- Notifications
You must be signed in to change notification settings - Fork1.1k
AddressSanitizerIntraObjectOverflow
Alexander Potapenko edited this pageAug 31, 2015 ·2 revisions
One class of bugs currently not properly detected byAddressSanitizer isintra-object-overflow:
struct S { int buffer[5]; int other_field;};void Foo(S *s, int idx) { s->buffer[idx] = 0; // if idx == 5, asan will not complain}This class of bugs will be detectable with theIntel MPX.
In the meantime, we are trying the following approach inAddressSanitizer:if the type is a C++ non-standard-layout class with a destructor, we add poisoned gaps (redzones) between fields in the class.
An early prototype of this functionality is available in clang trunk. Don't expect it to work outside of small tests (yet).
% clang++ -O1 -g -fsanitize-address-field-padding=1 -fsanitize=address \ ~/llvm/projects/compiler-rt/test/asan/TestCases/intra-object-overflow.cc% ./a.out 11==23931==ERROR: AddressSanitizer: intra-object-overflow on address 0x60c00000bfd4 at pc 0x00000049d672...WRITE of size 4 at 0x60c00000bfd4 thread T0 #0 0x49d671 in Foo::set(int, int) llvm/projects/compiler-rt/test/asan/TestCases/intra-object-overflow.cc:15:30 #1 0x49d48f in main llvm/projects/compiler-rt/test/asan/TestCases/intra-object-overflow.cc:27:3 #2 0x7f1edaf47ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287 #3 0x416d16 in _start (llvm_build/a.out+0x416d16)0x60c00000bfd4 is located 84 bytes inside of 128-byte region [0x60c00000bf80,0x60c00000c000)allocated by thread T0 here: #0 0x49c7cb in operator new(unsigned long) llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:62:35 #1 0x49d475 in main llvm/projects/compiler-rt/test/asan/TestCases/intra-object-overflow.cc:26:3