堆缓冲区溢出——这是地址清理程序的误报吗?
[英]Heap buffer overflow--is this a false positive of address sanitizer?
问题描述
I have the following simple program
我有以下简单的程序
void copy(const int16_t *buffer) {
int16_t *b;
memcpy(b,buffer,2);
return ;
}
int LLVMFuzzerTestOneInput(const int16_t *buffer) {
copy(buffer);
return 0;
}
which I compile with clang (v9) using the address sanitizer and fuzzer flags as follows我使用地址清理器和模糊器标志使用 clang (v9) 编译如下
clang -fsanitize=address,fuzzer -g test5.c
When I run the resulted executable the fuzzer finds a heap-buffer overflow due to an invalid read--in particular while trying to copy the second byte in memcpy.当我运行生成的可执行文件时,模糊器发现由于无效读取导致堆缓冲区溢出 - 特别是在尝试复制 memcpy 中的第二个字节时。
I cannot really understand why this is an error.我无法真正理解为什么这是一个错误。 Any explanations?有什么解释吗? Thank you in advance.先感谢您。
1 个解决方案
解决方案1
3 2019-11-08 19:24:32
As b is not initialized when you memcpy to it, you are invoking undefined behavior.由于b在您对其进行memcpy时未初始化,因此您正在调用未定义的行为。 Literally, "where do you want to copy that data to?"从字面上看,“您要将数据复制到哪里?”
The sanitizer is correct, and doing you a big favor by pointing that issue out.消毒剂是正确的,指出这个问题对你有很大帮助。
What is that copy function intended to do?那个副本 function 打算做什么?
解决方案2
-1 2019-11-08 18:36:47
void copy(const int16_t *buffer) {
int16_t *b;
memcpy(b,buffer,2);
return ;
}
What is the value of b when memcpy() copies into the buffer "pointed to" it?当memcpy()复制到“指向”它的缓冲区时b的值是多少?
You probably are trying to copy the values of the pointers rather than the memory pointed to by them, in which case you'd use something like:您可能正在尝试复制指针的值,而不是它们指向的 memory,在这种情况下,您将使用类似的东西:
memcpy(&b, &buffer, sizeof b);
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.