Julian Lettner via llvm-dev
2019-Apr-26 20:10 UTC
[llvm-dev] [ASan][Windows] Interceptor function type not compatible with intercepted function
Hi,

I triggered a build failure on a Windows-sanitizer by making the sanity checking in `ASAN_INTERCEPT_FUNC` a bit stricter. My best guess is that the type of the defined interceptor is not compatible (in C++ typing terms) with the “real” function.

This seems to be the case for the following 2 functions:

CreateThread “no conversion”:
  From: 'DWORD (__cdecl *)(void *, __sanitizer::uptr, DWORD (__cdecl *)(void *), void *, DWORD, void *)'
  To:   'HANDLE (__cdecl *)(LPSECURITY_ATTRIBUTES, SIZE_T, LPTHREAD_START_ROUTINE, LPVOID, DWORD, LPDWORD)'

__C_specific_handler:
  From: 'int (__cdecl *)(void *, void *, void *, void *)'
  To:   'EXCEPTION_DISPOSITION (__cdecl *)(_EXCEPTION_RECORD *, void *, _CONTEXT *, _DISPATCHER_CONTEXT *)'

Can someone on the Windows side take a quick look and revert my temporary fix?

Thanks!
Julian

Bot failure: http://lab.llvm.org:8011/builders/sanitizer-windows/builds/45049/steps/stage%201%20build/logs/stdio

My temporary fix: https://github.com/llvm/llvm-project/commit/93c05f097a969666d48d67b8a658d5bc7e164478
<Alexander G. Riccio> via llvm-dev
2019-Apr-26 22:41 UTC
[llvm-dev] [ASan][Windows] Interceptor function type not compatible with intercepted function
While I'm not an active LLVM dev at the moment, this piqued my interest.

It looks like the interceptor function is trying to return a DWORD from CreateThread, where it should be returning a HANDLE (which is basically a void*, something I've exploited in the past for statically checking resource leaks & handle misuse). The C specific handler looks like the same thing, returning int instead of EXCEPTION_DISPOSITION. I bet that'd fix it.
David Major via llvm-dev
2019-Apr-26 23:16 UTC
[llvm-dev] [ASan][Windows] Interceptor function type not compatible with intercepted function
It looks like the parameters of the interceptors were written in more familiar/basic types rather than their official Windows formats. I've seen that done in another project to avoid pulling in some of the more obscure Windows headers, although that doesn't seem to be a problem here. Maybe it was done to avoid noisy casts in the interceptor body, I don't know.

Ideally the fix is to "just" use the correct types, but maybe it's not that simple. Try it and see what happens.
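The CreateThread mismatch from this thread, as an added example that is not part of the original messages and not compiler-rt code: it checks whether an interceptor's function-pointer type converts to the real function's type and reports which positions differ. The typedefs are constructed stand-ins for the Windows types so the file builds without the Windows SDK, and `SigDiff` and `interceptor_compatible` are hypothetical helper names.

```cpp
// Added illustration: constructed stand-in typedefs, not the Windows SDK
// headers and not compiler-rt's interception macros.
#include <cstddef>
#include <type_traits>

using DWORD = unsigned long;
using HANDLE = void *;
using SIZE_T = std::size_t;
using uptr = std::size_t;    // stand-in for __sanitizer::uptr
using LPVOID = void *;
using LPDWORD = DWORD *;
struct SECURITY_ATTRIBUTES;  // opaque stand-in
using LPSECURITY_ATTRIBUTES = SECURITY_ATTRIBUTES *;
using LPTHREAD_START_ROUTINE = DWORD (*)(LPVOID);

// "To:" line of the error: the real CreateThread signature.
using RealFn = HANDLE (*)(LPSECURITY_ATTRIBUTES, SIZE_T,
                          LPTHREAD_START_ROUTINE, LPVOID, DWORD, LPDWORD);
// "From:" line: the interceptor written with basic types.
using LooseFn = DWORD (*)(void *, uptr, DWORD (*)(void *), void *, DWORD,
                          void *);

// Hypothetical helper: compares two function-pointer types position by
// position, so a failed check can say where the types diverge.
template <typename A, typename B> struct SigDiff;
template <typename RA, typename... PA, typename RB, typename... PB>
struct SigDiff<RA (*)(PA...), RB (*)(PB...)> {
  static_assert(sizeof...(PA) == sizeof...(PB), "arity differs");
  static bool return_differs() { return !std::is_same<RA, RB>::value; }
  static int param_mismatches() {
    const bool same[] = {std::is_same<PA, PB>::value...};
    int n = 0;
    for (bool s : same) n += s ? 0 : 1;
    return n;
  }
};

// Hypothetical strict check: the interceptor pointer must convert implicitly
// to the real function's pointer type. Distinct function-pointer types do
// not convert, even when every differing slot is "just a pointer".
template <typename Real, typename Wrapper>
bool interceptor_compatible() {
  return std::is_convertible<Wrapper, Real>::value;
}

int main() {
  static_assert(!std::is_convertible<LooseFn, RealFn>::value, "rejected");
  return interceptor_compatible<RealFn, RealFn>() ? 0 : 1;
}
```

With these stand-ins the return type and two parameter positions differ (the `LPSECURITY_ATTRIBUTES` and `LPDWORD` slots declared as `void *`); the remaining positions are aliases of the same type.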