[Bug sanitizer/81040] New: asan false negative if parameter of a global function passed by reference
ryabinin.a.a at gmail dot com
gcc-bugzilla@gcc.gnu.org
Fri Jun 9 17:36:00 GMT 2017
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81040
Bug ID: 81040
Summary: asan false negative if parameter of a global function passed by reference
Product: gcc
Version: 8.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: ryabinin.a.a at gmail dot com
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org, jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
Target Milestone: ---
The following test case doesn't produce an asan warning while it should.
For some reason gcc doesn't surround 'a' with redzones.
$ cat asan_test.c
static __attribute__((noinline)) void goo(int *a)
{
    *(volatile int*)a;
}

__attribute__((noinline)) void foo(char a)
{
    goo((int*)&a);
}

int main()
{
    foo(1);
    return 0;
}
$ gcc -fsanitize=address -O2 asan_test.c
$ ./a.out
$
Now, if we make foo() static, asan suddenly works:
$ cat asan_static_test.c
static __attribute__((noinline)) void goo(int *a)
{
    *(volatile int*)a;
}

static __attribute__((noinline)) void foo(char a)
{
    goo((int*)&a);
}

int main()
{
    foo(1);
    return 0;
}
$ gcc -fsanitize=address -O2 asan_static_test.c
$ ./a.out
=================================================================
==3278==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc2e298480 at pc 0x00000040083b bp 0x7ffc2e298440 sp 0x7ffc2e298438
READ of size 4 at 0x7ffc2e298480 thread T0
    #0 0x40083a in goo (/home/andrew/linux/a.out+0x40083a)
    #1 0x4008a0 in foo.constprop.0 (/home/andrew/linux/a.out+0x4008a0)
    #2 0x4006e8 in main (/home/andrew/linux/a.out+0x4006e8)
    #3 0x7ff179db971f in __libc_start_main (/lib64/libc.so.6+0x2071f)
    #4 0x400738 in _start (/home/andrew/linux/a.out+0x400738)

Address 0x7ffc2e298480 is located in stack of thread T0 at offset 32 in frame
    #0 0x40084f in foo.constprop.0 (/home/andrew/linux/a.out+0x40084f)

  This frame has 1 object(s):
    [32, 33) 'a' <== Memory access at offset 32 partially overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/andrew/linux/a.out+0x40083a) in goo
Shadow bytes around the buggy address:
0x100005c4b040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100005c4b050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100005c4b060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100005c4b070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100005c4b080: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x100005c4b090:[01]f4 f4 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00
0x100005c4b0a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100005c4b0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100005c4b0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100005c4b0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100005c4b0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3278==ABORTING
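The "partially overflows" line in the report is ASan's shadow-memory check firing. The following added example (my own code, not part of the bug report or of GCC) models that check in C against the shadow bytes shown in the "=>" line of the dump: the 8-byte granule holding 'a' has shadow byte 01 (only its first byte addressable), so the 4-byte read goo() performs at offset 32 is flagged, while a 1-byte read of the same char is not. The frame_shadow table and check_access are my own names, and only naturally aligned accesses are modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Verdicts mirroring the wording of an ASan stack report. */
enum asan_verdict { ACCESS_OK, PARTIAL_OVERFLOW, IN_REDZONE, OUTSIDE_FRAME };

/* Constructed shadow image of foo's frame, one byte per 8-byte granule,
 * transcribed from the "=>" line of the report: f1 = stack left redzone,
 * 01 = granule [32,40) with only its first byte ('a') addressable,
 * f4 = stack partial redzone, f3 = stack right redzone. */
static const uint8_t frame_shadow[] = {
    0xf1, 0xf1, 0xf1, 0xf1,   /* offsets  0..31 : left redzone     */
    0x01,                     /* offsets 32..39 : 'a' lives at 32  */
    0xf4, 0xf4, 0xf4,         /* offsets 40..63 : partial redzone  */
    0xf3, 0xf3, 0xf3, 0xf3,   /* offsets 64..95 : right redzone    */
};

/* The check ASan inlines before a naturally aligned load/store of 1, 2, 4 or 8
 * bytes: shadow byte 0 means all 8 bytes of the granule are addressable,
 * 1..7 means only the first k bytes are, and a value with the high bit set
 * marks a poisoned (redzone) granule. Assumption: aligned accesses only. */
static enum asan_verdict check_access(size_t off, size_t size)
{
    size_t granule = off / 8;
    if (granule >= sizeof frame_shadow)
        return OUTSIDE_FRAME;
    uint8_t k = frame_shadow[granule];
    if (k == 0)
        return ACCESS_OK;
    if (k & 0x80)
        return IN_REDZONE;
    /* Last byte touched is (off % 8) + size - 1; it must lie below k. */
    return (off % 8) + size - 1 < k ? ACCESS_OK : PARTIAL_OVERFLOW;
}

int main(void)
{
    static const char *names[] = { "ok", "partially overflows", "in redzone", "outside frame" };
    /* The report's access: goo() reads 4 bytes from the address of the 1-byte 'a'. */
    printf("READ of size 4 at offset 32: %s\n", names[check_access(32, 4)]);
    printf("READ of size 1 at offset 32: %s\n", names[check_access(32, 1)]);
    return 0;
}
```

In the global-foo case from the report, no such redzone bytes are laid out around 'a' at all, so every shadow byte the check consults is 00 and the read goes unreported.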