This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[Bug middle-end/70988] missing buffer overflow detection in chained strcat calls

From: "msebor at gcc dot gnu.org" <gcc-bugzilla at gcc dot gnu dot org>
To: gcc-bugs at gcc dot gnu dot org
Date: Mon, 09 May 2016 20:43:53 +0000
Subject: [Bug middle-end/70988] missing buffer overflow detection in chained strcat calls
Auto-submitted: auto-generated
References: <bug-70988-4 at http dot gcc dot gnu dot org/bugzilla/>

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70988

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|missing buffer overflow     |missing buffer overflow
                   |warning on chained strcat   |detection in chained strcat
                   |calls                       |calls
      Known to fail|                            |4.5.3, 4.8.3, 4.9.3, 5.3.0,
                   |                            |6.1.0

--- Comment #1 from Martin Sebor <msebor at gcc dot gnu.org> ---
Furthermore, in cases where GCC does optimize multiple chained strcat calls
into calls to __builtin_memcpy (which are then expanded into inline assembly)
as in the test case below, it fails to add the instrumentation necessary to
detect the buffer overflow.

$ cat xxx.c && /home/msebor/build/gcc-trunk-git/gcc/xgcc
-B/home/msebor/build/gcc-trunk-git/gcc -D_FORTIFY_SOURCE=2 -O2 -S -Wall -Wextra
-Wpedantic -fdump-tree-optimized=/dev/stdout xxx.c && ./a.out 
#include <string.h>

void  __attribute__ ((noclone, noinline))
f (const char *s)
{
  __builtin_printf ("\"%s\"\n", s);
}

void  __attribute__ ((noclone, noinline))
g (void)
{
  char a [4] = "";
  strcat (a, "abc");
  strcat (a, "def");
  strcat (a, "ghi");
  strcat (a, "jkl");
  f (a);
}

int main ()
{
  g ();
}

;; Function f (f, funcdef_no=24, decl_uid=2214, cgraph_uid=24, symbol_order=24)

__attribute__((noinline, noclone))
f (const char * s)
{
  <bb 2>:
  __builtin_printf ("\"%s\"\n", s_2(D)); [tail call]
  return;

}



;; Function g (g, funcdef_no=25, decl_uid=2217, cgraph_uid=25, symbol_order=25)

__attribute__((noinline, noclone))
g ()
{
  char a[4];

  <bb 2>:
  MEM[(char * {ref-all})&a] = "abc";
  __builtin_memcpy (&MEM[(void *)&a + 3B], "def", 4);
  __builtin_memcpy (&MEM[(void *)&a + 6B], "ghi", 4);
  __builtin_memcpy (&MEM[(void *)&a + 9B], "jkl", 4);
  f (&a);
  a ={v} {CLOBBER};
  return;

}



;; Function main (main, funcdef_no=26, decl_uid=2220, cgraph_uid=26,
symbol_order=26) (executed once)

main ()
{
  <bb 2>:
  g ();
  return 0;

}


"ï@abcdef"

References:
- [Bug middle-end/70988] New: missing buffer overflow warning on chained strcat calls
  - From: msebor at gcc dot gnu.org

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]