1 //===-- hwasan_report.cc --------------------------------------------------===//
3 // The LLVM Compiler Infrastructure
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
8 //===----------------------------------------------------------------------===//
10 // This file is a part of HWAddressSanitizer.
13 //===----------------------------------------------------------------------===//
16 #include "hwasan_allocator.h"
17 #include "hwasan_mapping.h"
18 #include "hwasan_thread.h"
19 #include "hwasan_thread_list.h"
20 #include "sanitizer_common/sanitizer_allocator_internal.h"
21 #include "sanitizer_common/sanitizer_common.h"
22 #include "sanitizer_common/sanitizer_flags.h"
23 #include "sanitizer_common/sanitizer_mutex.h"
24 #include "sanitizer_common/sanitizer_report_decorator.h"
25 #include "sanitizer_common/sanitizer_stackdepot.h"
26 #include "sanitizer_common/sanitizer_stacktrace_printer.h"
27 #include "sanitizer_common/sanitizer_symbolizer.h"
29 using namespace __sanitizer;
35 ScopedReport(bool fatal = false) : error_message_(1), fatal(fatal) {
36 BlockingMutexLock lock(&error_message_lock_);
37 error_message_ptr_ = fatal ? &error_message_ : nullptr;
41 BlockingMutexLock lock(&error_message_lock_);
43 SetAbortMessage(error_message_.data());
46 error_message_ptr_ = nullptr;
49 static void MaybeAppendToErrorMessage(const char *msg) {
50 BlockingMutexLock lock(&error_message_lock_);
51 if (!error_message_ptr_)
53 uptr len = internal_strlen(msg);
54 uptr old_size = error_message_ptr_->size();
55 error_message_ptr_->resize(old_size + len);
56 // overwrite old trailing '\0', keep new trailing '\0' untouched.
57 internal_memcpy(&(*error_message_ptr_)[old_size - 1], msg, len);
60 ScopedErrorReportLock error_report_lock_;
61 InternalMmapVector<char> error_message_;
64 static InternalMmapVector<char> *error_message_ptr_;
65 static BlockingMutex error_message_lock_;
68 InternalMmapVector<char> *ScopedReport::error_message_ptr_;
69 BlockingMutex ScopedReport::error_message_lock_;
71 // If there is an active ScopedReport, append to its error message.
72 void AppendToErrorMessageBuffer(const char *buffer) {
73 ScopedReport::MaybeAppendToErrorMessage(buffer);
76 static StackTrace GetStackTraceFromId(u32 id) {
78 StackTrace res = StackDepotGet(id);
83 // A RAII object that holds a copy of the current thread stack ring buffer.
84 // The actual stack buffer may change while we are iterating over it (for
85 // example, Printf may call syslog() which can itself be built with hwasan).
86 class SavedStackAllocations {
88 SavedStackAllocations(StackAllocationsRingBuffer *rb) {
89 uptr size = rb->size() * sizeof(uptr);
91 MmapAlignedOrDieOnFatalError(size, size * 2, "saved stack allocations");
92 new (&rb_) StackAllocationsRingBuffer(*rb, storage);
95 ~SavedStackAllocations() {
96 StackAllocationsRingBuffer *rb = get();
97 UnmapOrDie(rb->StartOfStorage(), rb->size() * sizeof(uptr));
100 StackAllocationsRingBuffer *get() {
101 return (StackAllocationsRingBuffer *)&rb_;
108 class Decorator: public __sanitizer::SanitizerCommonDecorator {
110 Decorator() : SanitizerCommonDecorator() { }
111 const char *Access() { return Blue(); }
112 const char *Allocation() const { return Magenta(); }
113 const char *Origin() const { return Magenta(); }
114 const char *Name() const { return Green(); }
115 const char *Location() { return Green(); }
116 const char *Thread() { return Green(); }
119 // Returns the index of the rb element that matches tagged_addr (plus one),
120 // or zero if found nothing.
