gopalshankar / address-sanitizer

Automatically exported from code.google.com/p/address-sanitizer

shmctl() interceptor assumes wrong size for written data #259

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Hi,

To reproduce:

asan_shm_info.cpp:
#include <sys/shm.h>

int main()
{
  struct shm_info shmInfo;  // 48 bytes in the frame below; SHM_INFO fills only this
  char dummy[10];           // neighbouring stack object that the reported write runs into
  int ret = shmctl(0, SHM_INFO, (struct shmid_ds *) &shmInfo);

  return ret;
}

clang++ -fsanitize=address -o asan_shm_info asan_shm_info.cpp

./asan_shm_info

==20192==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff85fa2c00 at pc 0x4551d0 bp 0x7fff85fa2b30 sp 0x7fff85fa2b08
WRITE of size 112 at 0x7fff85fa2c00 thread T0
    #0 0x4551cf in __interceptor_shmctl /local/mar_/llvmtrunk/projects/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:2700
    #1 0x48d362 in main (/local/build/git/sys/src/asan_shm_info+0x48d362)
    #2 0x2ae23c04ebc5 in __libc_start_main (/lib64/libc.so.6+0x1ebc5)
    #3 0x48d14c in _start (/local/build/git/sys/src/asan_shm_info2+0x48d14c)

Address 0x7fff85fa2c00 is located in stack of thread T0 at offset 96 in frame
    #0 0x48d21f in main (/local/build/git/sys/src/asan_shm_info+0x48d21f)

  This frame has 4 object(s):
    [32, 36) 'retval'
    [48, 96) 'shmInfo'
    [128, 138) 'dummy' <== Memory access at offset 96 partially underflows this variable
    [160, 164) 'ret' <== Memory access at offset 96 partially underflows this variable

clang trunk, SuSE Linux Enterprise 11 SP1

The problem is in projects/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.cc:196:

  int shmctl_shm_info = (int)SHM_INFO;
- int shmctl_shm_stat = (int)SHM_INFO;
+ int shmctl_shm_stat = (int)SHM_STAT;
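Review bot: the constant fix is correct, but the report above shows why it was invisible until now: with shmctl_shm_stat aliased to SHM_INFO, a SHM_INFO call matched the SHM_STAT branch and the interceptor marked sizeof(struct shmid_ds) (the "WRITE of size 112") as written into a 48-byte struct shm_info ([48, 96) in the frame), so a regression test that calls shmctl(SHM_INFO) on a struct shm_info under ASan should land with this change. It is also worth eyeballing the neighbouring shmctl_* and ipc_* constants in the same block for the same copy-paste pattern before committing.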

With this fix the program does not throw an error.

Best regards,
Martin

Original issue reported on code.google.com by mric...@googlemail.com on 30 Jan 2014 at 2:13
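An added example, not part of the report or of compiler-rt, that models the interceptor's "how many bytes does shmctl(cmd) write" decision with the correct table beside the aliased-constant typo, and probes the real kernel with a canary-padded buffer to confirm SHM_INFO stays within struct shm_info. The dispatch order (stat checks first) is an assumption chosen to reproduce the 112-byte write in the report; the function names are hypothetical.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/shm.h>

/* Model of the platform-limits table (assumed layout, not compiler-rt's code). */
static const int kShmctlIpcStat      = (int)IPC_STAT;
static const int kShmctlIpcInfo      = (int)IPC_INFO;
static const int kShmctlShmInfo      = (int)SHM_INFO;
static const int kShmctlShmStat      = (int)SHM_STAT;  /* corrected value */
static const int kShmctlShmStatBuggy = (int)SHM_INFO;  /* the typo from the report */

/* Bytes the interceptor would mark as written for `cmd`, given the value it
 * believes SHM_STAT has. Stat commands are tested first, which is what turns
 * the aliased constant into an oversized write for SHM_INFO. */
static size_t written_size(int cmd, int shm_stat_const) {
  if (cmd == kShmctlIpcStat || cmd == shm_stat_const)
    return sizeof(struct shmid_ds);  /* 112 bytes on x86-64 glibc */
  if (cmd == kShmctlIpcInfo)
    return sizeof(struct shminfo);
  if (cmd == kShmctlShmInfo)
    return sizeof(struct shm_info);  /* 48 bytes on x86-64 glibc */
  return 0;
}

size_t shmctl_write_size_fixed(int cmd) { return written_size(cmd, kShmctlShmStat); }
size_t shmctl_write_size_buggy(int cmd) { return written_size(cmd, kShmctlShmStatBuggy); }

/* Call the real shmctl(SHM_INFO) into a canary-padded union and check the kernel
 * touched nothing past sizeof(struct shm_info).
 * Returns 1 if the padding is intact, 0 if it was overwritten, -1 if the call
 * failed (for example no SysV IPC available in this environment). */
int probe_shm_info_write(void) {
  union { struct shmid_ds ds; unsigned char raw[sizeof(struct shmid_ds) + 64]; } u;
  memset(u.raw, 0xA5, sizeof u.raw);
  if (shmctl(0, SHM_INFO, &u.ds) < 0) return -1;
  for (size_t i = sizeof(struct shm_info); i < sizeof u.raw; i++)
    if (u.raw[i] != 0xA5) return 0;
  return 1;
}

int main(void) {
  printf("SHM_INFO: fixed table marks %zu bytes, buggy table marks %zu bytes\n",
         shmctl_write_size_fixed(SHM_INFO), shmctl_write_size_buggy(SHM_INFO));
  printf("kernel write stays within struct shm_info: %d\n", probe_shm_info_write());
  return 0;
}
```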

GoogleCodeExporter commented 9 years ago

Original comment by euge...@google.com on 30 Jan 2014 at 2:28

GoogleCodeExporter commented 9 years ago
Thanks for reporting!
Fixed in r200468.

Original comment by euge...@google.com on 30 Jan 2014 at 2:37