[Bug sanitizer/105405] New: missed buffer-overflow in -O0
shaohua.li at inf dot ethz.ch
gcc-bugzilla@gcc.gnu.org
Wed Apr 27 10:02:31 GMT 2022
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105405
Bug ID: 105405
Summary: missed buffer-overflow in -O0
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: shaohua.li at inf dot ethz.ch
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
Target Milestone: ---
For the following code, `gcc -fsanitize=address -O0` would miss the report,
while `gcc -fsanitize=address -O3` would not.
$cat a.c
main() {
    int a[1][1];
    {
        int *b[1];
    }
    a[1][3]++;
}
$
$gcc -fsanitize=address -w -O0 a.c ; ./a.out
$
$gcc -fsanitize=address -w -O3 a.c ; ./a.out
=================================================================
==6342==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f8843a00030 at pc 0x0000004010f9 bp 0x7fff0b7f6a40 sp 0x7fff0b7f6a38
READ of size 4 at 0x7f8843a00030 thread T0
    #0 0x4010f8 in main (/shared/mutate/array/trial_new/work0/debug40/a.out+0x4010f8)
    #1 0x7f8845c570b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
    #2 0x40117d in _start (/shared/mutate/array/trial_new/work0/debug40/a.out+0x40117d)
Address 0x7f8843a00030 is located in stack of thread T0 at offset 48 in frame
    #0 0x40107f in main (/shared/mutate/array/trial_new/work0/debug40/a.out+0x40107f)
  This frame has 1 object(s):
    [32, 36) 'a' (line 2) <== Memory access at offset 48 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/shared/mutate/array/trial_new/work0/debug40/a.out+0x4010f8) in main
Shadow bytes around the buggy address:
0x0ff188737fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff188737fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff188737fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff188737fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff188737ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff188738000: f1 f1 f1 f1 04 f3[f3]f3 00 00 00 00 00 00 00 00
0x0ff188738010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff188738020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff188738030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff188738040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff188738050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==6342==ABORTING
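The following C program is an added illustration written for this page; it is not part of the bug report and not GCC or libasan code. It reproduces the arithmetic behind the -O3 report: `a[1][3]` on `int a[1][1]` is computed by the flat-index rule as 16 bytes past the start of `a`, the frame places `a` at [32, 36), so the access lands at frame offset 48, whose shadow byte is index 6 in the row printed above (`f1 f1 f1 f1 04 f3[f3]f3`). The shadow row, the frame offset 32 and the 4-byte access size are taken from the report; the function names (`flat_offset`, `access_in_object`, `byte_addressable`, `first_poisoned_byte`) are my own. The shadow decoding follows the legend printed by ASan itself: one shadow byte per 8 application bytes, 00 fully addressable, 01..07 partially addressable, anything else poisoned.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Shadow row for main()'s frame, copied from the "=>0x0ff188738000:" line of
   the -O3 report: 4 left-redzone bytes (f1), the 4-byte object 'a' (04), then
   right redzone (f3).  Shadow index k describes frame bytes [8k, 8k+8). */
static const unsigned char frame_shadow[8] = {
    0xf1, 0xf1, 0xf1, 0xf1, 0x04, 0xf3, 0xf3, 0xf3
};

/* Byte offset of element a[i][j] from the start of a `cols`-wide array of
   `elem`-byte elements, by the C flat-index rule.  There is no bounds check
   here, which is exactly how a[1][3] on int a[1][1] yields offset 16. */
size_t flat_offset(size_t cols, size_t elem, size_t i, size_t j)
{
    return (i * cols + j) * elem;
}

/* True if an `elem`-byte access at `offset` lies inside an object of `size`
   bytes: the check a sanitizer must make for every access. */
bool access_in_object(size_t size, size_t offset, size_t elem)
{
    return offset <= size && elem <= size - offset;
}

/* ASan shadow semantics for one application byte at frame offset `off`:
   shadow 00 -> all 8 bytes of the granule addressable; 01..07 -> only the
   first k bytes of the granule addressable; anything else -> poisoned. */
bool byte_addressable(const unsigned char *shadow, size_t off)
{
    unsigned char sb = shadow[off / 8];
    if (sb == 0)
        return true;
    if (sb < 8)
        return (off % 8) < sb;
    return false;
}

/* Emulate ASan's access check: -1 if all `size` bytes starting at frame
   offset `off` are addressable, otherwise the offset of the first bad byte. */
long first_poisoned_byte(const unsigned char *shadow, size_t off, size_t size)
{
    for (size_t b = off; b < off + size; b++)
        if (!byte_addressable(shadow, b))
            return (long)b;
    return -1;
}

int main(void)
{
    const size_t a_frame_offset = 32;   /* "[32, 36) 'a'" in the report */
    size_t off = flat_offset(1, sizeof(int), 1, 3);
    size_t frame_off = a_frame_offset + off;

    printf("a[1][3] is %zu bytes past a; inside the object: %s\n", off,
           access_in_object(sizeof(int[1][1]), off, sizeof(int)) ? "yes" : "no");
    printf("frame offset %zu -> shadow index %zu (0x%02x); first poisoned byte: %ld\n",
           frame_off, frame_off / 8, frame_shadow[frame_off / 8],
           first_poisoned_byte(frame_shadow, frame_off, sizeof(int)));
    return 0;
}
```

Running it shows the access at frame offset 48 hitting shadow index 6 (0xf3, stack right redzone), which is the bracketed byte in the report, while an in-bounds `a[0][0]` at offset 32 is covered by the partial shadow byte 04 and passes. The same shadow check can be run over any frame layout printed by ASan to confirm which bytes an out-of-bounds index would reach.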