Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 23 Mar 2015 13:35:40 +0100
From: Szabolcs Nagy <nsz@...t70.net>
To: Konstantin Serebryany <konstantin.s.serebryany@...il.com>
Cc: Rich Felker <dalias@...c.org>, musl@...ts.openwall.com
Subject: Re: buffer overflow in regcomp and a way to find more of those

* Konstantin Serebryany <konstantin.s.serebryany@...il.com> [2015-03-22 21:55:26 -0700]:
> On Sat, Mar 21, 2015 at 6:28 AM, Szabolcs Nagy <nsz@...t70.net> wrote:
> > * Konstantin Serebryany <konstantin.s.serebryany@...il.com> [2015-03-20 23:05:13 -0700]:
> >> BTW, writing a minimalistic asan run-time as part of musl should be a
> >> matter of a couple of hours.
> >> Probably much faster than making the current monster work with static linking.
> >> I'd be happy to help with such.
> >>
> >
> > how would this look?
> >
> > compile the tests and libc with asan, but instead of linking the
> > asan runtime from clang use a musl specific one?
> 
> Yes
> >
> > i assume for that we still need to change the libc startup code, malloc
> > functions and may be some things around thread stacks
> 
> Try to compile a simple file with asan:
> 
> int main(int argc, char **argv) {
>   int a[10];
>   a[argc * 10] = 0;
>   return 0;
> }
> 
> 
> % clang -fsanitize=address  a.c -c
> 
> % nm a.o | grep U
>                  U __asan_init_v5
>                  U __asan_option_detect_stack_use_after_return
>                  U __asan_report_store4
>                  U __asan_stack_malloc_1
> 
> __asan_report_store4 should print an error message saying that
> "bad write of 4 bytes" happened in <current stack trace> on address <param>.
> Also make  other __asan_report_{store,load}{1,2,4,8,16}
> 
> __asan_init_v5 will be called by the module initializer.
> When called for the first time, it should mmap the shadow memory.
> https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
> 
> __asan_option_detect_stack_use_after_return is a global, define it to 0.
> __asan_stack_malloc_1 -- just make it an empty function.
> 
> Now, you can build a code with asan and detect stack buffer overflows.
> (The reports won't be very detailed, but they will be correct).
> If you add poisoned redzones to malloc -- you get heap buffer overflows.
> If you delay the reuse of free-d memory -- you get use-after-free.
> 
> If you then implement __asan_register_globals (it is called on module
> initialization and poisons redzones for globals)
> you get global buffer overflows.
> 
> The current asan run-time is large an hairy because it attempts to be
> thread-friendly,
> intercepts lots of libc, and provides very details error messages.
> W/o all that, the run-time will easily fit in < 100 LOC, which can be
> a part of a libc implementation.
> 

nice

i'm not sure if we want to push this into musl, but it looks useful

i'll try to implement it

> hth,
> --kcc

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.