1
//===-- hwasan_report.cpp -------------------------------------------------===//
2
//
3
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4
// See https://llvm.org/LICENSE.txt for license information.
5
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6
//
7
//===----------------------------------------------------------------------===//
8
//
9
// This file is a part of HWAddressSanitizer.
10
//
11
// Error reporting.
12
//===----------------------------------------------------------------------===//
13

14
#include "hwasan_report.h"
15

16
#include <dlfcn.h>
17

18
#include "hwasan.h"
19
#include "hwasan_allocator.h"
20
#include "hwasan_globals.h"
21
#include "hwasan_mapping.h"
22
#include "hwasan_thread.h"
23
#include "hwasan_thread_list.h"
24
#include "sanitizer_common/sanitizer_allocator_internal.h"
25
#include "sanitizer_common/sanitizer_array_ref.h"
26
#include "sanitizer_common/sanitizer_common.h"
27
#include "sanitizer_common/sanitizer_flags.h"
28
#include "sanitizer_common/sanitizer_internal_defs.h"
29
#include "sanitizer_common/sanitizer_mutex.h"
30
#include "sanitizer_common/sanitizer_placement_new.h"
31
#include "sanitizer_common/sanitizer_report_decorator.h"
32
#include "sanitizer_common/sanitizer_stackdepot.h"
33
#include "sanitizer_common/sanitizer_stacktrace_printer.h"
34
#include "sanitizer_common/sanitizer_symbolizer.h"
35

36
using namespace __sanitizer;
37

38
namespace __hwasan {
39

40
class ScopedReport {
41
 public:
42
  explicit ScopedReport(bool fatal) : fatal(fatal) {
43
    Lock lock(&error_message_lock_);
44
    error_message_ptr_ = &error_message_;
45
    ++hwasan_report_count;
46
  }
47

48
  ~ScopedReport() {
49
    void (*report_cb)(const char *);
50
    {
51
      Lock lock(&error_message_lock_);
52
      report_cb = error_report_callback_;
53
      error_message_ptr_ = nullptr;
54
    }
55
    if (report_cb)
56
      report_cb(error_message_.data());
57
    if (fatal)
58
      SetAbortMessage(error_message_.data());
59
    if (common_flags()->print_module_map >= 2 ||
60
        (fatal && common_flags()->print_module_map))
61
      DumpProcessMap();
62
    if (fatal)
63
      Die();
64
  }
65

66
  static void MaybeAppendToErrorMessage(const char *msg) {
67
    Lock lock(&error_message_lock_);
68
    if (!error_message_ptr_)
69
      return;
70
    error_message_ptr_->Append(msg);
71
  }
72

73
  static void SetErrorReportCallback(void (*callback)(const char *)) {
74
    Lock lock(&error_message_lock_);
75
    error_report_callback_ = callback;
76
  }
77

78
 private:
79
  InternalScopedString error_message_;
80
  bool fatal;
81

82
  static Mutex error_message_lock_;
83
  static InternalScopedString *error_message_ptr_
84
      SANITIZER_GUARDED_BY(error_message_lock_);
85
  static void (*error_report_callback_)(const char *);
86
};
87

88
Mutex ScopedReport::error_message_lock_;
89
InternalScopedString *ScopedReport::error_message_ptr_;
90
void (*ScopedReport::error_report_callback_)(const char *);
91

92
// If there is an active ScopedReport, append to its error message.
93
void AppendToErrorMessageBuffer(const char *buffer) {
94
  ScopedReport::MaybeAppendToErrorMessage(buffer);
95
}
96

97
static StackTrace GetStackTraceFromId(u32 id) {
98
  CHECK(id);
99
  StackTrace res = StackDepotGet(id);
100
  CHECK(res.trace);
101
  return res;
102
}
103

104
static void MaybePrintAndroidHelpUrl() {
105
#if SANITIZER_ANDROID
106
  Printf(
107
      "Learn more about HWASan reports: "
108
      "https://source.android.com/docs/security/test/memory-safety/"
109
      "hwasan-reports\n");
110
#endif
111
}
112

113
namespace {
114
// A RAII object that holds a copy of the current thread stack ring buffer.
115
// The actual stack buffer may change while we are iterating over it (for
116
// example, Printf may call syslog() which can itself be built with hwasan).
117
class SavedStackAllocations {
118
 public:
119
  SavedStackAllocations() = default;
120

121
  explicit SavedStackAllocations(Thread *t) { CopyFrom(t); }
122

123
  void CopyFrom(Thread *t) {
124
    StackAllocationsRingBuffer *rb = t->stack_allocations();
125
    uptr size = rb->size() * sizeof(uptr);
126
    void *storage =
127
        MmapAlignedOrDieOnFatalError(size, size * 2, "saved stack allocations");
128
    new (&rb_) StackAllocationsRingBuffer(*rb, storage);
129
    thread_id_ = t->unique_id();
130
  }
131

132
  ~SavedStackAllocations() {
133
    if (rb_) {
134
      StackAllocationsRingBuffer *rb = get();
135
      UnmapOrDie(rb->StartOfStorage(), rb->size() * sizeof(uptr));
136
    }
137
  }
138

139
  const StackAllocationsRingBuffer *get() const {
140
    return (const StackAllocationsRingBuffer *)&rb_;
141
  }
142

143
  StackAllocationsRingBuffer *get() {
144
    return (StackAllocationsRingBuffer *)&rb_;
145
  }
146

147
  u32 thread_id() const { return thread_id_; }
148

149
 private:
150
  uptr rb_ = 0;
151
  u32 thread_id_;
152
};
153

154
class Decorator: public __sanitizer::SanitizerCommonDecorator {
155
 public:
156
  Decorator() : SanitizerCommonDecorator() { }
157
  const char *Access() { return Blue(); }
158
  const char *Allocation() const { return Magenta(); }
159
  const char *Origin() const { return Magenta(); }
160
  const char *Name() const { return Green(); }
161
  const char *Location() { return Green(); }
162
  const char *Thread() { return Green(); }
163
};
164
}  // namespace
165

166
static bool FindHeapAllocation(HeapAllocationsRingBuffer *rb, uptr tagged_addr,
167
                               HeapAllocationRecord *har, uptr *ring_index,
168
                               uptr *num_matching_addrs,
169
                               uptr *num_matching_addrs_4b) {
170
  if (!rb) return false;
171

