
allocator_may_return_null=1 does not seem to work, hindering fuzzing for security issues #1720

Open
vanhauser-thc opened this issue Jan 15, 2024 · 1 comment


@vanhauser-thc

allocator_may_return_null=1 is not working for me, which is quite an issue when fuzzing for security vulnerabilities.
It is an important security check to verify that, if an allocator returns NULL, the program does not crash because of this, which is not possible if allocator_may_return_null does not work. We basically need ASAN, but not this specific check, when fuzzing.

The issue has been raised a few times, e.g. in #740, #779 and #1377, and some fixes were done, as it seems; however, for me this is not working in LLVM 16, 17 or 18.

Simple example:

#include <iostream>
#include <new>

int main() {
    try {
        // 3 TiB: an allocation that cannot be satisfied, so the allocator must fail
        char* arr = new char[3ul << 40];
        delete[] arr;
    } catch (const std::bad_alloc& e) {
        // expected path when the failed allocation is reported to the program
        std::cerr << "Allocation failed: " << e.what() << '\n';
    }
    return 0;
}

LLVM result with allocator_may_return_null=1:

$ clang++ -fsanitize=address -o test test.cpp
$ ASAN_OPTIONS=allocator_may_return_null=1 ./test
==3453407==WARNING: AddressSanitizer failed to allocate 0x30000000000 bytes
=================================================================
==3453407==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x30000000000 bytes
    #0 0x7ffff74b00c7 in operator new[](unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:102
    #1 0x555555555263 in main (/tmp/x+0x1263)
    #2 0x7ffff72461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

==3453407==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: out-of-memory ../../../../src/libsanitizer/asan/asan_new_delete.cpp:102 in operator new[](unsigned long)
==3453407==ABORTING

also pinging @kcc
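As an added check, not from the issue or from the LLVM project, the harness below probes which allocation paths actually honour allocator_may_return_null=1: malloc and nothrow new hand back null for an impossible request size, whereas the throwing operator new in compiler-rt's asan_new_delete.cpp reports out-of-memory instead of returning null, because the sanitizer runtime does not throw std::bad_alloc. The __asan_default_options hook is a real ASan interface; the probe names and the harness itself are hypothetical.

```cpp
#include <cstdio>
#include <cstdlib>
#include <new>

// Hypothetical harness. When linked with -fsanitize=address, ASan reads this
// hook at start-up, so the setting does not depend on the fuzzer exporting
// ASAN_OPTIONS. Without ASan it is simply an unused function.
extern "C" const char *__asan_default_options() {
  return "allocator_may_return_null=1";
}

// Each probe returns true when the allocation path handed back a null pointer,
// which is what allocator_may_return_null=1 is meant to guarantee, and false
// when it returned usable memory (freed again before returning).
bool malloc_returns_null(std::size_t n) {
  void *p = std::malloc(n);
  if (p) { std::free(p); return false; }
  return true;
}

bool nothrow_new_returns_null(std::size_t n) {
  char *p = new (std::nothrow) char[n];
  if (p) { delete[] p; return false; }
  return true;
}

// The throwing form from the issue's example. Without a sanitizer the failure
// surfaces as std::bad_alloc and this returns true. Under ASan the runtime
// reports out-of-memory and aborts before any exception is thrown, so it is
// only run on request, after the two paths that do return null.
bool throwing_new_is_handled(std::size_t n) {
  try {
    char *p = new char[n];
    delete[] p;
    return false;  // memory actually came back
  } catch (const std::bad_alloc &) {
    return true;   // failure reached the program's own handler
  }
}

int main(int argc, char **) {
  // SIZE_MAX can never be satisfied, so the result does not depend on RAM/overcommit.
  const std::size_t huge = static_cast<std::size_t>(-1);
  std::printf("malloc(huge) returned null:       %d\n", malloc_returns_null(huge));
  std::printf("new(nothrow) huge returned null:  %d\n", nothrow_new_returns_null(huge));
  if (argc > 1)  // e.g. `./probe throwing` exercises the aborting path
    std::printf("throwing new caught as bad_alloc: %d\n", throwing_new_is_handled(huge));
  return 0;
}
```

Build once with and once without -fsanitize=address and compare the first two lines; the third line only appears without ASan, because under ASan the process aborts as in the report above.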

@JarLob

JarLob commented Sep 23, 2024

From the comment it sounds like the sanitizer itself may not work in low-memory conditions. This is probably why it prefers to abort early on OOM, which is still unfortunate for fuzzing. Having the allocator_may_return_null=1 flag introduces confusion.