121 uptr FindHeapAllocation(HeapAllocationsRingBuffer *rb,
123 HeapAllocationRecord *har) {
125 for (uptr i = 0, size = rb->size(); i < size; i++) {
127 if (h.tagged_addr <= tagged_addr &&
128 h.tagged_addr + h.requested_size > tagged_addr) {
136 void PrintAddressDescription(
137 uptr tagged_addr, uptr access_size,
138 StackAllocationsRingBuffer *current_stack_allocations) {
140 int num_descriptions_printed = 0;
141 uptr untagged_addr = UntagAddr(tagged_addr);
143 // Print some very basic information about the address, if it's a heap.
144 HwasanChunkView chunk = FindHeapChunkByAddress(untagged_addr);
145 if (uptr beg = chunk.Beg()) {
146 uptr size = chunk.ActualSize();
147 Printf("%s[%p,%p) is a %s %s heap chunk; "
148 "size: %zd offset: %zd\n%s",
151 chunk.FromSmallHeap() ? "small" : "large",
152 chunk.IsAllocated() ? "allocated" : "unallocated",
153 size, untagged_addr - beg,
157 // Check if this looks like a heap buffer overflow by scanning
158 // the shadow left and right and looking for the first adjacent
159 // object with a different memory tag. If that tag matches addr_tag,
160 // check the allocator if it has a live chunk there.
161 tag_t addr_tag = GetTagFromPointer(tagged_addr);
162 tag_t *tag_ptr = reinterpret_cast<tag_t*>(MemToShadow(untagged_addr));
163 if (*tag_ptr != addr_tag) { // should be true usually.
164 tag_t *left = tag_ptr, *right = tag_ptr;
166 for (int i = 0; i < 1000 && *left == *tag_ptr; i++, left--){}
168 for (int i = 0; i < 1000 && *right == *tag_ptr; i++, right++){}
169 // Chose the object that has addr_tag and that is closer to addr.
170 tag_t *candidate = nullptr;
171 if (*right == addr_tag && *left == addr_tag)
172 candidate = right - tag_ptr < tag_ptr - left ? right : left;
173 else if (*right == addr_tag)
175 else if (*left == addr_tag)
179 uptr mem = ShadowToMem(reinterpret_cast<uptr>(candidate));
180 HwasanChunkView chunk = FindHeapChunkByAddress(mem);
181 if (chunk.IsAllocated()) {
182 Printf("%s", d.Location());
184 "%p is located %zd bytes to the %s of %zd-byte region [%p,%p)\n",
186 candidate == left ? untagged_addr - chunk.End()
187 : chunk.Beg() - untagged_addr,
188 candidate == right ? "left" : "right", chunk.UsedSize(),
189 chunk.Beg(), chunk.End());
190 Printf("%s", d.Allocation());
191 Printf("allocated here:\n");
192 Printf("%s", d.Default());
193 GetStackTraceFromId(chunk.GetAllocStackId()).Print();
194 num_descriptions_printed++;
199 hwasanThreadList().VisitAllLiveThreads([&](Thread *t) {
200 // Scan all threads' ring buffers to find if it's a heap-use-after-free.
201 HeapAllocationRecord har;
202 if (uptr D = FindHeapAllocation(t->heap_allocations(), tagged_addr, &har)) {
203 Printf("%s", d.Location());
204 Printf("%p is located %zd bytes inside of %zd-byte region [%p,%p)\n",
205 untagged_addr, untagged_addr - UntagAddr(har.tagged_addr),
206 har.requested_size, UntagAddr(har.tagged_addr),
207 UntagAddr(har.tagged_addr) + har.requested_size);
208 Printf("%s", d.Allocation());
209 Printf("freed by thread T%zd here:\n", t->unique_id());
210 Printf("%s", d.Default());
211 GetStackTraceFromId(har.free_context_id).Print();
213 Printf("%s", d.Allocation());
214 Printf("previously allocated here:\n", t);
215 Printf("%s", d.Default());
216 GetStackTraceFromId(har.alloc_context_id).Print();
218 // Print a developer note: the index of this heap object
219 // in the thread's deallocation ring buffer.
220 Printf("hwasan_dev_note_heap_rb_distance: %zd %zd\n", D,
221 flags()->heap_history_size);
224 num_descriptions_printed++;
227 // Very basic check for stack memory.