172
  *num_matching_addrs = 0;
173
  *num_matching_addrs_4b = 0;
174
  for (uptr i = 0, size = rb->size(); i < size; i++) {
175
    auto h = (*rb)[i];
176
    if (h.tagged_addr <= tagged_addr &&
177
        h.tagged_addr + h.requested_size > tagged_addr) {
178
      *har = h;
179
      *ring_index = i;
180
      return true;
181
    }
182

183
    // Measure the number of heap ring buffer entries that would have matched
184
    // if we had only one entry per address (e.g. if the ring buffer data was
185
    // stored at the address itself). This will help us tune the allocator
186
    // implementation for MTE.
187
    if (UntagAddr(h.tagged_addr) <= UntagAddr(tagged_addr) &&
188
        UntagAddr(h.tagged_addr) + h.requested_size > UntagAddr(tagged_addr)) {
189
      ++*num_matching_addrs;
190
    }
191

192
    // Measure the number of heap ring buffer entries that would have matched
193
    // if we only had 4 tag bits, which is the case for MTE.
194
    auto untag_4b = [](uptr p) {
195
      return p & ((1ULL << 60) - 1);
196
    };
197
    if (untag_4b(h.tagged_addr) <= untag_4b(tagged_addr) &&
198
        untag_4b(h.tagged_addr) + h.requested_size > untag_4b(tagged_addr)) {
199
      ++*num_matching_addrs_4b;
200
    }
201
  }
202
  return false;
203
}
204

205
static void PrintStackAllocations(const StackAllocationsRingBuffer *sa,
206
                                  tag_t addr_tag, uptr untagged_addr) {
207
  uptr frames = Min((uptr)flags()->stack_history_size, sa->size());
208
  bool found_local = false;
209
  InternalScopedString location;
210
  for (uptr i = 0; i < frames; i++) {
211
    const uptr *record_addr = &(*sa)[i];
212
    uptr record = *record_addr;
213
    if (!record)
214
      break;
215
    tag_t base_tag =
216
        reinterpret_cast<uptr>(record_addr) >> kRecordAddrBaseTagShift;
217
    const uptr fp = (record >> kRecordFPShift) << kRecordFPLShift;
218
    CHECK_LT(fp, kRecordFPModulus);
219
    uptr pc_mask = (1ULL << kRecordFPShift) - 1;
220
    uptr pc = record & pc_mask;
221
    FrameInfo frame;
222
    if (!Symbolizer::GetOrInit()->SymbolizeFrame(pc, &frame))
223
      continue;
224
    for (LocalInfo &local : frame.locals) {
225
      if (!local.has_frame_offset || !local.has_size || !local.has_tag_offset)
226
        continue;
227
      if (!(local.name && internal_strlen(local.name)) &&
228
          !(local.function_name && internal_strlen(local.function_name)) &&
229
          !(local.decl_file && internal_strlen(local.decl_file)))
230
        continue;
231
      tag_t obj_tag = base_tag ^ local.tag_offset;
232
      if (obj_tag != addr_tag)
233
        continue;
234

235
      // We only store bits 4-19 of FP (bits 0-3 are guaranteed to be zero).
236
      // So we know only `FP % kRecordFPModulus`, and we can only calculate
237
      // `local_beg % kRecordFPModulus`.
238
      // Out of all possible `local_beg` we will only consider 2 candidates
239
      // nearest to the `untagged_addr`.
240
      uptr local_beg_mod = (fp + local.frame_offset) % kRecordFPModulus;
241
      // Pick `local_beg` in the same 1 MiB block as `untagged_addr`.
242
      uptr local_beg =
243
          RoundDownTo(untagged_addr, kRecordFPModulus) + local_beg_mod;
244
      // Pick the largest `local_beg <= untagged_addr`. It's either the current
245
      // one or the one before.
246
      if (local_beg > untagged_addr)
247
        local_beg -= kRecordFPModulus;
248

249
      uptr offset = -1ull;
250
      const char *whence;
251
      const char *cause = nullptr;
252
      uptr best_beg;
253

254
      // Try two 1 MiB blocks options and pick nearest one.
255
      for (uptr i = 0; i < 2; ++i, local_beg += kRecordFPModulus) {
256
        uptr local_end = local_beg + local.size;
257
        if (local_beg > local_end)
258
          continue;  // This is a wraparound.
259
        if (local_beg <= untagged_addr && untagged_addr < local_end) {
260
          offset = untagged_addr - local_beg;
261
          whence = "inside";
262
          cause = "use-after-scope";
263
          best_beg = local_beg;
264
          break;  // This is as close at it can be.
265
        }
266

267
        if (untagged_addr >= local_end) {
268
          uptr new_offset = untagged_addr - local_end;
269
          if (new_offset < offset) {
270
            offset = new_offset;
271
            whence = "after";
272
            cause = "stack-buffer-overflow";
273
            best_beg = local_beg;
274
          }
275
        } else {
276
          uptr new_offset = local_beg - untagged_addr;
277
          if (new_offset < offset) {
278
            offset = new_offset;
279
            whence = "before";
280
            cause = "stack-buffer-overflow";
281
            best_beg = local_beg;
282
          }
283
        }
284
      }
285

286
      // To fail the `untagged_addr` must be near nullptr, which is impossible
287
      // with Linux user space memory layout.
288
      if (!cause)
289
        continue;
290

291
      if (!found_local) {
292
        Printf("\nPotentially referenced stack objects:\n");
293
        found_local = true;
294
      }
295

296
      Decorator d;
297
      Printf("%s", d.Error());
298
      Printf("Cause: %s\n", cause);
299
      Printf("%s", d.Default());
300
      Printf("%s", d.Location());
301
      StackTracePrinter::GetOrInit()->RenderSourceLocation(
302
          &location, local.decl_file, local.decl_line, /* column= */ 0,
303
          common_flags()->symbolize_vs_style,
304
          common_flags()->strip_path_prefix);
305
      Printf(
306
          "%p is located %zd bytes %s a %zd-byte local variable %s "
307
          "[%p,%p) "
308
          "in %s %s\n",
309
          untagged_addr, offset, whence, local.size, local.name, best_beg,
310
          best_beg + local.size, local.function_name, location.data());
311
      location.clear();
312
      Printf("%s\n", d.Default());
313
    }
314
    frame.Clear();
315
  }
316

