From: Bram M. (Syzop) <sy...@vu...> - 2005-07-26 00:35:44
Hi,
Does valgrind also check the stack for buffer overflows and such issues,
or only the heap?
I tried the following program (well, typing from the top of my head):
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char alpha[8], beta[512];

    beta[0] = 'a';
    printf("abc\n");
    /* 20 bytes (19 chars + NUL) copied into an 8-byte stack buffer:
     * overflows alpha into whatever the compiler placed next to it. */
    strcpy(alpha, "this is just a test");
    printf("def\n");
    exit(EXIT_SUCCESS);
}
And valgrind does not detect any problems. Tried both valgrind 2.4.0
(also with --single-step=yes) and latest 3.* from SVN (from 1 hour ago).
If valgrind cannot do this, does anyone have any hints about what would
be capable of this? Would be nice to have that + valgrind.
IIRC there were some gcc patches, but AFAICT they only check for
overwriting of the return address and/or for any pointers (put a canary
between the buffers and the pointers/smallobjects on the stack), and
they do not check for one buffer overflowing into another buffer (which
can be nearly as dangerous, if you ask me).
Any help is appreciated.
Thanks,
Bram.
--
Bram Matthys
Software developer/IT consultant sy...@vu...
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: 8DD4 437E 9BA8 09AA 0A8D 1811 E1C3 D65F E6ED 2AA2
From: Dennis L. <pla...@in...> - 2005-07-26 00:59:34
At 02:35 26.07.2005, Bram Matthys (Syzop) wrote:
>Hi,
>
>Does valgrind also check the stack for buffer overflows and such issues,
>or only the heap?
>
>I tried the following program (well, typing from the top of my head):
>#include <stdio.h>
>#include <stdlib.h>
>#include <unistd.h>
>#include <string.h>
>
>int main(int argc, char *argv[])
>{
>char alpha[8], beta[512];
>
> beta[0] = 'a';
> printf("abc\n");
> strcpy(alpha, "this is just a test");
> printf("def\n");
> exit(EXIT_SUCCESS);
>}
>
>And valgrind does not detect any problems. Tried both valgrind 2.4.0
>(also with --single-step=yes) and latest 3.* from SVN (from 1 hour ago).
>
>If valgrind cannot do this, does anyone have any hints about what would
>be capable of this? Would be nice to have that + valgrind.
Valgrind cannot find such errors, since it is "limited" to checking for
valid memory access, and all the stack is accessible. It cannot know if the
pointer was intended for this part of memory. (You may run into a similar
false negative when a wild pointer accidentally falls into some other
heap block). There was once an idea of a pointer-misuse tool for valgrind,
but I don't know what its status is/was.
Recent gcc (4.0.x) has the mudflap library integrated, which does some
stack instrumentation and various other checks. The drawback of this is of
course you can only run code (resp. check it) with it that was compiled
with this.
greets
Dennis
Carpe quod tibi datum est
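The gap Dennis describes (an addressability checker sees the whole stack as valid, so one buffer spilling into its neighbour is invisible to it) is closed at the source level by never copying without knowing the destination size. The following is an added example, not code from this thread or from valgrind: Bram's test program with the plain strcpy() replaced by a copy that refuses to exceed the buffer. The function names copy_bounded, run_like_original and self_check are my own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical helper, not a library routine: copy src into dst only if it
 * fits in dst_size bytes including the terminating NUL. Returns 0 on
 * success and -1 if src does not fit; on -1, dst is left untouched, so no
 * byte beyond the buffer is ever written. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size)
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Re-creation of the program from the original post with strcpy() swapped
 * for copy_bounded(). Returns the copy's result code so the outcome can be
 * asserted on rather than only observed in a debugger. */
int run_like_original(void)
{
    char alpha[8], beta[512];

    beta[0] = 'a';
    /* 19 characters plus NUL do not fit in alpha[8]: the call reports the
     * problem instead of overwriting 12 bytes of neighbouring stack. */
    int rc = copy_bounded(alpha, sizeof alpha, "this is just a test");
    if (rc != 0)
        fprintf(stderr, "refused: source too long for %zu-byte buffer\n",
                sizeof alpha);
    return rc;
}

/* Self-check with constructed inputs: a 7-char string fits an 8-byte
 * buffer, an 8-char one does not, and a refused copy leaves the previous
 * contents intact. Returns 1 when all of that holds, 0 otherwise. */
int self_check(void)
{
    char buf[8] = "zzzzzzz";

    if (copy_bounded(buf, sizeof buf, "abcdefg") != 0)
        return 0;
    if (strcmp(buf, "abcdefg") != 0)
        return 0;
    if (copy_bounded(buf, sizeof buf, "abcdefgh") != -1)
        return 0;
    if (strcmp(buf, "abcdefg") != 0)   /* untouched by the refused copy */
        return 0;
    return 1;
}

int main(void)
{
    printf("self_check: %s\n", self_check() ? "ok" : "FAILED");
    /* Exit status 1 signals that the oversized copy was (correctly) refused. */
    return run_like_original() == 0 ? 0 : 1;
}
```

Build with `cc -Wall -o bounded bounded.c` and run `./bounded`; the oversized copy is reported on stderr and the process exits with status 1 instead of silently corrupting the stack. For code you cannot change, the tooling side has moved on since 2005: compiling Bram's original program with `-D_FORTIFY_SOURCE=2 -O2` makes glibc abort the strcpy() into a buffer of known size, and `-fsanitize=address` (gcc and clang) places redzones between stack objects and reports the overflow at the exact instruction, which is the stack-instrumentation role mudflap played in gcc 4.0. `-fstack-protector` alone only notices when the overwrite reaches the canary next to the return address, so adjacent-buffer corruption of the kind Bram asks about can still pass it.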
From: Nicholas N. <nj...@cs...> - 2005-07-26 23:10:44
On Tue, 26 Jul 2005, Bram Matthys (Syzop) wrote:

> Does valgrind also check the stack for buffer overflows and such issues,
> or only the heap?

This is FAQ 5.2 (6.2 on the website).

N
From: Bram M. (Syzop) <sy...@vu...> - 2005-07-26 23:36:55
Nicholas Nethercote wrote:
> On Tue, 26 Jul 2005, Bram Matthys (Syzop) wrote:
>
>> Does valgrind also check the stack for buffer overflows and such issues,
>> or only the heap?
>
> This is FAQ 5.2 (6.2 on the website).

I see, I didn't read that, sorry.

However.. I did check the manual '2.12 Limitations' at that time, it is not
listed there (unless I'm completely blind). Perhaps a good idea to add?
Sounds like an appropriate place to me...

Bram.

--
Bram Matthys
Software developer/IT consultant sy...@vu...
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: 8DD4 437E 9BA8 09AA 0A8D 1811 E1C3 D65F E6ED 2AA2