This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.
[Bug middle-end/70988] missing buffer overflow detection in chained strcat calls
- From: "msebor at gcc dot gnu.org" <gcc-bugzilla at gcc dot gnu dot org>
- To: gcc-bugs at gcc dot gnu dot org
- Date: Mon, 09 May 2016 20:43:53 +0000
- Subject: [Bug middle-end/70988] missing buffer overflow detection in chained strcat calls
- Auto-submitted: auto-generated
- References: <bug-70988-4 at http dot gcc dot gnu dot org/bugzilla/>
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70988
Martin Sebor <msebor at gcc dot gnu.org> changed:
What          |Removed                          |Added
--------------|---------------------------------|----------------------------------
Summary       |missing buffer overflow warning  |missing buffer overflow detection
              |on chained strcat calls          |in chained strcat calls
Known to fail |                                 |4.5.3, 4.8.3, 4.9.3, 5.3.0, 6.1.0
--- Comment #1 from Martin Sebor <msebor at gcc dot gnu.org> ---
Furthermore, in cases where GCC does optimize multiple chained strcat calls
into calls to __builtin_memcpy (which are then expanded into inline assembly)
as in the test case below, it fails to add the instrumentation necessary to
detect the buffer overflow.
$ cat xxx.c && /home/msebor/build/gcc-trunk-git/gcc/xgcc -B/home/msebor/build/gcc-trunk-git/gcc -D_FORTIFY_SOURCE=2 -O2 -S -Wall -Wextra -Wpedantic -fdump-tree-optimized=/dev/stdout xxx.c && ./a.out
#include <string.h>
void __attribute__ ((noclone, noinline))
f (const char *s)
{
__builtin_printf ("\"%s\"\n", s);
}
void __attribute__ ((noclone, noinline))
g (void)
{
char a [4] = "";        /* room for 3 characters plus the NUL */
strcat (a, "abc");      /* fills the buffer exactly */
strcat (a, "def");      /* from here on every call writes past the end */
strcat (a, "ghi");
strcat (a, "jkl");      /* the four appends need 13 bytes in total */
f (a);
}
int main ()
{
g ();
}
;; Function f (f, funcdef_no=24, decl_uid=2214, cgraph_uid=24, symbol_order=24)
__attribute__((noinline, noclone))
f (const char * s)
{
<bb 2>:
__builtin_printf ("\"%s\"\n", s_2(D)); [tail call]
return;
}
;; Function g (g, funcdef_no=25, decl_uid=2217, cgraph_uid=25, symbol_order=25)
__attribute__((noinline, noclone))
g ()
{
char a[4];
<bb 2>:
MEM[(char * {ref-all})&a] = "abc";
__builtin_memcpy (&MEM[(void *)&a + 3B], "def", 4);
__builtin_memcpy (&MEM[(void *)&a + 6B], "ghi", 4);
__builtin_memcpy (&MEM[(void *)&a + 9B], "jkl", 4);
f (&a);
a ={v} {CLOBBER};
return;
}
;; Function main (main, funcdef_no=26, decl_uid=2220, cgraph_uid=26, symbol_order=26) (executed once)
main ()
{
<bb 2>:
g ();
return 0;
}
"ï@abcdef"
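The dump above shows the security-relevant point: once GCC has folded the strcat calls into memcpy with constant offsets (+3B, +6B, +9B into a 4-byte object), nothing checks those offsets against the object's size, so _FORTIFY_SOURCE never gets a __strcat_chk or __memcpy_chk call to trap on. The following is an added example written for this page, not code from the bug report or from GCC or glibc; it makes explicit the per-call check a fortified strcat performs (strlen(dst) + strlen(src) + 1 must not exceed the destination's known size) and replays the report's test case through it. The function names strcat_chk, strcat_chain_chk, chained_strcat_needed and the demo_* helpers are this example's own; the destination size that GCC would derive with __builtin_object_size is passed explicitly, and an overflowing append is refused and reported rather than aborting the process as the real fortified call does.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The four strings the bug report chains into a 4-byte buffer. */
static const char *const kParts[] = { "abc", "def", "ghi", "jkl" };
#define NPARTS (sizeof kParts / sizeof kParts[0])

/* Total size a chained strcat needs: existing contents + every part + NUL. */
size_t chained_strcat_needed(const char *initial, const char *const *parts, size_t nparts)
{
    size_t need = strlen(initial) + 1;
    for (size_t i = 0; i < nparts; i++)
        need += strlen(parts[i]);
    return need;
}

/* Checked append with the rule _FORTIFY_SOURCE applies in __strcat_chk:
   the destination's real size (dstsz) is known, and the append is refused
   (returns -1, dst untouched) when the source plus its NUL would not fit.
   The fortified libc call aborts instead; returning lets a caller decide. */
int strcat_chk(char *dst, size_t dstsz, const char *src)
{
    const char *end = memchr(dst, '\0', dstsz);
    if (end == NULL)                /* dst is not NUL-terminated within its bounds */
        return -1;
    size_t have = (size_t)(end - dst);   /* have < dstsz, so the subtraction below is safe */
    size_t add = strlen(src);
    if (add > dstsz - have - 1)
        return -1;
    memcpy(dst + have, src, add + 1);    /* copy the NUL too */
    return 0;
}

/* Appends parts in order; returns how many were appended before the first
   one that would overflow (nparts means every part fit). */
size_t strcat_chain_chk(char *dst, size_t dstsz, const char *const *parts, size_t nparts)
{
    for (size_t i = 0; i < nparts; i++)
        if (strcat_chk(dst, dstsz, parts[i]) != 0)
            return i;
    return nparts;
}

/* The report's exact scenario: char a[4] = "" followed by the four appends.
   Returns the number of parts accepted, or -1 if the buffer does not hold
   what a correctly checked chain leaves behind ("abc": the only part that fits). */
int demo_overflowing_chain(void)
{
    char a[4] = "";
    size_t done = strcat_chain_chk(a, sizeof a, kParts, NPARTS);
    if (strcmp(a, "abc") != 0)
        return -1;
    return (int)done;
}

/* The same chain into a buffer sized with chained_strcat_needed(): all parts fit. */
int demo_fitting_chain(void)
{
    char buf[32] = "";
    if (chained_strcat_needed(buf, kParts, NPARTS) > sizeof buf)
        return -1;
    size_t done = strcat_chain_chk(buf, sizeof buf, kParts, NPARTS);
    if (strcmp(buf, "abcdefghijkl") != 0)
        return -1;
    return (int)done;
}

int main(void)
{
    printf("bytes needed for the chain:   %zu\n", chained_strcat_needed("", kParts, NPARTS));
    printf("parts accepted into char[4]:  %d\n", demo_overflowing_chain());
    printf("parts accepted into char[32]: %d\n", demo_fitting_chain());
    return 0;
}
```

Run against the report's inputs, the check accepts only the first strcat into the 4-byte array and refuses "def", which is exactly the point at which the generated memcpy to &a + 3B starts writing past the object; a fortified build that kept the check would have aborted there instead of printing the corrupted string seen in the report's output.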