptr c = RoundDownTo(x: new_beg, boundary: granularity);
553
554	PoisonShadow(addr: a, size: c - a, value: kAsanContiguousContainerOOBMagic);
555	}
556
557	if (new_end > old_end) {
558	// Round down to poison the prefix.
559	uptr a = RoundDownTo(x: old_end, boundary: granularity);
560	// Round down and handle remainder below.
561	uptr c = RoundDownTo(x: new_end, boundary: granularity);
562	PoisonShadow(addr: a, size: c - a, value: `0`);
563	if (!AddrIsAlignedByGranularity(a: new_end))
564	(u8 )MemToShadow(p: c) = static_cast<u8>(new_end - c);
565	} else if (new_end < old_end) {
566	// Round up and handle remained below.
567	uptr a2 = RoundUpTo(size: new_end, boundary: granularity);
568	// Round up to poison entire granule as we had nothing in [old_end, c2).
569	uptr c2 = RoundUpTo(size: old_end, boundary: granularity);
570	PoisonShadow(addr: a2, size: c2 - a2, value: kAsanContiguousContainerOOBMagic);
571
572	if (!AddrIsAlignedByGranularity(a: new_end)) {
573	uptr a = RoundDownTo(x: new_end, boundary: granularity);
574	(u8 )MemToShadow(p: a) = static_cast<u8>(new_end - a);
575	}
576	}
577	}
578
579	static const void FindBadAddress(uptr begin, uptr end, bool* poisoned) {
580	CHECK_LE(begin, end);
581	constexpr uptr kMaxRangeToCheck = `32`;
582	if (end - begin > kMaxRangeToCheck * `2`) {
583	if (auto *bad = FindBadAddress(begin, end: begin + kMaxRangeToCheck, poisoned))
584	return bad;
585	if (auto *bad = FindBadAddress(begin: end - kMaxRangeToCheck, end, poisoned))
586	return bad;
587	}
588
589	for (uptr i = begin; i < end; ++i)
590	if (AddressIsPoisoned(a: i) != poisoned)
591	return reinterpret_cast<const void *>(i);
592	return nullptr;
593	}
594
595	const void *__sanitizer_contiguous_container_find_bad_address(
596	const void beg_p, const* void mid_p, const* void *end_p) {
597	if (!flags()->detect_container_overflow)
598	return nullptr;
599	uptr granularity = ASAN_SHADOW_GRANULARITY;
600	uptr beg = reinterpret_cast<uptr>(beg_p);
601	uptr end = reinterpret_cast<uptr>(end_p);
602	uptr mid = reinterpret_cast<uptr>(mid_p);
603	CHECK_LE(beg, mid);
604	CHECK_LE(mid, end);
605	// If the byte after the storage is unpoisoned, everything in the granule
606	// before must stay unpoisoned.
607	uptr annotations_end =
608	(!AddrIsAlignedByGranularity(a: end) && !AddressIsPoisoned(a: end))
609	? RoundDownTo(x: end, boundary: granularity)
610	: end;
611	beg = Min(a: beg, b: annotations_end);
612	mid = Min(a: mid, b: annotations_end);
613	if (auto bad = FindBadAddress(begin: beg, end: mid, poisoned: false*))
614	return bad;
615	if (auto bad = FindBadAddress(begin: mid, end: annotations_end, poisoned: true*))
616	return bad;
617	return FindBadAddress(begin: annotations_end, end, poisoned: false);
618	}
619
620	int __sanitizer_verify_contiguous_container(const void *beg_p,
621	const void *mid_p,
622	const void *end_p) {
623	return __sanitizer_contiguous_container_find_bad_address(beg_p, mid_p,
624	end_p) == nullptr;
625	}
626
627	const void *__sanitizer_double_ended_contiguous_container_find_bad_address(
628	const void storage_beg_p, const* void *container_beg_p,
629	const void container_end_p, const* void *storage_end_p) {
630	if (!flags()->detect_container_overflow)
631	return nullptr;
632	uptr granularity = ASAN_SHADOW_GRANULARITY;
633	uptr storage_beg = reinterpret_cast<uptr>(storage_beg_p);
634	uptr storage_end = reinterpret_cast<uptr>(storage_end_p);
635	uptr beg = reinterpret_cast<uptr>(container_beg_p);
636	uptr end = reinterpret_cast<uptr>(container_end_p);
637
638	// The prefix of the firs granule of the container is unpoisoned.
639	if (beg != end)
640	beg = Max(a: storage_beg, b: RoundDownTo(x: beg, boundary: granularity));
641
642	// If the byte after the storage is unpoisoned, the prefix of the last granule
643	// is unpoisoned.
644	uptr annotations_end = (!AddrIsAlignedByGranularity(a: storage_end) &&
645	!AddressIsPoisoned(a: storage_end))
646	? RoundDownTo(x: storage_end, boundary: granularity)
647	: storage_end;
648	storage_beg = Min(a: storage_beg, b: annotations_end);
649	beg = Min(a: beg, b: annotations_end);
650	end = Min(a: end, b: annotations_end);
651
652	if (auto bad = FindBadAddress(begin: storage_beg, end: beg, poisoned: true*))
653	return bad;
654	if (auto bad = FindBadAddress(begin: beg, end, poisoned: false*))
655	return bad;
656	if (auto bad = FindBadAddress(begin: end, end: annotations_end, poisoned: true*))
657	return bad;
658	return FindBadAddress(begin: annotations_end, end: storage_end, poisoned: false);
659	}
660
661	int __sanitizer_verify_double_ended_contiguous_container(
662	const void storage_beg_p, const* void *container_beg_p,
663	const void container_end_p, const* void *storage_end_p) {
664	return __sanitizer_double_ended_contiguous_container_find_bad_address(
665	storage_beg_p, container_beg_p, container_end_p, storage_end_p) ==
666	nullptr;
667	}
668
669	extern "C" SANITIZER_INTERFACE_ATTRIBUTE
670	void __asan_poison_intra_object_redzone(uptr ptr, uptr size) {
671	AsanPoisonOrUnpoisonIntraObjectRedzone(ptr, size, poison: true);
672	}
673
674	extern "C" SANITIZER_INTERFACE_ATTRIBUTE
675	void __asan_unpoison_intra_object_redzone(uptr ptr, uptr size) {
676	AsanPoisonOrUnpoisonIntraObjectRedzone(ptr, size, poison: false);
677	}
678
679	// --- Implementation of LSan-specific functions --- {{{1
680	namespace __lsan {
681	bool WordIsPoisoned(uptr addr) {
682	return (__asan_region_is_poisoned(beg: addr, size: sizeof(uptr)) != `0`);
683	}
684	}
685

source code of compiler-rt/lib/asan/asan_poisoning.cpp