105107 – false positive stack-buffer-overflow in ASAN

Bug 105107 - false positive stack-buffer-overflow in ASAN

Summary: false positive stack-buffer-overflow in ASAN

Status:	RESOLVED INVALID

Alias:	None

Product:	gcc
Classification:	Unclassified
Component:	sanitizer (show other bugs)
Version:	12.0

Importance:	P3 normal
Target Milestone:	---
Assignee:	Not yet assigned to anyone

URL:
Keywords:

Depends on:
Blocks:

Reported:	2022-03-30 13:51 UTC by Shaohua Li
Modified:	2022-03-31 06:31 UTC (History)
CC List:	5 users (show)

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Shaohua Li 2022-03-30 13:51:38 UTC

Hi,

For the following code, ASAN in gcc-O0 since 9.0 reported a "stack-buffer-overflow", which it shouldn't.

$cat a.c
#define c(d, j) d = 5;
h=1;
*a=&h;
**b = &a;
int e;
fn1() {
  int e=0;
  int **f = &a;
  *f = &e;
}
i() {
  int g[9];
  c(**b, )
}
main() {
  fn1();
  i();
}
$
$gcc -fsanitize=address -O0 a.c;./a.out
==1==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffef6656070 at pc 0x000000401390 bp 0x7ffef6656000 sp 0x7ffef6655ff8
WRITE of size 4 at 0x7ffef6656070 thread T0
    #0 0x40138f in i /app/example.c:13
    #1 0x4013e8 in main /app/example.c:17
    #2 0x7f5a7f21c0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
    #3 0x4010ed in _start (/app/output.s+0x4010ed)

Comment 1 Martin Liška 2022-03-30 14:26:04 UTC

There's expanded version of the testcase:

$ cat pr105107.c
int h=1;
int *a=&h;
int **b = &a;

int e;

void
fn1() {
  int e=0;
  int **f = &a;
  __builtin_printf ("addr of e=%p\n", &e);
  *f = &e;
}

void
i() {
  int g[9];
  __builtin_printf ("write to %p\n", *b);
  **b = 5;
}

int
main() {
  fn1();
  i();

  return 0;
}

$ gcc-11 pr105107.c -fsanitize=address -g && ./a.out
addr of e=0x7fffffffdaf0
write to 0x7fffffffdaf0
=================================================================
==6753==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffdaf0 at pc 0x000000401416 bp 0x7fffffffda80 sp 0x7fffffffda78
WRITE of size 4 at 0x7fffffffdaf0 thread T0
    #0 0x401415 in i /home/marxin/Programming/testcases/pr105107.c:19
    #1 0x401493 in main /home/marxin/Programming/testcases/pr105107.c:25
    #2 0x7ffff73be62f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #3 0x7ffff73be6ef in __libc_start_main_impl ../csu/libc-start.c:392
    #4 0x4010f4 in _start (/home/marxin/Programming/testcases/a.out+0x4010f4)

Address 0x7fffffffdaf0 is located in stack of thread T0 at offset 96 in frame
    #0 0x401305 in i /home/marxin/Programming/testcases/pr105107.c:16

  This frame has 1 object(s):
    [48, 84) 'g' (line 17) <== Memory access at offset 96 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/marxin/Programming/testcases/pr105107.c:19 in i
Shadow bytes around the buggy address:
  0x10007fff7b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007fff7b50: 00 00 f1 f1 f1 f1 f1 f1 00 00 00 00 04 f3[f3]f3
  0x10007fff7b60: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==6753==ABORTING

The error is correct as it takes the address of 'e' in function 'fn1' where it writes once fn1 returns.

Comment 2 Shaohua Li 2022-03-30 14:51:54 UTC

Thanks for your prompt reply. The warning messages only appeared for -O0 and -O3, not for -O1 and -O2. I wonder this might also be an issue.

Comment 3 Martin Liška 2022-03-31 06:31:04 UTC

You'll see it with:

gcc-11 pr105107.c -fsanitize=address -g -O2 && ASAN_OPTIONS=detect_stack_use_after_return=1 ./a.out
addr of e=0x7ffff39f4020
write to 0x7ffff39f4020
=================================================================
==31825==ERROR: AddressSanitizer: stack-use-after-return on address 0x7ffff39f4020 at pc 0x000000401373 bp 0x7fffffffdaf0 sp 0x7fffffffdae8
WRITE of size 4 at 0x7ffff39f4020 thread T0
    #0 0x401372 in i /home/marxin/Programming/testcases/pr105107.c:19
    #1 0x4010d1 in main /home/marxin/Programming/testcases/pr105107.c:25
    #2 0x7ffff73be62f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #3 0x7ffff73be6ef in __libc_start_main_impl ../csu/libc-start.c:392
    #4 0x401134 in _start (/home/marxin/Programming/testcases/a.out+0x401134)