228 if (t->AddrIsInStack(untagged_addr)) {
229 Printf("%s", d.Location());
230 Printf("Address %p is located in stack of thread T%zd\n", untagged_addr,
232 Printf("%s", d.Default());
235 // Temporary report section, needs to be improved.
236 Printf("Previously allocated frames:\n");
237 auto *sa = (t == GetCurrentThread() && current_stack_allocations)
238 ? current_stack_allocations
239 : t->stack_allocations();
240 uptr frames = Min((uptr)flags()->stack_history_size, sa->size());
241 InternalScopedString frame_desc(GetPageSizeCached() * 2);
242 for (uptr i = 0; i < frames; i++) {
243 uptr record = (*sa)[i];
246 uptr sp = (record >> 48) << 4;
247 uptr pc_mask = (1ULL << 48) - 1;
248 uptr pc = record & pc_mask;
249 if (SymbolizedStack *frame = Symbolizer::GetOrInit()->SymbolizePC(pc)) {
250 frame_desc.append(" sp: 0x%zx pc: %p ", sp, pc);
251 RenderFrame(&frame_desc, "in %f %s:%l\n", 0, frame->info,
252 common_flags()->symbolize_vs_style,
253 common_flags()->strip_path_prefix);
255 if (auto Descr = GetStackFrameDescr(pc))
256 frame_desc.append(" %s\n", Descr);
258 Printf("%s", frame_desc.data());
262 num_descriptions_printed++;
266 // Print the remaining threads, as an extra information, 1 line per thread.
267 hwasanThreadList().VisitAllLiveThreads([&](Thread *t) { t->Announce(); });
269 if (!num_descriptions_printed)
270 // We exhausted our possibilities. Bail out.
271 Printf("HWAddressSanitizer can not describe address in more detail.\n");
274 void ReportStats() {}
276 static void PrintTagsAroundAddr(tag_t *tag_ptr) {
278 "Memory tags around the buggy address (one tag corresponds to %zd "
279 "bytes):\n", kShadowAlignment);
281 const uptr row_len = 16; // better be power of two.
282 const uptr num_rows = 17;
283 tag_t *center_row_beg = reinterpret_cast<tag_t *>(
284 RoundDownTo(reinterpret_cast<uptr>(tag_ptr), row_len));
285 tag_t *beg_row = center_row_beg - row_len * (num_rows / 2);
286 tag_t *end_row = center_row_beg + row_len * (num_rows / 2);
287 InternalScopedString s(GetPageSizeCached() * 8);
288 for (tag_t *row = beg_row; row < end_row; row += row_len) {
289 s.append("%s", row == center_row_beg ? "=>" : " ");
290 for (uptr i = 0; i < row_len; i++) {
291 s.append("%s", row + i == tag_ptr ? "[" : " ");
292 s.append("%02x", row[i]);
293 s.append("%s", row + i == tag_ptr ? "]" : " ");
295 s.append("%s\n", row == center_row_beg ? "<=" : " ");
297 Printf("%s", s.data());
300 void ReportInvalidFree(StackTrace *stack, uptr tagged_addr) {
301 ScopedReport R(flags()->halt_on_error);
303 uptr untagged_addr = UntagAddr(tagged_addr);
304 tag_t ptr_tag = GetTagFromPointer(tagged_addr);
305 tag_t *tag_ptr = reinterpret_cast<tag_t*>(MemToShadow(untagged_addr));
306 tag_t mem_tag = *tag_ptr;
308 Printf("%s", d.Error());
309 uptr pc = stack->size ? stack->trace[0] : 0;
310 const char *bug_type = "invalid-free";
311 Report("ERROR: %s: %s on address %p at pc %p\n", SanitizerToolName, bug_type,
313 Printf("%s", d.Access());
314 Printf("tags: %02x/%02x (ptr/mem)\n", ptr_tag, mem_tag);
315 Printf("%s", d.Default());
319 PrintAddressDescription(tagged_addr, 0, nullptr);
321 PrintTagsAroundAddr(tag_ptr);
323 ReportErrorSummary(bug_type, stack);
326 void ReportTailOverwritten(StackTrace *stack, uptr tagged_addr, uptr orig_size,
