sanitizer not detecting buffer overrun

Xi Ruoyao
Sun Nov 12 10:02:48 GMT 2023

On Sun, 2023-11-12 at 10:44 +0530, Navin P via Gcc-help wrote:
> I was asking if there exists any way to catch such errors ?
> Assuming right now there doesn't exist any such implementation i was
> thinking of an approach as to how it should be.
> All pointers are null by default. Every pointer has a [start,end) . pointer
> arithmetic even though it is not dereferenced cannot go beyond the end.
> The start,end can be stored in a hash table for each pointer and it should
> always stay within the bounds. Assignment of pointers copies the [start,end]
> range to the lvalue from the rvalue.
> ptr=ptr+x if x is greater than array size +1 is undefined
> ptr=ptr+x-y where x=array size+10 and y=11 is defined
> Do you think this is right and covers all cases ? Are there better ways ?
> What does it take to implement this ? Maybe I can try or is it too complicated ?

MPX was implemented like this, but it was too problematic to be
maintained or used in practice so it was removed in GCC 9.  Intel also
removed MPX in recent CPU models.

Read the wiki page for more info (including its undoings):

Hardware-assisted address sanitizer (hwasan) is a modern replacement for
MPX-like approaches, but currently it's only implemented on AArch64.
(The GCC support for hwasan on x86_64 is already added, but Intel has
not shipped any CPUs supporting it as of now.)

On AArch64, hwasan correctly detects this overrun:

==50998==ERROR: HWAddressSanitizer: tag-mismatch on address 0xefeaffff03f8 at pc 0xffff8666086c
READ of size 4 at 0xefeaffff03f8 tags: cd/ff (ptr/mem) in thread T0
    #0 0xffff8666086c in SigTrap<2> ../../../../libsanitizer/hwasan/hwasan_checks.h:28
    #1 0xffff8666086c in CheckAddress<(__hwasan::ErrorAction)0, (__hwasan::AccessType)0, 2> ../../../../libsanitizer/hwasan/hwasan_checks.h:108
    #2 0xffff8666086c in __hwasan_load4 ../../../../libsanitizer/hwasan/hwasan.cpp:455
    #3 0xaaaadada0b90 in main /home/xry111/t.c:11
    #4 0xffff8644b510 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #5 0xffff8644b5f4 in __libc_start_main_impl ../csu/libc-start.c:360
    #6 0xaaaadada092c in _start ../sysdeps/aarch64/start.S:98

[0xefeaffff0340,0xefeaffff04e0) is a small allocated heap chunk; size: 416 offset: 184

Cause: heap-buffer-overflow
0xefeaffff03f8 is located 200 bytes after a 400-byte region [0xefeaffff01a0,0xefeaffff0330)
allocated here:
    #0 0xffff8665a690 in __sanitizer_calloc ../../../../libsanitizer/hwasan/hwasan_allocation_functions.cpp:116
    #1 0xaaaadada0adc in main /home/xry111/t.c:5
    #2 0xffff8644b510 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #3 0xffff8644b5f4 in __libc_start_main_impl ../csu/libc-start.c:360
    #4 0xaaaadada092c in _start ../sysdeps/aarch64/start.S:98

Xi Ruoyao <>
School of Aerospace Science and Technology, Xidian University
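To make the "[start,end) per pointer" idea from the quoted proposal concrete, here is an added example that is not from the thread or from GCC: a software emulation of that scheme that replays the numbers in the hwasan report (100 ints, 400 bytes, from calloc; an access 200 bytes past the end). The names `bptr`, `bptr_add`, `bptr_load_int`, `demo_overrun` and `demo_fold` are my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Emulation of the per-pointer bounds scheme from the quoted mail (what
 * MPX did in hardware); hypothetical names, not GCC code. A pointer is an
 * (object, offset) pair: arithmetic may not leave [0, size] (one past the
 * end stays legal, as in ISO C) and a load must fit inside [0, size). */
typedef struct {
    unsigned char *base;  /* start of the object */
    size_t size;          /* object size in bytes */
    ptrdiff_t off;        /* current byte offset, kept within [0, size] */
} bptr;

/* ptr = ptr + delta (bytes); refused when the result leaves the object.
 * Only the result is checked, so "x - y" as one step may pass where "x" alone fails. */
static bool bptr_add(bptr *b, ptrdiff_t delta) {
    ptrdiff_t n = b->off + delta;
    if (n < 0 || (size_t)n > b->size) return false;
    b->off = n;
    return true;
}

/* *ptr for an int; the one-past-the-end pointer is not dereferenceable. */
static bool bptr_load_int(const bptr *b, int *out) {
    if ((size_t)b->off + sizeof(int) > b->size) return false;
    memcpy(out, b->base + b->off, sizeof *out);
    return true;
}

/* Replays the report: 100 ints (400 bytes) from calloc, then an access at
 * int index `index` (150 = 200 bytes past the end). Returns 1 if the
 * arithmetic is refused, 2 if only the load is, 0 if in bounds, -1 on OOM. */
int demo_overrun(ptrdiff_t index) {
    int *a = calloc(100, sizeof *a);
    if (!a) return -1;
    bptr p = { (unsigned char *)a, 100 * sizeof *a, 0 };
    int step = 0, v;
    if (!bptr_add(&p, index * (ptrdiff_t)sizeof(int))) step = 1;
    else if (!bptr_load_int(&p, &v)) step = 2;
    free(a);
    return step;
}

/* The quoted "ptr + x - y" case on a 100-int object: x alone overruns,
 * x - y applied as one step does not (no load, so base may stay NULL). */
bool demo_fold(ptrdiff_t x, ptrdiff_t y) {
    bptr p = { NULL, 100 * sizeof(int), 0 };
    return !bptr_add(&p, x * (ptrdiff_t)sizeof(int)) &&
           bptr_add(&p, (x - y) * (ptrdiff_t)sizeof(int));
}
```

Without such tracking a plain compiler cannot tell `a + 150` from a valid pointer; that is the gap hwasan closes at the load (via tags) and MPX tried to close at the arithmetic.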
