This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: [PATCH BZ#20422] Do not allow asan/msan/tsan and fortify at the same time.
- From: Kostya Serebryany <kcc at google dot com>
- To: Maxim Ostapenko <m dot ostapenko at samsung dot com>
- Cc: Florian Weimer <fweimer at redhat dot com>, GNU C Library <libc-alpha at sourceware dot org>, Yuri Gribov <tetra2005 at gmail dot com>
- Date: Wed, 5 Oct 2016 09:01:11 -0700
- Subject: Re: [PATCH BZ#20422] Do not allow asan/msan/tsan and fortify at the same time.
- Authentication-results: sourceware.org; auth=none
- References: <57CDAB08.8060601@samsung.com> <CGME20161005142716eucas1p2c58bebda4ac596908c4f46f3fcbcf3f2@eucas1p2.samsung.com> <93b470fc-0a1f-684f-065a-109ee6534f12@redhat.com> <57F52041.8010801@samsung.com>
On Wed, Oct 5, 2016 at 8:46 AM, Maxim Ostapenko <m.ostapenko@samsung.com> wrote:
> On 05/10/16 17:26, Florian Weimer wrote:
>>
>> On 09/05/2016 07:27 PM, Maxim Ostapenko wrote:
>>>
>>> Although fortify is good thing as it (and it's enabled by default on
>>> some major distros e.g. Ubuntu and Gentoo), people still complain about
>>> {A, M}San vs fortify interaction, see e.g.
>>> https://github.com/google/sanitizers/issues/689. One possible solution
>>> would be to extend {A, M}San to support foo_chk() functions, but this
>>> would increase the complexity of sanitizer tools with quite small
>>> benefit.
>>
>>
>> I'm not sure if there is a small benefit. Based on Mark's feedback on
>> valgrind's capabilities compared to source fortification, I ran an
>> experiment.
>>
>> Consider this example program:
>>
>> #include <stdlib.h>
>> #include <string.h>
>>
>> struct foo {
>> int a;
>> char b[4];
>> void *c;
>> };
>>
>> int
>> main (int argc, char **argv)
>> {
>> struct foo *p = malloc (sizeof (*p));
>> strcpy (p->b, argv[1]);
>> asm volatile ("" ::: "memory");
>> free (p);
>> }
>>
>> Compiled with -D_FORTIFY_SOURCE=2, passing a four-character string yields:
>>
>> $ ./a.out aaaa
>> *** buffer overflow detected ***: ./a.out terminated
>> […]
>>
>> But compiling with clang 3.8 and -fsanitize=address (without source
>> fortification), I can pass a longer string before Address Sanitizer detects
>> the overflow:
>>
>> $ ./a.out aaaaaaaaaaa
>> $ ./a.out aaaaaaaaaaaa
>> =================================================================
>> ==21921==ERROR: AddressSanitizer: heap-buffer-overflow on address
>> 0x60200000f000 at pc 0x000000488d77 bp 0x7ffe8eb00d50 sp 0x7ffe8eb00500
>>
>> Depending on the application, intra-object overflows can be quite
>> relevant. Is this perhaps a sufficient case for Address Sanitizer using
>> this data as well?
Indeed, asan does not handle intra-object overflow, good point.
(fortify also doesn't handle the general case, only when a libc
function is involved and the bounds are known at compile-time)
asan handles all kinds of signals and prints stack traces for them, so
fortify+asan could print a nice stack trace when fortify finds
intra-object overflow.
Also, using __asan_describe_address fortify could print what asan
knows about the address
(e.g. N bytes inside M-byte object allocated at <STACK_TRACE>).
Makes sense.
Now the question where to do this.
To me it sounds more like a fortify extension.
>
>
> Well, this is a valid point, ASan doesn't poison intra objects, but I wonder
> how ASan can reuse it? Perhaps poison dest + bos0(dest) at interceptor entry
> and unpoison at exit?
This would be racy.
--kcc
>
> -Maxim
>
>>
>> Thanks,
>> Florian
>>
>>
>>
>