From: "siddhesh at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug tree-optimization/104964] Wrong *** buffer overflow detected ***: terminated - acl
Date: Fri, 25 Mar 2022 15:00:25 +0000
X-Bugzilla-Product: gcc
X-Bugzilla-Component: tree-optimization
X-Bugzilla-Version: 12.0
X-Bugzilla-Keywords: wrong-code
X-Bugzilla-Severity: normal
X-Bugzilla-Status: ASSIGNED
X-Bugzilla-Priority: P1
X-Bugzilla-Assigned-To: siddhesh at gcc dot gnu.org
X-Bugzilla-Target-Milestone: 12.0

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104964

--- Comment #13 from Siddhesh Poyarekar ---

It's not really a regression AFAICT; it's only more visible with __bdos because non-constant offsets don't stop it. Also the problem is only with subobjects (hence limited to _FORTIFY_SOURCE > 1 for strcpy), where the block in addr_object_size that is supposed to deal with flex arrays at the end doesn't quite do its job with nested structs.
The same reproducer tweaked a bit will crash even for __builtin_object_size:

struct __string_ext
{
  char s_str[0];
};

typedef struct
{
  int o_prefix;
  struct __string_ext i;
} string_obj;

#define SUFFIX ".suffix"

string_obj *
__acl_to_any_text (unsigned long n)
{
  unsigned long off = 0;
  unsigned long size = sizeof SUFFIX;
  string_obj *obj = __builtin_malloc (sizeof (string_obj) + size);

  if (n == 0)
    __builtin_unreachable ();

  while (n-- != 0)
    {
      if (off + 1 > size - sizeof SUFFIX)
	{
	  size <<= 1;
	  string_obj *tmp = __builtin_realloc (obj, sizeof (string_obj) + size);
	  if (!tmp)
	    __builtin_unreachable ();
	  obj = tmp;
	}
      obj->i.s_str[off++] = 'A';
    }

  char *t = obj->i.s_str;
  __strcpy_chk (t, SUFFIX, __builtin_object_size (t, 1));
  return obj;
}

int
main ()
{
  string_obj *s = __acl_to_any_text (32);
  __builtin_printf ("%zu: %s\n", __builtin_strlen (s->i.s_str), s->i.s_str);
  return 0;
}

$ gcc/cc1 -g -o test.s -quiet -Wall -O3 fs3.c
fs3.c: In function ‘__acl_to_any_text’:
fs3.c:40:3: warning: ‘__builtin___memcpy_chk’ writing 8 bytes into a region of size 0 overflows the destination [-Wstringop-overflow=]
   40 |   __strcpy_chk (t, SUFFIX, __builtin_object_size (t, 1));
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
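The reproducer above relies on the compiler deriving the size of the trailing s_str subobject, which is exactly what addr_object_size gets wrong for the nested layout. As an added example (not part of the bug report or of GCC/acl), the same layout with the allocated capacity carried alongside the object, so the final copy is bounded by a value the program tracks itself; string_buf, grow and acl_to_any_text are hypothetical names chosen here.

```c
#include <stdlib.h>
#include <string.h>

/* Same layout as the reproducer: zero-length array in a nested struct
   that sits at the end of the enclosing object. */
struct __string_ext { char s_str[0]; };
typedef struct { int o_prefix; struct __string_ext i; } string_obj;

#define SUFFIX ".suffix"

/* Hypothetical wrapper: the capacity of s_str travels with the object,
   so bounds checks do not depend on __builtin_object_size (t, 1). */
typedef struct { unsigned long cap; string_obj *obj; } string_buf;

/* Ensure s_str can hold at least `need` bytes; doubling as in the report. */
static int grow (string_buf *b, unsigned long need)
{
  if (need <= b->cap)
    return 1;
  unsigned long cap = b->cap ? b->cap : sizeof SUFFIX;
  while (cap < need)
    cap <<= 1;
  string_obj *tmp = realloc (b->obj, sizeof (string_obj) + cap);
  if (!tmp)
    return 0;
  b->obj = tmp;
  b->cap = cap;
  return 1;
}

/* Write n 'A' bytes followed by SUFFIX (with its NUL).
   Returns 1 on success, 0 on allocation failure. */
int acl_to_any_text (string_buf *b, unsigned long n)
{
  unsigned long off = 0;
  while (n-- != 0)
    {
      /* Always keep room for the suffix, the invariant the report's loop keeps. */
      if (!grow (b, off + 1 + sizeof SUFFIX))
        return 0;
      b->obj->i.s_str[off++] = 'A';
    }
  if (!grow (b, off + sizeof SUFFIX))
    return 0;
  /* Explicit runtime bound from the tracked capacity, not from __bos. */
  if (b->cap - off < sizeof SUFFIX)
    return 0;
  memcpy (b->obj->i.s_str + off, SUFFIX, sizeof SUFFIX);
  return 1;
}
```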