317
  if (found_local)
318
    return;
319

320
  // We didn't find any locals. Most likely we don't have symbols, so dump
321
  // the information that we have for offline analysis.
322
  InternalScopedString frame_desc;
323
  Printf("Previously allocated frames:\n");
324
  for (uptr i = 0; i < frames; i++) {
325
    const uptr *record_addr = &(*sa)[i];
326
    uptr record = *record_addr;
327
    if (!record)
328
      break;
329
    uptr pc_mask = (1ULL << 48) - 1;
330
    uptr pc = record & pc_mask;
331
    frame_desc.AppendF("  record_addr:%p record:0x%zx",
332
                       reinterpret_cast<const void *>(record_addr), record);
333
    SymbolizedStackHolder symbolized_stack(
334
        Symbolizer::GetOrInit()->SymbolizePC(pc));
335
    const SymbolizedStack *frame = symbolized_stack.get();
336
    if (frame) {
337
      StackTracePrinter::GetOrInit()->RenderFrame(
338
          &frame_desc, " %F %L", 0, frame->info.address, &frame->info,
339
          common_flags()->symbolize_vs_style,
340
          common_flags()->strip_path_prefix);
341
    }
342
    Printf("%s\n", frame_desc.data());
343
    frame_desc.clear();
344
  }
345
}
346

347
// Returns true if tag == *tag_ptr, reading tags from short granules if
348
// necessary. This may return a false positive if tags 1-15 are used as a
349
// regular tag rather than a short granule marker.
350
static bool TagsEqual(tag_t tag, tag_t *tag_ptr) {
351
  if (tag == *tag_ptr)
352
    return true;
353
  if (*tag_ptr == 0 || *tag_ptr > kShadowAlignment - 1)
354
    return false;
355
  uptr mem = ShadowToMem(reinterpret_cast<uptr>(tag_ptr));
356
  tag_t inline_tag = *reinterpret_cast<tag_t *>(mem + kShadowAlignment - 1);
357
  return tag == inline_tag;
358
}
359

360
// HWASan globals store the size of the global in the descriptor. In cases where
361
// we don't have a binary with symbols, we can't grab the size of the global
362
// from the debug info - but we might be able to retrieve it from the
363
// descriptor. Returns zero if the lookup failed.
364
static uptr GetGlobalSizeFromDescriptor(uptr ptr) {
365
  // Find the ELF object that this global resides in.
366
  Dl_info info;
367
  if (dladdr(reinterpret_cast<void *>(ptr), &info) == 0)
368
    return 0;
369
  auto *ehdr = reinterpret_cast<const ElfW(Ehdr) *>(info.dli_fbase);
370
  auto *phdr_begin = reinterpret_cast<const ElfW(Phdr) *>(
371
      reinterpret_cast<const u8 *>(ehdr) + ehdr->e_phoff);
372

373
  // Get the load bias. This is normally the same as the dli_fbase address on
374
  // position-independent code, but can be different on non-PIE executables,
375
  // binaries using LLD's partitioning feature, or binaries compiled with a
376
  // linker script.
377
  ElfW(Addr) load_bias = 0;
378
  for (const auto &phdr :
379
       ArrayRef<const ElfW(Phdr)>(phdr_begin, phdr_begin + ehdr->e_phnum)) {
380
    if (phdr.p_type != PT_LOAD || phdr.p_offset != 0)
381
      continue;
382
    load_bias = reinterpret_cast<ElfW(Addr)>(ehdr) - phdr.p_vaddr;
383
    break;
384
  }
385

386
  // Walk all globals in this ELF object, looking for the one we're interested
387
  // in. Once we find it, we can stop iterating and return the size of the
388
  // global we're interested in.
389
  for (const hwasan_global &global :
390
       HwasanGlobalsFor(load_bias, phdr_begin, ehdr->e_phnum))
391
    if (global.addr() <= ptr && ptr < global.addr() + global.size())
392
      return global.size();
393

394
  return 0;
395
}
396

397
void ReportStats() {}
398

399
constexpr uptr kDumpWidth = 16;
400
constexpr uptr kShadowLines = 17;
401
constexpr uptr kShadowDumpSize = kShadowLines * kDumpWidth;
402

403
constexpr uptr kShortLines = 3;
404
constexpr uptr kShortDumpSize = kShortLines * kDumpWidth;
405
constexpr uptr kShortDumpOffset = (kShadowLines - kShortLines) / 2 * kDumpWidth;
406

407
static uptr GetPrintTagStart(uptr addr) {
408
  addr = MemToShadow(addr);
409
  addr = RoundDownTo(addr, kDumpWidth);
410
  addr -= kDumpWidth * (kShadowLines / 2);
411
  return addr;
412
}
413

414
template <typename PrintTag>
415
static void PrintTagInfoAroundAddr(uptr addr, uptr num_rows,
416
                                   InternalScopedString &s,
417
                                   PrintTag print_tag) {
418
  uptr center_row_beg = RoundDownTo(addr, kDumpWidth);
419
  uptr beg_row = center_row_beg - kDumpWidth * (num_rows / 2);
420
  uptr end_row = center_row_beg + kDumpWidth * ((num_rows + 1) / 2);
421
  for (uptr row = beg_row; row < end_row; row += kDumpWidth) {
422
    s.Append(row == center_row_beg ? "=>" : "  ");
423
    s.AppendF("%p:", (void *)ShadowToMem(row));
424
    for (uptr i = 0; i < kDumpWidth; i++) {
425
      s.Append(row + i == addr ? "[" : " ");
426
      print_tag(s, row + i);
427
      s.Append(row + i == addr ? "]" : " ");
428
    }
429
    s.Append("\n");
430
  }
431
}
432

433
template <typename GetTag, typename GetShortTag>
434
static void PrintTagsAroundAddr(uptr addr, GetTag get_tag,
435
                                GetShortTag get_short_tag) {
436
  InternalScopedString s;
437
  addr = MemToShadow(addr);
438
  s.AppendF(
439
      "\nMemory tags around the buggy address (one tag corresponds to %zd "
440
      "bytes):\n",
441
      kShadowAlignment);
442
  PrintTagInfoAroundAddr(addr, kShadowLines, s,
443
                         [&](InternalScopedString &s, uptr tag_addr) {
444
                           tag_t tag = get_tag(tag_addr);
445
                           s.AppendF("%02x", tag);
446
                         });
447

