
ASan shouldn't instrument globals defined in ".CRT*$*" sections #305

Closed
ramosian-glider opened this issue Aug 31, 2015 · 3 comments

@ramosian-glider (Member)

Originally reported on Google Code with ID 305

Example program:
-------------------------
#include <stdio.h>

int met_you = 0;

void call_me_maybe() {
  met_you = 1;
}

typedef void (*FPTR)();
#pragma data_seg(".CRT$XIB")
// Put a global callback in the right section
// to be invoked before the CRT initializers.
FPTR run_on_startup = call_me_maybe;

#pragma data_seg()
// Back to normal compilation.

// __xi_a and __xi_z are defined in VC/crt/src/crt0dat.c
// and are located in .CRT$XIA and .CRT$XIZ respectively.
extern "C" FPTR __xi_a, __xi_z;

int main() {
  if (!met_you) {
    printf("this is crazy\n");
    return 1;
  }

  // Helps debugging.
  printf("&run_on_startup = %p, call_me_maybe = %p\n",
         &run_on_startup, call_me_maybe);

  // Iterate through CRT initializers.
  for (FPTR* it = &__xi_a; it < &__xi_z; ++it)
    printf(".CRT$XI*: %p => %p\n", it, *it);
}
-------------------------

Background:
The .CRT$XIA...XIZ sections form an array of callbacks that the CRT invokes at
initialization time in a for loop (skipping any entry that is zero). One can add an extra
initialization callback simply by defining a global function pointer in the appropriate section.

The problem is that ASan happily adds redzones after these globals, thus breaking the typical
traversal of the list of callbacks. We should probably just disable adding redzones
for globals in ".CRT*$*" sections.

Reported by timurrrr@google.com on 2014-05-05 13:11:24
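The mechanism the report relies on (a table of function pointers that the linker assembles from globals placed in a named section, bounded by two linker-provided symbols and walked with pointer arithmetic) is not MSVC-specific. The block below is an added example, not code from the issue or from compiler-rt: it shows the GNU ld/ELF analogue, where a section whose name is a valid C identifier gets `__start_<name>` and `__stop_<name>` symbols that play the role of `__xi_a`/`__xi_z`. The section name `startup_cb`, the callbacks and `startup_slot_count` are made up for the example. It builds with gcc or clang on Linux; a deliberate null slot shows why the walk must skip zero entries. `startup_slot_count` is the check a practitioner would run under a new compiler flag: with no per-global padding it equals the number of pointer variables defined, and any instrumentation that pads globals (ASan redzones being the case this issue is about) makes it larger than that.

```c
/* Added example, not part of the original issue: an ELF/GNU-ld analogue of
 * the .CRT$XI* initializer table.  Builds on Linux with gcc or clang.
 * The section name "startup_cb" and all callback names are invented here. */
#include <stddef.h>
#include <stdio.h>

typedef void (*startup_fn)(void);

/* Drop a pointer to fn into the "startup_cb" section.  The variable is
 * non-const so the section is writable data, which keeps PIE relocations
 * happy; "used" stops the compiler from discarding an otherwise
 * unreferenced static. */
#define STARTUP_CALLBACK(fn) \
    static startup_fn startup_cb_##fn __attribute__((section("startup_cb"), used)) = fn

static int seen_a, seen_b;
static void init_a(void) { seen_a = 1; }
static void init_b(void) { seen_b = 1; }

STARTUP_CALLBACK(init_a);
/* A zero entry, as the CRT loop tolerates: it must be skipped, not called. */
static startup_fn startup_cb_hole __attribute__((section("startup_cb"), used)) = NULL;
STARTUP_CALLBACK(init_b);

/* Synthesised by GNU ld (and lld) for any input section whose name is a
 * valid C identifier; they correspond to __xi_a and __xi_z on MSVC. */
extern startup_fn __start_startup_cb[];
extern startup_fn __stop_startup_cb[];

/* Number of pointer-sized slots the linker laid out between the two
 * boundary symbols.  Without per-global padding this equals the number of
 * pointer variables placed in the section (3 here).  Instrumentation that
 * pads globals, such as ASan redzones, makes the count larger and makes
 * the walk below read bytes that belong to no table entry. */
size_t startup_slot_count(void) {
    return (size_t)(__stop_startup_cb - __start_startup_cb);
}

/* The traversal the CRT performs: call every non-null entry in order.
 * Returns how many callbacks were invoked. */
size_t run_startup_callbacks(void) {
    size_t n = 0;
    for (startup_fn *it = __start_startup_cb; it < __stop_startup_cb; ++it) {
        if (*it != NULL) {
            (*it)();
            ++n;
        }
    }
    return n;
}

/* 1 once both registered callbacks have run, 0 otherwise. */
int startup_ran(void) {
    return seen_a && seen_b;
}

int main(void) {
    printf("slots in table: %zu\n", startup_slot_count());
    printf("callbacks invoked: %zu\n", run_startup_callbacks());
    printf("both callbacks ran: %d\n", startup_ran());
    return startup_ran() ? 0 : 1;
}
```

If this file is built with `-fsanitize=address`, whether the walk stays clean depends on whether the compiler instruments globals in that section; comparing `startup_slot_count()` against the number of entries you defined is the quickest way to find out, and is the same condition that produced the global-buffer-overflow report on the `.CRT$XI*` walk in the reproducer above.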

@ramosian-glider (Member, Author)

Forgot to put the output under ASan here:
=================================================================
&run_on_startup = 002A21A0, call_me_maybe = 00271000
.CRT$XI*: 002A2188 => 00000000
.CRT$XI*: 002A218C => 00000000
.CRT$XI*: 002A2190 => 00000000
.CRT$XI*: 002A2194 => 00000000
.CRT$XI*: 002A2198 => 00000000
.CRT$XI*: 002A219C => 00000000
.CRT$XI*: 002A21A0 => 00271000
=================================================================
==7588==ERROR: AddressSanitizer: global-buffer-overflow on address 0x002a21a4 at pc 0x2712cf sp 0x1af914
READ of size 4 at 0x002a21a4 thread T0
    #0 0x2712ce in main test.cpp:34

0x002a21a4 is located 0 bytes to the right of global variable '☺?run_on_startup@@3P6AXXZA' from 'test.cpp' (0x2a21a0) of size 4
SUMMARY: AddressSanitizer: global-buffer-overflow test.cpp:34 main
Shadow bytes around the buggy address:
  0x200543e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x200543f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x20054400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x20054410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x20054420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x20054430: 00 00 00 00[04]f9 f9 f9 f9 f9 f9 f9 00 00 00 00

Reported by timurrrr@google.com on 2014-05-05 13:12:59

@ramosian-glider (Member, Author)

http://llvm.org/viewvc/llvm-project?revision=207968&view=revision

Reported by timurrrr@google.com on 2014-05-05 14:45:24

  • Status changed: Fixed

@ramosian-glider (Member, Author)

Adding Project:AddressSanitizer as part of GitHub migration.

Reported by ramosian.glider on 2015-07-30 09:14:08

  • Labels added: ProjectAddressSanitizer
