valgrind-users

[Valgrind-users] How to write a tool to check unsafe strcpy-alike functions in another way

[hamid a. <ham...@gm...>]

Hi everyone,
Assume there is a C code that do this:

char buff1[20];
char buff2[30]="some small string";
...
strcpy(buff1, buff2);

This code is can be regarded unsafe not only because it use strcpy(), which
doesn't accept a size argument for the maximum capacity of buff1, but also
because the maximum capacity if the target string buff1 is less than the
maximum capacity of the src string buff2.

I know that if strcpy() tries to write outside buff1, then memcheck or
sgcheck can detect that, depending on whether these strings are in
stack/global memory or in the heap. But I want a warning while calling
strcpy() in this manner as well, regardless of whether overflow happens or
not.

I am wondering if there is such a tool to do so. I guess it should replace
strcpy() and similar functions with a wrapper. Does anybody know suck a
tool/extension or how to write such a wrapper that can have access to the
max-size of buff1 and buff2?

Regards,
Hamid.

Re: [Valgrind-users] How to write a tool to check unsafe strcpy-alike functions in another way

[Bart V. A. <bva...@ac...>]

On 31/10/2013 4:56, hamid alaei wrote:
> Hi everyone,
> Assume there is a C code that do this:
>
> char buff1[20];
> char buff2[30]="some small string";
> ...
> strcpy(buff1, buff2);
>
> This code is can be regarded unsafe not only because it use strcpy(),
> which doesn't accept a size argument for the maximum capacity of buff1,
> but also because the maximum capacity if the target string buff1 is less
> than the maximum capacity of the src string buff2.
>
> I know that if strcpy() tries to write outside buff1, then memcheck or
> sgcheck can detect that, depending on whether these strings are in
> stack/global memory or in the heap. But I want a warning while calling
> strcpy() in this manner as well, regardless of whether overflow happens
> or not.
>
> I am wondering if there is such a tool to do so. I guess it should
> replace strcpy() and similar functions with a wrapper. Does anybody know
> suck a tool/extension or how to write such a wrapper that can have
> access to the max-size of buff1 and buff2?

Hello Hamid,

I think that smatch is already able to detect for the above example that 
the output buffer is too small (http://smatch.sourceforge.net/).

Bart.

Re: [Valgrind-users] How to write a tool to check unsafe strcpy-alike functions in another way

[Philippe W. <phi...@sk...>]

On Thu, 2013-10-31 at 15:26 +0330, hamid alaei wrote:
> Hi everyone,
> Assume there is a C code that do this:
> 
> 
> char buff1[20];
> char buff2[30]="some small string";
> ...
> 
> strcpy(buff1, buff2);
> 
> 
> 
> This code is can be regarded unsafe not only because it use strcpy(),
> which doesn't accept a size argument for the maximum capacity of
> buff1, but also because the maximum capacity if the target string
> buff1 is less than the maximum capacity of the src string buff2.
> 
> I know that if strcpy() tries to write outside buff1, then memcheck or
> sgcheck can detect that, depending on whether these strings are in
> stack/global memory or in the heap. But I want a warning while calling
> strcpy() in this manner as well, regardless of whether overflow
> happens or not.
> 
> 
> I am wondering if there is such a tool to do so. I guess it should
> replace strcpy() and similar functions with a wrapper. Does anybody
> know suck a tool/extension or how to write such a wrapper that can
> have access to the max-size of buff1 and buff2?

This might be an interesting addition to e.g. memcheck
(or other tools that are replacing str* and others functions).

I think this will be relatively easy to do for "simple cases"
of stack and global arrays, and maybe arrays in a stack/global struct :
using --read-var-info=yes, valgrind provides access to (some)
information about theses, (and from a small experiment, it looks
like it knows the size of these).

However, for more complex cases (e.g. arrays in a dynamically allocated
struct), this will be more complex: how to guess (or keep track) that a
pointer inside a block is a pointer to an array smaller than
the malloc-ed block is unclear to me.

