Dmitry, thank you response. I'd like to use a example to invite you help me
clarify this magic more clearly. Thank your patience.
Below simple code has a global variable buffer overflow in line 6, and the
Asan can correctly detect and report it. In this case, Asan use
__asan_report_store4 instrumentation to check the &global_array[12], so and
I think the"size"= 4, and the SHADOW_GRANULARITY=8. Also,
"addr"=0x0000013a2ab0, "sp" = MEM_TO_SHADOW(addr) = 0x00008026c556, "s" =
0xf9. Then, ((s8)((addr & (SHADOW_GRANULARITY - 1)) + size - 1)) >= (s8)s)
become ((0x0000013a2ab0 & (8-1)) + 4 -1) >= 0xf9, which is 3 >= 0xf9, and
it is false. So, the total s != 0 && ((s8)((addr & (SHADOW_GRANULARITY -
1)) + size - 1)) >= (s8)s) is false, and Asan should not go into the
ReportGenericError branch with this logic. How could Asan check this shadow
memory correctly?
#include <stdio.h>
#include <stdlib.h>
int global_array[11] = {0};
int main(int argc, char **argv) {
int Index = 12;
global_array[Index] = 0x12345678; // line 6, global buffer overflow,
Index should <= 10
return 1;
}
=================================================================
==3622==ERROR: AddressSanitizer: global-buffer-overflow on address
0x0000013a2ab0 at pc 0x00000050a1e1 bp 0x7ffd39460b60 sp 0x7ffd39460b58
WRITE of size 4 at 0x0000013a2ab0 thread T0
#0 0x50a1e0 in main
/home/jshi19/sanitizer/global_ASAN_MEMORY_ACCESS_CALLBACK_BODY.c:6:23
#1 0x7f68fbd8082f in __libc_start_main
/build/glibc-Qz8a69/glibc-2.23/csu/../csu/libc-start.c:291
#2 0x419368 in _start (/home/jshi19/sanitizer/a.out+0x419368)
0x0000013a2ab0 is located 4 bytes to the right of global variable
'global_array' defined in 'global_ASAN_MEMORY_ACCESS_CALLBACK_BODY.c:3:5'
(0x13a2a80) of size 44
SUMMARY: AddressSanitizer: global-buffer-overflow
/home/jshi19/sanitizer/global_ASAN_MEMORY_ACCESS_CALLBACK_BODY.c:6:23 in
main
Shadow bytes around the buggy address:
0x00008026c500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008026c510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008026c520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008026c530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008026c540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x00008026c550: 00 00 00 00 00 04[f9]f9 f9 f9 f9 f9 00 00 00 00
0x00008026c560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008026c570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008026c580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008026c590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008026c5a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3622==ABORTING
--
You received this message because you are subscribed to the Google Groups
"address-sanitizer" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
