Why electric fence/Valgrind is unable to catch this buffer-overflow issue?
Asked Answered
N

5

4

I have created a buggy program - buggy.c - this is a buffer-overflow scenario for buffer t. You can see that I am writing more than 5 indexes. It works fine. It never throws me an error. I was wondering, why is it like that? I tried even Valgrind, this also couldn't find this issue. Can you tell me please what is the issue here?

void buffer_overflow(void)
    {
      int t[5];
      int i = 0;

      for(i = 0; i<=7; i++)
      {
        t[i] = i;  

      }


      /** this will cause buffer overflow **/   
      printf("Memory_overflow_completed\r\n");

    }


    int main(int argc, char **argv)
    {

      buffer_overflow();

      return 0; 
    }

    $gcc -g buggy.c -o buggy.out -lefence

$./buggy.out

However, I don't get any crash. There is no effect of electric fence here. What am I missing? I saw the similar question posted here gcc with electric fence library does not take effect, but there seems to be no answer yet. I am running this example on FC19. Does anyone has an answer to it? Even valgrind fails to detect the issue? Is there any other tool to detect these issues?

Based on the further comments, I revised the buffer-overflow function to get detected by Electric Fence. However,Electric Fence cannot detect the issue. Here is the modified function.

void buffer_overflow(void)
{

  #if 0
  int t[5];
  int i = 0;

  for(i = 0; i<=7; i++)
  {
    t[i] = i;  

  }
  #endif

  char *t = malloc(sizeof(char)*7);
  strcpy(t,"SHREYAS_JOSHI");


  /** this will cause buffer overflow **/   
  printf("Memory_overflow_completed\r\n");
  free(t);

}

[joshis1@localhost blogs-tune2wizard]$ gcc -g buggy.c  -o buggy.out -lefence

[joshis1@localhost blogs-tune2wizard]$ ./buggy.out 

  Electric Fence 2.2.2 Copyright (C) 1987-1999 Bruce Perens <[email protected]>
Memory_overflow_completed

There is no error detected by Electric Fence, but Valgrind atleast showed it.

Novobiocin answered 6/10, 2013 at 10:25 Comment(0)
D
11

Valgrind is limited by having only the binary available. If you don't mind some instrumentation being inserted in your code (by compiler), you can try address sanitizer. It poisons memory around allocated areas (even on stack) and then checks every read/write, so it has higher chance to catch these problems.

It's integrated in current gcc (4.8+) and clang (3.2+) Just compile your code like:

gcc -g buggy.c  -o buggy.out -fsanitize=address

Upon execution, it prints something like:

==26247== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff9fa0be54 at pc 0x4008df bp 0x7fff9fa0be00 sp 0x7fff9fa0bdf8
WRITE of size 4 at 0x7fff9fa0be54 thread T0

and a stack trace.

Chandler Carruth talked about it in this talk at GN13

Note: It is supported even in clang 3.1, but the switch is called -faddress-sanitizer instead of -fsanitize=address.

Delladelle answered 6/10, 2013 at 12:34 Comment(3)
I get this error - joshis1@(none) temp]$ gcc -g ef.c -o ef.out -fsanitize=address cc1: error: unrecognized command line option ‘-fsanitize=address’ Can you please tell me the gcc version where it is available?Novobiocin
My gcc version is [joshis1@(none) temp]$ gcc --version gcc (GCC) 4.6.3 20120306 (Red Hat 4.6.3-2) Copyright (C) 2011 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.Novobiocin
Sorry, I forgot to explicitly mention the current versions. It seems that it's supported in gcc from version 4.8 and in clang from at least 3.1.Delladelle
S
4

Running valgrind --tool=exp-sgcheck ./buggy.out and it should be able to detect that you have buffer overrun within the local variable t[5]

Serriform answered 7/10, 2013 at 5:51 Comment(2)
I get the following error - [joshis1@(none) temp]$ valgrind --tool=exp-sgcheck ./ef.out valgrind: failed to start tool 'exp-sgcheck' for platform 'x86-linux': No such file or directory I have installed valgrind on my fc machine as $sudo yum install valgrindNovobiocin
exp-sgcheck is available only in Valgrind 3.7.0 or later. Please check your Valgrind version or files in /usr/lib/valgrind/exp*.Serriform
T
0

Valgrind and EF detect errors in dynamically-allocated memory. Your array is not dynamically-allocated.

Tica answered 6/10, 2013 at 10:27 Comment(2)
What should be the tool to detect these issues?Novobiocin
See my comments, Electric Fence still failed. I am looking for answers here, I could see that nobody has answered even the related question to it . #16160453. Don't know what next to be done.Novobiocin
C
0

Citing from valgrind quick start guide: "For example, it can't detect out-of-range reads or writes to arrays that are allocated statically or on the stack."

Cerveny answered 6/10, 2013 at 11:11 Comment(1)
Why Electric fence failed even for dynamically allocated memory?Novobiocin
U
0

To detect out-of-bounds accesses in statically allocated memory (i.e. on the stack), you can use a static code analysis tool.

One that we've just begun to use at work is Klocwork

As mentioned on the Valgrind wiki page (under limitations of memcheck), it can't detect out of bound accesses on statically allocated memory. Quoting from the wiki:

The experimental valgrind tool exp-sgcheck has been written to address this limitation in Memcheck. It will detect array overrun errors provided the first access to an array is within the array bounds.

Universally answered 8/10, 2013 at 16:59 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.