[asan] NPD calling prctl with PR_SET_VMA PR_SET_VMA_ANON_NAME and nullptr for name

[nickdesaulniers]

unsigned long name = reinterpret_cast<unsigned long>(nullptr);
prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, start, len, name);

will crash in internal_strlen called from the prctl asan interceptor.

man 2 prctl states:

PR_SET_VMA (since Linux 5.17)
PR_SET_VMA_ANON_NAME
If arg5 is NULL, the name of the appropriate anonymous virtual memory areas will be re‐set.

So it is valid and expected to be able to call prctl with the 5th parameter set to NULL. It's UB to call strlen with NULL; and in this case, internal_strlen immediately dereferences the pointer it's given.

a4c97e1

cc @vitalybuka @eugenis @devnexen

[llvmbot]

Hi!

This issue may be a good introductory issue for people new to working on LLVM. If you would like to work on this issue, your first steps are:

1. Check that no other contributor is working on this issue. If someone is assigned to the issue or claimed to be working on it, ping the person. After one week without a response, the assignee may be changed.
2. Leave a comment indicating that you are working on the issue, or just create a pull request after following the steps below. Mention this issue in the description of the pull request.
3. Fix the issue locally.
4. Run the test suite locally. Remember that the subdirectories under test/ create fine-grained testing targets, so you can e.g. use make check-clang-ast to only run Clang's AST tests.
5. Create a Git commit.
6. Run git clang-format HEAD~1 to format your changes.
7. Open a pull request to the upstream repository on GitHub. Detailed instructions can be found in GitHub's documentation. Mention this issue in the description of the pull request.

If you have any further questions about this issue, don't hesitate to ask via a comment in the thread below.

[llvmbot]

@llvm/issue-subscribers-good-first-issue

Author: Nick Desaulniers (nickdesaulniers)

```c++ unsigned long name = reinterpret_cast<unsigned long>(nullptr); prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, start, len, name); ``` will crash in `internal_strlen` called from the prctl asan interceptor.

man 2 prctl states:

> PR_SET_VMA (since Linux 5.17)
> PR_SET_VMA_ANON_NAME
> If arg5 is NULL, the name of the appropriate anonymous virtual memory areas will be re‐set.

So it is valid and expected to be able to call prctl with the 5th parameter set to NULL. It's UB to call strlen with NULL; and in this case, internal_strlen immediately dereferences the pointer it's given.

a4c97e1

cc @vitalybuka @eugenis @devnexen

[woruyu]

I’m happy to fix this. I’m not very familiar with this interceptor code.so I’d like to confirm the minimal change before sending a patch.
For PR_SET_VMA / PR_SET_VMA_ANON_NAME, arg5 can legally be NULL. The current interceptor unconditionally does:

PRCTL_INTERCEPTOR(int, prctl, int option, unsigned long arg2,
                  unsigned long arg3, unsigned long arg4, unsigned long arg5) {
  void *ctx;
  COMMON_INTERCEPTOR_ENTER(ctx, prctl, option, arg2, arg3, arg4, arg5);
  static const int PR_SET_NAME = 15;
  static const int PR_GET_NAME = 16;
  static const int PR_SET_VMA = 0x53564d41;
  static const int PR_SCHED_CORE = 62;
  static const int PR_SCHED_CORE_GET = 0;
  static const int PR_GET_PDEATHSIG = 2;

#  if !SANITIZER_ANDROID
  static const int PR_SET_SECCOMP = 22;
  static const int SECCOMP_MODE_FILTER = 2;
#  endif
  if (option == PR_SET_VMA && arg2 == 0UL) {
    char *name = (char *)arg5;
    COMMON_INTERCEPTOR_READ_RANGE(ctx, name, internal_strlen(name) + 1);
  }


// modification like this?
--->
if (option == PR_SET_VMA && arg2 == PR_SET_VMA_ANON_NAME) {
  const char *name = (const char *)arg5;
  if (name)  // NULL means “reset”; do not touch memory in that case
    COMMON_INTERCEPTOR_READ_RANGE(ctx, name, internal_strlen(name) + 1);
}

[devnexen]

or

if (option == PR_SET_VMA && arg2 == PR_SET_VMA_ANON_NAME && arg5 != 0UL) {

[nickdesaulniers]

Thanks @woruyu and reviewers!