[LLVMbugs] [Bug 19838] New: asan can not find left buffer overflow of new[]-allocated buffer, clang help needed
bugzilla-daemon at llvm.org
Fri May 23 05:51:42 PDT 2014
http://llvm.org/bugs/show_bug.cgi?id=19838
Bug ID: 19838
Summary: asan can not find left buffer overflow of new[]-allocated buffer, clang help needed
Product: new-bugs
Version: trunk
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P
Component: new bugs
Assignee: unassignedbugs at nondot.org
Reporter: kcc at google.com
CC: llvmbugs at cs.uiuc.edu, timurrrr at google.com
Classification: Unclassified
asan does not detect the following case:
TypeWithDtor *a = new TypeWithDtor[N];
a[-1] = ...
https://code.google.com/p/address-sanitizer/issues/detail?id=314
That's because when we have new[] for a type with DTORs,
the actual allocated size is greater.
The code looks something like this:
extra = max(sizeof(long), alignment_of(TypeWithDtor));
ptr = malloc(N * sizeof(TypeWithDtor) + extra);  // cookie padding sits in front of the elements
*(long*)(ptr + extra - sizeof(long)) = N;        // array cookie: element count, read back by delete[]
return ptr + extra; // must be properly aligned for TypeWithDtor
As a result, we will not detect overwrites of the new[] cookie -- scary!
I don't see how we can implement this w/o help from FE.
First, we need to ensure alignment 8 even on 32-bit:
extra = max(8, alignment_of(TypeWithDtor));
Second, we need to poison the first extra bytes.
Lastly, we need to not instrument the legitimate loads/stores of the cookie
generated by the frontend.
All of this has to be done in FE.
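A standalone C model of the cookie layout the report describes, added here as an illustration; it is not code from the bug report or from clang. It assumes the reporter's rule extra = max(8, alignof(T)) with the count stored in the last sizeof(size_t) bytes of the padding, and shows that an a[-1] store of one element lands exactly on the cookie bytes, the region asan would have to poison; the function names are invented.

```c
#include <stdlib.h>
#include <string.h>

/* Minimum padding in front of the array (the "8 even on 32-bit" rule
   from the report); the element count lives in its last size_t bytes. */
enum { COOKIE_MIN = 8 };

/* Bytes between the raw allocation and the first element. This is
   the region that would need poisoning in the shadow memory. */
size_t cookie_extra(size_t align) {
    return align > COOKIE_MIN ? align : COOKIE_MIN;
}

/* Model of new T[n] for a T with a destructor (assumed layout). */
void *cookie_new_array(size_t n, size_t elem_size, size_t align) {
    size_t extra = cookie_extra(align);
    char *raw = malloc(n * elem_size + extra);
    if (!raw) return NULL;
    size_t count = n;
    memcpy(raw + extra - sizeof(count), &count, sizeof(count)); /* write cookie */
    return raw + extra; /* first element, aligned for T */
}

/* Read the cookie back the way delete[] would. */
size_t cookie_count(const void *array) {
    size_t count;
    memcpy(&count, (const char *)array - sizeof(count), sizeof(count));
    return count;
}

void cookie_delete_array(void *array, size_t align) {
    free((char *)array - cookie_extra(align));
}

/* Allocate n elements, optionally perform the a[-1] store from the
   report, and return 1 if the cookie still reads back as n, 0 if the
   store corrupted it (the case asan currently misses), -1 on OOM. */
int cookie_survives_write(size_t n, size_t elem_size, size_t align, int underflow) {
    char *a = cookie_new_array(n, elem_size, align);
    if (!a) return -1;
    if (underflow)
        memset(a - elem_size, 0xAB, elem_size); /* a[-1] = ... from the report */
    int ok = cookie_count(a) == n;
    cookie_delete_array(a, align);
    return ok;
}
```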