From 01d565ce570207a9baff7d5a2aa27203613716dd Mon Sep 17 00:00:00 2001
From: Andrew Haberlandt <ahaberlandt@apple.com>
Date: Mon, 15 Sep 2025 09:00:56 -0700
Subject: [PATCH 1/2] [sanitizer-common] Improve mach_vm_region_recurse error
 handling

Some sanitizers use mach_vm_region_recurse on macOS to find a sufficiently
large gap to allocate shadow memory. Some sandboxes do not allow this.

When we get KERN_DENIED, we suggest to the user that it may have been
blocked by the sandbox.

For error codes other than KERN_INVALID_ADDRESS and KERN_DENIED,
we make sure to log a message and not use the address.

rdar://145860383
---
 .../lib/sanitizer_common/sanitizer_mac.cpp    | 31 +++++++++++++----
 .../Darwin/sandbox-vm-region-recurse.cpp      | 34 +++++++++++++++++++
 2 files changed, 58 insertions(+), 7 deletions(-)
 create mode 100644 compiler-rt/test/asan/TestCases/Darwin/sandbox-vm-region-recurse.cpp

diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_mac.cpp b/compiler-rt/lib/sanitizer_common/sanitizer_mac.cpp
index d4811ff4ed217..a3c0c18ec5760 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_mac.cpp
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_mac.cpp
@@ -1265,17 +1265,34 @@ uptr FindAvailableMemoryRange(uptr size, uptr alignment, uptr left_padding,
     kr = mach_vm_region_recurse(mach_task_self(), &address, &vmsize, &depth,
                                 (vm_region_info_t)&vminfo, &count);
 
-    // There are cases where going beyond the processes' max vm does
-    // not return KERN_INVALID_ADDRESS so we check for going beyond that
-    // max address as well.
-    if (kr == KERN_INVALID_ADDRESS || address > max_vm_address) {
+    if (kr == KERN_SUCCESS) {
+      // There are cases where going beyond the processes' max vm does
+      // not return KERN_INVALID_ADDRESS so we check for going beyond that
+      // max address as well.
+      if (address > max_vm_address) {
+        address = max_vm_address;
+        kr = -1;  // break after this iteration.
+      }
+
+      if (max_occupied_addr)
+        *max_occupied_addr = address + vmsize;
+    } else if (kr == KERN_INVALID_ADDRESS) {
       // No more regions beyond "address", consider the gap at the end of VM.
       address = max_vm_address;
-      vmsize = 0;
-      kr = -1;  // break after this iteration.
+
+      // We will break after this iteration anyway since kr != KERN_SUCCESS
+    } else if (kr == KERN_DENIED) {
+      Report("ERROR: Unable to find a memory range for dynamic shadow.\n");
+      Report("HINT: Ensure mach_vm_region_recurse is allowed under sandbox.\n");
+      Die();
     } else {
-      if (max_occupied_addr) *max_occupied_addr = address + vmsize;
+      Report("WARNING: mach_vm_region_recurse returned unexpected code %d\n",
+             kr);
+      DCHECK(false && "mach_vm_region_recurse returned unexpected code");
+      break;  // address is not valid unless KERN_SUCCESS, therefore we must not
+              // use it.
     }
+
     if (free_begin != address) {
       // We found a free region [free_begin..address-1].
       uptr gap_start = RoundUpTo((uptr)free_begin + left_padding, alignment);
diff --git a/compiler-rt/test/asan/TestCases/Darwin/sandbox-vm-region-recurse.cpp b/compiler-rt/test/asan/TestCases/Darwin/sandbox-vm-region-recurse.cpp
new file mode 100644
index 0000000000000..0044335cc1282
--- /dev/null
+++ b/compiler-rt/test/asan/TestCases/Darwin/sandbox-vm-region-recurse.cpp
@@ -0,0 +1,34 @@
+// Check that if mach_vm_region_recurse is disallowed by sandbox, we report a message saying so.
+
+// RUN: %clangxx_asan -O0 %s -o %t
+// RUN: not %run sandbox-exec -p '(version 1)(allow default)(deny syscall-mig (kernel-mig-routine mach_vm_region_recurse))' %t 2>&1 | FileCheck --check-prefix=CHECK-DENY %s
+// RUN: not %run %t 2>&1 | FileCheck --check-prefix=CHECK-ALLOW %s
+// RUN: %clangxx_asan -O3 %s -o %t
+// RUN: not %run sandbox-exec -p '(version 1)(allow default)(deny syscall-mig (kernel-mig-routine mach_vm_region_recurse))' %t 2>&1 | FileCheck --check-prefix=CHECK-DENY %s
+// RUN: not %run %t 2>&1 | FileCheck --check-prefix=CHECK-ALLOW %s
+
+// sandbox-exec isn't available on iOS
+// UNSUPPORTED: ios
+
+// x86_64 does not use ASAN_SHADOW_OFFSET_DYNAMIC
+// UNSUPPORTED: x86_64-darwin
+// UNSUPPORTED: x86_64h-darwin
+
+#include <stdlib.h>
+
+int main() {
+  char *x = (char *)malloc(10 * sizeof(char));
+  free(x);
+  return x[5];
+  // CHECK-ALLOW: {{.*ERROR: AddressSanitizer: heap-use-after-free on address}}
+  // CHECK-DENY-NOT: {{.*ERROR: AddressSanitizer: heap-use-after-free on address}}
+  // CHECK-ALLOW: {{READ of size 1 at 0x.* thread T0}}
+  // CHECK-ALLOW: {{    #0 0x.* in main}}
+  // CHECK-ALLOW: {{freed by thread T0 here:}}
+  // CHECK-ALLOW: {{    #0 0x.* in free}}
+  // CHECK-ALLOW: {{    #1 0x.* in main}}
+  // CHECK-ALLOW: {{previously allocated by thread T0 here:}}
+  // CHECK-ALLOW: {{    #0 0x.* in malloc}}
+  // CHECK-ALLOW: {{    #1 0x.* in main}}
+  // CHECK-DENY: {{.*HINT: Ensure mach_vm_region_recurse is allowed under sandbox}}
+}

