Status: New
Owner: ----
Labels: Type-Defect Priority-Medium
New issue 348 by [email protected]: asan does not always detect access
beyond mmaped page
https://code.google.com/p/address-sanitizer/issues/detail?id=348
What steps will reproduce the problem?
1. Compile the attached test program with either gcc or clang
(the test program essentially is):
---- 8< ----
#include <sys/mman.h>
#define PAGE_SIZE 4096
int main(void) {
    char *page1 = mmap(NULL, PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    char *page2 = mmap(NULL, PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    // access beyond page1 (caught by gcc/asan, dies on clang/asan)
    // page1[PAGE_SIZE] = 99;
    page2[PAGE_SIZE] = 199; // <- access beyond page2 (not caught by asan)
    return 0;
}
---- 8< ----
$ gcc -g -Wall -fsanitize=address page-access-beyond.c -o a.gcc
$ clang-3.6 -g -Wall -fsanitize=address page-access-beyond.c -o a.clang
2. Run it
$ ./a.gcc
$ ./a.clang
What is the expected output? What do you see instead?
Expected: ASAN reports bad access at `page2[PAGE_SIZE]` write.
I see: nothing
What version of the product are you using? On what operating system?
$ gcc --version
gcc (Debian 4.9.1-15) 4.9.1
$ clang-3.6 --version
Debian clang version 3.6.0-svn218446-1 (trunk) (based on LLVM 3.6.0)
Target: x86_64-pc-linux-gnu
Thread model: posix
$ uname -a
Linux teco 3.16-2-amd64 #1 SMP Debian 3.16.3-2 (2014-09-20) x86_64 GNU/Linux
Please provide any additional information below.
If the `page1[PAGE_SIZE]` write is uncommented, a.clang just dies
with "Segmentation fault" and a.gcc reports the problem correctly:
==20907==ERROR: AddressSanitizer: unknown-crash on address 0x7f452c447000
at pc 0x400aa7 bp 0x7fffd9135b40 sp 0x7fffd9135b38
WRITE of size 1 at 0x7f452c447000 thread T0
#0 0x400aa6 in main /home/kirr/tmp/trashme/page-access-beyond.c:35
#1 0x7f452afd1b44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#2 0x400878 (/home/kirr/tmp/trashme/a.gcc+0x400878)
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: unknown-crash /home/kirr/tmp/trashme/page-access-beyond.c:35 main
Shadow bytes around the buggy address:
0x0fe925880db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe925880dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe925880dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe925880de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe925880df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe925880e00:[fe]fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
0x0fe925880e10: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
0x0fe925880e20: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
0x0fe925880e30: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
0x0fe925880e40: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
0x0fe925880e50: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==20907==ABORTING
Valgrind 3.10, conversely, catches the page2 write-beyond-end, but does not
catch the page1 write-beyond-end.
Thanks in advance,
Kirill
Attachments:
page-access-beyond.c 1.2 KB
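The shadow dump above explains the asymmetry: ASan only tracks memory it hands out itself, so the bytes after a raw mmap'd page carry no redzone. page1's overflow happened to land in ASan's own region (shadow `fe`), page2's landed somewhere that was simply addressable or unmapped, and Valgrind's page-level view sees the opposite. The usual fix on the caller's side is to give the mapping its own guard: one extra `PROT_NONE` page after the region, and, in an ASan build, poison that page with `__asan_poison_memory_region` so the instrumented store is flagged as a user-poisoned access (shadow `f7` in the legend above) instead of relying on a page fault. The program below is an added example written for this page, not the reporter's attached test program and not ASan project code; `map_with_guard`, `write_faults` and `guard_demo` are hypothetical helper names. It assumes a Linux/glibc host where `MAP_ANONYMOUS`, `sigaction` and `sysconf(_SC_PAGESIZE)` are available.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Detect an ASan build under both gcc (__SANITIZE_ADDRESS__) and clang (__has_feature). */
#if defined(__SANITIZE_ADDRESS__)
#  define HAVE_ASAN 1
#elif defined(__has_feature)
#  if __has_feature(address_sanitizer)
#    define HAVE_ASAN 1
#  endif
#endif
#ifdef HAVE_ASAN
#  include <sanitizer/asan_interface.h>
#endif

/* Hypothetical helper (not from the issue): map `len` bytes of read/write memory
 * followed by one inaccessible guard page.  A write that runs off the end hits
 * the guard instead of whatever happens to be mapped next.  In an ASan build the
 * guard is additionally poisoned, so the instrumented store is reported by ASan
 * (shadow byte f7, "Poisoned by user") before it ever reaches the kernel. */
static char *map_with_guard(size_t len, size_t *total_out) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    size_t rounded = (len + pg - 1) / pg * pg;
    size_t total = rounded + pg;
    char *base = mmap(NULL, total, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return NULL;
    if (mprotect(base + rounded, pg, PROT_NONE) != 0) {
        munmap(base, total);
        return NULL;
    }
#ifdef HAVE_ASAN
    __asan_poison_memory_region(base + rounded, pg);
#endif
    *total_out = total;
    return base;
}

/* SIGSEGV trampoline so the demo can observe a fault without dying. */
static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_seen;

static void on_segv(int sig) {
    (void)sig;
    fault_seen = 1;
    siglongjmp(fault_env, 1);
}

/* Returns 1 if storing to p[off] raises SIGSEGV, 0 if it silently succeeds. */
static int write_faults(volatile char *p, size_t off) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old);
    fault_seen = 0;
    if (sigsetjmp(fault_env, 1) == 0)
        p[off] = 42;          /* the access under test */
    sigaction(SIGSEGV, &old, NULL);
    return fault_seen;
}

/* Replays the report's scenario against a guarded mapping.  Returns 1 when the
 * last in-bounds byte is writable and the write one byte past the requested
 * region (page[PAGE_SIZE] in the report) traps, 0 otherwise, -1 on mmap failure. */
int guard_demo(void) {
    size_t total = 0;
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    char *page = map_with_guard(pg, &total);
    if (!page)
        return -1;
    int in_bounds_ok = !write_faults(page, pg - 1);
    int overflow_trapped = write_faults(page, pg);
    munmap(page, total);
    return in_bounds_ok && overflow_trapped;
}

int main(void) {
    int r = guard_demo();
    printf("guard page %s\n", r == 1 ? "trapped the overflow" : "did NOT trap the overflow");
    return r == 1 ? 0 : 1;
}
```

Built without a sanitizer, the kernel delivers SIGSEGV for the out-of-bounds store and `guard_demo` returns 1 through the signal trampoline. Built with `-fsanitize=address`, the process does not get that far: the poisoned guard makes ASan report the store at the `p[off] = 42` line with a full stack trace, which is the report the issue was hoping to see for `page2[PAGE_SIZE]`. The same trick applies to any memory that bypasses the allocator (mmap, custom arenas, shared memory): ASan only knows what it is told, so poison what must not be touched.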