Playing around with address sanitizer

Dag Haavi Finstad daghf at varnish-software.com
Mon Feb 1 19:58:23 CET 2016


Hi

Inspired by a talk at FOSDEM this weekend [1], I tried building
Varnish with -fsanitize=address enabled.

This exposed a few buffer overflow situations, mainly in varnishtest.
Patches w/ fixes attached.

This was done with ASan's leak checker disabled, since varnishtest has
intentional memory leaks and I haven't yet investigated if specific
allocations can be annotated to make ASan disregard individual leaks.

In addition, there is a use-after-free situation in current master
related to ESI (not present in 4.1.1). I'm about to file a bug for
that one.

In order to build varnish w/ -fsanitize=address, you can do

    ./autogen.des --without-jemalloc CFLAGS="-fno-omit-frame-pointer -fsanitize=address"
    export ASAN_OPTIONS=detect_leaks=0

followed by the regular make/make check/etc.

This requires clang >= 3.1 or gcc >= 4.8. Disabling jemalloc is
required as ASan only works with the system allocator.

Note the third patch attached may be a false positive, but I think it
could be an issue on platforms where memcmp does 64 bit word
comparisons at a time.

Regards,
Dag


[1]: https://fosdem.org/2016/schedule/event/csafecode/attachments/slides/1131/export/events/attachments/csafecode/slides/1131/fosdem_gentoo_asan.pdf

-- 
Dag Haavi Finstad
Software Developer | Varnish Software
Mobile: +47 476 64 134
We Make Websites Fly!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-a-buffer-overflow-in-vtc.c-macro_get.patch
Type: text/x-diff
Size: 893 bytes
Desc: not available
URL: <https://www.varnish-cache.org/lists/pipermail/varnish-dev/attachments/20160201/4647d548/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Fix-a-buffer-overflow-in-vtc_http.c-cmd_var_resolve.patch
Type: text/x-diff
Size: 1005 bytes
Desc: not available
URL: <https://www.varnish-cache.org/lists/pipermail/varnish-dev/attachments/20160201/4647d548/attachment-0001.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Test-lengths-of-both-ban-strings-to-avoid-a-potentia.patch
Type: text/x-diff
Size: 1258 bytes
Desc: not available
URL: <https://www.varnish-cache.org/lists/pipermail/varnish-dev/attachments/20160201/4647d548/attachment-0002.patch>
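Added example (not part of the post above, and not the code from the attached patches): a stand-alone C file showing the kind of memcmp overread the third patch's title describes, next to a version that checks both lengths first. The function names, the "ban string" buffers and the sample inputs are constructed for illustration and are not Varnish's own code or data. Compiling it with the CFLAGS from the post (-fno-omit-frame-pointer -fsanitize=address) makes the unchecked variant produce a heap-buffer-overflow read report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical "before": compare two length-counted ban strings using
 * only the first string's length.  When b is shorter than a, memcmp()
 * is asked to read la bytes from a buffer that only holds lb bytes.
 * ASan's memcmp interceptor treats all n bytes of both arguments as
 * read (its default strict_memcmp behaviour), so a -fsanitize=address
 * build reports a heap-buffer-overflow here even if a plain byte-wise
 * memcmp would have stopped at the first differing byte.  Kept with the
 * defect on purpose to show the failure; this is not Varnish code.
 */
static int
ban_strings_equal_unchecked(const char *a, size_t la, const char *b, size_t lb)
{
	(void)lb;			/* second length ignored: the bug */
	return (memcmp(a, b, la) == 0);
}

/*
 * Hardened version: compare the lengths first and only call memcmp()
 * for a byte count that both buffers actually hold.  This also covers
 * libc implementations that compare a machine word (8 bytes) at a
 * time and may touch bytes beyond a mismatch inside the first word.
 */
static int
ban_strings_equal(const char *a, size_t la, const char *b, size_t lb)
{
	if (la != lb)
		return (0);
	return (memcmp(a, b, la) == 0);
}

/*
 * Copy s into an exactly-sized heap buffer (no trailing NUL), so any
 * overread leaves the allocation and lands in ASan's redzone.
 * Constructed test input, not real ban strings.
 */
static char *
heapdup(const char *s, size_t len)
{
	char *p = malloc(len);

	if (p == NULL)
		abort();
	memcpy(p, s, len);
	return (p);
}

int
main(void)
{
	char *a = heapdup("foobar", 6);
	char *b = heapdup("foo", 3);

	/* Safe: lengths differ, so memcmp() is never reached. */
	printf("checked:   %d\n", ban_strings_equal(a, 6, b, 3));

	/*
	 * Unsafe: reads 3 bytes past the end of b.  Build with
	 *   cc -g -fno-omit-frame-pointer -fsanitize=address asan_memcmp.c
	 * and run ./a.out to get the heap-buffer-overflow READ report
	 * pointing at the allocation for b.  Without ASan this usually
	 * runs silently, which is exactly why the sanitizer build is useful.
	 */
	printf("unchecked: %d\n", ban_strings_equal_unchecked(a, 6, b, 3));

	free(a);
	free(b);
	return (0);
}
```

The interesting point for review is that the length check is not only about avoiding an obviously wrong answer: even when two buffers differ in their first byte, the only way to be sure memcmp() never reads beyond the shorter one is to never pass it a count larger than that buffer.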