448
  s.AppendF(
449
      "Tags for short granules around the buggy address (one tag corresponds "
450
      "to %zd bytes):\n",
451
      kShadowAlignment);
452
  PrintTagInfoAroundAddr(addr, kShortLines, s,
453
                         [&](InternalScopedString &s, uptr tag_addr) {
454
                           tag_t tag = get_tag(tag_addr);
455
                           if (tag >= 1 && tag <= kShadowAlignment) {
456
                             tag_t short_tag = get_short_tag(tag_addr);
457
                             s.AppendF("%02x", short_tag);
458
                           } else {
459
                             s.Append("..");
460
                           }
461
                         });
462
  s.Append(
463
      "See "
464
      "https://clang.llvm.org/docs/"
465
      "HardwareAssistedAddressSanitizerDesign.html#short-granules for a "
466
      "description of short granule tags\n");
467
  Printf("%s", s.data());
468
}
469

470
static uptr GetTopPc(const StackTrace *stack) {
471
  return stack->size ? StackTrace::GetPreviousInstructionPc(stack->trace[0])
472
                     : 0;
473
}
474

475
namespace {
476
class BaseReport {
477
 public:
478
  BaseReport(StackTrace *stack, bool fatal, uptr tagged_addr, uptr access_size)
479
      : scoped_report(fatal),
480
        stack(stack),
481
        tagged_addr(tagged_addr),
482
        access_size(access_size),
483
        untagged_addr(UntagAddr(tagged_addr)),
484
        ptr_tag(GetTagFromPointer(tagged_addr)),
485
        mismatch_offset(FindMismatchOffset()),
486
        heap(CopyHeapChunk()),
487
        allocations(CopyAllocations()),
488
        candidate(FindBufferOverflowCandidate()),
489
        shadow(CopyShadow()) {}
490

491
 protected:
492
  struct OverflowCandidate {
493
    uptr untagged_addr = 0;
494
    bool after = false;
495
    bool is_close = false;
496

497
    struct {
498
      uptr begin = 0;
499
      uptr end = 0;
500
      u32 thread_id = 0;
501
      u32 stack_id = 0;
502
      bool is_allocated = false;
503
    } heap;
504
  };
505

506
  struct HeapAllocation {
507
    HeapAllocationRecord har = {};
508
    uptr ring_index = 0;
509
    uptr num_matching_addrs = 0;
510
    uptr num_matching_addrs_4b = 0;
511
    u32 free_thread_id = 0;
512
  };
513

514
  struct Allocations {
515
    ArrayRef<SavedStackAllocations> stack;
516
    ArrayRef<HeapAllocation> heap;
517
  };
518

519
  struct HeapChunk {
520
    uptr begin = 0;
521
    uptr size = 0;
522
    u32 stack_id = 0;
523
    bool from_small_heap = false;
524
    bool is_allocated = false;
525
  };
526

527
  struct Shadow {
528
    uptr addr = 0;
529
    tag_t tags[kShadowDumpSize] = {};
530
    tag_t short_tags[kShortDumpSize] = {};
531
  };
532

533
  sptr FindMismatchOffset() const;
534
  Shadow CopyShadow() const;
535
  tag_t GetTagCopy(uptr addr) const;
536
  tag_t GetShortTagCopy(uptr addr) const;
537
  HeapChunk CopyHeapChunk() const;
538
  Allocations CopyAllocations();
539
  OverflowCandidate FindBufferOverflowCandidate() const;
540
  void PrintAddressDescription() const;
541
  void PrintHeapOrGlobalCandidate() const;
542
  void PrintTags(uptr addr) const;
543

544
  SavedStackAllocations stack_allocations_storage[16];
545
  HeapAllocation heap_allocations_storage[256];
546

547
  const ScopedReport scoped_report;
548
  const StackTrace *stack = nullptr;
549
  const uptr tagged_addr = 0;
550
  const uptr access_size = 0;
551
  const uptr untagged_addr = 0;
552
  const tag_t ptr_tag = 0;
553
  const sptr mismatch_offset = 0;
554

555
  const HeapChunk heap;
556
  const Allocations allocations;
557
  const OverflowCandidate candidate;
558

559
  const Shadow shadow;
560
};
561

562
sptr BaseReport::FindMismatchOffset() const {
563
  if (!access_size)
564
    return 0;
565
  sptr offset =
566
      __hwasan_test_shadow(reinterpret_cast<void *>(tagged_addr), access_size);
567
  CHECK_GE(offset, 0);
568
  CHECK_LT(offset, static_cast<sptr>(access_size));
569
  tag_t *tag_ptr =
570
      reinterpret_cast<tag_t *>(MemToShadow(untagged_addr + offset));
571
  tag_t mem_tag = *tag_ptr;
572

573
  if (mem_tag && mem_tag < kShadowAlignment) {
574
    tag_t *granule_ptr = reinterpret_cast<tag_t *>((untagged_addr + offset) &
575
                                                   ~(kShadowAlignment - 1));
576
    // If offset is 0, (untagged_addr + offset) is not aligned to granules.
577
    // This is the offset of the leftmost accessed byte within the bad granule.
578
    u8 in_granule_offset = (untagged_addr + offset) & (kShadowAlignment - 1);
579
    tag_t short_tag = granule_ptr[kShadowAlignment - 1];
580
    // The first mismatch was a short granule that matched the ptr_tag.
581
    if (short_tag == ptr_tag) {
582
      // If the access starts after the end of the short granule, then the first
583
      // bad byte is the first byte of the access; otherwise it is the first
584
      // byte past the end of the short granule
585
      if (mem_tag > in_granule_offset) {
586
        offset += mem_tag - in_granule_offset;
587
      }
588
    }
589
  }
590
  return offset;
591
}
592

593
BaseReport::Shadow BaseReport::CopyShadow() const {
594
  Shadow result;
595
  if (!MemIsApp(untagged_addr))
596
    return result;
597