Philippe

Re: [Valgrind-users] How to write a tool to check unsafe strcpy-alike functions in another way

[hamid a. <ham...@gm...>]

OMG, I find that I did not reply to mailing list. So here is my replies to
those how kindle replied me ;)
-----------------------------------------------------------------------
1- Reply to Bart
-----------------------------------------------------------------------
Thanks, but it says it is a static tool, therefore cannot work for dynamic
arrays or even for input argument of a function. My problem is that static
tools generate too much errors and dynamic tools like valgrind may not find
a bug if the test have poor coverage, which almost always is the case. So I
need something in between.
-----------------------------------------------------------------------
2- Reply to Bard
-----------------------------------------------------------------------
Ideally, I am thinking of a function, let say RUNTIME_SIZEOF(x) that gives
the size of object x at runtime, no matter if it is a local or global or
heap variable. Having such a function in valgrind library, then one can
simply write a wrapper for every function like strcpy:

*#include <stdio.h>*
* *

*#include "valgrind.h"*
* *

*char *I_WRAP_SONAME_FNNAME_ZU(???,**strcpy)(char *buff1, char *buff2)*
* *

*{*
* *

*       char * result;*
* *

*       OrigFn fn;*
* *

*       VALGRIND_GET_ORIG_FN(fn);*

*       if(RUNTIME_SIZEOF(buff1) < RUNTIME_SIZEOF(buff2))*

*       {*

*               printf("SOME ERROR REPORT");
*

*       }
*
* *

*       CALL_FN_W_WW(result, buff1, buff2); *
*       return result;
}*
-----------------------------------------------------------------------
3- Reply to Philippe:
-----------------------------------------------------------------------
Thanks Philippe,
I know that can be an interesting extension. I also hope that to Valgrind
developers doing so can be easy. For dynamically allocated structs, I just
expected a tool that can detect if the size of a hole block/struct is large
enough, not specifically one of its static array fields. I think that work
well in many cases. However, there should be a way to implement such a
runtime type checking as well: it will be easy in the case of using new
operator in C++. With malloc as well the desired tool can guess the type of
block by observing the type of pointers in which the address of the block
is stored after malloc.

But the question here is how we can ask valgrind developers to kindly
implement such an extension. It will be very hard to me to do so and I hope
no one force me to do that!!!
-----------------------------------------------------------------------
Thanks all

Re: [Valgrind-users] How to write a tool to check unsafe strcpy-alike functions in another way

[Philippe W. <phi...@sk...>]

On Thu, 2013-10-31 at 21:31 +0330, hamid alaei wrote:

> -----------------------------------------------------------------------
> 3- Reply to Philippe:
> 
> -----------------------------------------------------------------------
> Thanks Philippe,
> 
> I know that can be an interesting extension. I also hope that to
> Valgrind developers doing so can be easy. For dynamically allocated
> structs, I just expected a tool that can detect if the size of a hole
> block/struct is large enough, not specifically one of its static array
> fields. I think that work well in many cases. However, there should be
> a way to implement such a runtime type checking as well: it will be
> easy in the case of using new operator in C++. With malloc as well the
> desired tool can guess the type of block by observing the type of
> pointers in which the address of the block is stored after malloc.
"observing the type of pointers ..." is what I think is complex/unclear
how to do.
> 
> 
> But the question here is how we can ask valgrind developers to kindly
> implement such an extension. It will be very hard to me to do so and I
> hope no one force me to do that!!!
At least for the easy cases, that would be an interesting thing (not so
difficult) to look at for a first hack on valgrind.
Nobody will of course force you :).

Philippe

Re: [Valgrind-users] How to write a tool to check unsafe strcpy-alike functions in another way

[hamid a. <ham...@gm...>]

:) thanks Philippe. I realized you are a Valgrind developer. I may not be
able to do that implementation. But out of curiosity, if someone does that
for static arrays, I guess he/she should have access to some DWARF3
information that is already decoded by valgrind (I guess). So where should
he/she finds the decoded DWARF3 data structures and related functions in
the valgrind source code? Are they easy to work with? What is the
complexity of that part of valgrind?


