Description
Hi guys,
AddressSanitizer as of Clang 11 on Mac fails to properly instrument linker sets. The resulting asan-instrumented build is unusable due to broken data.
Linker sets are a somewhat unpopular (I only see them used in FreeBSD) but very handy programming technique that uses macros + compiler intrinsics such as __section and __concat to collect object references from multiple source modules and store them in a dedicated section of the binary, thus exposing them to centralized search and iteration. In the binary such a set is represented by an array of pointers that sits in a dedicated section and looks like this:
zerodayengineering.com:asan_bug alisa$ objdump --macho -j "__set" asan-bug
asan-bug:
Contents of (__asan_bug_set,__set) section
0000000100003000 10 20 00 00 01 00 00 00 20 20 00 00 01 00 00 00
In the asan-instrumented binary the set is too sparse:
zerodayengineering.com:asan_bug alisa$ objdump --macho -j "__set" asan-bug.asanbuild
asan-bug.asanbuild:
Contents of (__asan_bug_set,__set) section
0000000100003000 60 20 00 00 01 00 00 00 00 00 00 00 00 00 00 00
0000000100003010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0000000100003020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0000000100003030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0000000100003040 a0 20 00 00 01 00 00 00 00 00 00 00 00 00 00 00
0000000100003050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0000000100003060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0000000100003070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
So the asan-instrumented binary fails with a global-buffer-overflow verdict. And if you whitelist it, it fails with a null dereference.
This is used in FreeBSD so I guess it's better fixed.
Attaching the testcase and the asan log.
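The linker-set technique described in the report, together with a per-entry workaround for the layout problem, as an added example: this is not the reporter's attached testcase and not FreeBSD's sys/linker_set.h, although the macros are modelled on it. Assumed (hypothetical) names: the section set_demo_cmds (ELF) / __DATA,__demo_cmds (Mach-O), struct demo_cmd, and the SET_* and demo_cmd_* helpers. Built normally it walks the two registered entries; built with clang -fsanitize=address and -DDEMO_UNFIXED it reproduces the sparse layout from the objdump above, because ASan pads each 8-byte entry to 64 bytes (8 bytes plus a 56-byte redzone), which is exactly the 0x40 stride between the two surviving pointers in the dump.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Minimal linker set, modelled on FreeBSD's sys/linker_set.h (example code,
 * not FreeBSD's own). Every module that wants to register an object drops a
 * pointer to it into one named section; the linker supplies the section
 * bounds, so the registry needs no central list.
 */

/* Section placement and the linker-provided bound symbols.
 * ELF: __start_<sec>/__stop_<sec> exist for any section whose name is a C
 * identifier. Mach-O (ld64): section$start$<seg>$<sect> / section$end$... */
#if defined(__APPLE__)
#define SET_SECTION   "__DATA,__demo_cmds"
#define SET_START_SYM "section$start$__DATA$__demo_cmds"
#define SET_END_SYM   "section$end$__DATA$__demo_cmds"
#else
#define SET_SECTION   "set_demo_cmds"
#define SET_START_SYM "__start_set_demo_cmds"
#define SET_END_SYM   "__stop_set_demo_cmds"
#endif
extern const void *const set_begin[] __asm__(SET_START_SYM);
extern const void *const set_end[]   __asm__(SET_END_SYM);

/* ASan instruments every global with a trailing redzone. For an 8-byte
 * pointer that is 56 bytes, so each entry occupies 64 bytes and the section
 * becomes "pointer, 7 zero words, pointer, 7 zero words, ...": walking it
 * reads redzones (global-buffer-overflow) and then follows a zero word
 * (NULL dereference). Keeping the entries uninstrumented restores the
 * contiguous array. The attribute must be on every entry in every module;
 * a single instrumented entry re-breaks the layout. Clang-only; define
 * DEMO_UNFIXED to reproduce the failure under -fsanitize=address. */
#if defined(__clang__) && !defined(DEMO_UNFIXED)
#define SET_NO_ASAN __attribute__((no_sanitize("address")))
#else
#define SET_NO_ASAN
#endif

/* "used" keeps the entry alive even though nothing in this TU references it. */
#define SET_ENTRY(sym)                                               \
    static const void *const __set_entry_##sym                       \
        __attribute__((section(SET_SECTION), used)) SET_NO_ASAN = &(sym)

/* The registered object type for this demo. */
struct demo_cmd {
    const char *name;
    int (*run)(int arg);
};

#define SET_FOREACH(pvar)                                            \
    for ((pvar) = (const struct demo_cmd *const *)set_begin;         \
         (pvar) < (const struct demo_cmd *const *)set_end; (pvar)++)

/* --- "module 1" --- */
static int cmd_double_run(int x) { return 2 * x; }
static const struct demo_cmd cmd_double = { "double", cmd_double_run };
SET_ENTRY(cmd_double);

/* --- "module 2" --- */
static int cmd_negate_run(int x) { return -x; }
static const struct demo_cmd cmd_negate = { "negate", cmd_negate_run };
SET_ENTRY(cmd_negate);

/* Number of pointer slots between the bounds: 2 when the layout is intact,
 * 16 (128 bytes / 8) for the sparse ASan layout shown in the report. */
size_t demo_cmd_count(void)
{
    return (size_t)(set_end - set_begin);
}

/* Find a command by name and run it; -1 is the demo's "not found" value. */
int demo_cmd_dispatch(const char *name, int arg)
{
    const struct demo_cmd *const *it;
    SET_FOREACH(it) {
        if (strcmp((*it)->name, name) == 0)
            return (*it)->run(arg);
    }
    return -1;
}

int main(void)
{
    const struct demo_cmd *const *it;
    printf("%zu entries in the set\n", demo_cmd_count());
    SET_FOREACH(it)
        printf("  %s(21) = %d\n", (*it)->name, (*it)->run(21));
    return 0;
}
```

A quick check that the workaround actually took effect is the same objdump command the report uses: the set section should be exactly 8 bytes times the number of entries, with no zero-filled gaps. Disabling global instrumentation for the whole build (clang's -mllvm -asan-globals=0) also avoids the gap, at the cost of losing global overflow detection everywhere.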