Why electric fence/Valgrind is unable to catch this buffer-overflow issue?

忘掉有多难 2021-02-10 16:11

I have created a buggy program, buggy.c; it is a buffer-overflow scenario for the buffer t. You can see that I am writing to more than 5 indexes. It works fine. It never throws me

5 answers
  • 2021-02-10 16:35

    Citing from valgrind quick start guide: "For example, it can't detect out-of-range reads or writes to arrays that are allocated statically or on the stack."

  • 2021-02-10 16:36

    Valgrind and EF detect errors in dynamically-allocated memory. Your array is not dynamically-allocated.

  • 2021-02-10 16:38

    To detect out-of-bounds accesses in statically allocated memory (i.e. on the stack), you can use a static code analysis tool.

    One that we've just begun to use at work is Klocwork.

    As mentioned on the Valgrind wiki page (under limitations of memcheck), it can't detect out of bound accesses on statically allocated memory. Quoting from the wiki:

    The experimental valgrind tool exp-sgcheck has been written to address this limitation in Memcheck. It will detect array overrun errors provided the first access to an array is within the array bounds.

  • 2021-02-10 16:40

    Run valgrind --tool=exp-sgcheck ./buggy.out and it should be able to detect that you have a buffer overrun within the local variable t[5].

  • 2021-02-10 16:48

    Valgrind is limited by having only the binary available. If you don't mind some instrumentation being inserted into your code (by the compiler), you can try AddressSanitizer. It poisons memory around allocated areas (even on the stack) and then checks every read/write, so it has a higher chance of catching these problems.

    It's integrated into current gcc (4.8+) and clang (3.2+). Just compile your code like:

    gcc -g buggy.c  -o buggy.out -fsanitize=address
    

    Upon execution, it prints something like:

    ==26247== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff9fa0be54 at pc 0x4008df bp 0x7fff9fa0be00 sp 0x7fff9fa0bdf8
    WRITE of size 4 at 0x7fff9fa0be54 thread T0
    

    and a stack trace.

    Chandler Carruth talked about it in this talk at GN13.

    Note: It is supported even in clang 3.1, but the switch is called -faddress-sanitizer instead of -fsanitize=address.

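The asker's buggy.c is not reproduced on this page, so here is a constructed C reproduction of the same scenario to try the answers above against. It is an added example, not the asker's code: it declares a five-element local array and writes past it, puts the same bug on a malloc'd buffer for comparison, and adds a bounds-checked version. The array size N, the function names and the file name overrun.c are this example's own assumptions. Built plain and run under Memcheck, the heap overrun is reported as an invalid write while the stack overrun is not, which is the limitation the first two answers describe. Built with -fsanitize=address, the stack overrun produces the stack-buffer-overflow report shown in the last answer. Without instrumentation the overrun may appear to work, as the question says, or abort with a stack-smashing message, depending on the compiler's stack layout.

```c
/*
 * Added example (not the asker's buggy.c): a stack array t[5] written past
 * its end, the same bug on a heap buffer, and a bounds-checked version.
 * N, the function names and the file name overrun.c are assumptions.
 *
 * Build and run each way to compare what the tools see:
 *   gcc -g -O0 overrun.c -o overrun
 *   valgrind ./overrun                     # Memcheck: heap overrun reported, stack overrun silent
 *   valgrind --tool=exp-sgcheck ./overrun  # only on Valgrind releases that still ship the tool
 *   gcc -g -O0 -fsanitize=address overrun.c -o overrun_asan
 *   ./overrun_asan                         # ASan: "stack-buffer-overflow ... WRITE of size 4"
 */
#include <stdio.h>
#include <stdlib.h>

#define N 5   /* size of the array in the question */

/* Fills a stack array with `count` values. Any count > N writes past t[].
 * Memcheck does not know where t[] ends, so the overrun goes unreported;
 * AddressSanitizer places poisoned redzones around t[] and aborts. */
int stack_fill(int count)
{
    volatile int t[N];              /* volatile: keep every store observable */
    for (int i = 0; i < count; i++)
        t[i] = i * 10;              /* out of bounds once i >= N */
    return t[N - 1];
}

/* Same bug on a malloc'd buffer. Memcheck replaces malloc and tracks the
 * block's exact extent, so here it does report "Invalid write of size 4". */
int heap_fill(int count)
{
    int *t = malloc(N * sizeof *t);
    if (!t)
        return -1;
    for (int i = 0; i < count; i++)
        t[i] = i * 10;              /* out of bounds once i >= N */
    int last = t[N - 1];
    free(t);
    return last;
}

/* The fix: check count against the capacity before writing.
 * Returns -1 on rejection, otherwise the last element written. */
int checked_fill(int count)
{
    int t[N];
    if (count < 1 || count > N)
        return -1;                  /* reject instead of overrunning */
    for (int i = 0; i < count; i++)
        t[i] = i * 10;
    return t[count - 1];
}

int main(void)
{
    printf("checked_fill(%d) -> %d\n", N, checked_fill(N));         /* 40 */
    printf("checked_fill(%d) -> %d\n", N + 3, checked_fill(N + 3)); /* -1 */
    printf("heap_fill(%d)    -> %d\n", N + 3, heap_fill(N + 3));    /* Memcheck and ASan both report this */
    printf("stack_fill(%d)   -> %d\n", N + 3, stack_fill(N + 3));   /* only ASan (or exp-sgcheck) reports this */
    return 0;
}
```

The exp-sgcheck line only works on Valgrind releases that still include the experimental tool; it was removed in Valgrind 3.16, so on a current installation the stack overrun in stack_fill is only reported by the AddressSanitizer build. Compiling with -fstack-protector (the default on many distributions) catches some stack overruns at function return via the canary, but not every out-of-bounds write, which is why the question's program can "work fine".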