From: Kostya Serebryany <kcc@google.com>
To: Maxim Ostapenko <m.ostapenko@samsung.com>
Cc: Florian Weimer <fweimer@redhat.com>,
GNU C Library <libc-alpha@sourceware.org>,
Yuri Gribov <tetra2005@gmail.com>
Subject: Re: [PATCH BZ#20422] Do not allow asan/msan/tsan and fortify at the same time.
Date: Wed, 05 Oct 2016 16:01:00 -0000 [thread overview]
Message-ID: <CAN=P9pgnnHuk_10aduk3Tj1xWQ=mP7Xz-LCNF7SxFRdJ6Z8HLQ@mail.gmail.com> (raw)
In-Reply-To: <57F52041.8010801@samsung.com>
On Wed, Oct 5, 2016 at 8:46 AM, Maxim Ostapenko <m.ostapenko@samsung.com> wrote:
> On 05/10/16 17:26, Florian Weimer wrote:
>>
>> On 09/05/2016 07:27 PM, Maxim Ostapenko wrote:
>>>
>>> Although fortify is good thing as it (and it's enabled by default on
>>> some major distros e.g. Ubuntu and Gentoo), people still complain about
>>> {A, M}San vs fortify interaction, see e.g.
>>> https://github.com/google/sanitizers/issues/689. One possible solution
>>> would be to extend {A, M}San to support foo_chk() functions, but this
>>> would increase the complexity of sanitizer tools with quite small
>>> benefit.
>>
>>
>> I'm not sure if there is a small benefit. Based on Mark's feedback on
>> valgrind's capabilities compared to source fortification, I ran an
>> experiment.
>>
>> Consider this example program:
>>
>> #include <stdlib.h>
>> #include <string.h>
>>
>> struct foo {
>> int a;
>> char b[4];
>> void *c;
>> };
>>
>> int
>> main (int argc, char **argv)
>> {
>> struct foo *p = malloc (sizeof (*p));
>> strcpy (p->b, argv[1]);
>> asm volatile ("" ::: "memory");
>> free (p);
>> }
>>
>> Compiled with -D_FORTIFY_SOURCE=2, passing a four-character string yields:
>>
>> $ ./a.out aaaa
>> *** buffer overflow detected ***: ./a.out terminated
>> […]
>>
>> But compiling with clang 3.8 and -fsanitize=address (without source
>> fortification), I can pass a longer string before Address Sanitizer detects
>> the overflow:
>>
>> $ ./a.out aaaaaaaaaaa
>> $ ./a.out aaaaaaaaaaaa
>> =================================================================
>> ==21921==ERROR: AddressSanitizer: heap-buffer-overflow on address
>> 0x60200000f000 at pc 0x000000488d77 bp 0x7ffe8eb00d50 sp 0x7ffe8eb00500
>>
>> Depending on the application, intra-object overflows can be quite
>> relevant. Is this perhaps a sufficient case for Address Sanitizer using
>> this data as well?
Indeed, asan does not handle intra-object overflow, good point.
(fortify also doesn't handle the general case, only when a libc
function is involved and the bounds are known at compile-time)
asan handles all kinds of signals and prints stack traces for them, so
fortify+asan could print a nice stack trace when fortify finds
intra-object overflow.
Also, using __asan_describe_address fortify could print what asan
knows about the address
(e.g. N bytes inside M-byte object allocated at <STACK_TRACE>).
Makes sense.
Now the question where to do this.
To me it sounds more like a fortify extension.
>
>
> Well, this is a valid point, ASan doesn't poison intra objects, but I wonder
> how ASan can reuse it? Perhaps poison dest + bos0(dest) at interceptor entry
> and unpoison at exit?
This would be racy.
--kcc
>
> -Maxim
>
>>
>> Thanks,
>> Florian
>>
>>
>>
>
next prev parent reply other threads:[~2016-10-05 16:01 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-05 17:27 Maxim Ostapenko
2016-09-05 19:48 ` Andrew Pinski
2016-09-06 8:39 ` Florian Weimer
2016-09-06 8:58 ` Yuri Gribov
2016-09-06 9:13 ` Florian Weimer
2016-09-06 9:20 ` Yuri Gribov
2016-09-06 9:51 ` Florian Weimer
2016-09-09 22:35 ` Kostya Serebryany
[not found] ` <CAN=P9phe_OP+tU+nnDDPEeZCR77w2ddrSX+LtSnx2-42p9JgUg@mail.gmail.com>
2016-09-12 9:36 ` Florian Weimer
2016-09-06 9:16 ` Maxim Ostapenko
2016-09-06 9:44 ` Florian Weimer
2016-09-09 22:36 ` Kostya Serebryany
2016-09-12 9:31 ` Florian Weimer
2016-09-12 18:54 ` Kostya Serebryany
2016-09-17 9:00 ` Yuri Gribov
2016-09-29 8:08 ` Florian Weimer
2016-09-29 9:47 ` Yuri Gribov
2016-09-29 10:04 ` Jakub Jelinek
2016-09-29 10:32 ` Yuri Gribov
2016-09-29 10:44 ` Jakub Jelinek
2016-09-29 10:52 ` Andrew Pinski
2016-09-29 21:23 ` Kostya Serebryany
2016-10-01 21:38 ` Andrew Pinski
2016-10-01 21:50 ` Jakub Jelinek
2016-10-02 7:51 ` Florian Weimer
2016-10-02 9:40 ` Jakub Jelinek
2016-10-02 9:43 ` Florian Weimer
2016-10-02 14:02 ` Yuri Gribov
2016-10-04 0:53 ` Kostya Serebryany
2016-10-04 6:46 ` Jakub Jelinek
2016-10-04 12:15 ` fortification and valgrind/memcheck (Was: [PATCH BZ#20422] Do not allow asan/msan/tsan and fortify@the same time) Mark Wielaard
2016-10-05 11:49 ` Florian Weimer
2016-10-05 12:02 ` Mark Wielaard
2016-10-05 14:27 ` [PATCH BZ#20422] Do not allow asan/msan/tsan and fortify at the same time Florian Weimer
2016-10-05 15:46 ` Maxim Ostapenko
2016-10-05 16:01 ` Kostya Serebryany [this message]
2016-10-05 16:01 ` Maxim Ostapenko
2016-10-05 16:06 ` Zack Weinberg
2016-10-05 16:11 ` Kostya Serebryany
2016-10-05 16:46 ` Zack Weinberg
2016-10-05 17:58 ` Yuri Gribov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAN=P9pgnnHuk_10aduk3Tj1xWQ=mP7Xz-LCNF7SxFRdJ6Z8HLQ@mail.gmail.com' \
--to=kcc@google.com \
--cc=fweimer@redhat.com \
--cc=libc-alpha@sourceware.org \
--cc=m.ostapenko@samsung.com \
--cc=tetra2005@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).