[Bug sanitizer/105714] New: ASan in gcc trunk missed a buffer-overflow at -Os

shaohua.li at inf dot ethz.ch gcc-bugzilla@gcc.gnu.org
Tue May 24 08:42:11 GMT 2022


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105714

            Bug ID: 105714
           Summary: ASan in gcc trunk missed a buffer-overflow at -Os
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: shaohua.li at inf dot ethz.ch
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
  Target Milestone: ---

For the following code, `gcc-trunk -Os -fsanitize=address` reported nothing;
however, other optimization levels reported the global-buffer-overflow at the
end of function g().

Initially, I thought it might be due to optimization at -Os, but I found that
the overflowed buffer is indeed loaded in the assembly code, and gcc-11 -Os did
not miss this bug: https://godbolt.org/z/r4rhM8bjz

$cat a.c
struct a {
  int x;
};
struct a b[2];                 /* 8-byte global; ASan puts a redzone right after it */
struct a *c = b, *d = b;
int e;

int g() {
  for (e = 0; e < 1; e++) {
    int i[1];
    i;                         /* no-op left over from test-case reduction */
  }
  for (int h = 0; h < 3; h++)
    *c = *d;
  *c = *(b+3);                 /* b[3]: 4-byte read past the end of b (a.c:15) */
  return c->x;
}

int main(void) {
    g();
    return 0;
}
$
$gcc-trunk -Os -fsanitize=address a.c && ./a.out
$
$gcc-trunk -O3 -fsanitize=address a.c && ./a.out
==12272==ERROR: AddressSanitizer: global-buffer-overflow on address
0x0000004042ac at pc 0x00000040132a bp 0x7ffdbc905820 sp 0x7ffdbc905818
READ of size 4 at 0x0000004042ac thread T0
    #0 0x401329 in g /local/home/shaoli/a.c:15
    #1 0x7fc367b2f082 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId:
1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #2 0x40111d in _start (/local/home/shaoli/a.out+0x40111d)

0x0000004042ac is located 4 bytes to the right of global variable 'b' defined
in 'a.c:4:10' (0x4042a0) of size 8
SUMMARY: AddressSanitizer: global-buffer-overflow /local/home/shaoli/a.c:15 in
g
Shadow bytes around the buggy address:
  0x000080078800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080078810: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x000080078820: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080078830: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080078840: f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 04 f9 f9 f9
=>0x000080078850: f9 f9 f9 f9 00[f9]f9 f9 f9 f9 f9 f9 00 00 00 00
  0x000080078860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080078870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080078880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080078890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800788a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12272==ABORTING
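To make sense of the "Shadow bytes around the buggy address" dump in the report, here is an added example (not part of the bug report or of GCC/libasan) that reproduces ASan's x86_64 Linux shadow mapping, Shadow = (Addr >> 3) + 0x7fff8000, and the addressability check on top of the one shadow row the report prints for 0x000080078850. The shadow row and the addresses (b at 0x4042a0, the faulting read at 0x4042ac) are copied from the dump above; the mapping constants are ASan's defaults for that platform, and the check mirrors ASan's per-granule fast path rather than calling the real runtime.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Default ASan shadow mapping on x86_64 Linux: Shadow = (Addr >> 3) + 0x7fff8000 */
#define ASAN_SHADOW_SCALE  3
#define ASAN_SHADOW_OFFSET 0x7fff8000ULL

/* Shadow row "=>0x000080078850: f9 f9 f9 f9 00[f9]f9 f9 f9 f9 f9 f9 00 00 00 00"
   copied from the report's dump. Each byte covers an 8-byte granule. */
static const uintptr_t SHADOW_ROW_BASE = 0x80078850ULL;
static const uint8_t SHADOW_ROW[16] = {
    0xf9, 0xf9, 0xf9, 0xf9, 0x00, 0xf9, 0xf9, 0xf9,
    0xf9, 0xf9, 0xf9, 0xf9, 0x00, 0x00, 0x00, 0x00,
};

uintptr_t asan_shadow_addr(uintptr_t addr) {
    return (addr >> ASAN_SHADOW_SCALE) + ASAN_SHADOW_OFFSET;
}

/* Shadow byte for an application address, or -1 if it falls outside the copied row. */
int shadow_byte_for(uintptr_t addr) {
    uintptr_t s = asan_shadow_addr(addr);
    if (s < SHADOW_ROW_BASE || s >= SHADOW_ROW_BASE + sizeof SHADOW_ROW)
        return -1;
    return SHADOW_ROW[s - SHADOW_ROW_BASE];
}

/* Human-readable meaning of a shadow byte, following the legend ASan prints. */
const char *asan_shadow_kind(uint8_t k) {
    if (k == 0x00) return "addressable";
    if (k >= 0x01 && k <= 0x07) return "partially addressable";
    switch (k) {
    case 0xf9: return "global redzone";
    case 0xfa: return "heap left redzone";
    case 0xfd: return "freed heap region";
    case 0xf1: return "stack left redzone";
    case 0xf2: return "stack mid redzone";
    case 0xf3: return "stack right redzone";
    case 0xf5: return "stack after return";
    case 0xf8: return "stack use after scope";
    default:   return "other poisoned";
    }
}

/* ASan's rule, applied per 8-byte granule the access touches:
   shadow 0      -> whole granule addressable
   shadow 1..7   -> only the first k bytes are addressable, so the access is fine
                    iff its last byte within the granule has offset < k
   anything else -> poisoned (redzone, freed, etc.)
   Granules outside the copied row are treated as addressable (unknown). */
bool asan_access_is_poisoned(uintptr_t addr, size_t size) {
    uintptr_t end = addr + size;                       /* one past the last byte */
    for (uintptr_t g = addr & ~(uintptr_t)7; g < end; g += 8) {
        int k = shadow_byte_for(g);
        if (k <= 0) continue;                          /* addressable or unknown */
        uintptr_t stop = end < g + 8 ? end : g + 8;    /* access end within granule */
        uintptr_t last = stop - g - 1;                 /* offset of last byte touched */
        if (k >= 1 && k <= 7 && last < (uintptr_t)k) continue;
        return true;
    }
    return false;
}

int main(void) {
    uintptr_t b     = 0x4042a0ULL;   /* 'b' from the report: 8 bytes */
    uintptr_t buggy = 0x4042acULL;   /* *(b+3): 4-byte read 4 bytes past the end of b */
    int k = shadow_byte_for(buggy);
    printf("shadow(%#llx) = %#llx -> %02x (%s)\n",
           (unsigned long long)buggy, (unsigned long long)asan_shadow_addr(buggy),
           k, asan_shadow_kind((uint8_t)k));
    printf("4-byte read at b[1] (%#llx): %s\n", (unsigned long long)(b + 4),
           asan_access_is_poisoned(b + 4, 4) ? "poisoned" : "ok");
    printf("4-byte read at b[3] (%#llx): %s\n", (unsigned long long)buggy,
           asan_access_is_poisoned(buggy, 4) ? "poisoned" : "ok");
    return 0;
}
```

The shadow address the model computes for 0x4042ac is 0x80078855, exactly the bracketed [f9] in the report's dump, while b itself (0x4042a0..0x4042a7) maps to the 00 byte just before it. This is the check libasan performs when the compiler has emitted instrumentation for the load; in the -Os case the report describes, the load is still present in the assembly but nothing consults the shadow, which is why no error is raised.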

