Date: Fri, 20 Mar 2015 22:20:23 -0400 From: Rich Felker <dalias@...c.org> To: Konstantin Serebryany <konstantin.s.serebryany@...il.com> Cc: musl@...ts.openwall.com Subject: Re: buffer overflow in regcomp and a way to find more of those On Fri, Mar 20, 2015 at 07:14:33PM -0700, Konstantin Serebryany wrote: > > > > Sorry to keep bombarding you with questions. > > You are more than welcome! > > > One more: is it only asan > > that needs dynamic linking? If we're willing to drop asan for now and > > just rely on musl itself crashing for heap corruption (musl does a > > good job of detecting it usually), can the necessary coverage stuff > > still work with static linking? > > I think it can with a reasonable additional work, but not out of the box. > The compiler instrumentation in clang clearly does not care about > dynamic vs static linking. > If you build the source with "-fsanitize=leak -fsanitize-coverage=4 > -O1" the compiler will not insert any of the asan instrumentation > and only insert calls to a couple of functions needed for coverage. > Then, instead of linking with the full asan+coverage run-time, you > will need a very simple re-implementation of coverage-only runtime. Could the existing runtime be used, just stripped down? > But, my previous experience with running fuzzers w/o memory bug > detectors (asan, or others) > suggests that this is a bad idea. Memory bugs tend to accumulate and > show up in the following iterations (if at all). Well static linking with musl does not impose any constraint on redefining functions, so you could easily use a debugging malloc that lines up each allocation to end on a page boundary with a guard page after it. This would of course be slow and use lots of memory but would catch all heap overflows. And -fstack-protector-all would catch most stack-based overflows. Rich
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.