This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[Bug sanitizer/70541] unnoticed invalid dereference when using address sanitizer

From: "m.ostapenko at samsung dot com" <gcc-bugzilla at gcc dot gnu dot org>
To: gcc-bugs at gcc dot gnu dot org
Date: Tue, 05 Apr 2016 07:13:38 +0000
Subject: [Bug sanitizer/70541] unnoticed invalid dereference when using address sanitizer
Auto-submitted: auto-generated
References: <bug-70541-4 at http dot gcc dot gnu dot org/bugzilla/>

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70541

Maxim Ostapenko <m.ostapenko at samsung dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |m.ostapenko at samsung dot com

--- Comment #1 from Maxim Ostapenko <m.ostapenko at samsung dot com> ---
This bug also happens on current trunk. Consider slightly reduced testcase
(just part of Christof's one):

#include <stdlib.h>
#include <stdio.h>

struct Simple {
  int value;
};

int f(struct Simple simple) {
  return simple.value;
}


int main() {
  int *pint = (int *) malloc(sizeof(int));
  *pint = 24;
  free(pint);
  printf("%d\n", g(*pint));
  return 0;
}

Corresponding gimple dump:

main ()
{
  int D.3060;
  int D.3061;

  {
    struct Simple * psimple;

    psimple = malloc (4);
    psimple->value = 42;
    free (psimple);
    D.3060 = f (*psimple);   <===========================
    printf ("%d\n", D.3060);
    D.3061 = 0;
    return D.3061;
  }
  D.3061 = 0;
  return D.3061;
}

Here, GCC propagates *psimple directly to f() without creating temporary
variable and ASan is unable to check it because it doesn't sanitize gimple
calls arguments.
I think the easiest way to fix this would be adding arguments checks in
maybe_instrument_call, something like this:

@@ -2060,7 +2067,20 @@ maybe_instrument_call (gimple_stmt_iterator *iter)
       return true;
     }

-  return false;
+  bool instrumented = false;
+  HOST_WIDE_INT args_num = gimple_call_num_args (stmt);
+  for (int i = 0; i < args_num; ++i)
+    {
+      if (is_arg_deref_p (TREE_CODE (gimple_call_arg (stmt, i))))
+       {
+         instrument_derefs (iter, gimple_call_arg (stmt, i),
+                            gimple_location (stmt), false);
+         instrumented = true;
+       }
+    }
+  if (instrumented)
+    gsi_next (iter);
+  return instrumented;

References:
- [Bug sanitizer/70541] New: unnoticed invalid dereference when using address sanitizer
  - From: christof.warlich at siemens dot com

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]