This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.
[Bug sanitizer/82517] New: use-after-scope for a variable with big alignment causes a false positive
- From: "marxin at gcc dot gnu.org" <gcc-bugzilla at gcc dot gnu dot org>
- To: gcc-bugs at gcc dot gnu dot org
- Date: Wed, 11 Oct 2017 12:15:58 +0000
- Subject: [Bug sanitizer/82517] New: use-after-scope for a variable with big alignment causes a false positive
- Auto-submitted: auto-generated
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82517
Bug ID: 82517
Summary: use-after-scope for a variable with big alignment causes a false positive
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: marxin at gcc dot gnu.org
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org, jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
Target Milestone: ---
Target: aarch64-linux-gnu
Considering a target with MAX_SUPPORTED_STACK_ALIGNMENT being limited, we have:
$ cat bug_1.c
static int *pp;

void baz() {
  return;
}

void bar(int *p) {
  *p = 1;
}

void foo(int a) {
  if (a == 2) {
lab:
    baz();
    return;
  }
  if (a > 1) {
    /* automatic variable whose alignment exceeds the target's
       MAX_SUPPORTED_STACK_ALIGNMENT */
    int x __attribute__((aligned(256)));
    pp = &x;
    bar(&x);   /* store to x while it is still in scope */
    if (!x)
      goto lab;
  }
}

int main(int argc, char **argv) {
  foo(4);
  foo(3);
}
$ gcc bug_1.c -fsanitize=address && ./a.out
=================================================================
==6958==ERROR: AddressSanitizer: stack-use-after-scope on address
0xffffcd0fe400 at pc 0x000000400a70 bp 0xffffcd0fe310 sp 0xffffcd0fe328
WRITE of size 4 at 0xffffcd0fe400 thread T0
#0 0x400a6f in bar (/tmp/a.out+0x400a6f)
#1 0x400ae3 in foo (/tmp/a.out+0x400ae3)
#2 0x400b93 in main (/tmp/a.out+0x400b93)
#3 0xffffacb5182f in __libc_start_main (/lib64/libc.so.6+0x1f82f)
#4 0x400937 (/tmp/a.out+0x400937)
Address 0xffffcd0fe400 is located in stack of thread T0
SUMMARY: AddressSanitizer: stack-use-after-scope (/tmp/a.out+0x400a6f) in bar
Shadow bytes around the buggy address:
0x200ff9a1fc30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x200ff9a1fc40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x200ff9a1fc50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x200ff9a1fc60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x200ff9a1fc70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x200ff9a1fc80:[f8]00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x200ff9a1fc90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x200ff9a1fca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x200ff9a1fcb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x200ff9a1fcc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x200ff9a1fcd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
The problem is that we don't add a stack variable to asan_decl_vec in the else branch:
1119       if (alignb * BITS_PER_UNIT <= MAX_SUPPORTED_STACK_ALIGNMENT)
1120         {
1121           base = virtual_stack_vars_rtx;
1122           if ((asan_sanitize_stack_p ())
...
1153               data->asan_decl_vec.safe_push (repr_decl);
...
1172       else
1173         {
1174           /* Large alignment is only processed in the last pass.  */
1175           if (pred)
...
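To make the report's [f8] shadow byte concrete, here is a constructed model of how AddressSanitizer's stack shadow memory decides "stack-use-after-scope". It is an added example and not GCC or compiler-rt code: the granule size, the 0x00/0xf8 shadow values, the 256-byte offset and the split into frame-entry, scope-entry and scope-exit events are the model's assumptions, chosen to mirror the two calls foo(4) and foo(3) above. A variable the compiler records in its sanitizer layout has its shadow reset on every call and every scope entry; a variable it skipped (the large-alignment case the report points at) keeps the 0xf8 left by the previous call's scope exit, so the next in-scope store is reported even though it is valid.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of ASan stack shadow memory (example code, not GCC's or
   the runtime's). One shadow byte covers GRANULE bytes of the frame; 0x00 is
   addressable and 0xf8 is the stack-use-after-scope marker, the [f8] shown
   in the report above. All offsets are frame-relative. */
#define GRANULE 8
#define FRAME_BYTES 512
#define SHADOW_BYTES (FRAME_BYTES / GRANULE)
#define SHADOW_ADDRESSABLE 0x00
#define SHADOW_AFTER_SCOPE 0xf8

typedef struct {
    size_t off;   /* frame-relative byte offset of the variable (assumed) */
    size_t len;   /* size in bytes */
    int tracked;  /* 1 if the compiler recorded it in its sanitizer layout */
} stack_var;

enum verdict { ACCESS_OK = 0, ACCESS_USE_AFTER_SCOPE = 1, ACCESS_POISONED = 2 };

static uint8_t shadow[SHADOW_BYTES];

static void set_shadow(const stack_var *v, uint8_t value) {
    size_t first = v->off / GRANULE;
    size_t last = (v->off + v->len + GRANULE - 1) / GRANULE;  /* exclusive */
    memset(shadow + first, value, last - first);
}

/* Function prologue: the frame layout is (re)written for tracked variables. */
void frame_enter(const stack_var *vars, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (vars[i].tracked) set_shadow(&vars[i], SHADOW_ADDRESSABLE);
}

/* Scope entry (unpoison): in this model only tracked variables get it. */
void scope_enter(const stack_var *v) {
    if (v->tracked) set_shadow(v, SHADOW_ADDRESSABLE);
}

/* Scope exit (poison): applied to every scoped variable. */
void scope_exit(const stack_var *v) { set_shadow(v, SHADOW_AFTER_SCOPE); }

/* What the runtime does on a load or store: inspect every granule touched. */
enum verdict check_access(size_t off, size_t len) {
    size_t first = off / GRANULE, last = (off + len + GRANULE - 1) / GRANULE;
    for (size_t g = first; g < last; g++) {
        if (shadow[g] == SHADOW_ADDRESSABLE) continue;
        return shadow[g] == SHADOW_AFTER_SCOPE ? ACCESS_USE_AFTER_SCOPE
                                               : ACCESS_POISONED;
    }
    return ACCESS_OK;
}

/* A genuine use-after-scope: dereferencing pp after x's block has ended. */
enum verdict true_positive(void) {
    stack_var x = { 256, sizeof(int), 1 };
    memset(shadow, 0, sizeof shadow);
    frame_enter(&x, 1);
    scope_enter(&x);
    scope_exit(&x);
    return check_access(x.off, x.len);  /* *pp = ... outside the block */
}

/* Two calls of the same function at the same frame address, as foo(4) then
   foo(3) above. The second call's store to x happens inside x's scope. */
enum verdict two_calls(int tracked) {
    stack_var x = { 256, sizeof(int), tracked };
    memset(shadow, 0, sizeof shadow);
    frame_enter(&x, 1);                    /* first call */
    scope_enter(&x);
    enum verdict v = check_access(x.off, x.len);  /* bar(&x) */
    if (v != ACCESS_OK) return v;
    scope_exit(&x);                        /* block ends, shadow becomes 0xf8 */
    frame_enter(&x, 1);                    /* second call, same frame */
    scope_enter(&x);
    return check_access(x.off, x.len);     /* bar(&x) again */
}

int main(void) {
    printf("after block ended: %d\n", (int)true_positive());  /* 1 */
    printf("tracked, 2nd call: %d\n", (int)two_calls(1));     /* 0 */
    printf("untracked, 2nd call: %d\n", (int)two_calls(0));   /* 1: false positive */
    return 0;
}
```

The untracked case is the shape of this report: the store in bar is legitimate, but nothing rewrote the variable's shadow after the earlier call poisoned it, so the runtime has no way to distinguish it from the genuine use-after-scope through pp. Adding the variable to the layout (the asan_decl_vec push the report asks for in the else branch) is what makes the frame-entry reset cover it.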