Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20150321022023.GW23507@brightrain.aerifal.cx>
Date: Fri, 20 Mar 2015 22:20:23 -0400
From: Rich Felker <dalias@...c.org>
To: Konstantin Serebryany <konstantin.s.serebryany@...il.com>
Cc: musl@...ts.openwall.com
Subject: Re: buffer overflow in regcomp and a way to find more of those

On Fri, Mar 20, 2015 at 07:14:33PM -0700, Konstantin Serebryany wrote:
> >
> > Sorry to keep bombarding you with questions.
> 
> You are more than welcome!
> 
> > One more: is it only asan
> > that needs dynamic linking? If we're willing to drop asan for now and
> > just rely on musl itself crashing for heap corruption (musl does a
> > good job of detecting it usually), can the necessary coverage stuff
> > still work with static linking?
> 
> I think it can with a reasonable additional work, but not out of the box.
> The compiler instrumentation in clang clearly does not care about
> dynamic vs static linking.
> If you build the source with "-fsanitize=leak -fsanitize-coverage=4
> -O1" the compiler will not insert any of the asan instrumentation
> and only insert calls to a couple of functions needed for coverage.
> Then, instead of linking with the full asan+coverage run-time, you
> will need a very simple re-implementation of coverage-only runtime.

Could the existing runtime be used, just stripped down?

> But, my previous experience with running fuzzers w/o memory bug
> detectors (asan, or others)
> suggests that this is a bad idea. Memory bugs tend to accumulate and
> show up in the following iterations (if at all).

Well static linking with musl does not impose any constraint on
redefining functions, so you could easily use a debugging malloc that
lines up each allocation to end on a page boundary with a guard page
after it. This would of course be slow and use lots of memory but
would catch all heap overflows. And -fstack-protector-all would catch
most stack-based overflows.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.