From: hamid a. <ham...@gm...> - 2013-10-31 19:29:09
Hi,
simply running valgrind with --tool=exp-sgcheck won't help, but the source code definitely will. But what part of the code is handy? I find that there are 2 related structs: StackBlock and GlobalBlock that have a size field (szB). What is the function that converts a pointer to a location in stack/global memory into the related StackBlock/GlobalBlock struct?

On Thu, Oct 31, 2013 at 10:33 PM, Дмитрий Дьяченко <di...@gm...> wrote:
> Hi!
>
> exp-sgcheck can't help?
>
> Dmitry
>
> 2013/10/31 Philippe Waroquiers <phi...@sk...>:
> > On Thu, 2013-10-31 at 15:26 +0330, hamid alaei wrote:
> >> Hi everyone,
> >> Assume there is a C code that does this:
> >>
> >> char buff1[20];
> >> char buff2[30]="some small string";
> >> ...
> >>
> >> strcpy(buff1, buff2);
> >>
> >> This code can be regarded as unsafe not only because it uses strcpy(),
> >> which doesn't accept a size argument for the maximum capacity of
> >> buff1, but also because the maximum capacity of the target string
> >> buff1 is less than the maximum capacity of the src string buff2.
> >>
> >> I know that if strcpy() tries to write outside buff1, then memcheck or
> >> sgcheck can detect that, depending on whether these strings are in
> >> stack/global memory or in the heap. But I want a warning while calling
> >> strcpy() in this manner as well, regardless of whether overflow
> >> happens or not.
> >>
> >> I am wondering if there is such a tool to do so. I guess it should
> >> replace strcpy() and similar functions with a wrapper. Does anybody
> >> know such a tool/extension or how to write such a wrapper that can
> >> have access to the max-size of buff1 and buff2?
> >
> > This might be an interesting addition to e.g. memcheck
> > (or other tools that are replacing str* and other functions).
> >
> > I think this will be relatively easy to do for "simple cases"
> > of stack and global arrays, and maybe arrays in a stack/global struct:
> > using --read-var-info=yes, valgrind provides access to (some)
> > information about these, (and from a small experiment, it looks
> > like it knows the size of these).
> >
> > However, for more complex cases (e.g. arrays in a dynamically allocated
> > struct), this will be more complex: how to guess (or keep track) that a
> > pointer inside a block is a pointer to an array smaller than
> > the malloc-ed block is unclear to me.
> >
> > Philippe
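For the "simple cases" of stack and global arrays discussed in this thread, the capacity comparison can also be made in the source itself, where `sizeof` still sees both arrays. The following is an added example, not code from the thread or from Valgrind; `CHECKED_STRCPY`, `checked_strcpy_impl` and the result codes are hypothetical names, and it assumes GCC or Clang (`__typeof__`, `__builtin_types_compatible_p`).

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example. */
enum cap_result { CAP_OK, CAP_WARN, CAP_REFUSED };

/* Copy only if the string fits in dst; warn whenever src's buffer is larger
 * than dst's, even when this particular string fits (the case in the post). */
static enum cap_result checked_strcpy_impl(char *dst, size_t dst_cap,
                                           const char *src, size_t src_cap,
                                           const char *file, int line)
{
    const char *nul = memchr(src, '\0', src_cap);

    /* Refuse an unterminated source or a string that would not fit. */
    if (nul == NULL || (size_t)(nul - src) + 1 > dst_cap) {
        fprintf(stderr, "%s:%d: copy refused: string does not fit in %zu bytes\n",
                file, line, dst_cap);
        return CAP_REFUSED;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);
    if (src_cap > dst_cap) {
        fprintf(stderr, "%s:%d: warning: src capacity %zu > dst capacity %zu\n",
                file, line, src_cap, dst_cap);
        return CAP_WARN;
    }
    return CAP_OK;
}

/* 1 for a real array, 0 for a pointer (sizeof would give the pointer size). */
#define IS_ARRAY(a) \
    (!__builtin_types_compatible_p(__typeof__(a), __typeof__(&(a)[0])))
/* Negative array size forces a compile error when an argument is a pointer. */
#define MUST_BE_ARRAY(a) ((void)sizeof(char[IS_ARRAY(a) ? 1 : -1]))
#define CHECKED_STRCPY(dst, src)                                  \
    (MUST_BE_ARRAY(dst), MUST_BE_ARRAY(src),                      \
     checked_strcpy_impl((dst), sizeof(dst), (src), sizeof(src),  \
                         __FILE__, __LINE__))

int main(void)
{
    char buff1[20];
    char buff2[30] = "some small string";   /* buffers from the post */
    enum cap_result r = CHECKED_STRCPY(buff1, buff2);

    printf("result=%d buff1=\"%s\"\n", r, buff1);
    return r == CAP_WARN ? 0 : 1;
}
```

Because the macro rejects pointer arguments at compile time, it does not cover the heap or struct-member cases raised in the thread, where the array size is no longer visible at the call site.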