From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id E5E24385840F; Thu, 17 Mar 2022 10:04:38 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org E5E24385840F From: "marxin at gcc dot gnu.org" To: gcc-bugs@gcc.gnu.org Subject: [Bug tree-optimization/104964] New: Wrong *** buffer overflow detected ***: terminated - acl Date: Thu, 17 Mar 2022 10:04:38 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: gcc X-Bugzilla-Component: tree-optimization X-Bugzilla-Version: 12.0 X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: marxin at gcc dot gnu.org X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Resolution: X-Bugzilla-Priority: P3 X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter target_milestone Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: gcc-bugs@gcc.gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Gcc-bugs mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Mar 2022 10:04:39 -0000 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D104964 Bug ID: 104964 Summary: Wrong *** buffer overflow detected ***: terminated - acl Product: gcc Version: 12.0 Status: UNCONFIRMED Severity: normal Priority: P3 Component: tree-optimization Assignee: unassigned at gcc dot gnu.org Reporter: marxin at gcc dot gnu.org Target Milestone: --- The test-case is reduced from acl: $ cat x.c #include #include #include struct __string_ext { char s_str[0]; }; struct string_obj_tag { struct __string_ext i; }; typedef struct string_obj_tag string_obj; static void=20 writeto(char *text_p, ssize_t size) { fprintf (stderr, "Write to: %p, size=3D%d\n", text_p, size); strncpy(text_p, "sparta", size); } int main() { ssize_t size =3D 30; string_obj *string_obj_p =3D (string_obj *)malloc (sizeof(string_obj) + s= ize); fprintf (stderr, "allocated: %d B starting at %p\n", size, string_obj_p->i.s_str); writeto(string_obj_p->i.s_str, size); fprintf (stderr, "result STR(%p)=3D%s\n", string_obj_p->i.s_str, string_obj_p->i.s_str); return 0; } $ gcc x.c -D_FORTIFY_SOURCE=3D2 -O2 && ./a.out In file included from /usr/include/string.h:535, from x.c:3: In function =E2=80=98strncpy=E2=80=99, inlined from =E2=80=98writeto=E2=80=99 at x.c:19:3, inlined from =E2=80=98main=E2=80=99 at x.c:28:3: /usr/include/bits/string_fortified.h:95:10: warning: =E2=80=98__builtin___s= trncpy_chk=E2=80=99 writing 30 bytes into a region of size 0 overflows the destination [-Wstringop-overflow=3D] 95 | return __builtin___strncpy_chk (__dest, __src, __len, | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 96 | __glibc_objsize (__dest)); | ~~~~~~~~~~~~~~~~~~~~~~~~~ allocated: 30 B starting at 0x4052a0 Write to: 0x4052a0, size=3D30 *** buffer overflow detected ***: terminated Aborted (core dumped) While clang is fine: $ clang x.c -D_FORTIFY_SOURCE=3D2 -O2 && ./a.out allocated: 30 B starting at 0x4052a0 Write to: 0x4052a0, size=3D30 result STR(0x4052a0)=3Dsparta and ASAN,UBSAN as well: $ gcc-11 x.c -fsanitize=3Daddress,undefined && ./a.out allocated: 30 B starting at 0x603000000040 Write to: 0x603000000040, size=3D30 result STR(0x603000000040)=3Dsparta I see the error happens also with older GCC compilers.=