Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / external / clang / 6c552c1d5f47fbba00e6268d96a26ad026f2da2a^! / . / lib / CodeGen / CodeGenFunction.cpp
commit6c552c1d5f47fbba00e6268d96a26ad026f2da2a[log] [tgz]
authorChris Lattner <sabre@nondot.org>Tue Jul 20 20:19:24 2010 +0000
committerChris Lattner <sabre@nondot.org>Tue Jul 20 20:19:24 2010 +0000
tree0db7f53769c0611ae1901d17e402351a18eef312
parentf033f1da4a34f8df6e95e9929dc04ff54bb8fb01 [diff] [blame]
implement rdar://5739832 - operator new should check for overflow in multiply,
causing clang to compile this code into something that correctly throws a
length error, fixing a potential integer overflow security attack:

void *test(long N) {
  return new int[N];
}

int main() {
  test(1L << 62);
}

We do this even when exceptions are disabled, because it is better for the
code to abort than for the attack to succeed.

This is heavily based on a patch that Fariborz wrote.



git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@108915 91177308-0d34-0410-b5e6-96231b3b80d8

diff --git a/lib/CodeGen/CodeGenFunction.cpp b/lib/CodeGen/CodeGenFunction.cpp
index eb6c436..5e5e2a4 100644
--- a/lib/CodeGen/CodeGenFunction.cpp
+++ b/lib/CodeGen/CodeGenFunction.cpp

@@ -36,7 +36,7 @@
     DidCallStackSave(false), UnreachableBlock(0),
     CXXThisDecl(0), CXXThisValue(0), CXXVTTDecl(0), CXXVTTValue(0),
     ConditionalBranchLevel(0), TerminateLandingPad(0), TerminateHandler(0),
-    TrapBB(0) {
+    TrapBB(0), ThrowLengthErrorBB(0) {
       
   // Get some frequently used types.
   LLVMPointerWidth = Target.getPointerWidth(0);
@@ -155,6 +155,13 @@
     Builder.ClearInsertionPoint();
   }
   
+  // If someone called operator new[] and needs a throw_length_error block, emit
+  // it at the end of the function.
+  if (ThrowLengthErrorBB) {
+    EmitBlock(ThrowLengthErrorBB);
+    Builder.ClearInsertionPoint();
+  }
+  
   // Remove the AllocaInsertPt instruction, which is just a convenience for us.
   llvm::Instruction *Ptr = AllocaInsertPt;
   AllocaInsertPt = 0;
@@ -178,6 +185,37 @@
     EmitDeclMetadata();
 }
 
+/// getThrowLengthErrorBB - Create a basic block that will call
+/// std::__throw_length_error to throw a std::length_error exception.
+llvm::BasicBlock *CodeGenFunction::getThrowLengthErrorBB() {
+  if (ThrowLengthErrorBB) return ThrowLengthErrorBB;
+  
+  llvm::IRBuilder<>::InsertPoint SavedIP = Builder.saveIP();
+  
+  ThrowLengthErrorBB = createBasicBlock("throw_length_error");
+  Builder.SetInsertPoint(ThrowLengthErrorBB);
+  
+  // Call to void std::__throw_length_error("length_error");
+  const llvm::Type *ResultType = Builder.getVoidTy();
+  const llvm::Type *PtrToInt8Ty = Builder.getInt8PtrTy();
+  std::vector<const llvm::Type*> ArgTys(1, PtrToInt8Ty);
+  llvm::Constant *Fn = 
+   CGM.CreateRuntimeFunction(llvm::FunctionType::get(ResultType, ArgTys, false),
+                             "_ZSt20__throw_length_errorPKc");
+    
+  llvm::Value *C = CGM.GetAddrOfConstantCString("length_error");
+  C = Builder.CreateStructGEP(C, 0, "arraydecay");
+  llvm::CallInst *TheCall = Builder.CreateCall(Fn, C);
+  TheCall->setDoesNotReturn();
+
+  Builder.CreateUnreachable();
+  
+  
+  Builder.restoreIP(SavedIP);
+  return ThrowLengthErrorBB;
+}
+
+
 /// ShouldInstrumentFunction - Return true if the current function should be
 /// instrumented with __cyg_profile_func_* calls
 bool CodeGenFunction::ShouldInstrumentFunction() {