Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 20 Mar 2015 22:20:23 -0400
From: Rich Felker <dalias@...c.org>
To: Konstantin Serebryany <konstantin.s.serebryany@...il.com>
Cc: musl@...ts.openwall.com
Subject: Re: buffer overflow in regcomp and a way to find more of those

On Fri, Mar 20, 2015 at 07:14:33PM -0700, Konstantin Serebryany wrote:
> >
> > Sorry to keep bombarding you with questions.
> 
> You are more than welcome!
> 
> > One more: is it only asan
> > that needs dynamic linking? If we're willing to drop asan for now and
> > just rely on musl itself crashing for heap corruption (musl does a
> > good job of detecting it usually), can the necessary coverage stuff
> > still work with static linking?
> 
> I think it can with a reasonable additional work, but not out of the box.
> The compiler instrumentation in clang clearly does not care about
> dynamic vs static linking.
> If you build the source with "-fsanitize=leak -fsanitize-coverage=4
> -O1" the compiler will not insert any of the asan instrumentation
> and only insert calls to a couple of functions needed for coverage.
> Then, instead of linking with the full asan+coverage run-time, you
> will need a very simple re-implementation of coverage-only runtime.

Could the existing runtime be used, just stripped down?

> But, my previous experience with running fuzzers w/o memory bug
> detectors (asan, or others)
> suggests that this is a bad idea. Memory bugs tend to accumulate and
> show up in the following iterations (if at all).

Well static linking with musl does not impose any constraint on
redefining functions, so you could easily use a debugging malloc that
lines up each allocation to end on a page boundary with a guard page
after it. This would of course be slow and use lots of memory but
would catch all heap overflows. And -fstack-protector-all would catch
most stack-based overflows.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.