On Thu, Oct 31, 2013 at 9:48 PM, hamid alaei <ham...@gm...> wrote:

> :) thanks Philippe. I realized you are a Valgrind developer. I may not be
> able to do that implementation. But out of curiosity, if someone does that
> for static arrays, I guess he/she should have access to some DWARF3
> information that is already decoded by valgrind (I guess). So where should
> he/she finds the decoded DWARF3 data structures and related functions in
> the valgrind source code? Are they easy to work with? What is the
> complexity of that part of valgrind?
>
>
> On Thu, Oct 31, 2013 at 9:38 PM, Philippe Waroquiers <
> phi...@sk...> wrote:
>
>> (I have re-replied on the list)
>>
>> On Thu, 2013-10-31 at 19:05 +0100, Philippe Waroquiers wrote:
>> > On Thu, 2013-10-31 at 21:00 +0330, hamid alaei wrote:
>> > > Thanks Philippe,
>> > >
>> > > I know that can be an interesting extension. I also hope that to
>> > > Valgrind developers doing so can be easy. For dynamically allocated
>> > > structs, I just expected a tool that can detect if the size of a hole
>> > > block/struct is large enough, not specifically one of its static array
>> > > fields. I think that work well in many cases. However, there should be
>> > > a way to implement such a runtime type checking as well: it will be
>> > > easy in the case of using new operator in C++. With malloc as well the
>> > > desired tool can guess the type of block by observing the type of
>> > > pointers in which the address of the block is stored after malloc.
>> > "observing the type of pointers ..." is what I think is complex/unclear
>> > how to do.
>> >
>> > >
>> > >
>> > > But the question here is how we can ask valgrind developers to kindly
>> > > implement such an extension. It will be very hard to me to do so and I
>> > > hope no one force me to do that!!!
>> > At least for the easy cases, that would be an interesting thing (not so
>> > difficult) to look at for a first hack on valgrind.
>> > Nobody will of course force you :).
>> >
>> > Philippe
>> >
>> >
>> >
>>
>>
>>
>

Re: [Valgrind-users] How to write a tool to check unsafe strcpy-alike functions in another way

[Дмитрий Д. <di...@gm...>]

Hi!

exp-sgcheck can't help?

Dmitry

2013/10/31 Philippe Waroquiers <phi...@sk...>:
> On Thu, 2013-10-31 at 15:26 +0330, hamid alaei wrote:
>> Hi everyone,
>> Assume there is a C code that do this:
>>
>>
>> char buff1[20];
>> char buff2[30]="some small string";
>> ...
>>
>> strcpy(buff1, buff2);
>>
>>
>>
>> This code is can be regarded unsafe not only because it use strcpy(),
>> which doesn't accept a size argument for the maximum capacity of
>> buff1, but also because the maximum capacity if the target string
>> buff1 is less than the maximum capacity of the src string buff2.
>>
>> I know that if strcpy() tries to write outside buff1, then memcheck or
>> sgcheck can detect that, depending on whether these strings are in
>> stack/global memory or in the heap. But I want a warning while calling
>> strcpy() in this manner as well, regardless of whether overflow
>> happens or not.
>>
>>
>> I am wondering if there is such a tool to do so. I guess it should
>> replace strcpy() and similar functions with a wrapper. Does anybody
>> know suck a tool/extension or how to write such a wrapper that can
>> have access to the max-size of buff1 and buff2?
>
> This might be an interesting addition to e.g. memcheck
> (or other tools that are replacing str* and others functions).
>
> I think this will be relatively easy to do for "simple cases"
> of stack and global arrays, and maybe arrays in a stack/global struct :
> using --read-var-info=yes, valgrind provides access to (some)
> information about theses, (and from a small experiment, it looks
> like it knows the size of these).
>
> However, for more complex cases (e.g. arrays in a dynamically allocated
> struct), this will be more complex: how to guess (or keep track) that a
> pointer inside a block is a pointer to an array smaller than
> the malloc-ed block is unclear to me.
>
> Philippe
>
>
>
>
> ------------------------------------------------------------------------------
> Android is increasing in popularity, but the open development platform that
> developers love is also attractive to malware creators. Download this white
> paper to learn more about secure code signing practices that can help keep
> Android apps secure.
> http://pubads.g.doubleclick.net/gampad/clk?id=65839951&iu=/4140/ostg.clktrk
> _______________________________________________
> Valgrind-users mailing list
> Val...@li...
> https://lists.sourceforge.net/lists/listinfo/valgrind-users

