[Bug middle-end/77622] __builtin_object_size incorrect for an out-of-bounds pointer prior to destination object
msebor at gcc dot gnu.org
gcc-bugzilla@gcc.gnu.org
Sun Nov 3 20:34:00 GMT 2019
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77622
Martin Sebor <msebor at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |NEW
Last reconfirmed| |2019-11-03
Ever confirmed|0 |1
Known to fail| |10.0, 7.3.0, 8.3.0, 9.2.0
--- Comment #3 from Martin Sebor <msebor at gcc dot gnu.org> ---
GCC 10 warns but still doesn't instrument the code so the invalid access is
allowed to cause memory corruption at runtime:
$ gcc -O2 -Wall -fdump-tree-optimized=/dev/stdout pr77622.c && ./a.out
pr77622.c: In function ‘f’:
pr77622.c:6:9: warning: array subscript -7 is outside array bounds of ‘char[3]’
[-Warray-bounds]
6 | char *p = &d[3] - i;
| ^
pr77622.c:4:8: note: while referencing ‘d’
4 | char d [3];
| ^
pr77622.c:6:9: warning: array subscript -7 is outside array bounds of ‘char[3]’
[-Warray-bounds]
6 | char *p = &d[3] - i;
| ^
pr77622.c:4:8: note: while referencing ‘d’
4 | char d [3];
| ^
;; Function f (f, funcdef_no=0, decl_uid=1930, cgraph_uid=1, symbol_order=0)
__attribute__((noinline))
f ()
{
char d[3];
<bb 2> [local count: 1073741824]:
__builtin_memcpy (&MEM <char> [(void *)&d + -7B], "abcdef", 5);
__builtin_printf ("%.0s", &MEM <char> [(void *)&d + -7B]);
d ={v} {CLOBBER};
return;
}
;; Function main (main, funcdef_no=1, decl_uid=1936, cgraph_uid=2,
symbol_order=1) (executed once)
main ()
{
<bb 2> [local count: 1073741824]:
f ();
return 0;
}
Clang doesn't warn about the invalid access like GCC does but it prevents it at
runtime:
$ cat pr77622.c && clang -D_FORTIFY_SOURCE=2 -O2 -Wall pr77622.c && ./a.out
__attribute__ ((noinline))
void f (void)
{
char d [3];
int i = 10;
char *p = &d[3] - i;
__builtin___memcpy_chk (p, "abcdef", 5, __builtin_object_size (p, 0));
__builtin_printf ("%.0s", p);
}
int main (void)
{
f ();
}
*** buffer overflow detected ***: ./a.out terminated
Aborted (core dumped)
More information about the Gcc-bugs
mailing list