DFSan does not trasfer labels on realloc

[Quuxplusone]

Bugzilla Link	PR45583
Status	NEW
Importance	P enhancement
Reported by	Elia Geretto (elia.f.geretto@gmail.com)
Reported on	2020-04-17 06:40:13 -0700
Last modified on	2021-04-06 03:16:20 -0700
Version	10.0
Hardware	PC Linux
CC	llvm-bugs@lists.llvm.org
Fixed by commit(s)
Attachments	realloc.c (1244 bytes, text/x-csrc)
Blocks
Blocked by
See also

Created attachment 23382 Reproducer (glibc)

When a dynamically allocated buffer is moved due to a realloc, DataFlowSanitizer does not correctly transfer the taint labels to the shadow memory for the new location. I am attaching a reproducer that works with glibc 2.30.

This bug is caused by realloc being marked as discard in compiler-rt/lib/dfsan/done_abilist.txt, while instead it needs a custom wrapper to be handled correctly. Moreover, marking realloc as discard while it should not be also silences the warning which tells the user that a custom wrapper is missing, effectively masking the incorrect behavior.

Implementing the custom wrapper is not obvious since it probably requires to use allocator introspection to have good performance. It is necessary to retrieve the size of the old chunk passed to realloc. Allocator introspection, however, is not standard and is thus different for every allocator on every platform.

In the meantime, if this bug is confirmed, it could be a good idea to remove realloc from the done_abilist.txt file so that a warning is shown when realloc is called.

[Quuxplusone]

Attached realloc.c (1244 bytes, text/x-csrc): Reproducer (glibc)

[Quuxplusone]

realloc was removed from done_abilist.txt in https://reviews.llvm.org/D78379.