[Softbound-users] Problem with fprintf of constant string when using Softbound 1.1.1

Török Edwin edwin at clamav.net
Tue Oct 13 07:37:26 EDT 2009 

Hi,

After seeing the slides on softbound, I tested it on ClamAV
(www.clamav.net).

I encountered two problems: some wrappers were missing (attached patch),
and it detected a bug [1] when calling fprintf, but there is no bug there:

logg("!%s\n", cl_strerror(ret));

const char *cl_strerror(int clerror)
{
 switch (clerror) {
    ...
  case CL_ESTAT:
    return "Can't get file status";
  }
}

int logg(const char *str, ...) {
 char buffer[1025];

 abuffer = malloc(len);
 char *buf = abuffer;
...
 char *buf = buffer;

 ...
 fprintf(logg_fp, "%s", buff+1);
}

What am I doing wrong? Is there a flag to output what is the bounds
violation exaclty? (which pointer, valid size, actual offset, similar to
how valgrind/mudflap reports)

Here's how I compiled ClamAV (after compiling zlib and bzip2 to bitcode
similarly, and compiling libltdl's argz.c to argz.bc):

$ git clone git://git.clamav.net/git/clamav-devel
$ cd clamav-devel
$ ../../clamav-devel/configure --disable-shared --disable-mempool
--disable-pthreads --prefix=/home/edwin/clam/git/builds/softbound/pfx
--with-included-ltdl
$ make CPPFLAGS="-O1 --emit-llvm" CCLD="llvm-ld -disable-opt" CFLAGS= -j4
$ llvm-link
/home/edwin/llvm-git/softbound/SoftBound-v1.1.1/test/softbound-checks.bc
/home/edwin/llvm-git/softbound/SoftBound-v1.1.1/argz.bc $1 >test-linked.bc
$ opt -SoftBoundPass test-linked.bc >test-instrumented.bc
$ llvm-link test-instrumented.bc
/home/edwin/llvm-git/softbound/SoftBound-v1.1.1/test/softbound.bc
/home/edwin/llvm-git/softbound/SoftBound-v1.1.1/test/softbound-wrappers.bc
>test-softbound.bc
$ llvm-ld -disable-opt -lm -lcrypt test-softbound.bc -o test
$ llc -disable-fp-elim <test.bc | as -o test.o
$ gcc test.o -lm -lcrypt -o test
$ gdb ./test

I can send you clamscan.bc if needed.

(I used disable-opt and disable-fp-elim to get a usable stacktrace).

[1] Stacktrace of bug:
Starting program: /home/edwin/clam/git/builds/softbound/clamscan/test

cl_load(): Can't get status of
/home/edwin/clam/git/builds/softbound/pfx/share/clamav
LibClamAV Error:
SoftBound: Bounds violation detected


Backtrace:
/home/edwin/clam/git/builds/softbound/clamscan/test[0x6e7ad6]

Program received signal SIGABRT, Aborted.
0x0000003411231d25 in *__GI_raise (sig=<value optimized out>) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64
64      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
        in ../nptl/sysdeps/unix/sysv/linux/raise.c
(gdb) bt
#0  0x0000003411231d25 in *__GI_raise (sig=<value optimized out>) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x0000003411234de1 in *__GI_abort () at abort.c:88
#2  0x00000000006e7b15 in __softbound_abort ()
#3  0x00000000006e7faa in __loadDereferenceCheck ()
#4  0x0000000000438f07 in softbound_logg ()
#5  0x0000000000450acf in scanmanager (opts=0x943010) at manager.c:424
#6  0x0000000000444ad7 in softbound_pseudo_main ()
#7  0x00000000006e7c71 in main ()
(gdb) up
#1  0x0000003411234de1 in *__GI_abort () at abort.c:88
88      abort.c: No such file or directory.
        in abort.c
(gdb)
#2  0x00000000006e7b15 in __softbound_abort ()
Current language:  auto
The current source language is "auto; currently asm".
(gdb)
#3  0x00000000006e7faa in __loadDereferenceCheck ()
(gdb)
#4  0x0000000000438f07 in softbound_logg ()
(gdb)
#5  0x0000000000450acf in scanmanager (opts=0x943010) at manager.c:424
424                 logg("!%s\n", cl_strerror(ret));

Program received signal SIGABRT, Aborted.
0x0000003411231d25 in *__GI_raise (sig=<value optimized out>) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64
64      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
        in ../nptl/sysdeps/unix/sysv/linux/raise.c
(gdb) bt
#0  0x0000003411231d25 in *__GI_raise (sig=<value optimized out>) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x0000003411234de1 in *__GI_abort () at abort.c:88
#2  0x0000000000781c05 in __softbound_abort ()
#3  0x000000000049fd17 in logg () at output.c:330
#4  0x00000000004b1ce8 in softbound_scanmanager ()
#5  0x00000000004ad59a in logg_close () at output.c:208
#6  0x0000000000781d61 in main ()
(gdb) up
#1  0x0000003411234de1 in *__GI_abort () at abort.c:88
88      abort.c: No such file or directory.
        in abort.c
(gdb)
#2  0x0000000000781c05 in __softbound_abort ()
Current language:  auto
The current source language is "auto; currently asm".
(gdb)
#3  0x000000000049fd17 in logg () at output.c:330
330                     fprintf(logg_fp, "%s", buff + 1);



Best regards,
--Edwin

More information about the Softbound-users mailing list