[ASan][Windows] Fix rip-relative instruction replacement #68432
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@llvm/pr-subscribers-compiler-rt-sanitizer ChangesThe old code incorrectly checked what relative offsets were allowed. The correct check is that the offset from the target to the instruction pointer should be within [-231, 231); however, the check that was originally written was that the offset was within [0, 2**31). Negative offsets are certainly allowable (as long as they fit in 32 bits), and this change fixes that. Full diff: https://github.com/llvm/llvm-project/pull/68432.diff 1 Files Affected:
diff --git a/compiler-rt/lib/interception/interception_win.cpp b/compiler-rt/lib/interception/interception_win.cpp
index 23d26ea94b51a66..4f2a51e1adbc6e0 100644
--- a/compiler-rt/lib/interception/interception_win.cpp
+++ b/compiler-rt/lib/interception/interception_win.cpp
@@ -726,16 +726,22 @@ static bool CopyInstructions(uptr to, uptr from, size_t size) {
size_t instruction_size = GetInstructionSize(from + cursor, &rel_offset);
if (!instruction_size)
return false;
- _memcpy((void*)(to + cursor), (void*)(from + cursor),
+ _memcpy((void *)(to + cursor), (void *)(from + cursor),
(size_t)instruction_size);
if (rel_offset) {
- uptr delta = to - from;
- uptr relocated_offset = *(u32*)(to + cursor + rel_offset) - delta;
#if SANITIZER_WINDOWS64
- if (relocated_offset + 0x80000000U >= 0xFFFFFFFFU)
+ // we want to make sure that the new relative offset still fits in 32-bits
+ // this will be untrue if relocated_offset \notin [-2**31, 2**31)
+ s64 delta = to - from;
+ s64 relocated_offset = *(s32 *)(to + cursor + rel_offset) - delta;
+ if (-0x8000'0000ll > relocated_offset || relocated_offset > 0x7FFF'FFFFll)
return false;
+#else
+ // on 32-bit, the relative offset will always be correct
+ s32 delta = to - from;
+ s32 relocated_offset = *(s32 *)(to + cursor + rel_offset) - delta;
#endif
- *(u32*)(to + cursor + rel_offset) = relocated_offset;
+ *(s32 *)(to + cursor + rel_offset) = relocated_offset;
}
cursor += instruction_size;
}
|
This comment was marked as resolved.
This comment was marked as resolved.
strega-nil-ms
force-pushed
the
fix-relocation-math
branch
from
67dfb84 to
f855b36
Compare
The old code incorrectly checked what relative offsets were allowed.
The correct check is that the offset from the target to the instruction
pointer should be within $[-2^{31}, 2^{31})$; however, the check that was
originally written was that the offset was within $[0, 2^{31})$.
Negative offsets are certainly allowable (as long as they fit in 32 bits),
and this change fixes that.
strega-nil-ms
force-pushed
the
fix-relocation-math
branch
from
f855b36 to
3d8e67d
Compare
barcharcraz
requested changes
Oct 9, 2023
barcharcraz
approved these changes
Oct 9, 2023
vitalybuka
reviewed
Oct 9, 2023
| @@ -726,16 +726,22 @@ static bool CopyInstructions(uptr to, uptr from, size_t size) { | |||
| size_t instruction_size = GetInstructionSize(from + cursor, &rel_offset); | |||
| if (!instruction_size) | |||
| return false; | |||
| _memcpy((void*)(to + cursor), (void*)(from + cursor), | |||
| _memcpy((void *)(to + cursor), (void *)(from + cursor), | |||
There was a problem hiding this comment.
Is this clang-formated?
vitalybuka
reviewed
Oct 9, 2023
| uptr relocated_offset = *(u32*)(to + cursor + rel_offset) - delta; | ||
| #if SANITIZER_WINDOWS64 | ||
| if (relocated_offset + 0x80000000U >= 0xFFFFFFFFU) | ||
| # if SANITIZER_WINDOWS64 |
There was a problem hiding this comment.
maybe if constexpr (SANITIZER_WINDOWS64) to compile it always
vitalybuka
reviewed
Oct 9, 2023
| // we want to make sure that the new relative offset still fits in 32-bits | ||
| // this will be untrue if relocated_offset \notin [-2**31, 2**31) | ||
| s64 delta = to - from; | ||
| s64 relocated_offset = *(s32 *)(to + cursor + rel_offset) - delta; |
There was a problem hiding this comment.
I guess you can use same code if use s64/s32 -> sptr
vitalybuka
approved these changes
Oct 9, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The old code incorrectly checked what relative offsets were allowed.
The correct check is that the offset from the target to the instruction pointer should be within$[-2^{31}, 2^{31})$ ; however, the check that was originally written was that the offset was within $[0, 2^{31})$ . Negative offsets are certainly allowable (as long as they fit in 32 bits), and this change fixes that.