sanitizer not detecting buffer overrun

Sam James sam@gentoo.org
Sun Nov 12 02:34:58 GMT 2023


Navin P via Gcc-help <gcc-help@gcc.gnu.org> writes:

> Hi,
>
> Why doesn't sanitizer catch this ? The value ptr is a valid address but it
> did a buffer overflow into another object a3 and then it is a valid
> address. This is from production code where a ptr whose base was different
> array address overflows into another array and becomes a valid address.
> This is not caught by address sanitizer.
>
>    - How do you detect this and fix this ? Are there any alternative
>    datastructures in C or C++ that prevent these kind of overruns
>    Please don't increase the cookie or red zone size between arrays. Again
>    sizes more than the cookie or redzone between arrays or objects can be
>    overrun

You appear to have answered your own question unless I'm
misunderstanding you?

ASAN does not claim to capture every possible overflow. It has to strike
a balance, for one, between performance and catching errors (it has some
other trade-offs too).

Are you interested in a broad technical discussion about alternatives
to redzones and other mitigations like SSP (which is unrelated here...)
or are you wondering specifically just about how ASAN works and why it
missed something?

To me, the intent of your email seems mixed.

>
>
>
> navin@Navin-acer-5740:~/cpp$ gcc -fsanitize=address sanitizer.c
> navin@Navin-acer-5740:~/cpp$ ./a.out
> a1=(0x614000000040-0x6140000001d0) a2=(0x614000000240-0x6140000003d0)
> a3=(0x614000000440-0x6140000005d0)
> value=0, ptr=0x614000000498
> ptr lies in the array a3
> navin@Navin-acer-5740:~/cpp$ cat sanitizer.c
> #include<stdlib.h>
> #include<stdio.h>
> int main(){
> int *a1=calloc(100,sizeof(int));
> int *a2=calloc(100,sizeof(int));
> int *a3=calloc(100,sizeof(int));
>
> printf("a1=(%p-%p) a2=(%p-%p) a3=(%p-%p)\n",a1,a1+100,a2,a2+100,a3,a3+100);
> int *ptr=a2;
> ptr+=150;
> printf("value=%d, ptr=%p\n",*ptr,ptr);
> if(a3<=ptr && ptr<=a3+100) printf("ptr lies in the array a3\n");
>
> free(a1);
> free(a2);
> free(a3);
> }
> navin@Navin-acer-5740:~/cpp$
>
>
> Regards,
> Navin



More information about the Gcc-help mailing list