Memalign interceptor reporting false positives #1861

@vportal

Hello,

I have compiled the program below with ASAN (gcc -fsanitize=address test.c -o test -ggdb)

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdlib.h>   /* free() */
#include <malloc.h>   /* memalign() */

#define PAGE_SIZE 4096

typedef uint64_t uint64;
typedef uint32_t uint32;
typedef uint16_t uint16;
typedef uint8_t uint8;

/* Four bytes of packed bit-fields followed by one plain byte: sizeof(TestObj) == 5. */
typedef struct {
     uint8 field1      :5,
           field2      :3;
     uint8             :6,
           field3      :1,
           field4      :1;
     uint8 field5      :3,   /* lives in the third byte of the struct */
           field6      :3,
           field7      :2;
     uint8 field8      :4,
           field9      :1,
           field10     :1,
           field11     :1,
           field12     :1;
     uint8 field13;
} TestObj;

int main(void)
{
    /* Page-aligned 3-byte buffer; the struct is overlaid on it. */
    void *buf = memalign(PAGE_SIZE, 3);
    if (buf)
    {
        TestObj *obj = buf;
        obj->field5 = 0x0;   /* the store ASan reports */
    }
    free(buf);

    return 0;
}
```

There is no out-of-bounds access when obj->field5 is accessed, but ASAN is reporting this access as a heap overflow.

```
==400==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000001000 at pc 0x5ba8f6558266 bp 0x7fff671dae80 sp 0x7fff671dae70
WRITE of size 4 at 0x625000001000 thread T0
    #0 0x5ba8f6558265 in main /home/vportal/ahci/ahci2.c:36
    #1 0x7a718d232082 in __libc_start_main ../csu/libc-start.c:308
    #2 0x5ba8f655810d in _start (/home/vportal/ahci/ahci2+0x110d)

0x625000001003 is located 0 bytes to the right of 3-byte region [0x625000001000,0x625000001003)
allocated by thread T0 here:
    #0 0x7a718d50e005 in __interceptor_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:169
    #1 0x5ba8f65581e3 in main /home/vportal/ahci/ahci2.c:32
    #2 0x7a718d232082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/vportal/ahci/ahci2.c:36 in main
Shadow bytes around the buggy address:
  0x0c4a7fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff81d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff81e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff81f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a7fff8200:[03]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==400==ABORTING
```

Regards,
Victor
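The report above records a 4-byte WRITE starting at a 3-byte region, while `sizeof(TestObj)` is 5, so the buffer the struct is overlaid on is smaller than the struct itself. As an added example (not the reporter's code), the hypothetical helpers below size the allocation from `sizeof(TestObj)`, refuse undersized requests such as the 3-byte one, and keep the page alignment the original `memalign` call asked for.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <malloc.h>   /* memalign(), as in the reproducer */

#define PAGE_SIZE 4096

/* Same layout as the issue's TestObj: four bytes of bit-fields plus one plain byte. */
typedef struct {
    uint8_t field1 :5, field2 :3;
    uint8_t        :6, field3 :1, field4 :1;
    uint8_t field5 :3, field6 :3, field7 :2;
    uint8_t field8 :4, field9 :1, field10 :1, field11 :1, field12 :1;
    uint8_t field13;
} TestObj;

/* Hypothetical helper: bytes a TestObj really occupies (5 with GCC/Clang). */
size_t testobj_required_bytes(void) { return sizeof(TestObj); }

/* Hypothetical helper: how many bytes of the struct would fall past a len-byte buffer. */
size_t testobj_overrun_bytes(size_t len) {
    return sizeof(TestObj) > len ? sizeof(TestObj) - len : 0;
}

/* Hypothetical check: 1 if a len-byte buffer may legitimately be used as a TestObj. */
int testobj_fits(size_t len) { return len >= sizeof(TestObj); }

/* Hypothetical helper: 1 if p has the page alignment the reproducer requested. */
int is_page_aligned(const void *p) { return ((uintptr_t)p % PAGE_SIZE) == 0; }

/* Hypothetical hardened allocator: page-aligned, never smaller than the struct,
   zero-filled so every bit-field's containing storage unit starts initialised. */
TestObj *testobj_alloc(size_t len) {
    if (!testobj_fits(len)) return NULL;          /* rejects memalign(PAGE_SIZE, 3) */
    void *buf = memalign(PAGE_SIZE, len);
    if (!buf) return NULL;
    memset(buf, 0, len);
    return (TestObj *)buf;
}

/* Performs the reproducer's store on a correctly sized object and returns the value read back. */
int demo_roundtrip(void) {
    TestObj *obj = testobj_alloc(sizeof(TestObj));
    if (!obj || !is_page_aligned(obj)) return -1;
    obj->field5 = 5;                              /* now entirely inside the allocation */
    int v = obj->field5;
    free(obj);
    return v;
}
```

Built with the same `gcc -fsanitize=address` command as the reproducer, `demo_roundtrip` runs clean because every byte the bit-field store touches belongs to the allocation.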
