[Softbound-users] Problem with fprintf of constant string when using Softbound 1.1.1

Török Edwin edwin at clamav.net
Tue Oct 13 07:42:59 EDT 2009


On 2009-10-13 14:37, Török Edwin wrote:
> Hi,
> 
> After seeing the slides on softbound, I tested it on ClamAV
> (www.clamav.net).
> 
> I encountered two problems: some wrappers were missing (attached patch),

Forgot to attach, here it is.

Maybe it is something wrong in the wrappers I wrote that causes the bug?

> and it detected a bug [1] when calling fprintf, but there is no bug there:
> 
> logg("!%s\n", cl_strerror(ret));
> 
> const char *cl_strerror(int clerror)
> {
>  switch (clerror) {
>     ...
>   case CL_ESTAT:
>     return "Can't get file status";
>   }
> }
> 
> int logg(const char *str, ...) {
>  char buffer[1025];
> 
>  abuffer = malloc(len);
>  char *buf = abuffer;
> ...
>  char *buf = buffer;
> 
>  ...
>  fprintf(logg_fp, "%s", buff+1);
> }
> 
> What am I doing wrong? Is there a flag to output what is the bounds
> violation exactly? (which pointer, valid size, actual offset, similar to
> how valgrind/mudflap reports)
> 
> Here's how I compiled ClamAV (after compiling zlib and bzip2 to bitcode
> similarly, and compiling libltdl's argz.c to argz.bc):
> 
> $ git clone git://git.clamav.net/git/clamav-devel
> $ cd clamav-devel
> $ ../../clamav-devel/configure --disable-shared --disable-mempool
> --disable-pthreads --prefix=/home/edwin/clam/git/builds/softbound/pfx
> --with-included-ltdl
> $ make CPPFLAGS="-O1 --emit-llvm" CCLD="llvm-ld -disable-opt" CFLAGS= -j4
> $ llvm-link
> /home/edwin/llvm-git/softbound/SoftBound-v1.1.1/test/softbound-checks.bc
> /home/edwin/llvm-git/softbound/SoftBound-v1.1.1/argz.bc $1 >test-linked.bc
> $ opt -SoftBoundPass test-linked.bc >test-instrumented.bc
> $ llvm-link test-instrumented.bc
> /home/edwin/llvm-git/softbound/SoftBound-v1.1.1/test/softbound.bc
> /home/edwin/llvm-git/softbound/SoftBound-v1.1.1/test/softbound-wrappers.bc
> >test-softbound.bc
> $ llvm-ld -disable-opt -lm -lcrypt test-softbound.bc -o test
> $ llc -disable-fp-elim <test.bc | as -o test.o
> $ gcc test.o -lm -lcrypt -o test
> $ gdb ./test
> 
> I can send you clamscan.bc if needed.
> 
> (I used disable-opt and disable-fp-elim to get a usable stacktrace).
> 
> [1] Stacktrace of bug:
> Starting program: /home/edwin/clam/git/builds/softbound/clamscan/test
> 
> cl_load(): Can't get status of
> /home/edwin/clam/git/builds/softbound/pfx/share/clamav
> LibClamAV Error:
> SoftBound: Bounds violation detected
> 
> 
> Backtrace:
> /home/edwin/clam/git/builds/softbound/clamscan/test[0x6e7ad6]
> 
> Program received signal SIGABRT, Aborted.
> 0x0000003411231d25 in *__GI_raise (sig=<value optimized out>) at
> ../nptl/sysdeps/unix/sysv/linux/raise.c:64
> 64      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
>         in ../nptl/sysdeps/unix/sysv/linux/raise.c
> (gdb) bt
> #0  0x0000003411231d25 in *__GI_raise (sig=<value optimized out>) at
> ../nptl/sysdeps/unix/sysv/linux/raise.c:64
> #1  0x0000003411234de1 in *__GI_abort () at abort.c:88
> #2  0x00000000006e7b15 in __softbound_abort ()
> #3  0x00000000006e7faa in __loadDereferenceCheck ()
> #4  0x0000000000438f07 in softbound_logg ()
> #5  0x0000000000450acf in scanmanager (opts=0x943010) at manager.c:424
> #6  0x0000000000444ad7 in softbound_pseudo_main ()
> #7  0x00000000006e7c71 in main ()
> (gdb) up
> #1  0x0000003411234de1 in *__GI_abort () at abort.c:88
> 88      abort.c: No such file or directory.
>         in abort.c
> (gdb)
> #2  0x00000000006e7b15 in __softbound_abort ()
> Current language:  auto
> The current source language is "auto; currently asm".
> (gdb)
> #3  0x00000000006e7faa in __loadDereferenceCheck ()
> (gdb)
> #4  0x0000000000438f07 in softbound_logg ()
> (gdb)
> #5  0x0000000000450acf in scanmanager (opts=0x943010) at manager.c:424
> 424                 logg("!%s\n", cl_strerror(ret));
> 
> Program received signal SIGABRT, Aborted.
> 0x0000003411231d25 in *__GI_raise (sig=<value optimized out>) at
> ../nptl/sysdeps/unix/sysv/linux/raise.c:64
> 64      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
>         in ../nptl/sysdeps/unix/sysv/linux/raise.c
> (gdb) bt
> #0  0x0000003411231d25 in *__GI_raise (sig=<value optimized out>) at
> ../nptl/sysdeps/unix/sysv/linux/raise.c:64
> #1  0x0000003411234de1 in *__GI_abort () at abort.c:88
> #2  0x0000000000781c05 in __softbound_abort ()
> #3  0x000000000049fd17 in logg () at output.c:330
> #4  0x00000000004b1ce8 in softbound_scanmanager ()
> #5  0x00000000004ad59a in logg_close () at output.c:208
> #6  0x0000000000781d61 in main ()
> (gdb) up
> #1  0x0000003411234de1 in *__GI_abort () at abort.c:88
> 88      abort.c: No such file or directory.
>         in abort.c
> (gdb)
> #2  0x0000000000781c05 in __softbound_abort ()
> Current language:  auto
> The current source language is "auto; currently asm".
> (gdb)
> #3  0x000000000049fd17 in logg () at output.c:330
> 330                     fprintf(logg_fp, "%s", buff + 1);
> 
> 
> 
> Best regards,
> --Edwin
> _______________________________________________
> Softbound-users mailing list
> Softbound-users at lists.seas.upenn.edu
> http://lists.seas.upenn.edu/mailman/listinfo/softbound-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: newwrappers.patch
Type: text/x-diff
Size: 9775 bytes
Desc: not available
Url : http://lists.seas.upenn.edu/pipermail/softbound-users/attachments/20091013/44f588e0/newwrappers-0001.bin
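A minimal stand-alone reproducer of the pattern Edwin describes (a string literal returned from a function, formatted through a vararg logger into a fixed 1025-byte buffer, then printed from buffer+1) is useful for separating a wrapper bug from an instrumentation bug, since it needs none of ClamAV's own wrappers. It is added here as an example; it is not part of the message, of ClamAV's output.c, or of the SoftBound sources, and fake_strerror, logg_format and logg_like are constructed stand-ins, not the real cl_strerror/logg. It builds with plain gcc and can be pushed through the same llvm-link / opt -SoftBoundPass pipeline quoted above.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGG_BUF_SIZE 1025   /* same fixed size as the excerpt's buffer[1025] */

/* Constructed stand-in for cl_strerror(): returns a pointer into read-only
 * string-literal storage, the kind of pointer the report passes through logg(). */
const char *fake_strerror(int code)
{
    switch (code) {
    case 1:  return "Can't get file status";
    default: return "Unknown error";
    }
}

/* Formats into a caller-supplied buffer the way the excerpt's logg() does
 * before its fprintf. Returns the number of characters stored (excluding the
 * NUL), or -1 on an encoding error. Output is truncated, never overflowed. */
int logg_format(char *buff, size_t cap, const char *fmt, va_list args)
{
    int n = vsnprintf(buff, cap, fmt, args);
    if (n < 0)
        return -1;
    if ((size_t)n >= cap)          /* message did not fit: vsnprintf truncated it */
        n = (int)cap - 1;
    return n;
}

/* Mirrors the structure of logg(): the first character is the level marker
 * ('!' for errors) and the rest is written with fprintf(out, "%s", buff + 1).
 * Returns the number of message bytes written after the marker. */
int logg_like(FILE *out, const char *fmt, ...)
{
    char buff[LOGG_BUF_SIZE];
    va_list args;
    int n;

    va_start(args, fmt);
    n = logg_format(buff, sizeof buff, fmt, args);
    va_end(args);

    if (n < 1)                     /* empty message: buff + 1 would read past the NUL */
        return 0;
    /* buff + 1 lies inside the 1025-byte stack array, so a correct bounds
     * checker must accept this read; it can only fire if the base/bound
     * metadata attached to buff (or to the literal) is wrong. */
    fprintf(out, "%s", buff + 1);
    return n - 1;
}

int main(void)
{
    int written = logg_like(stderr, "!%s\n", fake_strerror(1));
    fprintf(stderr, "wrote %d bytes after the level marker\n", written);
    return 0;
}
```

If the instrumented build of this file aborts in the same __loadDereferenceCheck, the problem is in the pass or the shipped fprintf/vsnprintf wrappers; if it runs clean, the suspect is one of the newly written wrappers in the attached patch.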