Re: [Valgrind-users] How to write a tool to check unsafe strcpy-alike functions in another way

[hamid a. <ham...@gm...>]

Hi,
simply running valgrind with --tool=exp-sgcheck won't help, but the source
code definitely will. But what part of the code is handy?

I find that there are 2 related structs: StackBlock and GlobalBlock that
have a size field (szB). What is the function that convert a pointer to a
location in stack/global memory into related StackBlock/GlobalBlock struct?






On Thu, Oct 31, 2013 at 10:33 PM, Дмитрий Дьяченко <di...@gm...> wrote:

> Hi!
>
> exp-sgcheck can't help?
>
> Dmitry
>
> 2013/10/31 Philippe Waroquiers <phi...@sk...>:
> > On Thu, 2013-10-31 at 15:26 +0330, hamid alaei wrote:
> >> Hi everyone,
> >> Assume there is a C code that do this:
> >>
> >>
> >> char buff1[20];
> >> char buff2[30]="some small string";
> >> ...
> >>
> >> strcpy(buff1, buff2);
> >>
> >>
> >>
> >> This code is can be regarded unsafe not only because it use strcpy(),
> >> which doesn't accept a size argument for the maximum capacity of
> >> buff1, but also because the maximum capacity if the target string
> >> buff1 is less than the maximum capacity of the src string buff2.
> >>
> >> I know that if strcpy() tries to write outside buff1, then memcheck or
> >> sgcheck can detect that, depending on whether these strings are in
> >> stack/global memory or in the heap. But I want a warning while calling
> >> strcpy() in this manner as well, regardless of whether overflow
> >> happens or not.
> >>
> >>
> >> I am wondering if there is such a tool to do so. I guess it should
> >> replace strcpy() and similar functions with a wrapper. Does anybody
> >> know suck a tool/extension or how to write such a wrapper that can
> >> have access to the max-size of buff1 and buff2?
> >
> > This might be an interesting addition to e.g. memcheck
> > (or other tools that are replacing str* and others functions).
> >
> > I think this will be relatively easy to do for "simple cases"
> > of stack and global arrays, and maybe arrays in a stack/global struct :
> > using --read-var-info=yes, valgrind provides access to (some)
> > information about theses, (and from a small experiment, it looks
> > like it knows the size of these).
> >
> > However, for more complex cases (e.g. arrays in a dynamically allocated
> > struct), this will be more complex: how to guess (or keep track) that a
> > pointer inside a block is a pointer to an array smaller than
> > the malloc-ed block is unclear to me.
> >
> > Philippe
> >
> >
> >
> >
> >
> ------------------------------------------------------------------------------
> > Android is increasing in popularity, but the open development platform
> that
> > developers love is also attractive to malware creators. Download this
> white
> > paper to learn more about secure code signing practices that can help
> keep
> > Android apps secure.
> >
> http://pubads.g.doubleclick.net/gampad/clk?id=65839951&iu=/4140/ostg.clktrk
> > _______________________________________________
> > Valgrind-users mailing list
> > Val...@li...
> > https://lists.sourceforge.net/lists/listinfo/valgrind-users
>

Re: [Valgrind-users] How to write a tool to check unsafe strcpy-alike functions in another way

[hamid a. <ham...@gm...>]

I wrote a function to return the size of an array in global memory. But I
am not sure if it works:

//return the size of a global block with a given address, 0 if not found
SizeT runtime_size_of_global(Addr adr)
{
    WordFM* gitree = giTree;
    GlobalTreeNode* g = find_GlobalTreeNode(gitree,adr);
    if(g)
        return g->szB;
    return 0;
}

How can my desired wrapper, which I am going to LD_PRELOAD, can have access
to this function in a way that it works?