google / sanitizers

AddressSanitizer, ThreadSanitizer, MemorySanitizer

How to confirm if the memory of mmap is generating shadow? #1210

Closed shisuhao closed 4 years ago

shisuhao commented 4 years ago

Hi, I want to confirm if the memory of mmap is generating shadow? Like:

```c
src = mmap((char *)0x10000000000, 4096 * 8, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
```

And I am sure 0x10000000000 is in high memory.

shisuhao commented 4 years ago

Please give me some ideas.

kcc commented 4 years ago

you can run a simple test built with asan under strace to see what exactly syscalls are being made.

shisuhao commented 4 years ago

> you can run a simple test built with asan under strace to see what exactly syscalls are being made.

Hi @kcc, I ran a simple test; the code follows:

```c
#include <stdio.h>
#include <stdlib.h>

int main()
{
    int i;
    char *p = malloc(4096*8);

    /* ASan shadow mapping on x86_64 Linux: shadow = (addr / 8) + 0x7fff8000 */
    char *shadow = (char *)(((unsigned long long)p / 8) + 0x7fff8000);
    char *shadow_end = (char *)(((unsigned long long)(p+4096*8) / 8) + 0x7fff8000);

    printf("%p    ----     %p, -------%p\n", p, shadow, shadow_end);

    getchar();   /* pause so the shadow bytes can be inspected from gdb */
    free((p));
    return 0;
}
```

Then, under gdb, I read the shadow memory:

```
(gdb) p (0xc5a7fff8080)
$1 = 0
(gdb) p (0xc5a7fff807f)
$2 = 250
(gdb) x/1xb 0xc5a7fff807f
0xc5a7fff807f:  0xfa
(gdb) x/1xb 0xc5a7fff807e
0xc5a7fff807e:  0xfa
(gdb) x/1xb 0xc5a7fff9080
0xc5a7fff9080:  0xfa
(gdb) x/1xb 0xc5a7fff9079
0xc5a7fff9079:  0x00
(gdb) x/1xb 0xc5a7fff9081
0xc5a7fff9081:  0xfa
(gdb)
```

In the same way, I ran a simple test with mmap. Unfortunately, when I read the shadow memory, there are no values such as 0xfa, as follows:

```
root@ubuntu:/home/hss2/asan# LD_PRELOAD=/usr/local/gcc7.3.0/lib64/libasan.so gdb ./asan_test
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/.
Find the GDB manual and other documentation resources online at:
http://www.gnu.org/software/gdb/documentation/.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./asan_test...done.
(gdb) b test_mmap
Breakpoint 1 at 0x400b27: file asan_test.c, line 43.
(gdb) r
Starting program: /home/hss2/asan/asan_test
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
warning: File "/usr/local/gcc7.3.0/lib64/libstdc++.so.6.0.24-gdb.py" auto-loading has been declined by your `auto-load safe-path' set to "$debugdir:$datadir/auto-load".
To enable execution of this file add
        add-auto-load-safe-path /usr/local/gcc7.3.0/lib64/libstdc++.so.6.0.24-gdb.py
line to your configuration file "/root/.gdbinit".
To completely disable this security protection add
        set auto-load safe-path /
line to your configuration file "/root/.gdbinit".
For more information about this security protection see the
"Auto-loading safe path" section in the GDB manual.  E.g., run from the shell:
        info "(gdb)Auto-loading safe path"

Breakpoint 1, test_mmap () at asan_test.c:43
43          char *src = NULL;
(gdb) l
38
39      char buffer[4096] = {0};
40
41      int test_mmap(void)
42      {
43          char *src = NULL;
44          int i;
45
46          //if ((src = mmap((char *)0x10000000000, 4096 * 8, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS | MAP_FIXED, -1, 0)) == MAP_FAILED)
47          if ((src = mmap((char *)0x100080000000, 4096 * 8, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS | MAP_FIXED, -1, 0)) == MAP_FAILED) {
(gdb) l
48
49              printf("failure, test_map src == %p !\n", src);
50
51          }
52          else {
53              printf("successfully, test_map src == %p !\n", src);
54          }
55
56
57
(gdb) l
58          for(i = 0; i < 4096*8; i++)
59          {
60              *(src+i) = 100;
61          }
62
63          //*(src-1) = 'N';
64
65          //__asan_poison_memory_region(src, 4096*8);
66
67          //__asan_poison_memory_region(src-64, 64);
(gdb) l
68          //__asan_poison_memory_region(src+4096*8-64, 64);
69          i = 100;
70          printf("i = %d\n", i);
71          i = __asan_address_is_poisoned(src);
72          printf("i = %d\n", i);
73
74          memcpy(buffer, src, 4096);
75
76          *(src) = 1;
77          *(src+10) = 2;
(gdb) b 69
Breakpoint 2 at 0x400bed: file asan_test.c, line 69.
(gdb) c
Continuing.
successfully, test_map src == 0x100080000000 !

Breakpoint 2, test_mmap () at asan_test.c:69
69          i = 100;
(gdb) x/1xb 0x2008fff8000
0x2008fff8000:  0x00
(gdb) x/1xb 0x2008fff7fff
0x2008fff7fff:  0x00
(gdb) x/1xb 0x2008fff7ffe
0x2008fff7ffe:  0x00
(gdb) x/1xb 0x2008fff9000
0x2008fff9000:  0x00
(gdb) x/1xb 0x2008fff9001
0x2008fff9001:  0x00
(gdb) x/1xb 0x2008fff9002
0x2008fff9002:  0x00
(gdb)
```

shisuhao commented 4 years ago

So, can I think the address of mmap does not have shadow generated, and this is normal? If not, how can I fix it?

shisuhao commented 4 years ago

@kcc can you give me some suggestions?

eugenis commented 4 years ago

mmap does not update shadow. Doing that would be very expensive, because then the redzones would need to be at least 1 whole page each.

On Wed, Mar 25, 2020 at 8:31 PM shisuhao wrote:

> @kcc can you give me some Suggestions?

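Because mmap does not update shadow, redzones around a mapping have to be poisoned by hand, using the interface functions the test program above already references. The following is an added example, not code from this thread or from the sanitizers project; `guarded_map`, `guarded_unmap` and `shadow_state` are hypothetical helper names, and the redzones are one page each because mmap hands out whole pages.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* ASan runtime entry points, normally from <sanitizer/asan_interface.h>. Declared
 * weak here so the file also links when built without -fsanitize=address. */
extern void __asan_poison_memory_region(void const volatile *, size_t) __attribute__((weak));
extern void __asan_unpoison_memory_region(void const volatile *, size_t) __attribute__((weak));
extern int __asan_address_is_poisoned(void const volatile *) __attribute__((weak));

/* 1 = poisoned, 0 = addressable, -1 = no ASan runtime in this process. */
int shadow_state(const void *p)
{
    return __asan_address_is_poisoned ? __asan_address_is_poisoned(p) : -1;
}

/* Hypothetical helper: map `pages` pages with one poisoned page on each side. */
char *guarded_map(size_t pages)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE), len = pages * page;
    char *base = mmap(NULL, len + 2 * page, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return NULL;
    if (__asan_poison_memory_region) {
        __asan_poison_memory_region(base, page);              /* left redzone  */
        __asan_poison_memory_region(base + page + len, page); /* right redzone */
    }
    return base + page;
}

/* Unpoison before unmapping: the shadow bytes are not tied to the mapping's
 * lifetime, so stale poison may otherwise remain for what is mapped there next. */
int guarded_unmap(char *payload, size_t pages)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE), len = (pages + 2) * page;
    if (__asan_unpoison_memory_region)
        __asan_unpoison_memory_region(payload - page, len);
    return munmap(payload - page, len);
}

int main(void)
{
    char *p = guarded_map(8);   /* 8 pages, like the thread's 4096*8 test */
    if (!p) return 1;
    printf("payload=%d left=%d\n", shadow_state(p), shadow_state(p - 1));
    return guarded_unmap(p, 8);
}
```

Build with `-fsanitize=address`; without it the weak symbols resolve to null and `shadow_state` returns -1.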

shisuhao commented 4 years ago

@eugenis Thank you very much for your explanation.

shisuhao commented 4 years ago

I will close this issue, thank you very much everyone who participated in the discussion.