From e9a08b3c389afe83eff20364c1ae1fc212488f20 Mon Sep 17 00:00:00 2001
From: Andrew Haberlandt <ahaberlandt@apple.com>
Date: Tue, 16 Sep 2025 17:37:58 -0700
Subject: [PATCH 2/2] nits

---
 compiler-rt/lib/sanitizer_common/sanitizer_mac.cpp          | 6 ++++--
 .../asan/TestCases/Darwin/sandbox-vm-region-recurse.cpp     | 3 +--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_mac.cpp b/compiler-rt/lib/sanitizer_common/sanitizer_mac.cpp
index a3c0c18ec5760..be55fb5d5fe4b 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_mac.cpp
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_mac.cpp
@@ -61,6 +61,7 @@ extern char ***_NSGetArgv(void);
 #  include <libkern/OSAtomic.h>
 #  include <mach-o/dyld.h>
 #  include <mach/mach.h>
+#  include <mach/mach_error.h>
 #  include <mach/mach_time.h>
 #  include <mach/vm_statistics.h>
 #  include <malloc/malloc.h>
@@ -1286,8 +1287,9 @@ uptr FindAvailableMemoryRange(uptr size, uptr alignment, uptr left_padding,
       Report("HINT: Ensure mach_vm_region_recurse is allowed under sandbox.\n");
       Die();
     } else {
-      Report("WARNING: mach_vm_region_recurse returned unexpected code %d\n",
-             kr);
+      Report(
+          "WARNING: mach_vm_region_recurse returned unexpected code %d (%s)\n",
+          kr, mach_error_string(kr));
       DCHECK(false && "mach_vm_region_recurse returned unexpected code");
       break;  // address is not valid unless KERN_SUCCESS, therefore we must not
               // use it.
diff --git a/compiler-rt/test/asan/TestCases/Darwin/sandbox-vm-region-recurse.cpp b/compiler-rt/test/asan/TestCases/Darwin/sandbox-vm-region-recurse.cpp
index 0044335cc1282..c496d822a7fb8 100644
--- a/compiler-rt/test/asan/TestCases/Darwin/sandbox-vm-region-recurse.cpp
+++ b/compiler-rt/test/asan/TestCases/Darwin/sandbox-vm-region-recurse.cpp
@@ -11,8 +11,7 @@
 // UNSUPPORTED: ios
 
 // x86_64 does not use ASAN_SHADOW_OFFSET_DYNAMIC
-// UNSUPPORTED: x86_64-darwin
-// UNSUPPORTED: x86_64h-darwin
+// UNSUPPORTED: x86_64-darwin || x86_64h-darwin
 
 #include <stdlib.h>