[Bug sanitizer/70051] New: ubsan doesn't detect VLA overflow
msebor at gcc dot gnu.org
gcc-bugzilla@gcc.gnu.org
Wed Mar 2 19:35:00 GMT 2016
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70051
Bug ID: 70051
Summary: ubsan doesn't detect VLA overflow
Product: gcc
Version: 6.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: msebor at gcc dot gnu.org
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
jakub at gcc dot gnu.org, kcc at gcc dot gnu.org
Target Milestone: ---
The undefined behavior sanitizer tries to detect some simple invalid uses of
VLAs (negative bounds, AFAICS) but misses overflow/wraparound in the unsigned
bounds. For example, the test case below crashes (or aborts when the memset
loop is removed), when one would expect or hope the sanitizer
instrumentation to detect this.
$ cat z.c && /home/msebor/build/gcc-trunk-svn/gcc/xg++
  -B/home/msebor/build/gcc-trunk-svn/gcc
  -L/home/msebor/build/gcc-trunk-svn/stage3-x86_64-pc-linux-gnu/libstdc++-v3/src/.libs
  -L/home/msebor/build/gcc-trunk-svn/stage3-x86_64-pc-linux-gnu/libsanitizer/ubsan/.libs
  -O2 -Wall -Wextra -Wpedantic -fsanitize=undefined -xc++ z.c &&
  LD_LIBRARY_PATH=/home/msebor/build/gcc-trunk-svn/stage3-x86_64-pc-linux-gnu/libsanitizer/ubsan/.libs
  ./a.out
typedef __SIZE_TYPE__ size_t;

void __attribute__ ((noclone, noinline))
foo (void *p) { }

void __attribute__ ((noclone, noinline))
bar (size_t m, size_t n)
{
  int a [m][n];

  for (size_t i = 0; i != m; ++i)
    __builtin_memset (a [i], 0, n * sizeof (int));

  foo (a);
}

#define M (__SIZE_MAX__ / 1024)
#define N (__SIZE_MAX__ / 1024)

int main (void)
{
#if __cplusplus
  try {
    bar (M, N);
    __builtin_abort ();
  }
  catch (...) {
  }
#else
  bar (M, N);
#endif
}
z.c: In function ‘void foo(void*)’:
z.c:4:12: warning: unused parameter ‘p’ [-Wunused-parameter]
foo (void *p) { }
^
z.c: In function ‘void bar(size_t, size_t)’:
z.c:9:16: warning: ISO C++ forbids variable length array ‘a’ [-Wvla]
int a [m][n];
^
z.c:9:16: warning: ISO C++ forbids variable length array ‘a’ [-Wvla]
Bus error (core dumped)
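Added example, not part of the bug report: the bound check the report expects ubsan to perform, written out explicitly with GCC's __builtin_mul_overflow so the wraparound in m * n * sizeof (int) is caught before any VLA is declared. It reuses the report's M and N; the helper names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Same bounds as the bug report: on a 64-bit target each is 2^54 - 1, so
   M * N * sizeof (int) is far beyond SIZE_MAX and wraps modulo 2^64. */
#define M (__SIZE_MAX__ / 1024)
#define N (__SIZE_MAX__ / 1024)

/* Hypothetical helper: true when the byte size of an m-by-n array of
   elem-byte elements cannot be represented in size_t. */
static bool vla_bytes_overflows (size_t m, size_t n, size_t elem)
{
  size_t cells, bytes;
  return __builtin_mul_overflow (m, n, &cells)
      || __builtin_mul_overflow (cells, elem, &bytes);
}

/* Hypothetical helper: the checked byte size, or 0 if it would overflow
   (a real array always needs at least one byte, so 0 is a safe sentinel). */
static size_t vla_bytes_or_zero (size_t m, size_t n, size_t elem)
{
  size_t cells, bytes;
  if (__builtin_mul_overflow (m, n, &cells)
      || __builtin_mul_overflow (cells, elem, &bytes))
    return 0;
  return bytes;
}

/* The value the unchecked computation silently produces: unsigned
   arithmetic wraps, so the VLA is sized from a meaningless small number. */
static size_t vla_bytes_wrapped (size_t m, size_t n, size_t elem)
{
  return m * n * elem;
}

int main (void)
{
  if (vla_bytes_overflows (M, N, sizeof (int)))
    printf ("int a[M][N]: size overflows size_t; wrapped value is %zu\n",
            vla_bytes_wrapped (M, N, sizeof (int)));
  printf ("int a[16][16]: needs %zu bytes\n",
          vla_bytes_or_zero (16, 16, sizeof (int)));
  return 0;
}
```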