598
  result.addr = GetPrintTagStart(untagged_addr + mismatch_offset);
599
  uptr tag_addr = result.addr;
600
  uptr short_end = kShortDumpOffset + ARRAY_SIZE(shadow.short_tags);
601
  for (uptr i = 0; i < ARRAY_SIZE(result.tags); ++i, ++tag_addr) {
602
    if (!MemIsShadow(tag_addr))
603
      continue;
604
    result.tags[i] = *reinterpret_cast<tag_t *>(tag_addr);
605
    if (i < kShortDumpOffset || i >= short_end)
606
      continue;
607
    uptr granule_addr = ShadowToMem(tag_addr);
608
    if (1 <= result.tags[i] && result.tags[i] <= kShadowAlignment &&
609
        IsAccessibleMemoryRange(granule_addr, kShadowAlignment)) {
610
      result.short_tags[i - kShortDumpOffset] =
611
          *reinterpret_cast<tag_t *>(granule_addr + kShadowAlignment - 1);
612
    }
613
  }
614
  return result;
615
}
616

617
tag_t BaseReport::GetTagCopy(uptr addr) const {
618
  CHECK_GE(addr, shadow.addr);
619
  uptr idx = addr - shadow.addr;
620
  CHECK_LT(idx, ARRAY_SIZE(shadow.tags));
621
  return shadow.tags[idx];
622
}
623

624
tag_t BaseReport::GetShortTagCopy(uptr addr) const {
625
  CHECK_GE(addr, shadow.addr + kShortDumpOffset);
626
  uptr idx = addr - shadow.addr - kShortDumpOffset;
627
  CHECK_LT(idx, ARRAY_SIZE(shadow.short_tags));
628
  return shadow.short_tags[idx];
629
}
630

631
BaseReport::HeapChunk BaseReport::CopyHeapChunk() const {
632
  HeapChunk result = {};
633
  if (MemIsShadow(untagged_addr))
634
    return result;
635
  HwasanChunkView chunk = FindHeapChunkByAddress(untagged_addr);
636
  result.begin = chunk.Beg();
637
  if (result.begin) {
638
    result.size = chunk.ActualSize();
639
    result.from_small_heap = chunk.FromSmallHeap();
640
    result.is_allocated = chunk.IsAllocated();
641
    result.stack_id = chunk.GetAllocStackId();
642
  }
643
  return result;
644
}
645

646
BaseReport::Allocations BaseReport::CopyAllocations() {
647
  if (MemIsShadow(untagged_addr))
648
    return {};
649
  uptr stack_allocations_count = 0;
650
  uptr heap_allocations_count = 0;
651
  hwasanThreadList().VisitAllLiveThreads([&](Thread *t) {
652
    if (stack_allocations_count < ARRAY_SIZE(stack_allocations_storage) &&
653
        t->AddrIsInStack(untagged_addr)) {
654
      stack_allocations_storage[stack_allocations_count++].CopyFrom(t);
655
    }
656

657
    if (heap_allocations_count < ARRAY_SIZE(heap_allocations_storage)) {
658
      // Scan all threads' ring buffers to find if it's a heap-use-after-free.
659
      HeapAllocationRecord har;
660
      uptr ring_index, num_matching_addrs, num_matching_addrs_4b;
661
      if (FindHeapAllocation(t->heap_allocations(), tagged_addr, &har,
662
                             &ring_index, &num_matching_addrs,
663
                             &num_matching_addrs_4b)) {
664
        auto &ha = heap_allocations_storage[heap_allocations_count++];
665
        ha.har = har;
666
        ha.ring_index = ring_index;
667
        ha.num_matching_addrs = num_matching_addrs;
668
        ha.num_matching_addrs_4b = num_matching_addrs_4b;
669
        ha.free_thread_id = t->unique_id();
670
      }
671
    }
672
  });
673

674
  return {{stack_allocations_storage, stack_allocations_count},
675
          {heap_allocations_storage, heap_allocations_count}};
676
}
677

678
BaseReport::OverflowCandidate BaseReport::FindBufferOverflowCandidate() const {
679
  OverflowCandidate result = {};
680
  if (MemIsShadow(untagged_addr))
681
    return result;
682
  // Check if this looks like a heap buffer overflow by scanning
683
  // the shadow left and right and looking for the first adjacent
684
  // object with a different memory tag. If that tag matches ptr_tag,
685
  // check the allocator if it has a live chunk there.
686
  tag_t *tag_ptr = reinterpret_cast<tag_t *>(MemToShadow(untagged_addr));
687
  tag_t *candidate_tag_ptr = nullptr, *left = tag_ptr, *right = tag_ptr;
688
  uptr candidate_distance = 0;
689
  for (; candidate_distance < 1000; candidate_distance++) {
690
    if (MemIsShadow(reinterpret_cast<uptr>(left)) && TagsEqual(ptr_tag, left)) {
691
      candidate_tag_ptr = left;
692
      break;
693
    }
694
    --left;
695
    if (MemIsShadow(reinterpret_cast<uptr>(right)) &&
696
        TagsEqual(ptr_tag, right)) {
697
      candidate_tag_ptr = right;
698
      break;
699
    }
700
    ++right;
701
  }
702

703
  constexpr auto kCloseCandidateDistance = 1;
704
  result.is_close = candidate_distance <= kCloseCandidateDistance;
705

706
  result.after = candidate_tag_ptr == left;
707
  result.untagged_addr = ShadowToMem(reinterpret_cast<uptr>(candidate_tag_ptr));
708
  HwasanChunkView chunk = FindHeapChunkByAddress(result.untagged_addr);
709
  if (chunk.IsAllocated()) {
710
    result.heap.is_allocated = true;
711
    result.heap.begin = chunk.Beg();
712
    result.heap.end = chunk.End();
713
    result.heap.thread_id = chunk.GetAllocThreadId();
714
    result.heap.stack_id = chunk.GetAllocStackId();
715
  }
716
  return result;
717
}
718

