public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
From: "kcc at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug sanitizer/61293] New: asan can not find left buffer overflow of new[]-allocated buffer, frontend help needed
Date: Fri, 23 May 2014 13:08:00 -0000	[thread overview]
Message-ID: <bug-61293-4@http.gcc.gnu.org/bugzilla/> (raw)

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61293

            Bug ID: 61293
           Summary: asan can not find left buffer overflow of
                    new[]-allocated buffer, frontend help needed
           Product: gcc
           Version: 4.10.0
            Status: UNCONFIRMED
          Severity: enhancement
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: kcc at gcc dot gnu.org
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org,
                    timurrrr at google dot com

asan does not detect the following case: 

TypeWithDtor *a = new TypeWithDtor[N];
a[-1] = ... 
https://code.google.com/p/address-sanitizer/issues/detail?id=314

That's because when we have new[] for a type with DTORs, 
the actual allocated size is greater.
The code looks something like this:
  extra = max(sizeof(long), alignment_of(TypeWithDtor));
  ptr = malloc(N + extra);
  *(long*)(ptr+extra-sizeof(long)) = N;
  return ptr + extra;  // must be properly aligned for TypeWithDtor

As the result, we will not detect overwrites of new[] cookie -- scary! 

I don't see how we can implement this w/o help from FE. 

First, we need to ensure alignment 8 even on 32-bits: 
  extra = max(8, alignment_of(TypeWithDtor));  

Second, we need to poison the first extra bytes.

Lastly, we need to not instrument the legitimate loads/stores of the cookie
generated by the frontend. 

All of this has to be done with the help from FE


             reply	other threads:[~2014-05-23 13:08 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-05-23 13:08 kcc at gcc dot gnu.org [this message]
2014-05-23 13:26 ` [Bug sanitizer/61293] " jakub at gcc dot gnu.org
2014-05-23 13:51 ` kcc at gcc dot gnu.org
2014-05-23 14:14 ` jakub at gcc dot gnu.org
2014-08-28  1:19 ` kcc at gcc dot gnu.org

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=bug-61293-4@http.gcc.gnu.org/bugzilla/ \
    --to=gcc-bugzilla@gcc.gnu.org \
    --cc=gcc-bugs@gcc.gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).