[Bug sanitizer/87191] UBSan doesn't catch invalid pointer arithmetic outside known object bounds
marxin at gcc dot gnu.org
gcc-bugzilla@gcc.gnu.org
Mon Sep 3 11:31:00 GMT 2018
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87191
--- Comment #3 from Martin Liška <marxin at gcc dot gnu.org> ---
I believe it's a nice example where ASAN can help:
$ cat pr87191.c
void bar(void *ptr)
{
    __builtin_putchar (*(char *)ptr);
}

int main()
{
    char a[10];
    /* &a has type char (*)[10], so &a+2 points 20 bytes past the start of a */
    bar(&a+2);
}
$ =================================================================
==17684==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fffffffdb84 at pc 0x000000401192 bp 0x7fffffffdb20 sp 0x7fffffffdb18
READ of size 1 at 0x7fffffffdb84 thread T0
#0 0x401191 in bar (/home/marxin/Programming/testcases/a.out+0x401191)
#1 0x40122a in main (/home/marxin/Programming/testcases/a.out+0x40122a)
#2 0x7ffff6c71fea in __libc_start_main ../csu/libc-start.c:308
#3 0x4010a9 in _start (/home/marxin/Programming/testcases/a.out+0x4010a9)
Address 0x7fffffffdb84 is located in stack of thread T0 at offset 52 in frame
#0 0x4011b5 in main (/home/marxin/Programming/testcases/a.out+0x4011b5)
This frame has 1 object(s):
[32, 42) 'a' <== Memory access at offset 52 overflows this variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
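The arithmetic behind the report above, as an added example that is not part of the bug comment or of GCC's test suite: `&a` is a pointer to the whole `char[10]`, so `&a+2` advances by two array sizes (20 bytes), which is why ASan reports the access at frame offset 52 against an object occupying [32, 42). The helpers below (`array_ptr_offset`, `offset_in_bounds`, `checked_read`, all hypothetical names) compute that offset in plain integers and apply the bounds rule C actually guarantees: a pointer may be formed anywhere from the start of the object up to one past its end, and only the positions strictly inside may be read.

```c
#include <stddef.h>
#include <stdio.h>

/* Byte offset produced by `&obj + n` when obj is obj_size bytes long.
   A pointer-to-array steps by the whole array, not by one element. */
static ptrdiff_t array_ptr_offset(size_t obj_size, ptrdiff_t n)
{
    return n * (ptrdiff_t)obj_size;
}

/* 1 if base + byte_offset may legally be formed for an object of obj_size
   bytes: anywhere from the first byte up to and including one past the end.
   The check works on integers, so it never performs the pointer arithmetic
   it is judging. */
static int offset_in_bounds(size_t obj_size, ptrdiff_t byte_offset)
{
    return byte_offset >= 0 && (size_t)byte_offset <= obj_size;
}

/* Frame offset ASan would attribute to an access: object start in the
   frame plus the byte offset of the access within (or beyond) the object. */
static ptrdiff_t frame_offset_of_access(ptrdiff_t object_start, ptrdiff_t byte_offset)
{
    return object_start + byte_offset;
}

/* Bounds-checked read: returns the byte (0..255) when byte_offset lies
   strictly inside the object, -1 otherwise. The one-past-the-end position
   may be formed but never dereferenced, so it is rejected here too. */
static int checked_read(const char *base, size_t obj_size, ptrdiff_t byte_offset)
{
    if (!offset_in_bounds(obj_size, byte_offset) || (size_t)byte_offset == obj_size)
        return -1;
    return (unsigned char)base[byte_offset];
}

int main(void)
{
    char a[10] = "abcdefghi";          /* constructed sample, same shape as the report */
    ptrdiff_t off = array_ptr_offset(sizeof a, 2);   /* what &a+2 adds: 20 bytes */

    printf("&a+2 is %td bytes past a; in bounds: %d\n", off, offset_in_bounds(sizeof a, off));
    printf("frame offset ASan reports: %td (object at [32, 42))\n",
           frame_offset_of_access(32, off));
    printf("checked_read at 2 -> %d, at 10 -> %d, at 20 -> %d\n",
           checked_read(a, sizeof a, 2),
           checked_read(a, sizeof a, 10),
           checked_read(a, sizeof a, 20));
    return 0;
}
```

The integer check is what a compiler-side bounds sanitizer would need in order to flag `&a+2` at the point the pointer is formed; ASan instead catches it later, when `bar` dereferences the pointer and the shadow memory for offset 52 turns out to be poisoned.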