| 1 | // RUN: %clang_hwasan %s -o %t |
|---|
| 2 | // RUN: not %run %t 40 2>&1 | FileCheck %s --check-prefix=CHECK40 |
|---|
| 3 | // RUN: not %run %t 80 2>&1 | FileCheck %s --check-prefix=CHECK80 |
|---|
| 4 | // RUN: not %run %t -30 2>&1 | FileCheck %s --check-prefix=CHECKm30 |
|---|
| 5 | // RUN: not %run %t -30 1000000 2>&1 | FileCheck %s --check-prefix=CHECKMm30 |
|---|
| 6 | // RUN: not %run %t 1000000 1000000 2>&1 | FileCheck %s --check-prefix=CHECKM |
|---|
| 7 | |
|---|
| 8 | // Test OOB within the granule. |
|---|
| 9 | // RUN: not %run %t 31 2>&1 | FileCheck %s --check-prefix=CHECK31 |
|---|
| 10 | // RUN: not %run %t 30 20 2>&1 | FileCheck %s --check-prefix=CHECK20 |
|---|
| 11 | |
|---|
| 12 | #include <stdlib.h> |
|---|
| 13 | #include <stdio.h> |
|---|
| 14 | #include <sanitizer/hwasan_interface.h> |
|---|
| 15 | |
|---|
| 16 | static volatile char sink; |
|---|
| 17 | |
|---|
| 18 | int main(int argc, char **argv) { |
|---|
| 19 | __hwasan_enable_allocator_tagging(); |
|---|
| 20 | int offset = argc < 2 ? 40 : atoi(nptr: argv[1]); |
|---|
| 21 | int size = argc < 3 ? 30 : atoi(nptr: argv[2]); |
|---|
| 22 | char * volatile x = (char*)malloc(size: size); |
|---|
| 23 | fprintf(stderr, format: "base: %p access: %p\n" , x, &x[offset]); |
|---|
| 24 | sink = x[offset]; |
|---|
| 25 | |
|---|
| 26 | #if defined(__x86_64__) |
|---|
| 27 | // Aliasing mode doesn't support the secondary allocator, so we fake a HWASan |
|---|
| 28 | // report instead of disabling the entire test. |
|---|
| 29 | if (size == 1000000) { |
|---|
| 30 | fprintf(stderr, format: "is a large allocated heap chunk; size: 1003520 offset: %d\n" , |
|---|
| 31 | offset); |
|---|
| 32 | fprintf(stderr, format: "Cause: heap-buffer-overflow\n" ); |
|---|
| 33 | fprintf(stderr, format: "is located %s a 1000000-byte region\n" , |
|---|
| 34 | offset == -30 ? "30 bytes before" : "0 bytes after" ); |
|---|
| 35 | return -1; |
|---|
| 36 | } |
|---|
| 37 | #endif |
|---|
| 38 | |
|---|
| 39 | // CHECK40: allocated heap chunk; size: 32 offset: 8 |
|---|
| 40 | // CHECK40: Cause: heap-buffer-overflow |
|---|
| 41 | // CHECK40: is located 10 bytes after a 30-byte region |
|---|
| 42 | // |
|---|
| 43 | // CHECK80: allocated heap chunk; size: 32 offset: 16 |
|---|
| 44 | // CHECK80: Cause: heap-buffer-overflow |
|---|
| 45 | // CHECK80: is located 50 bytes after a 30-byte region |
|---|
| 46 | // |
|---|
| 47 | // CHECKm30: Cause: heap-buffer-overflow |
|---|
| 48 | // CHECKm30: is located 30 bytes before a 30-byte region |
|---|
| 49 | // |
|---|
| 50 | // CHECKMm30: is a large allocated heap chunk; size: {{[0-9]*}} offset: -30 |
|---|
| 51 | // CHECKMm30: Cause: heap-buffer-overflow |
|---|
| 52 | // CHECKMm30: is located 30 bytes before a 1000000-byte region |
|---|
| 53 | // |
|---|
| 54 | // CHECKM: is a large allocated heap chunk; size: {{[0-9]*}} offset: 1000000 |
|---|
| 55 | // CHECKM: Cause: heap-buffer-overflow |
|---|
| 56 | // CHECKM: is located 0 bytes after a 1000000-byte region |
|---|
| 57 | // |
|---|
| 58 | // CHECK31: tags: [[TAG:..]]/0e([[TAG]]) (ptr/mem) |
|---|
| 59 | // CHECK31-NOT: Invalid access starting at offset |
|---|
| 60 | // CHECK31: Cause: heap-buffer-overflow |
|---|
| 61 | // CHECK31: is located 1 bytes after a 30-byte region |
|---|
| 62 | // CHECK31: Memory tags around the buggy address |
|---|
| 63 | // CHECK31: [0e] |
|---|
| 64 | // CHECK31: Tags for short granules around the buggy address |
|---|
| 65 | // CHECK31: {{\[}}[[TAG]]] |
|---|
| 66 | // |
|---|
| 67 | // CHECK20-NOT: Invalid access starting at offset |
|---|
| 68 | // CHECK20: Cause: heap-buffer-overflow |
|---|
| 69 | // CHECK20: is located 10 bytes after a 20-byte region [0x{{.*}}0,0x{{.*}}4) |
|---|
| 70 | free(ptr: x); |
|---|
| 71 | } |
|---|
| 72 | |
|---|
