Subject: Re: sanitizer not detecting buffer overrun
From: Xi Ruoyao <xry111@xry111.site>
To: Navin P, Sam James
Cc: gcc-help@gcc.gnu.org
Date: Sun, 12 Nov 2023 18:02:48 +0800
References: <877cmn66kl.fsf@gentoo.org>

On Sun, 2023-11-12 at 10:44 +0530, Navin P via Gcc-help wrote:
> I was asking if there exists any way to catch such errors?
> Assuming right now there doesn't exist any such implementation, I was
> thinking of an approach as to how it should be.
> All pointers are null by default. Every pointer has a [start,end). Pointer
> arithmetic, even though it is not dereferenced, cannot go beyond the end.
> The start,end can be stored in a hash table for each pointer and it should
> always stay within the bounds. Assignment of pointers copies the [start,end]
> range to the lvalue from the rvalue.
>
> ptr=ptr+x if x is greater than array size+1 is undefined
> ptr=ptr+x-y where x=array size+10 and y=11 is defined
>
> Do you think this is right and covers all cases? Are there better ways?
> What does it take to implement this? Maybe I can try, or is it too complicated?

MPX was implemented like this, but it was too problematic to be maintained
or used in practice, so it was removed in GCC 9. Intel also removed MPX in
recent CPU models.
Read the wiki page for more info (including its undoing):

https://gcc.gnu.org/wiki/Intel%20MPX%20support%20in%20the%20GCC%20compiler

Hardware-assisted address sanitizer (hwasan) is a modern replacement for
MPX-like approaches, but currently it's only implemented on AArch64.
(The GCC support for hwasan on x86_64 is already added, but Intel has not
shipped any CPUs supporting it as of now.)

On AArch64, hwasan correctly detects this overrun:

==50998==ERROR: HWAddressSanitizer: tag-mismatch on address 0xefeaffff03f8 at pc 0xffff8666086c
READ of size 4 at 0xefeaffff03f8 tags: cd/ff (ptr/mem) in thread T0
    #0 0xffff8666086c in SigTrap<2> ../../../../libsanitizer/hwasan/hwasan_checks.h:28
    #1 0xffff8666086c in CheckAddress<(__hwasan::ErrorAction)0, (__hwasan::AccessType)0, 2> ../../../../libsanitizer/hwasan/hwasan_checks.h:108
    #2 0xffff8666086c in __hwasan_load4 ../../../../libsanitizer/hwasan/hwasan.cpp:455
    #3 0xaaaadada0b90 in main /home/xry111/t.c:11
    #4 0xffff8644b510 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #5 0xffff8644b5f4 in __libc_start_main_impl ../csu/libc-start.c:360
    #6 0xaaaadada092c in _start ../sysdeps/aarch64/start.S:98

[0xefeaffff0340,0xefeaffff04e0) is a small allocated heap chunk; size: 416 offset: 184

Cause: heap-buffer-overflow
0xefeaffff03f8 is located 200 bytes after a 400-byte region [0xefeaffff01a0,0xefeaffff0330)
allocated here:
    #0 0xffff8665a690 in __sanitizer_calloc ../../../../libsanitizer/hwasan/hwasan_allocation_functions.cpp:116
    #1 0xaaaadada0adc in main /home/xry111/t.c:5
    #2 0xffff8644b510 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #3 0xffff8644b5f4 in __libc_start_main_impl ../csu/libc-start.c:360
    #4 0xaaaadada092c in _start ../sysdeps/aarch64/start.S:98

-- 
Xi Ruoyao
School of Aerospace Science and Technology, Xidian University
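The following is an added illustration of the "[start, end) per pointer" scheme discussed in the thread. It is not code from the thread, from GCC, from MPX or from hwasan; the type and function names (bptr, bp_calloc, bp_add, bp_check, bp_load4, run_scenario) are assumptions, and the sizes are chosen to mirror the hwasan report above (a 400-byte region and a read 200 bytes past its end). It shows the design point the quoted ptr+x-y case raises: bounds travel with the pointer through arithmetic and assignment, but the check happens at the access, as MPX's BNDCL/BNDCU did, so an intermediate out-of-range value that is brought back in range before use is not an error.

```c
/* Constructed example (not GCC, MPX or hwasan code) of bounds that travel
 * with a pointer and are checked only at the access.  Addresses are held
 * as uintptr_t so that forming an out-of-range intermediate value is plain
 * integer arithmetic rather than C undefined behaviour. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uintptr_t addr;  /* current pointer value */
    uintptr_t lo;    /* first byte of the object it was derived from */
    uintptr_t hi;    /* one past the last byte of that object */
} bptr;

/* calloc() wrapper: a fresh pointer carries the bounds of its region. */
static bptr bp_calloc(size_t nbytes)
{
    bptr b = {0, 0, 0};
    void *p = calloc(nbytes, 1);
    if (p) {
        b.addr = b.lo = (uintptr_t)p;
        b.hi = b.lo + nbytes;
    }
    return b;
}

/* Pointer arithmetic: the value moves, the bounds stay.  No check here;
 * a negative step walks backwards. */
static bptr bp_add(bptr b, ptrdiff_t nbytes)
{
    b.addr += (uintptr_t)nbytes;
    return b;
}

/* Access check for a `size`-byte access at b.addr: 0 when
 * [addr, addr+size) lies inside [lo, hi), -1 below lo, +1 past hi.
 * The comparison is written as hi - addr to avoid addr + size wrapping. */
static int bp_check(bptr b, size_t size)
{
    if (b.addr < b.lo)
        return -1;
    if (b.addr > b.hi || b.hi - b.addr < size)
        return 1;
    return 0;
}

/* Checked 4-byte load: refuses (reported through *ok) instead of reading
 * a neighbouring object's memory the way an unchecked program would. */
static int32_t bp_load4(bptr b, int *ok)
{
    int32_t v = 0;
    if (bp_check(b, sizeof v) != 0) {
        *ok = 0;
        return 0;
    }
    memcpy(&v, (const void *)b.addr, sizeof v);
    *ok = 1;
    return v;
}

/* Worked scenario sized like the hwasan report: a 400-byte region
 * (100 ints) and an access 200 bytes after its end (element 150).
 * Returns 1 if every case behaves as the scheme intends, 0 otherwise. */
static int run_scenario(void)
{
    bptr p = bp_calloc(400);
    bptr q, r, o;
    int ok, good = 1;

    if (!p.addr)
        return 0;

    /* p[99], the last element: an in-bounds read succeeds. */
    bp_load4(bp_add(p, 99 * 4), &ok);
    good &= ok;

    /* ptr = ptr + x - y with x = size + 10, y = 11: the intermediate
     * p + 110 elements is past the end but never accessed, and the final
     * p + 99 elements is in bounds, so the access check passes. */
    q = bp_add(bp_add(p, 110 * 4), -11 * 4);
    good &= (bp_check(q, 4) == 0);

    /* Assignment copies the bounds together with the value. */
    r = q;
    good &= (r.addr == q.addr && r.lo == p.lo && r.hi == p.hi);

    /* p[150]: 200 bytes after the 400-byte region.  The check refuses the
     * read; hwasan flagged the same access in the report above. */
    o = bp_add(p, 150 * 4);
    bp_load4(o, &ok);
    good &= (!ok && o.addr - o.hi == 200);

    free((void *)p.lo);
    return good;
}

int main(void)
{
    printf("bounds scheme %s\n", run_scenario() ? "behaved as intended" : "FAILED");
    return 0;
}
```

The hash-table variant in the quoted proposal keeps the same [lo, hi) pair but looks it up by pointer value instead of carrying it inline; the check at the access is identical. What made the real implementations costly is everything this toy omits: bounds for pointers stored in memory, pointers passed through non-instrumented code, and casts between integers and pointers.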