Message-ID: <20150323123540.GP16260@port70.net>
Date: Mon, 23 Mar 2015 13:35:40 +0100
From: Szabolcs Nagy <nsz@...t70.net>
To: Konstantin Serebryany <konstantin.s.serebryany@...il.com>
Cc: Rich Felker <dalias@...c.org>, musl@...ts.openwall.com
Subject: Re: buffer overflow in regcomp and a way to find more of those

* Konstantin Serebryany <konstantin.s.serebryany@...il.com> [2015-03-22 21:55:26 -0700]:
> On Sat, Mar 21, 2015 at 6:28 AM, Szabolcs Nagy <nsz@...t70.net> wrote:
> > * Konstantin Serebryany <konstantin.s.serebryany@...il.com> [2015-03-20 23:05:13 -0700]:
> >> BTW, writing a minimalistic asan run-time as part of musl should be a
> >> matter of a couple of hours.
> >> Probably much faster than making the current monster work with static linking.
> >> I'd be happy to help with such.
> >>
> >
> > how would this look?
> >
> > compile the tests and libc with asan, but instead of linking the
> > asan runtime from clang use a musl specific one?
>
> Yes
>
> >
> > i assume for that we still need to change the libc startup code, malloc
> > functions and may be some things around thread stacks
>
> Try to compile a simple file with asan:
>
> int main(int argc, char **argv) {
>   int a[10];
>   a[argc * 10] = 0;
>   return 0;
> }
>
> % clang -fsanitize=address a.c -c
> % nm a.o | grep U
>                  U __asan_init_v5
>                  U __asan_option_detect_stack_use_after_return
>                  U __asan_report_store4
>                  U __asan_stack_malloc_1
>
> __asan_report_store4 should print an error message saying that
> "bad write of 4 bytes" happened in <current stack trace> on address <param>.
> Also make other __asan_report_{store,load}{1,2,4,8,16}
>
> __asan_init_v5 will be called by the module initializer.
> When called for the first time, it should mmap the shadow memory.
> https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
>
> __asan_option_detect_stack_use_after_return is a global, define it to 0.
> __asan_stack_malloc_1 -- just make it an empty function.
>
> Now, you can build code with asan and detect stack buffer overflows.
> (The reports won't be very detailed, but they will be correct).
> If you add poisoned redzones to malloc -- you get heap buffer overflows.
> If you delay the reuse of free-d memory -- you get use-after-free.
>
> If you then implement __asan_register_globals (it is called on module
> initialization and poisons redzones for globals)
> you get global buffer overflows.
>
> The current asan run-time is large and hairy because it attempts to be
> thread-friendly,
> intercepts lots of libc, and provides very detailed error messages.
> W/o all that, the run-time will easily fit in < 100 LOC, which can be
> a part of a libc implementation.
>

nice

i'm not sure if we want to push this into musl, but it looks useful

i'll try to implement it

> hth,
> --kcc