150
|
1 // RUN: %clang_hwasan %s -o %t && not %env_hwasan_opts=verbose_threads=1 %run %t 2>&1 | FileCheck %s
|
|
2 // REQUIRES: stable-runtime
|
|
3
|
|
4 #include <pthread.h>
|
|
5 #include <stdlib.h>
|
|
6 #include <stdio.h>
|
|
7
|
|
8 #include <sanitizer/hwasan_interface.h>
|
|
9
|
|
10 void *BoringThread(void *arg) {
|
|
11 char * volatile x = (char*)malloc(10);
|
|
12 x[5] = 0;
|
|
13 free(x);
|
|
14 return NULL;
|
|
15 }
|
|
16
|
|
17 // CHECK: Creating : T0
|
|
18 // CHECK: Creating : T1
|
|
19 // CHECK: Destroying: T1
|
|
20 // CHECK: Creating : T1100
|
|
21 // CHECK: Destroying: T1100
|
|
22 // CHECK: Creating : T1101
|
|
23
|
|
24 void *UAFThread(void *arg) {
|
|
25 char * volatile x = (char*)malloc(10);
|
221
|
26 fprintf(stderr, "ZZZ %p\n", x);
|
150
|
27 free(x);
|
|
28 x[5] = 42;
|
|
29 // CHECK: ERROR: HWAddressSanitizer: tag-mismatch on address
|
|
30 // CHECK: WRITE of size 1
|
|
31 // CHECK: many-threads-uaf.c:[[@LINE-3]]
|
|
32 // CHECK: Thread: T1101
|
|
33 return NULL;
|
|
34 }
|
|
35
|
|
36 int main() {
|
|
37 __hwasan_enable_allocator_tagging();
|
|
38 pthread_t t;
|
|
39 for (int i = 0; i < 1100; i++) {
|
|
40 pthread_create(&t, NULL, BoringThread, NULL);
|
|
41 pthread_join(t, NULL);
|
|
42 }
|
|
43 pthread_create(&t, NULL, UAFThread, NULL);
|
|
44 pthread_join(t, NULL);
|
|
45 }
|