This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.



[Bug sanitizer/61293] asan can not find left buffer overflow of new[]-allocated buffer, frontend help needed


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61293

--- Comment #2 from Kostya Serebryany <kcc at gcc dot gnu.org> ---
(In reply to Jakub Jelinek from comment #1)
> IMNSHO you can't change the value of extra, that is an ABI issue,
> and -fsanitize=address shouldn't be an ABI changing option.  Consider:
> struct S { S (); ~S (); };
> S *foo (int n) { return new S[n]; }
> void bar (S *p) { delete [] p; }
> int main () { bar (foo (5)); }
> where bar is defined in a different compilation unit/library and something
> is built with -fsanitize=address, something is not.
> 
> If the padding before structure is at least 64-bit, sure, instrumenting the
> FE to put there an __asan_poison_memory_region call after the size is stored

yep

> there
> and in delete[] again to __asan_unpoison_memory_region before reading the
> size should not be that hard.

Yes, but a bit more preferable is to ignore the instructions
reading the size instead of calling __asan_unpoison_memory_region. 
Consider a case where the DTORs are accessing the array itself out of bounds.
(We've seen similar things!!)
That's a bit harder to implement though. 

> 
> For 32-bit code if the type doesn't need at least 64-bit alignment (again,
> alignment of the type is an ABI thing), you are out of luck I'm afraid.
Yea... We can theoretically request operator new to 
return memory that is == 4 mod 8 for these cases. 
That's a bit complicated too...



> Thus, e.g. tests for this will need to be conditionalized.
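As an added example (written here, not code from the bug report or from GCC), the following program shows where the new[] array cookie discussed above actually lives and, in an AddressSanitizer build, whether the runtime treats those bytes as poisoned. It assumes the Itanium C++ ABI layout used by GCC and Clang on Linux: for a type with a non-trivial destructor the element count is stored as a size_t immediately before the first element, and sizeof(size_t) >= alignof(the element type). `__asan_address_is_poisoned` is the real function from the sanitizer interface header; the struct and function names are this example's own.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <type_traits>

// Detect an ASan build on GCC (__SANITIZE_ADDRESS__) and Clang (__has_feature).
#if defined(__SANITIZE_ADDRESS__)
#define EXAMPLE_ASAN 1
#elif defined(__has_feature)
#if __has_feature(address_sanitizer)
#define EXAMPLE_ASAN 1
#endif
#endif
#ifndef EXAMPLE_ASAN
#define EXAMPLE_ASAN 0
#endif
#if EXAMPLE_ASAN
#include <sanitizer/asan_interface.h>
#endif

// A type with a user-provided (hence non-trivial) destructor: delete[] must
// know how many elements to destroy, so new[] stores a count cookie in front.
struct S {
    char c;
    S() : c(0) {}
    ~S() {}
};

// A trivially destructible type: no cookie is needed and none is stored.
struct Plain {
    char c;
};

// Hypothetical report type for this example.
struct CookieReport {
    bool has_cookie;           // ABI level: is a count stored before the array?
    std::size_t cookie_value;  // the stored count (0 if absent or not readable)
    bool asan_active;          // compiled with -fsanitize=address?
    bool cookie_poisoned;      // does ASan consider the cookie bytes poisoned?
};

template <typename Elem>
CookieReport inspect_cookie(std::size_t n) {
    CookieReport r{};
    r.asan_active = EXAMPLE_ASAN != 0;
    r.has_cookie = !std::is_trivially_destructible<Elem>::value;
    Elem *arr = new Elem[n];
    if (r.has_cookie) {
        // Itanium ABI (assumed): the count is a size_t immediately before the
        // first element. Those bytes belong to the new[] allocation, which is
        // why an underflow that only reaches them lands on addressable memory
        // rather than on a redzone.
        const unsigned char *cookie =
            reinterpret_cast<const unsigned char *>(arr) - sizeof(std::size_t);
#if EXAMPLE_ASAN
        r.cookie_poisoned = __asan_address_is_poisoned(cookie) != 0;
#endif
        // Only read the cookie when the runtime does not guard it, so the
        // example never trips a toolchain that does poison it.
        if (!r.cookie_poisoned) {
            std::memcpy(&r.cookie_value, cookie, sizeof r.cookie_value);
        }
    }
    delete[] arr;
    return r;
}

static void print_report(const char *name, const CookieReport &r) {
    std::printf("%s: cookie=%s value=%zu asan=%s cookie_poisoned=%s\n", name,
                r.has_cookie ? "yes" : "no", r.cookie_value,
                r.asan_active ? "yes" : "no", r.cookie_poisoned ? "yes" : "no");
}

int main() {
    print_report("S (non-trivial dtor)", inspect_cookie<S>(7));
    print_report("Plain (trivial dtor)", inspect_cookie<Plain>(7));
    return 0;
}
```

Built without ASan the program simply reports the cookie and the count it holds. Built with -fsanitize=address under a toolchain that leaves the cookie unpoisoned it reports cookie_poisoned=no, which is the detection gap the report describes; under a toolchain that poisons the cookie it reports cookie_poisoned=yes and skips the read, which is the behaviour the comments above are arguing for.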

