From: Maxim Ostapenko <m.ostapenko@samsung.com>
To: Florian Weimer <fweimer@redhat.com>,
GNU C Library <libc-alpha@sourceware.org>
Cc: Kostya Serebryany <kcc@google.com>, Yuri Gribov <tetra2005@gmail.com>
Subject: Re: [PATCH BZ#20422] Do not allow asan/msan/tsan and fortify at the same time.
Date: Tue, 06 Sep 2016 09:16:00 -0000 [thread overview]
Message-ID: <57CE8965.7050505@samsung.com> (raw)
In-Reply-To: <8d2403c8-466d-8f1a-e563-8b729deef9ce@redhat.com>
On 06/09/16 11:39, Florian Weimer wrote:
> On 09/05/2016 07:27 PM, Maxim Ostapenko wrote:
>> Hi!
>>
>> When fortify is used with MSan it will cause MSan false positives.
>>
>> #include <stdio.h>
>> #include <string.h>
>> int main()
>> {
>> char text[100];
>> sprintf(text, "hello");
>> printf("%lu\n", strlen(text));
>> }
>>
>> % clang test.c -fsanitize=memory -O3 && ./a.out
>> 5
>> % clang test.c -fsanitize=memory -D_FORTIFY_SOURCE=2 -O3 && ./a.out
>> Uninitialized bytes in __interceptor_strlen at offset 0 inside
>> [0x7ffe259e4d20, 6)
>> ==26297==WARNING: MemorySanitizer: use-of-uninitialized-value
>> #0 0x4869cc in main
>>
>> With ASan, this will not cause false positives, but may case false
>> negatives or just confuse people with "wrong" reports when fortify
>> catches the error.
>
> Why does the above cause a warning, but this does not, and happily
> prints the undefined array members?
>
> #include <stdio.h>
> #include <pwd.h>
> #include <unistd.h>
> #include <string.h>
> #include <err.h>
> #include <grp.h>
>
> int main()
> {
> struct passwd *pw = getpwuid (getuid ());
> if (pw == NULL)
> err (1, "getpwuid");
> gid_t groups[50];
> int ngroups = 50;
> if (getgrouplist (pw->pw_name, pw->pw_gid, groups, &ngroups) < 0)
> errx (1, "getgrouplist");
> for (int i = 0; i < 50; ++i)
> printf ("group %d: %lld\n", i + 1, (long long) groups[i]);
> }
>
>
> I find this rather confusing. -D_FORTIFY_SOURCE=2 does not make a
> difference here.
I think because MSan doesn't have getgrouplist interceptor.
>
>> Although fortify is good thing as it (and it's enabled by default on
>> some major distros e.g. Ubuntu and Gentoo), people still complain about
>> {A, M}San vs fortify interaction, see e.g.
>> https://github.com/google/sanitizers/issues/689. One possible solution
>> would be to extend {A, M}San to support foo_chk() functions, but this
>> would increase the complexity of sanitizer tools with quite small
>> benefit. Another choice would be to warn users when they compile their
>> code with {A, M, T}San and fortify enabled.
>
> At least for Memory Sanitizer, the documentation clearly says that
> *everything* has to be compiled with it. I read that as as meaning
> that the interceptors are just a kludge.
I thought we should compile everything except Glibc, no? Compiling Glibc
with MSan would be tricky, that's why it needs interceptors.
>
> If you do not intended to implement further interceptors, I expect you
> don't want to implement those for open/openat either, other
> compile-time fortification, or whatever other fortify functions we
> might add which are not directly related to memory safety. This means
> that for full coverage, a developer would have to compile to test with
> the different sanitizers *and* _FORTIFY_SOURCE. I'm not sure if that
> leads to a good developer experience.
>
> We could conceivably guard every _chk wrapper (say __sprintf_chk) with
>
> #ifndef __fortify_no___sprintf_chk
> â¦
> #endif
>
> . In sanitizer mode, for those wrappers you have deemed to be
> unnecessary, the compiler would define these macros, so that glibc
> wouldn't install the wrapper.
>
> Another option would be to provide a glibc which has been compiled
> with the required sanitizers, so that most interceptors become
> unnecessary.
>
>> I've tried to add a testcase for new warning into Glibc testsuite, but
>> failed to see how exactly I can do it. Does Glibc have some framework
>> for compilation tests?
>
> It does not. Carlos proposed something earlier this year, but it was
> not able to check for the presence expected warnings. We need
> something like this for the compile-time checks.
>
> Florian
>
>
next prev parent reply other threads:[~2016-09-06 9:16 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-05 17:27 Maxim Ostapenko
2016-09-05 19:48 ` Andrew Pinski
2016-09-06 8:39 ` Florian Weimer
2016-09-06 8:58 ` Yuri Gribov
2016-09-06 9:13 ` Florian Weimer
2016-09-06 9:20 ` Yuri Gribov
2016-09-06 9:51 ` Florian Weimer
2016-09-09 22:35 ` Kostya Serebryany
[not found] ` <CAN=P9phe_OP+tU+nnDDPEeZCR77w2ddrSX+LtSnx2-42p9JgUg@mail.gmail.com>
2016-09-12 9:36 ` Florian Weimer
2016-09-06 9:16 ` Maxim Ostapenko [this message]
2016-09-06 9:44 ` Florian Weimer
2016-09-09 22:36 ` Kostya Serebryany
2016-09-12 9:31 ` Florian Weimer
2016-09-12 18:54 ` Kostya Serebryany
2016-09-17 9:00 ` Yuri Gribov
2016-09-29 8:08 ` Florian Weimer
2016-09-29 9:47 ` Yuri Gribov
2016-09-29 10:04 ` Jakub Jelinek
2016-09-29 10:32 ` Yuri Gribov
2016-09-29 10:44 ` Jakub Jelinek
2016-09-29 10:52 ` Andrew Pinski
2016-09-29 21:23 ` Kostya Serebryany
2016-10-01 21:38 ` Andrew Pinski
2016-10-01 21:50 ` Jakub Jelinek
2016-10-02 7:51 ` Florian Weimer
2016-10-02 9:40 ` Jakub Jelinek
2016-10-02 9:43 ` Florian Weimer
2016-10-02 14:02 ` Yuri Gribov
2016-10-04 0:53 ` Kostya Serebryany
2016-10-04 6:46 ` Jakub Jelinek
2016-10-04 12:15 ` fortification and valgrind/memcheck (Was: [PATCH BZ#20422] Do not allow asan/msan/tsan and fortify@the same time) Mark Wielaard
2016-10-05 11:49 ` Florian Weimer
2016-10-05 12:02 ` Mark Wielaard
2016-10-05 14:27 ` [PATCH BZ#20422] Do not allow asan/msan/tsan and fortify at the same time Florian Weimer
2016-10-05 15:46 ` Maxim Ostapenko
2016-10-05 16:01 ` Kostya Serebryany
2016-10-05 16:01 ` Maxim Ostapenko
2016-10-05 16:06 ` Zack Weinberg
2016-10-05 16:11 ` Kostya Serebryany
2016-10-05 16:46 ` Zack Weinberg
2016-10-05 17:58 ` Yuri Gribov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=57CE8965.7050505@samsung.com \
--to=m.ostapenko@samsung.com \
--cc=fweimer@redhat.com \
--cc=kcc@google.com \
--cc=libc-alpha@sourceware.org \
--cc=tetra2005@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).