327 uptr tail_size, const u8 *expected) {
328 ScopedReport R(flags()->halt_on_error);
330 uptr untagged_addr = UntagAddr(tagged_addr);
331 Printf("%s", d.Error());
332 const char *bug_type = "alocation-tail-overwritten";
333 Report("ERROR: %s: %s; heap object [%p,%p) of size %zd\n", SanitizerToolName,
334 bug_type, untagged_addr, untagged_addr + orig_size, orig_size);
335 Printf("\n%s", d.Default());
337 HwasanChunkView chunk = FindHeapChunkByAddress(untagged_addr);
339 Printf("%s", d.Allocation());
340 Printf("allocated here:\n");
341 Printf("%s", d.Default());
342 GetStackTraceFromId(chunk.GetAllocStackId()).Print();
345 InternalScopedString s(GetPageSizeCached() * 8);
346 CHECK_GT(tail_size, 0U);
347 CHECK_LT(tail_size, kShadowAlignment);
348 u8 *tail = reinterpret_cast<u8*>(untagged_addr + orig_size);
349 s.append("Tail contains: ");
350 for (uptr i = 0; i < kShadowAlignment - tail_size; i++)
352 for (uptr i = 0; i < tail_size; i++)
353 s.append("%02x ", tail[i]);
355 s.append("Expected: ");
356 for (uptr i = 0; i < kShadowAlignment - tail_size; i++)
358 for (uptr i = 0; i < tail_size; i++)
359 s.append("%02x ", expected[i]);
362 for (uptr i = 0; i < kShadowAlignment - tail_size; i++)
364 for (uptr i = 0; i < tail_size; i++)
365 s.append("%s ", expected[i] != tail[i] ? "^^" : " ");
367 s.append("\nThis error occurs when a buffer overflow overwrites memory\n"
368 "to the right of a heap object, but within the %zd-byte granule, e.g.\n"
369 " char *x = new char[20];\n"
371 "By default %s does not detect such bugs at the time of write,\n"
372 "but can detect them at the time of free/delete.\n"
373 "To disable this feature set HWASAN_OPTIONS=free_checks_tail_magic=0;\n"
374 "To enable checking at the time of access, set "
375 "HWASAN_OPTIONS=malloc_align_right to non-zero\n\n",
376 kShadowAlignment, SanitizerToolName);
377 Printf("%s", s.data());
378 GetCurrentThread()->Announce();
380 tag_t *tag_ptr = reinterpret_cast<tag_t*>(MemToShadow(untagged_addr));
381 PrintTagsAroundAddr(tag_ptr);
383 ReportErrorSummary(bug_type, stack);
386 void ReportTagMismatch(StackTrace *stack, uptr tagged_addr, uptr access_size,
387 bool is_store, bool fatal) {
388 ScopedReport R(fatal);
389 SavedStackAllocations current_stack_allocations(
390 GetCurrentThread()->stack_allocations());
393 Printf("%s", d.Error());
394 uptr untagged_addr = UntagAddr(tagged_addr);
395 // TODO: when possible, try to print heap-use-after-free, etc.
396 const char *bug_type = "tag-mismatch";
397 uptr pc = stack->size ? stack->trace[0] : 0;
398 Report("ERROR: %s: %s on address %p at pc %p\n", SanitizerToolName, bug_type,
401 Thread *t = GetCurrentThread();
403 tag_t ptr_tag = GetTagFromPointer(tagged_addr);
404 tag_t *tag_ptr = reinterpret_cast<tag_t*>(MemToShadow(untagged_addr));
405 tag_t mem_tag = *tag_ptr;
406 Printf("%s", d.Access());
407 Printf("%s of size %zu at %p tags: %02x/%02x (ptr/mem) in thread T%zd\n",
408 is_store ? "WRITE" : "READ", access_size, untagged_addr, ptr_tag,
409 mem_tag, t->unique_id());
410 Printf("%s", d.Default());
414 PrintAddressDescription(tagged_addr, access_size,
415 current_stack_allocations.get());
418 PrintTagsAroundAddr(tag_ptr);
420 ReportErrorSummary(bug_type, stack);
423 } // namespace __hwasan