public inbox for gcc-help@gcc.gnu.org
From: Navin P <navinp0304@gmail.com>
To: Sam James <sam@gentoo.org>
Cc: gcc-help@gcc.gnu.org
Subject: Re: sanitizer not detecting buffer overrun
Date: Sun, 12 Nov 2023 10:44:58 +0530	[thread overview]
Message-ID: <CALO2TqKtxvhShV6XQ4HjxY7uwVEjSUvtGD=bTSGOQGnG9duOmg@mail.gmail.com> (raw)
In-Reply-To: <877cmn66kl.fsf@gentoo.org>

Hi,

On Sun, Nov 12, 2023 at 8:06 AM Sam James <sam@gentoo.org> wrote:
>
>
> Navin P via Gcc-help <gcc-help@gcc.gnu.org> writes:
>
> > Hi,
> >
> > Why doesn't the sanitizer catch this? The value ptr is a valid address, but
> > it did a buffer overflow into another object a3, and then it is a valid
> > address. This is from production code where a ptr whose base was a different
> > array address overflows into another array and becomes a valid address.
> > This is not caught by address sanitizer.
> >
> >    - How do you detect this and fix this? Are there any alternative
> >    data structures in C or C++ that prevent these kinds of overruns?
> >    Please don't increase the cookie or red zone size between arrays. Again,
> >    sizes larger than the cookie or redzone between arrays or objects can
> >    still be overrun.
>
> You appear to have answered your own question unless I'm
> misunderstanding you?
>
> ASAN does not claim to capture every possible overflow. It has to strike
> a balance, for one, between performance and catching errors (it has some
> other trade-offs too).
>
> Are you interested in a broad technical discussion about alternatives
> to redzones and other mitigations like SSP (which is unrelated here...)
> or are you wondering specifically just about how ASAN works and why it
> missed something?
>
I was asking whether there exists any way to catch such errors.
Assuming that right now there doesn't exist any such implementation, I was
thinking of an approach as to how it should be.
All pointers are null by default. Every pointer has a [start,end). Pointer
arithmetic, even though it is not dereferenced, cannot go beyond the end.
The start,end can be stored in a hash table for each pointer and it should
always stay within the bounds. Assignment of pointers copies the [start,end]
range to the lvalue from the rvalue.

ptr=ptr+x, if x is greater than array size+1, is undefined
ptr=ptr+x-y, where x=array size+10 and y=11, is defined

Do you think this is right and covers all cases? Are there better ways?
What does it take to implement this? Maybe I can try, or is it too complicated?

> To me, the intent of your email seems mixed.
>
> >
> >
> >
> > navin@Navin-acer-5740:~/cpp$ gcc -fsanitize=address sanitizer.c
> > navin@Navin-acer-5740:~/cpp$ ./a.out
> > a1=(0x614000000040-0x6140000001d0) a2=(0x614000000240-0x6140000003d0)
> > a3=(0x614000000440-0x6140000005d0)
> > value=0, ptr=0x614000000498
> > ptr lies in the array a3
> > navin@Navin-acer-5740:~/cpp$ cat sanitizer.c
> > #include <stdlib.h>
> > #include <stdio.h>
> > int main(void){
> >     /* three separate heap objects; ASan places a redzone after each one */
> >     int *a1=calloc(100,sizeof(int));
> >     int *a2=calloc(100,sizeof(int));
> >     int *a3=calloc(100,sizeof(int));
> >
> >     printf("a1=(%p-%p) a2=(%p-%p) a3=(%p-%p)\n",a1,a1+100,a2,a2+100,a3,a3+100);
> >     /* deliberate overrun: a2 has 100 elements, so a2+150 is past a2's
> >        redzone and (here) lands inside a3, an address ASan treats as valid */
> >     int *ptr=a2;
> >     ptr+=150;
> >     printf("value=%d, ptr=%p\n",*ptr,ptr);
> >     if(a3<=ptr && ptr<a3+100) printf("ptr lies in the array a3\n");
> >
> >     free(a1);
> >     free(a2);
> >     free(a3);
> >     return 0;
> > }
> > navin@Navin-acer-5740:~/cpp$
> >
> >
> > Regards,
> > Navin
>
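
The bounds-tracked pointer sketched in the message above, worked through as an added C example (this is not code from the thread, from GCC or from any sanitizer): each pointer carries its object's [start,end) next to its current value, arithmetic is checked when it is performed rather than at dereference, and assignment copies the bounds along with the value. The struct and helper names (bptr, bptr_make, bptr_add, bptr_load, bptr_copy) are assumptions made for this example. It also shows why the sanitizer.c case slips past ASan: under the C standard, forming a2+150 is already undefined behaviour because it leaves a2's object, but ASan only checks the final address against shadow memory, and that address lies inside a3, which is a live allocation. The same per-pointer base/bound idea is what SoftBound implements as compiler instrumentation and what CHERI capabilities enforce in hardware.

```c
/* Added example: a bounds-tracked ("fat") pointer in plain C, following the
 * [start,end) scheme proposed in the message above. Illustrative code written
 * for this page, not part of GCC or ASan; all names here are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

typedef struct {
    int *base;   /* start of the object the pointer was derived from */
    int *end;    /* one past the last element of that object */
    int *cur;    /* the pointer's current value */
} bptr;

/* Build a bounds-tracked pointer covering n ints starting at p. */
static bptr bptr_make(int *p, size_t n) {
    bptr b = { p, p + n, p };
    return b;
}

/* Checked pointer arithmetic. Returns 0 and updates *b on success; returns -1
 * and leaves *b untouched if the result would fall outside [base, end].
 * The one-past-the-end address (end) is allowed, matching C's rule; the
 * check is done on indices so no out-of-bounds pointer is ever formed. */
static int bptr_add(bptr *b, ptrdiff_t delta) {
    ptrdiff_t idx = b->cur - b->base;
    ptrdiff_t len = b->end - b->base;
    if (idx + delta < 0 || idx + delta > len) return -1;
    b->cur += delta;
    return 0;
}

/* Checked load. Returns 0 and stores the value; -1 if cur is not a readable
 * element (out of range, or exactly one past the end). */
static int bptr_load(const bptr *b, int *out) {
    if (b->cur < b->base || b->cur >= b->end) return -1;
    *out = *b->cur;
    return 0;
}

/* Assignment copies the bounds together with the value, as proposed. */
static bptr bptr_copy(const bptr *src) { return *src; }

/* The sanitizer.c scenario: three calloc'd arrays, ptr = a2 + 150.
 * Returns 1 if the overrun is caught at the arithmetic, 0 otherwise. */
int demo_overrun_caught(void) {
    int *a1 = calloc(100, sizeof *a1);
    int *a2 = calloc(100, sizeof *a2);
    int *a3 = calloc(100, sizeof *a3);
    int caught = 0;
    if (a1 && a2 && a3) {
        bptr p = bptr_make(a2, 100);
        /* a2+150 leaves [a2, a2+100]; with raw pointers the result may land
         * inside a3, which is why ASan's redzones never see it. */
        if (bptr_add(&p, 150) != 0) caught = 1;
    }
    free(a1); free(a2); free(a3);
    return caught;
}

/* The message's second case: ptr + (size+10) - 11. Evaluated step by step,
 * the intermediate ptr+110 is already out of bounds and is rejected; only
 * the folded offset 110-11 = 99 is accepted. Returns 1 if both hold. */
int demo_intermediate_rejected(void) {
    int arr[100];
    bptr p = bptr_make(arr, 100);
    int rejected = bptr_add(&p, 110) != 0;
    int ok = bptr_add(&p, 110 - 11) == 0;
    return rejected && ok;
}

/* Forming the one-past-the-end pointer is allowed, loading through it is not,
 * and a copy carries the same bounds. Returns 1 if all three hold. */
int demo_one_past_end(void) {
    int arr[4] = { 1, 2, 3, 4 };
    bptr p = bptr_make(arr, 4);
    bptr q = bptr_copy(&p);
    int v;
    if (bptr_add(&q, 4) != 0) return 0;      /* arr+4 may be formed */
    if (bptr_load(&q, &v) == 0) return 0;    /* but not read */
    if (bptr_add(&q, -1) != 0) return 0;     /* back to the last element */
    if (bptr_load(&q, &v) != 0) return 0;
    return v == 4;
}

int main(void) {
    printf("a2+150 caught at arithmetic: %d\n", demo_overrun_caught());
    printf("ptr+110 rejected, ptr+99 allowed: %d\n", demo_intermediate_rejected());
    printf("one-past-end formed but not loaded: %d\n", demo_one_past_end());
    return 0;
}
```

The second demo makes a design choice explicit that the proposal leaves open: if every intermediate result is checked, ptr+x-y with x = size+10 is rejected even though the final address is inside the object, so an implementation that wants to treat it as defined has to fold the offsets (as a compiler often would) before applying the check. The cost is also visible: every pointer becomes three words, and every assignment copies them, which is the performance side of the trade-off mentioned in the reply above.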


Thread overview: 5+ messages
2023-11-12  0:01 Navin P
2023-11-12  2:34 ` Sam James
2023-11-12  5:14   ` Navin P [this message]
2023-11-12 10:02     ` Xi Ruoyao
2023-11-12  9:37 ` Jonathan Wakely
