[Bug sanitizer/107586] New: gcc trunk missed a stack-buffer-overflow
shaohua.li at inf dot ethz.ch
gcc-bugzilla@gcc.gnu.org
Wed Nov 9 09:05:08 GMT 2022
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107586
Bug ID: 107586
Summary: gcc trunk missed a stack-buffer-overflow
Product: gcc
Version: 13.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: shaohua.li at inf dot ethz.ch
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
Target Milestone: ---
For the following code, `gcc-tk -fsanitize=address -O2` successfully detected
the buffer-overflow in `memcpy()`. However, I found that when you uncomment the
line `int *f = &e[0]`, the ASAN warning went away.
I checked gcc-9, which detected the error in both cases but not for gcc-10 and
above.
I wonder if this is due to some optimizations going on that change the memory
layout, which disables ASAN's detection in this case.
Compiler explorer: https://godbolt.org/z/zfGv5378a
% cat a.c
struct a
{
int x;
};
void h(struct a *b)
{
struct a c[70];
int i;
for (i = 0; i < 70; i++)
c[i].x = 1;
__builtin_memcpy(b, c, 70*sizeof(struct a));
__builtin_printf("%d\n", b->x);
};
void g()
{
struct a * d = (struct a *)__builtin_alloca(69*sizeof(struct a));
int e[20] ;
// int *f = &e[0];
h(d);
}
int main()
{
g();
return 0;
}
%
More information about the Gcc-bugs
mailing list