theRockLiu / address-sanitizer

Automatically exported from code.google.com/p/address-sanitizer
1 stars 0 forks source link

asan does not detect stack buffer overflow for alloca(const) #347

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Compile and run the following program with -fsanitize=address:

---- 8< ---- (alloca_stack_overflow.c)
#include <alloca.h>

int main()
{
    //int p[3];
    int *p = alloca(3*sizeof(*p));

    p[0] = 0;
    p[1] = 1;
    p[2] = 2;

    p[3] = 3;   // <-- buffer overflow here
                // with  int p[3]                           - asan does      report,
                // with  int *p = alloca(3*sizeof(*p))      - asan does not  report.

    return 0;
}
---- 8< ----

$ clang-3.6 -fsanitize=address -g -Wall  alloca_stack_overflow.c
$ ./a.out

What is the expected output? What do you see instead?

Expected output: ASAN reports stack-buffer-overflow related to `p[3] = 3` 
assignment.

I see: no errors.

What version of the product are you using? On what operating system?

$ clang-3.6 --version
Debian clang version 3.6.0-svn218446-1 (trunk) (based on LLVM 3.6.0)
Target: x86_64-pc-linux-gnu
Thread model: posix

$ uname -a
Linux teco 3.16-2-amd64 #1 SMP Debian 3.16.3-2 (2014-09-20) x86_64 GNU/Linux

Please provide any additional information below.

If I change p declaration to `int p[3]` array - asan reports the problem about 
stack buffer overflow.

If array is of variable-length - asan does not report the problem, as well as 
it does not report it for alloca with non-constant argument.

I guess most of the above relates to issue138 (asan should support 
variable-sized alloca).

The issue is present with both clang and gcc (initially discovered with 
gcc-4.9.1).

Thanks beforehand,
Kirill

Original issue reported on code.google.com by kirill.s...@gmail.com on 28 Sep 2014 at 10:18

GoogleCodeExporter commented 9 years ago
I don't think Asan instrument allocas or VLAs, do we? Sounds like a useful 
addition though.

Original comment by tetra2...@gmail.com on 29 Sep 2014 at 10:57

GoogleCodeExporter commented 9 years ago
I think in LLVM we instrument all static allocas, which may include C-level 
allocas (in addition to plain local variables).

Original comment by euge...@google.com on 29 Sep 2014 at 12:33

GoogleCodeExporter commented 9 years ago
Today clang's asan does not instrument variable sized allocas. 
This can be done and would be a nice thing to have, by is a low priority for us 
at this point. Maybe once we start instrumenting glibc with clang's asan this 
will become more interesting. 
Patches are welcome, as always. :) 

Dupping against issue 138

Original comment by konstant...@gmail.com on 29 Sep 2014 at 9:03