6

valgrind can't find anything useful. I'm confused.

Symptomes:

  1. my data corrupted by a malloc() call
  2. return address of my function is replaced via something wrong

PS: code does NOT segfault

Currently I have some progress via replacing all my malloc() via mmap()+mprotect()

vitaly.v.ch
  • 2,485
  • 4
  • 26
  • 36
  • 1
    maybe you could provide at least some lines of code? otherwise, nobody will be able to help you. – eckes Feb 21 '11 at 10:08
  • 1
    Correct all bugs and that should solve it. [/sarcasm] – Lundin Feb 21 '11 at 10:54
  • 1
    Please provide at least *some* information. What is the symptom that you are seeing? A segmentation fault? Data corruption? What have you tried? What were the results? If you don't put some effort in your question, how do you expect us to answer it? – thkala Feb 21 '11 at 12:29

5 Answers5

7

You might be overwriting the stack, or you might be overwriting the heap.

You can try adding the flag -fstack-protector-all to your GCC command line options to ask for some stack-smashing reporting to be built into the program. This might cause it to fail sooner.

Another possibility is to look at the address reported in dmesg output and see if you can't track down the function/memory that is being smashed:

[68303.941351] broken[13301]: segfault at 7f0061616161 ip 000000000040053d sp 00007fffd4ad3980 error 4 in broken[400000+1000]

readelf -s will dump the symbol table, we can look for the function that is triggering the problem:

$ readelf -s broken | grep 4005
40: 00000000004005e0     0 FUNC    LOCAL  DEFAULT   13 __do_global_ctors_aux
47: 0000000000400540     2 FUNC    GLOBAL DEFAULT   13 __libc_csu_fini
57: 0000000000400550   137 FUNC    GLOBAL DEFAULT   13 __libc_csu_init
63: 0000000000400515    42 FUNC    GLOBAL DEFAULT   13 main

The main routine is the one executing when the bad pointer is used:

#include <string.h>

void f(const char *s) {
    char buf[4];
    strcpy(buf, s);
    return;
}

int main(int argc, char* argv[]) {
    f("aaaa");
    f("aaaaaaaaaaaaaaaaaaaa");
    return 0;
}

When main tries to return to the C library to quit, it uses a bad pointer stored in the stack frame. So look at the functions called by main, and (it's pretty easy in this trivial case) f is obviously the bugger that scribbled all over the stack frame.

If you're overwriting the heap, then perhaps you could try electric fence. The downsides are pretty steep (vast memory use) but it might be just what you need to find the problem.

sarnold
  • 102,305
  • 22
  • 181
  • 238
  • I already use -fstack-protect-all, but this at the moment does not produce any usefull result – vitaly.v.ch Feb 21 '11 at 10:54
  • @vitaly.v.ch, I was disappointed too. StackGuard could catch that one, the ProPolice patch that the GCC team eventually excepted was pretty clever about which routines 'needed protection'; I hoped the `-all` variant would fix that... – sarnold Feb 21 '11 at 10:56
  • @vitaly.v.ch, when I filed a bugreport about `-fstack-protect-all` with Ubuntu, it was marked duplicate of [this bug](https://bugs.launchpad.net/ubuntu/+source/gcc-4.5/+bug/691722), which mentions the patch in the Natty version of gcc-4.4: `debian/patches/gcc-default-ssp.patch`. Hope this helps you get a fixed version of GCC on your Slack. – sarnold Feb 22 '11 at 00:18
  • According to output of hardening-check my gcc dos not have this bug. – vitaly.v.ch Feb 22 '11 at 09:01
2
  1. Fix all dangling pointers,all buffer overflows
  2. Use pointers only where they are really needed

see following link:: What C/C++ tools can check for buffer overflows?

Community
  • 1
  • 1
Manish Trivedi
  • 3,481
  • 5
  • 23
  • 29
2

Valgrind memcheck isn't very good at detecting buffer overruns. But you could try a patch that might.

onemasse
  • 6,514
  • 8
  • 32
  • 37
2

You could also try the trial version of IBM Rational Purify - a pretty good tool to detect buffer overflows, memory leaks and any other memory corruption errors. Follow this link to download http://www-01.ibm.com/software/awdtools/purify/unix/

Subbu
  • 43
  • 3
0

Can't help you on Linux. But you say you aren't using any string functions, which suggests your application might be fairly portable. Does it fail under Windows?

If it does, our CheckPointer tool may be able to find the problem. It performs a much more careful check of how your program uses pointers than Valgrind can do, because it can see the structure and declarations in your code, and it understands the various kinds of storage uses (stack frames vs. heap). Valgrind only sees the machine instructions, and can't tell when stack frames go out of scope.

Ira Baxter
  • 93,541
  • 22
  • 172
  • 341