[cfi] Fix __cfi_check address calculation.
The current code computes the wrong aligned address when the target address is already 18-bit aligned (i.e. an exact multiple of kShadowAlign).
Test: stops random (and extremely rare) crashes in media.extractor
Bug: 63400743
Bug: 65590288
(cherry picked from commit ded4524cb0a2ad931468409ff0f4817f9c0a8925)
Change-Id: I7047f7304621d3a7a100cde57860a3154a29effe
diff --git a/libdl/libdl_cfi.cpp b/libdl/libdl_cfi.cpp
index 483364f..1dd5b21 100644
--- a/libdl/libdl_cfi.cpp
+++ b/libdl/libdl_cfi.cpp
@@ -52,7 +52,10 @@
static uintptr_t cfi_check_addr(uint16_t v, void* Ptr) {
uintptr_t addr = reinterpret_cast<uintptr_t>(Ptr);
- uintptr_t aligned_addr = align_up(addr, CFIShadow::kShadowAlign);
+ // The aligned range of [0, kShadowAlign) uses a single shadow element, therefore all pointers in
+ // this range must get the same aligned_addr below. This matches CFIShadowWriter::Add; not the
+ // same as align_up().
+ uintptr_t aligned_addr = align_down(addr, CFIShadow::kShadowAlign) + CFIShadow::kShadowAlign;
uintptr_t p = aligned_addr - (static_cast<uintptr_t>(v - CFIShadow::kRegularShadowMin)
<< CFIShadow::kCfiCheckGranularity);
#ifdef __arm__