Bruno Haible <br...@clisp.org> writes:

> I was impressed by the fact that CHERI detected the multithread-safety
> bug of gnulib's use of rand() in the test suite.
>
> Now I'd like to try CHERI on packages like gettext, and see whether
> it finds bugs that neither valgrind nor the gcc bounds-checking options
> can detect.
>
> For this purpose, it is useful if all functions that allocate memory
> blocks return bounds for these memory blocks that are as tight as possible.
> malloc(), realloc(), reallocarray(), alloca() already do so.
> (To convince yourself, use a C program that makes use of these functions,
> and print the return values from within gdb. gdb prints pointers with bounds.)
>
> This set of patches handles most memory allocators that we have in gnulib.

Oh, TIL. I didn't realise CHERI provided an API for this. Thank you!

I don't think this applies to gnulib, but it feels relevant enough for me
to mention it: for packages with their own allocator where they retain a
pool, it may be worth adding ASAN attributes/hooks. Emacs did this a
little while ago in
https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=cb242bf1514ade34ab93b1db1ea7550093ae5839
to find UAFs where the memory might get reused yet but isn't yet returned
to the underlying malloc/free impl.

> The API is documented in
> <https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-947.pdf>.
>
>
> 2023-11-11  Bruno Haible  <br...@clisp.org>
>
>         malloca: Take advantage of CHERI bounds-checking.
>         * lib/malloca.h: Include <cheri.h>.
>         (malloca) [CHERI]: In the stack-allocation case, return a pointer with
>         a tight lower bound and a tight upper bound.
>         * lib/malloca.c: Include <cheri.h>.
>         (small_t) [CHERI]: Define as uintptr_t.
>         (mmalloca) [CHERI]: Return a pointer with a tight upper bound.
>         (freea) [CHERI]: Update.
>
> 2023-11-11  Bruno Haible  <br...@clisp.org>
>
>         safe-alloc: Take advantage of CHERI bounds-checking.
>         * lib/safe-alloc.h: Include <cheri.h>.
>         (safe_alloc_realloc_n): When count or size is 0, return a pointer whose
>         bounds are of size 0, not 1.
>
> 2023-11-11  Bruno Haible  <br...@clisp.org>
>
>         ialloc: Take advantage of CHERI bounds-checking.
>         * lib/ialloc.h: Include <cheri.h>.
>         (irealloc): When s is 0, return a pointer whose bounds are of size 0,
>         not 1.
>         (ireallocarray): When n or s is 0, return a pointer whose bounds are of
>         size 0, not 1.
>
> 2023-11-11  Bruno Haible  <br...@clisp.org>
>
>         eealloc: Take advantage of CHERI bounds-checking.
>         * lib/eealloc.h: Include <cheri.h>.
>         (eemalloc): When n is 0, return a pointer whose bounds are of size 0,
>         not 1.
>         (eerealloc): Likewise.
>
> 2023-11-11  Bruno Haible  <br...@clisp.org>
>
>         alignalloc: Take advantage of CHERI bounds-checking.
>         * lib/alignalloc.h: Include <cheri.h>.
>         (alignalloc): When size is 0, return a pointer whose bounds are of
>         size 0, not 1.
>
> [2. text/x-patch; 0001-alignalloc-Take-advantage-of-CHERI-bounds-checking.patch]...
>
> [3. text/x-patch; 0002-eealloc-Take-advantage-of-CHERI-bounds-checking.patch]...
>
> [4. text/x-patch; 0003-ialloc-Take-advantage-of-CHERI-bounds-checking.patch]...
>
> [5. text/x-patch; 0004-safe-alloc-Take-advantage-of-CHERI-bounds-checking.patch]...
>
> [6. text/x-patch; 0005-malloca-Take-advantage-of-CHERI-bounds-checking.patch]...
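The ASAN hook approach for pool allocators mentioned in the reply above, as an added example that is neither from this thread nor from the Emacs commit: a toy fixed-size pool whose blocks are poisoned while they sit on the free list, so that a build with -fsanitize=address reports a use of a freed block even though the pool never hands the memory back to libc free(). The `struct pool`, `BLOCK_SIZE`, `NBLOCKS` and the `POOL_POISON`/`POOL_UNPOISON` wrappers are hypothetical names; only `ASAN_POISON_MEMORY_REGION`/`ASAN_UNPOISON_MEMORY_REGION` from <sanitizer/asan_interface.h> are the real sanitizer API.

```c
#include <stddef.h>
/* Use the ASan hooks under -fsanitize=address, else compile them out. */
#if defined(__SANITIZE_ADDRESS__)
#  define POOL_HAVE_ASAN 1
#elif defined(__has_feature)
#  if __has_feature(address_sanitizer)
#    define POOL_HAVE_ASAN 1
#  endif
#endif
#ifdef POOL_HAVE_ASAN
#  include <sanitizer/asan_interface.h>
#  define POOL_POISON(p, n)   ASAN_POISON_MEMORY_REGION((p), (n))
#  define POOL_UNPOISON(p, n) ASAN_UNPOISON_MEMORY_REGION((p), (n))
#else
#  define POOL_POISON(p, n)   ((void)(p), (void)(n))
#  define POOL_UNPOISON(p, n) ((void)(p), (void)(n))
#endif
#define BLOCK_SIZE 64 /* hypothetical fixed block size; a multiple of ASan's 8-byte granule */
#define NBLOCKS 8
struct pool {
  void *free_head;                           /* free list threaded through the blocks */
  unsigned char arena[BLOCK_SIZE * NBLOCKS]; /* 8-aligned: it follows a pointer */
};

/* Link every block onto the free list, then poison the whole arena: nothing is live yet. */
static void pool_init(struct pool *p) {
  p->free_head = NULL;
  for (size_t i = 0; i < NBLOCKS; i++) {
    void *blk = p->arena + i * BLOCK_SIZE;
    *(void **)blk = p->free_head;
    p->free_head = blk;
  }
  POOL_POISON(p->arena, sizeof p->arena);
}

/* Pop a block; unpoison before reading its link so ASan treats it as live. */
static void *pool_alloc(struct pool *p) {
  void *blk = p->free_head;
  if (blk == NULL) return NULL; /* pool exhausted */
  POOL_UNPOISON(blk, BLOCK_SIZE);
  p->free_head = *(void **)blk;
  return blk;
}

/* Push the block back and re-poison it: the memory stays in the pool and never
   reaches libc free(), yet a later access is still reported as a use-after-free. */
static void pool_free(struct pool *p, void *blk) {
  *(void **)blk = p->free_head;
  p->free_head = blk;
  POOL_POISON(blk, BLOCK_SIZE);
}
```

Build it once with and once without -fsanitize=address: only the sanitized build reports a write to a block after pool_free(), which is exactly the class of bug the underlying malloc/free cannot see while the pool retains the memory.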