719
void BaseReport::PrintHeapOrGlobalCandidate() const {
720
  Decorator d;
721
  if (candidate.heap.is_allocated) {
722
    uptr offset;
723
    const char *whence;
724
    if (candidate.heap.begin <= untagged_addr &&
725
        untagged_addr < candidate.heap.end) {
726
      offset = untagged_addr - candidate.heap.begin;
727
      whence = "inside";
728
    } else if (candidate.after) {
729
      offset = untagged_addr - candidate.heap.end;
730
      whence = "after";
731
    } else {
732
      offset = candidate.heap.begin - untagged_addr;
733
      whence = "before";
734
    }
735
    Printf("%s", d.Error());
736
    Printf("\nCause: heap-buffer-overflow\n");
737
    Printf("%s", d.Default());
738
    Printf("%s", d.Location());
739
    Printf("%p is located %zd bytes %s a %zd-byte region [%p,%p)\n",
740
           untagged_addr, offset, whence,
741
           candidate.heap.end - candidate.heap.begin, candidate.heap.begin,
742
           candidate.heap.end);
743
    Printf("%s", d.Allocation());
744
    Printf("allocated by thread T%u here:\n", candidate.heap.thread_id);
745
    Printf("%s", d.Default());
746
    GetStackTraceFromId(candidate.heap.stack_id).Print();
747
    return;
748
  }
749
  // Check whether the address points into a loaded library. If so, this is
750
  // most likely a global variable.
751
  const char *module_name;
752
  uptr module_address;
753
  Symbolizer *sym = Symbolizer::GetOrInit();
754
  if (sym->GetModuleNameAndOffsetForPC(candidate.untagged_addr, &module_name,
755
                                       &module_address)) {
756
    Printf("%s", d.Error());
757
    Printf("\nCause: global-overflow\n");
758
    Printf("%s", d.Default());
759
    DataInfo info;
760
    Printf("%s", d.Location());
761
    if (sym->SymbolizeData(candidate.untagged_addr, &info) && info.start) {
762
      Printf(
763
          "%p is located %zd bytes %s a %zd-byte global variable "
764
          "%s [%p,%p) in %s\n",
765
          untagged_addr,
766
          candidate.after ? untagged_addr - (info.start + info.size)
767
                          : info.start - untagged_addr,
768
          candidate.after ? "after" : "before", info.size, info.name,
769
          info.start, info.start + info.size, module_name);
770
    } else {
771
      uptr size = GetGlobalSizeFromDescriptor(candidate.untagged_addr);
772
      if (size == 0)
773
        // We couldn't find the size of the global from the descriptors.
774
        Printf(
775
            "%p is located %s a global variable in "
776
            "\n    #0 0x%x (%s+0x%x)\n",
777
            untagged_addr, candidate.after ? "after" : "before",
778
            candidate.untagged_addr, module_name, module_address);
779
      else
780
        Printf(
781
            "%p is located %s a %zd-byte global variable in "
782
            "\n    #0 0x%x (%s+0x%x)\n",
783
            untagged_addr, candidate.after ? "after" : "before", size,
784
            candidate.untagged_addr, module_name, module_address);
785
    }
786
    Printf("%s", d.Default());
787
  }
788
}
789

790
void BaseReport::PrintAddressDescription() const {
791
  Decorator d;
792
  int num_descriptions_printed = 0;
793

794
  if (MemIsShadow(untagged_addr)) {
795
    Printf("%s%p is HWAsan shadow memory.\n%s", d.Location(), untagged_addr,
796
           d.Default());
797
    return;
798
  }
799

800
  // Print some very basic information about the address, if it's a heap.
801
  if (heap.begin) {
802
    Printf(
803
        "%s[%p,%p) is a %s %s heap chunk; "
804
        "size: %zd offset: %zd\n%s",
805
        d.Location(), heap.begin, heap.begin + heap.size,
806
        heap.from_small_heap ? "small" : "large",
807
        heap.is_allocated ? "allocated" : "unallocated", heap.size,
808
        untagged_addr - heap.begin, d.Default());
809
  }
810

811
  auto announce_by_id = [](u32 thread_id) {
812
    hwasanThreadList().VisitAllLiveThreads([&](Thread *t) {
813
      if (thread_id == t->unique_id())
814
        t->Announce();
815
    });
816
  };
817

818
  // Check stack first. If the address is on the stack of a live thread, we
819
  // know it cannot be a heap / global overflow.
820
  for (const auto &sa : allocations.stack) {
821
    Printf("%s", d.Error());
822
    Printf("\nCause: stack tag-mismatch\n");
823
    Printf("%s", d.Location());
824
    Printf("Address %p is located in stack of thread T%zd\n", untagged_addr,
825
           sa.thread_id());
826
    Printf("%s", d.Default());
827
    announce_by_id(sa.thread_id());
828
    PrintStackAllocations(sa.get(), ptr_tag, untagged_addr);
829
    num_descriptions_printed++;
830
  }
831

832
  if (allocations.stack.empty() && candidate.untagged_addr &&
833
      candidate.is_close) {
834
    PrintHeapOrGlobalCandidate();
835
    num_descriptions_printed++;
836
  }
837

838
  for (const auto &ha : allocations.heap) {
839
    const HeapAllocationRecord har = ha.har;
840

841
    Printf("%s", d.Error());
842
    Printf("\nCause: use-after-free\n");
843
    Printf("%s", d.Location());
844
    Printf("%p is located %zd bytes inside a %zd-byte region [%p,%p)\n",
845
           untagged_addr, untagged_addr - UntagAddr(har.tagged_addr),
846
           har.requested_size, UntagAddr(har.tagged_addr),
847
           UntagAddr(har.tagged_addr) + har.requested_size);
848
    Printf("%s", d.Allocation());
849
    Printf("freed by thread T%u here:\n", ha.free_thread_id);
850
    Printf("%s", d.Default());
851
    GetStackTraceFromId(har.free_context_id).Print();
852

853
    Printf("%s", d.Allocation());
854
    Printf("previously allocated by thread T%u here:\n", har.alloc_thread_id);
855
    Printf("%s", d.Default());
856
    GetStackTraceFromId(har.alloc_context_id).Print();
857

858
    // Print a developer note: the index of this heap object
859
    // in the thread's deallocation ring buffer.
860
    Printf("hwasan_dev_note_heap_rb_distance: %zd %zd\n", ha.ring_index + 1,
861
           flags()->heap_history_size);
862
    Printf("hwasan_dev_note_num_matching_addrs: %zd\n", ha.num_matching_addrs);
863
    Printf("hwasan_dev_note_num_matching_addrs_4b: %zd\n",
864
           ha.num_matching_addrs_4b);
865

866
    announce_by_id(ha.free_thread_id);
867
    // TODO: announce_by_id(har.alloc_thread_id);
868
    num_descriptions_printed++;
869
  }
870

871
  if (candidate.untagged_addr && num_descriptions_printed == 0) {
872
    PrintHeapOrGlobalCandidate();
873
    num_descriptions_printed++;
874
  }
875

876
  // Print the remaining threads, as an extra information, 1 line per thread.
877
  if (flags()->print_live_threads_info) {
878
    Printf("\n");
879
    hwasanThreadList().VisitAllLiveThreads([&](Thread *t) { t->Announce(); });
880
  }
881

