Skip to content

ASan should detect writing to a basic_string's reserved but uninitialized memory #5252

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
StephanTLavavej merged 9 commits into from
Jan 29, 2025
Merged

ASan should detect writing to a basic_string's reserved but uninitialized memory #5252

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
90e8f09
manually modify ASan annotations on `reserve` and add unit test. Miss…
davidmrdavid Jan 24, 2025
7538633
add death test
davidmrdavid Jan 24, 2025
281910e
fix spacing in comment
davidmrdavid Jan 24, 2025
756e2f4
add comment to test
davidmrdavid Jan 24, 2025
6457226
run: clang-format
davidmrdavid Jan 25, 2025
3b8cdbd
Fix comment typos.
StephanTLavavej Jan 28, 2025
2c07dff
Drop redundant `std::` qualification.
StephanTLavavej Jan 28, 2025
5195bab
Avoid shadowing: `data` => `myData`
StephanTLavavej Jan 28, 2025
d0a9a4b
Simplify: `basic_string<char>` => `string`
StephanTLavavej Jan 28, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions stl/inc/xstring
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2418,6 +2418,10 @@ public:
[](_Elem* const _New_ptr, const _Elem* const _Old_ptr, const size_type _Old_size)
_STATIC_CALL_OPERATOR { _Traits::copy(_New_ptr, _Old_ptr, _Old_size + 1); });

// `_Reallocate_grow_by` calls `_ASAN_STRING_CREATE` assuming that the string
// has size (initialized memory) equal to its new capacity (allocated memory).
// This is not true for the `reserve` method, so we modify the ASan annotation.
_ASAN_STRING_MODIFY(*this, _Mypair._Myval2._Mysize, _Old_size);
_Mypair._Myval2._Mysize = _Old_size;
}

Expand All @@ -2442,6 +2446,10 @@ public:
[](_Elem* const _New_ptr, const _Elem* const _Old_ptr, const size_type _Old_size)
_STATIC_CALL_OPERATOR { _Traits::copy(_New_ptr, _Old_ptr, _Old_size + 1); });

// `_Reallocate_grow_by` calls `_ASAN_STRING_CREATE` assuming that the string
// has size (initialized memory) equal to its new capacity (allocated memory).
// This is not true for the `reserve` method, so we modify the ASan annotation.
_ASAN_STRING_MODIFY(*this, _Mypair._Myval2._Mysize, _Old_size);
_Mypair._Myval2._Mysize = _Old_size;
return;
}
Expand Down
39 changes: 28 additions & 11 deletions tests/std/tests/GH_002030_asan_annotate_string/test.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,8 @@
#include <new>
#include <sstream>
#include <string>

#include <test_death.hpp>
#if _HAS_CXX17
#include <string_view>
#endif // _HAS_CXX17
Expand Down Expand Up @@ -1917,17 +1919,32 @@ void test_gh_3955() {
assert(s == t);
}

int main() {
run_allocator_matrix<char>();
void test_gh_5251() {
// GH-5251 <string>: ASan annotations do not prevent writing to allocated
// but uninitialized basic_string memory
string myString;
myString.reserve(100);
char* myData = &myString[0];
myData[50] = 'A'; // ASan should fire!
}

int main(int argc, char* argv[]) {
std_testing::death_test_executive exec([] {
run_allocator_matrix<char>();
#ifdef __cpp_char8_t
run_allocator_matrix<char8_t>();
run_allocator_matrix<char8_t>();
#endif // __cpp_char8_t
run_allocator_matrix<char16_t>();
run_allocator_matrix<char32_t>();
run_allocator_matrix<wchar_t>();

test_DevCom_10116361();
test_DevCom_10109507();
test_gh_3883();
test_gh_3955();
run_allocator_matrix<char16_t>();
run_allocator_matrix<char32_t>();
run_allocator_matrix<wchar_t>();

test_DevCom_10116361();
test_DevCom_10109507();
test_gh_3883();
test_gh_3955();
});
#ifdef __SANITIZE_ADDRESS__
exec.add_death_tests({test_gh_5251});
#endif // ASan instrumentation enabled
return exec.run(argc, argv);
}