AddressSanitizer, an unsatisfied detection. #1397
Comments
Most certainly the compiler optimizes the OOB access away. This is possible
because out of bounds accesses are considered undefined behavior.
You can try building with -O0 to prevent that, or declare the local array
as volatile.
On Mon, Apr 19, 2021, 08:24 XXX wrote:
Code:
#include <stdio.h>

int b(int _a) {
int arr[100];
int k = 1000;
/* deliberate out-of-bounds read: index 1100 is 4400 bytes past arr[0],
   i.e. 4000 bytes beyond the end of the 400-byte array */
return arr[k+100];
}
int main(int argc, char **argv) {
printf("[start]\n");
int k = b(argc);
printf("%d\n", k);
printf("[end]\n");
return 1;
}
Result:
clang++-9 -O1 -g -fsanitize=address -fno-omit-frame-pointer yup.cc && ls -la ./a.out && ./a.out
-rwxr-xr-x 1 root root 1272640 Apr 19 15:23 ./a.out
[start]
0
[end]
Why above code is not considered as stack-overflow?
Experiment A, replace with -O0:
clang++-9 -O0 -g -fsanitize=address -fno-omit-frame-pointer yup.cc && ls -la ./a.out && ./a.out
Experiment B, add volatile:
clang++-9 -O0 -g -fsanitize=address -fno-omit-frame-pointer yup.cc && ls -la ./a.out && ./a.out
Asan by design does not detect accesses to memory owned by non-instrumented code. Actually even a "lucky" invalid access can point into a variable of another stack frame and asan will not be able to detect it. However I would expect that https://github.com/google/sanitizers/wiki/AddressSanitizerUseAfterReturn will detect cases like this. Unfortunately as-is FakeStack does not poison just-allocated memory, so out of bounds accesses which hit not-yet-used frames will not be detected. This probably can be improved for the uar_noreserve=0 case.
To expand on Vitaly's answer, ASan has limited size redzones around stack
allocations, 16-32-64 bytes, not more. In a real program, when you access
1000 bytes out of bounds, there is a chance - not very high - to hit
another object's redzone and catch the bug. In this example, you are almost
guaranteed to hit some part of the stack below the frame of main(). ASan
cannot catch that.
On Mon, Apr 19, 2021 at 10:13 AM Vitaly Buka wrote:
Asan by design does not detect accesses to memory owned by
non-instrumented code.
With "k = 1000" it looks like it hits non-instrumented libc frames above
main.
As per eugenis's comment: Experiment A, change the overread index from 1100 to 110:
Code
Result
clang++-9 -O0 -g -fsanitize=address -fno-omit-frame-pointer y
Additionally, if this kind of issue (an overread index that is bigger than the redzones eugenis mentioned) must be detected, then UndefinedBehaviorSanitizer could be utilized:
Code
Result
Thanks everyone,
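The following is an added example, not code from this thread or from the sanitizers project. It models the two points made above: eugenis's explanation that a stack redzone is only a few dozen bytes wide, so an access 4000 bytes past the array lands in memory ASan does not own (see also Vitaly's note on unpoisoned FakeStack frames), and the closing remark that a static bounds check from UndefinedBehaviorSanitizer catches the index regardless of where it lands. The frame layout, the 64-byte redzone width, the shadow encoding (one shadow byte per 8 application bytes, 0 = addressable, 0xf2 = redzone) and the function names are assumptions chosen for illustration; they are a simplified model, not ASan's actual stack layout algorithm. It compiles without any sanitizer and just evaluates the model.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define SHADOW_GRANULE  8      /* one shadow byte describes 8 application bytes */
#define MODEL_BYTES     8192   /* size of the modelled stack region */
#define ARR_LEN         100    /* int arr[100] from the issue */
#define ELEM_SIZE       ((int)sizeof(int))
#define REDZONE_BYTES   64     /* assumed: upper end of the 16-64 byte range quoted above */

#define SHADOW_OK       0x00   /* assumed encoding: granule fully addressable */
#define SHADOW_REDZONE  0xf2   /* assumed encoding: stack redzone, any access reports */

static uint8_t shadow[MODEL_BYTES / SHADOW_GRANULE];

/* Byte offsets of the instrumented array inside the modelled frame. */
enum { ARR_START = REDZONE_BYTES, ARR_END = REDZONE_BYTES + ARR_LEN * ELEM_SIZE };

static void poison(int from, int to, uint8_t val) {
    for (int off = from; off < to; off += SHADOW_GRANULE)
        shadow[off / SHADOW_GRANULE] = val;
}

/* Lay out [left redzone][arr][right redzone][addressable memory ...].
 * Everything past the right redzone stands for memory ASan does not own:
 * callers' frames, non-instrumented libc frames, or a FakeStack frame that
 * has not been poisoned yet. */
void model_frame(void) {
    memset(shadow, SHADOW_OK, sizeof shadow);
    poison(0, ARR_START, SHADOW_REDZONE);
    poison(ARR_END, ARR_END + REDZONE_BYTES, SHADOW_REDZONE);
}

/* Byte offset at which arr[index] lands, relative to the frame base. */
int access_offset(int index) {
    return ARR_START + index * ELEM_SIZE;
}

/* Model of the instrumented 4-byte load: returns 1 if the shadow byte for the
 * touched granule is poisoned (ASan would report), 0 if the access passes.
 * int accesses here are 4-byte aligned, so they never straddle a granule. */
int asan_would_detect(int index) {
    model_frame();
    int off = access_offset(index);
    if (off < 0 || off + ELEM_SIZE > MODEL_BYTES)
        return 0;   /* far outside the model: arbitrary, unpoisoned memory */
    return shadow[off / SHADOW_GRANULE] != SHADOW_OK;
}

/* Model of what -fsanitize=bounds inserts: the index is compared against the
 * static array bound before the load, independent of where the access lands. */
int bounds_check_would_detect(int index) {
    return index < 0 || index >= ARR_LEN;
}

int main(void) {
    const int idx[] = { 99, 100, 110, 1100, -1 };
    printf("%6s %8s %5s %6s\n", "index", "offset", "asan", "bounds");
    for (size_t i = 0; i < sizeof idx / sizeof idx[0]; i++)
        printf("%6d %8d %5d %6d\n", idx[i], access_offset(idx[i]),
               asan_would_detect(idx[i]), bounds_check_would_detect(idx[i]));
    return 0;
}
```

In this model index 110 lands 40 bytes past the array, inside the right redzone, and is reported; index 1100 lands 4000 bytes past it, in memory the model leaves addressable, and is not. The bounds-check model reports both, because it reasons about the index rather than about the shadow state of the target address.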