882
  if (!num_descriptions_printed)
883
    // We exhausted our possibilities. Bail out.
884
    Printf("HWAddressSanitizer can not describe address in more detail.\n");
885
  if (num_descriptions_printed > 1) {
886
    Printf(
887
        "There are %d potential causes, printed above in order "
888
        "of likeliness.\n",
889
        num_descriptions_printed);
890
  }
891
}
892

893
void BaseReport::PrintTags(uptr addr) const {
894
  if (shadow.addr) {
895
    PrintTagsAroundAddr(
896
        addr, [&](uptr addr) { return GetTagCopy(addr); },
897
        [&](uptr addr) { return GetShortTagCopy(addr); });
898
  }
899
}
900

901
class InvalidFreeReport : public BaseReport {
902
 public:
903
  InvalidFreeReport(StackTrace *stack, uptr tagged_addr)
904
      : BaseReport(stack, flags()->halt_on_error, tagged_addr, 0) {}
905
  ~InvalidFreeReport();
906

907
 private:
908
};
909

910
InvalidFreeReport::~InvalidFreeReport() {
911
  Decorator d;
912
  Printf("%s", d.Error());
913
  uptr pc = GetTopPc(stack);
914
  const char *bug_type = "invalid-free";
915
  const Thread *thread = GetCurrentThread();
916
  if (thread) {
917
    Report("ERROR: %s: %s on address %p at pc %p on thread T%zd\n",
918
           SanitizerToolName, bug_type, untagged_addr, pc, thread->unique_id());
919
  } else {
920
    Report("ERROR: %s: %s on address %p at pc %p on unknown thread\n",
921
           SanitizerToolName, bug_type, untagged_addr, pc);
922
  }
923
  Printf("%s", d.Access());
924
  if (shadow.addr) {
925
    Printf("tags: %02x/%02x (ptr/mem)\n", ptr_tag,
926
           GetTagCopy(MemToShadow(untagged_addr)));
927
  }
928
  Printf("%s", d.Default());
929

930
  stack->Print();
931

932
  PrintAddressDescription();
933
  PrintTags(untagged_addr);
934
  MaybePrintAndroidHelpUrl();
935
  ReportErrorSummary(bug_type, stack);
936
}
937

938
class TailOverwrittenReport : public BaseReport {
939
 public:
940
  explicit TailOverwrittenReport(StackTrace *stack, uptr tagged_addr,
941
                                 uptr orig_size, const u8 *expected)
942
      : BaseReport(stack, flags()->halt_on_error, tagged_addr, 0),
943
        orig_size(orig_size),
944
        tail_size(kShadowAlignment - (orig_size % kShadowAlignment)) {
945
    CHECK_GT(tail_size, 0U);
946
    CHECK_LT(tail_size, kShadowAlignment);
947
    internal_memcpy(tail_copy,
948
                    reinterpret_cast<u8 *>(untagged_addr + orig_size),
949
                    tail_size);
950
    internal_memcpy(actual_expected, expected, tail_size);
951
    // Short granule is stashed in the last byte of the magic string. To avoid
952
    // confusion, make the expected magic string contain the short granule tag.
953
    if (orig_size % kShadowAlignment != 0)
954
      actual_expected[tail_size - 1] = ptr_tag;
955
  }
956
  ~TailOverwrittenReport();
957

958
 private:
959
  const uptr orig_size = 0;
960
  const uptr tail_size = 0;
961
  u8 actual_expected[kShadowAlignment] = {};
962
  u8 tail_copy[kShadowAlignment] = {};
963
};
964

965
TailOverwrittenReport::~TailOverwrittenReport() {
966
  Decorator d;
967
  Printf("%s", d.Error());
968
  const char *bug_type = "allocation-tail-overwritten";
969
  Report("ERROR: %s: %s; heap object [%p,%p) of size %zd\n", SanitizerToolName,
970
         bug_type, untagged_addr, untagged_addr + orig_size, orig_size);
971
  Printf("\n%s", d.Default());
972
  Printf(
973
      "Stack of invalid access unknown. Issue detected at deallocation "
974
      "time.\n");
975
  Printf("%s", d.Allocation());
976
  Printf("deallocated here:\n");
977
  Printf("%s", d.Default());
978
  stack->Print();
979
  if (heap.begin) {
980
    Printf("%s", d.Allocation());
981
    Printf("allocated here:\n");
982
    Printf("%s", d.Default());
983
    GetStackTraceFromId(heap.stack_id).Print();
984
  }
985

986
  InternalScopedString s;
987
  u8 *tail = tail_copy;
988
  s.Append("Tail contains: ");
989
  for (uptr i = 0; i < kShadowAlignment - tail_size; i++) s.Append(".. ");
990
  for (uptr i = 0; i < tail_size; i++) s.AppendF("%02x ", tail[i]);
991
  s.Append("\n");
992
  s.Append("Expected:      ");
993
  for (uptr i = 0; i < kShadowAlignment - tail_size; i++) s.Append(".. ");
994
  for (uptr i = 0; i < tail_size; i++) s.AppendF("%02x ", actual_expected[i]);
995
  s.Append("\n");
996
  s.Append("               ");
997
  for (uptr i = 0; i < kShadowAlignment - tail_size; i++) s.Append("   ");
998
  for (uptr i = 0; i < tail_size; i++)
999
    s.AppendF("%s ", actual_expected[i] != tail[i] ? "^^" : "  ");
1000

1001
  s.AppendF(
1002
      "\nThis error occurs when a buffer overflow overwrites memory\n"
1003
      "after a heap object, but within the %zd-byte granule, e.g.\n"
1004
      "   char *x = new char[20];\n"
1005
      "   x[25] = 42;\n"
1006
      "%s does not detect such bugs in uninstrumented code at the time of "
1007
      "write,"
1008
      "\nbut can detect them at the time of free/delete.\n"
1009
      "To disable this feature set HWASAN_OPTIONS=free_checks_tail_magic=0\n",
1010
      kShadowAlignment, SanitizerToolName);
1011
  Printf("%s", s.data());
1012
  GetCurrentThread()->Announce();
1013
  PrintTags(untagged_addr);
1014
  MaybePrintAndroidHelpUrl();
1015
  ReportErrorSummary(bug_type, stack);
1016
}
1017

1018
class TagMismatchReport : public BaseReport {
1019
 public:
1020
  explicit TagMismatchReport(StackTrace *stack, uptr tagged_addr,
1021
                             uptr access_size, bool is_store, bool fatal,
1022
                             uptr *registers_frame)
1023
      : BaseReport(stack, fatal, tagged_addr, access_size),
1024
        is_store(is_store),
1025
        registers_frame(registers_frame) {}
1026
  ~TagMismatchReport();
1027

1028
 private:
1029
  const bool is_store;
1030
  const uptr *registers_frame;
1031
};
1032

1033
TagMismatchReport::~TagMismatchReport() {
1034
  Decorator d;
1035
  // TODO: when possible, try to print heap-use-after-free, etc.
1036
  const char *bug_type = "tag-mismatch";
1037
  uptr pc = GetTopPc(stack);
1038
  Printf("%s", d.Error());
1039
  Report("ERROR: %s: %s on address %p at pc %p\n", SanitizerToolName, bug_type,
1040
         untagged_addr, pc);
1041

1042
  Thread *t = GetCurrentThread();
1043

1044
  tag_t mem_tag = GetTagCopy(MemToShadow(untagged_addr + mismatch_offset));
1045

1046
  Printf("%s", d.Access());
1047
  if (mem_tag && mem_tag < kShadowAlignment) {
1048
    tag_t short_tag =
1049
        GetShortTagCopy(MemToShadow(untagged_addr + mismatch_offset));
1050
    Printf(
1051
        "%s of size %zu at %p tags: %02x/%02x(%02x) (ptr/mem) in thread T%zd\n",
1052
        is_store ? "WRITE" : "READ", access_size, untagged_addr, ptr_tag,
1053
        mem_tag, short_tag, t->unique_id());
1054
  } else {
1055
    Printf("%s of size %zu at %p tags: %02x/%02x (ptr/mem) in thread T%zd\n",
1056
           is_store ? "WRITE" : "READ", access_size, untagged_addr, ptr_tag,
1057
           mem_tag, t->unique_id());
1058
  }
1059
  if (mismatch_offset)
1060
    Printf("Invalid access starting at offset %zu\n", mismatch_offset);
1061
  Printf("%s", d.Default());
1062

1063
  stack->Print();
1064

1065
  PrintAddressDescription();
1066
  t->Announce();
1067

1068
  PrintTags(untagged_addr + mismatch_offset);
1069

1070
  if (registers_frame)
1071
    ReportRegisters(registers_frame, pc);
1072

1073
  MaybePrintAndroidHelpUrl();
1074
  ReportErrorSummary(bug_type, stack);
1075
}
1076
}  // namespace
1077

1078
void ReportInvalidFree(StackTrace *stack, uptr tagged_addr) {
1079
  InvalidFreeReport R(stack, tagged_addr);
1080
}
1081

1082
void ReportTailOverwritten(StackTrace *stack, uptr tagged_addr, uptr orig_size,
1083
                           const u8 *expected) {
1084
  TailOverwrittenReport R(stack, tagged_addr, orig_size, expected);
1085
}
1086

1087
void ReportTagMismatch(StackTrace *stack, uptr tagged_addr, uptr access_size,
1088
                       bool is_store, bool fatal, uptr *registers_frame) {
1089
  TagMismatchReport R(stack, tagged_addr, access_size, is_store, fatal,
1090
                      registers_frame);
1091
}
1092

1093
// See the frame breakdown defined in __hwasan_tag_mismatch (from
1094
// hwasan_tag_mismatch_{aarch64,riscv64}.S).
1095
void ReportRegisters(const uptr *frame, uptr pc) {
1096
  Printf("\nRegisters where the failure occurred (pc %p):\n", pc);
1097

1098
  // We explicitly print a single line (4 registers/line) each iteration to
1099
  // reduce the amount of logcat error messages printed. Each Printf() will
1100
  // result in a new logcat line, irrespective of whether a newline is present,
1101
  // and so we wish to reduce the number of Printf() calls we have to make.
1102
#if defined(__aarch64__)
1103
  Printf("    x0  %016llx  x1  %016llx  x2  %016llx  x3  %016llx\n",
1104
       frame[0], frame[1], frame[2], frame[3]);
1105
#elif SANITIZER_RISCV64
1106
  Printf("    sp  %016llx  x1  %016llx  x2  %016llx  x3  %016llx\n",
1107
         reinterpret_cast<const u8 *>(frame) + 256, frame[1], frame[2],
1108
         frame[3]);
1109
#endif
1110
  Printf("    x4  %016llx  x5  %016llx  x6  %016llx  x7  %016llx\n",
1111
       frame[4], frame[5], frame[6], frame[7]);
1112
  Printf("    x8  %016llx  x9  %016llx  x10 %016llx  x11 %016llx\n",
1113
       frame[8], frame[9], frame[10], frame[11]);
1114
  Printf("    x12 %016llx  x13 %016llx  x14 %016llx  x15 %016llx\n",
1115
       frame[12], frame[13], frame[14], frame[15]);
1116
  Printf("    x16 %016llx  x17 %016llx  x18 %016llx  x19 %016llx\n",
1117
       frame[16], frame[17], frame[18], frame[19]);
1118
  Printf("    x20 %016llx  x21 %016llx  x22 %016llx  x23 %016llx\n",
1119
       frame[20], frame[21], frame[22], frame[23]);
1120
  Printf("    x24 %016llx  x25 %016llx  x26 %016llx  x27 %016llx\n",
1121
       frame[24], frame[25], frame[26], frame[27]);
1122
  // hwasan_check* reduces the stack pointer by 256, then __hwasan_tag_mismatch
1123
  // passes it to this function.
1124
#if defined(__aarch64__)
1125
  Printf("    x28 %016llx  x29 %016llx  x30 %016llx   sp %016llx\n", frame[28],
1126
         frame[29], frame[30], reinterpret_cast<const u8 *>(frame) + 256);
1127
#elif SANITIZER_RISCV64
1128
  Printf("    x28 %016llx  x29 %016llx  x30 %016llx  x31 %016llx\n", frame[28],
1129
         frame[29], frame[30], frame[31]);
1130
#else
1131
#endif
1132
}
1133

1134
}  // namespace __hwasan
1135

1136
void __hwasan_set_error_report_callback(void (*callback)(const char *)) {
1137
  __hwasan::ScopedReport::SetErrorReportCallback(callback);
1138
}
1139

1140