This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [PATCH BZ#20422] Do not allow asan/msan/tsan and fortify at the same time.

From: Yuri Gribov <tetra2005 at gmail dot com>
To: Florian Weimer <fw at deneb dot enyo dot de>
Cc: Maxim Ostapenko <m dot ostapenko at samsung dot com>, GNU C Library <libc-alpha at sourceware dot org>, Kostya Serebryany <kcc at google dot com>, Jakub Jelinek <jakub at redhat dot com>
Date: Thu, 29 Sep 2016 10:47:28 +0100
Subject: Re: [PATCH BZ#20422] Do not allow asan/msan/tsan and fortify at the same time.
Authentication-results: sourceware.org; auth=none
References: <57CDAB08.8060601@samsung.com> <8d2403c8-466d-8f1a-e563-8b729deef9ce@redhat.com> <CAJOtW+5r0NQOHh1MKGSoCVyDto7LtJE7d3-oqJy-Yei6AECb8g@mail.gmail.com> <87lgyb9lhf.fsf@mid.deneb.enyo.de>

On Thu, Sep 29, 2016 at 9:08 AM, Florian Weimer <fw@deneb.enyo.de> wrote:
> * Yuri Gribov:
>
>> Would the above approach be accepted for trunk? The reason for me
>> pushing this is because FORTIFY_SOURCE is now enabled by default in
>> major distros and this start to be a detrimental factor for ASan
>> efficiency (there are already 3 open bugs related to this in tracker
>> and they keep coming).
>
> We have received a related feature request:
>
>   <https://sourceware.org/bugzilla/show_bug.cgi?id=20644>
>
> Do the sanitizers depend on direct calls to the interceptors from
> application code, or can we add an indirection which has been compiled
> *without* sanitizer support?

Cc Jakub.

No, there is not dependency on direct calls so indirection should work fine.

> If the indirection is acceptable, we could perhaps provided a DSO
> which maps back the fortify wrappers to the unfortified versions.
> libasan could link against that, for valgrind, it could be preloaded.

Disabling Glibc fortification through indirection should generally
work (Kostya, Jakub -please comment if it's not). Actually it would be
even better than asking users to disable Fortify when building with
Asan because the tool will then be able to intercept calls to
fortified functions from unsanitized parts of the program (and detect
errors in such calls).

I'm just wondering if there are less invasive solutions e.g. providing
a runtime Glibc setting (e.g. through environment variable) to disable
fortification at startup? This shouldn't introduce significant
performance penalty.

> memstop could use this as well:
>
>   <https://bugzilla.redhat.com/show_bug.cgi?id=1034894>
>
> The advantage of the unfortify library is that it keeps the knowledge
> about fortify wrappers in glibc.

Yes, duplicating this information in all existing instrumentation
tools would be inefficient and error-prone.

-Y

Follow-Ups:
- Re: [PATCH BZ#20422] Do not allow asan/msan/tsan and fortify at the same time.
  - From: Jakub Jelinek

References:
- [PATCH BZ#20422] Do not allow asan/msan/tsan and fortify at the same time.
  - From: Maxim Ostapenko
- Re: [PATCH BZ#20422] Do not allow asan/msan/tsan and fortify at the same time.
  - From: Florian Weimer
- Re: [PATCH BZ#20422] Do not allow asan/msan/tsan and fortify at the same time.
  - From: Yuri Gribov
- Re: [PATCH BZ#20422] Do not allow asan/msan/tsan and fortify at the same time.
  - From: Florian Weimer

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]