Skip to content

[msan] Support prctl PR_GET_NAME call #98951

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Jul 16, 2024
Merged

Conversation

ccotter
Copy link
Contributor

@ccotter ccotter commented Jul 15, 2024

Per the man page, PR_GET_NAME stores a null terminated string into the input char name[16].

This also adds prctl support in ASAN to detect freed memory being passed to prctl(PR_GET_NAME, ...):

@llvmbot
Copy link
Member

llvmbot commented Jul 15, 2024

@llvm/pr-subscribers-compiler-rt-sanitizer

Author: Chris Cotter (ccotter)

Changes

Per the man page, PR_GET_NAME stores a null terminated string into the input char name[16].

This also adds prctl support in ASAN to detect freed memory being passed to prctl(PR_GET_NAME, ...):


Full diff: https://github.com/llvm/llvm-project/pull/98951.diff

2 Files Affected:

  • (modified) compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc (+11)
  • (added) compiler-rt/test/msan/prctl.cpp (+24)
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc b/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
index 1df61e79f7d84..cc5f0f3c8bc33 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
@@ -1251,6 +1251,7 @@ INTERCEPTOR(int, prctl, int option, unsigned long arg2, unsigned long arg3,
   void *ctx;
   COMMON_INTERCEPTOR_ENTER(ctx, prctl, option, arg2, arg3, arg4, arg5);
   static const int PR_SET_NAME = 15;
+  static const int PR_GET_NAME = 16;
   static const int PR_SET_VMA = 0x53564d41;
   static const int PR_SCHED_CORE = 62;
   static const int PR_SCHED_CORE_GET = 0;
@@ -1264,6 +1265,16 @@ INTERCEPTOR(int, prctl, int option, unsigned long arg2, unsigned long arg3,
     internal_strncpy(buff, (char *)arg2, 15);
     buff[15] = 0;
     COMMON_INTERCEPTOR_SET_THREAD_NAME(ctx, buff);
+  } else if (res != 1 && option == PR_GET_NAME) {
+    unsigned long null_index = 0;
+    char* name = (char*)arg2;
+    while (name[null_index] && null_index < 16) {
+      ++null_index;
+    }
+    if (null_index > 15) {
+      null_index = 15;
+    }
+    COMMON_INTERCEPTOR_WRITE_RANGE(ctx, (u64*)arg2, null_index+1);
   } else if (res != -1 && option == PR_SCHED_CORE && arg2 == PR_SCHED_CORE_GET) {
     COMMON_INTERCEPTOR_WRITE_RANGE(ctx, (u64*)(arg5), sizeof(u64));
   }
diff --git a/compiler-rt/test/msan/prctl.cpp b/compiler-rt/test/msan/prctl.cpp
new file mode 100644
index 0000000000000..7b8e60c98c13b
--- /dev/null
+++ b/compiler-rt/test/msan/prctl.cpp
@@ -0,0 +1,24 @@
+// RUN: %clangxx_msan -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s
+// REQUIRES: linux
+
+#include <linux/prctl.h>
+#include <sys/prctl.h>
+
+int main(void) {
+  prctl(PR_SET_NAME, "tname");
+  char name[16];
+  prctl(PR_GET_NAME, name);
+
+  if (name[0] == 'A') {
+    return 0;
+  }
+  if (name[5] != '\0') {
+    return 0;
+  }
+  if (name[6] != '\0') {
+    return 0;
+  }
+  // CHECK: SUMMARY: MemorySanitizer: use-of-uninitialized-value {{.*prctl.cpp}}:[[@LINE-3]]
+
+  return 0;
+}

Copy link

github-actions bot commented Jul 15, 2024

✅ With the latest revision this PR passed the C/C++ code formatter.

@ccotter ccotter force-pushed the msan-prctl branch 2 times, most recently from 5f35f71 to 77e2591 Compare July 16, 2024 01:36
Per the man page, PR_GET_NAME stores a null terminated string
into the input `char name[16]`.

This also adds prctl support in ASAN to detect freed memory being passed
to `prctl(PR_GET_NAME, ...)`:
Copy link
Collaborator

@vitalybuka vitalybuka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the patch!

It's needs a few small improvements.

Please don't forget to click "re-request review" after updating.

Copy link
Collaborator

@vitalybuka vitalybuka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@ccotter
Copy link
Contributor Author

ccotter commented Jul 16, 2024

Thanks for the quick review!

@vitalybuka
Copy link
Collaborator

I'll wait checks completion and land after that, likely tomorrow.

@vitalybuka vitalybuka merged commit 986ceae into llvm:main Jul 16, 2024
6 checks passed
@ccotter ccotter deleted the msan-prctl branch July 18, 2024 02:47
yuxuanchen1997 pushed a commit that referenced this pull request Jul 25, 2024
Summary:
Per the man page, PR_GET_NAME stores a null terminated string into the
input `char name[16]`.

This also adds prctl support in ASAN to detect freed memory being passed
to `prctl(PR_GET_NAME, ...)`:

Test Plan: 

Reviewers: 

Subscribers: 

Tasks: 

Tags: 


Differential Revision: https://phabricator.intern.facebook.com/D60251534
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants