public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug sanitizer/105107] New: false positive stack-buffer-overflow in ASAN
@ 2022-03-30 13:51 shaohua.li at inf dot ethz.ch
2022-03-30 14:26 ` [Bug sanitizer/105107] " marxin at gcc dot gnu.org
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: shaohua.li at inf dot ethz.ch @ 2022-03-30 13:51 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105107
Bug ID: 105107
Summary: false positive stack-buffer-overflow in ASAN
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: shaohua.li at inf dot ethz.ch
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
Target Milestone: ---
Hi,
For the following code, ASAN in gcc-O0 since 9.0 reported a
"stack-buffer-overflow", which it shouldn't.
$cat a.c
#define c(d, j) d = 5;
h=1;
*a=&h;
**b = &a;
int e;
fn1() {
int e=0;
int **f = &a;
*f = &e;
}
i() {
int g[9];
c(**b, )
}
main() {
fn1();
i();
}
$
$gcc -fsanitize=address -O0 a.c;./a.out
==1==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffef6656070
at pc 0x000000401390 bp 0x7ffef6656000 sp 0x7ffef6655ff8
WRITE of size 4 at 0x7ffef6656070 thread T0
#0 0x40138f in i /app/example.c:13
#1 0x4013e8 in main /app/example.c:17
#2 0x7f5a7f21c0b2 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
#3 0x4010ed in _start (/app/output.s+0x4010ed)
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug sanitizer/105107] false positive stack-buffer-overflow in ASAN
2022-03-30 13:51 [Bug sanitizer/105107] New: false positive stack-buffer-overflow in ASAN shaohua.li at inf dot ethz.ch
@ 2022-03-30 14:26 ` marxin at gcc dot gnu.org
2022-03-30 14:51 ` shaohua.li at inf dot ethz.ch
2022-03-31 6:31 ` marxin at gcc dot gnu.org
2 siblings, 0 replies; 4+ messages in thread
From: marxin at gcc dot gnu.org @ 2022-03-30 14:26 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105107
Martin Liška <marxin at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |RESOLVED
Resolution|--- |INVALID
--- Comment #1 from Martin Liška <marxin at gcc dot gnu.org> ---
There's expanded version of the testcase:
$ cat pr105107.c
int h=1;
int *a=&h;
int **b = &a;
int e;
void
fn1() {
int e=0;
int **f = &a;
__builtin_printf ("addr of e=%p\n", &e);
*f = &e;
}
void
i() {
int g[9];
__builtin_printf ("write to %p\n", *b);
**b = 5;
}
int
main() {
fn1();
i();
return 0;
}
$ gcc-11 pr105107.c -fsanitize=address -g && ./a.out
addr of e=0x7fffffffdaf0
write to 0x7fffffffdaf0
=================================================================
==6753==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fffffffdaf0 at pc 0x000000401416 bp 0x7fffffffda80 sp 0x7fffffffda78
WRITE of size 4 at 0x7fffffffdaf0 thread T0
#0 0x401415 in i /home/marxin/Programming/testcases/pr105107.c:19
#1 0x401493 in main /home/marxin/Programming/testcases/pr105107.c:25
#2 0x7ffff73be62f in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
#3 0x7ffff73be6ef in __libc_start_main_impl ../csu/libc-start.c:392
#4 0x4010f4 in _start (/home/marxin/Programming/testcases/a.out+0x4010f4)
Address 0x7fffffffdaf0 is located in stack of thread T0 at offset 96 in frame
#0 0x401305 in i /home/marxin/Programming/testcases/pr105107.c:16
This frame has 1 object(s):
[48, 84) 'g' (line 17) <== Memory access at offset 96 overflows this
variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
/home/marxin/Programming/testcases/pr105107.c:19 in i
Shadow bytes around the buggy address:
0x10007fff7b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007fff7b50: 00 00 f1 f1 f1 f1 f1 f1 00 00 00 00 04 f3[f3]f3
0x10007fff7b60: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==6753==ABORTING
The error is correct as it takes the address of 'e' in function 'fn1' where it
writes once fn1 returns.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug sanitizer/105107] false positive stack-buffer-overflow in ASAN
2022-03-30 13:51 [Bug sanitizer/105107] New: false positive stack-buffer-overflow in ASAN shaohua.li at inf dot ethz.ch
2022-03-30 14:26 ` [Bug sanitizer/105107] " marxin at gcc dot gnu.org
@ 2022-03-30 14:51 ` shaohua.li at inf dot ethz.ch
2022-03-31 6:31 ` marxin at gcc dot gnu.org
2 siblings, 0 replies; 4+ messages in thread
From: shaohua.li at inf dot ethz.ch @ 2022-03-30 14:51 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105107
--- Comment #2 from Li Shaohua <shaohua.li at inf dot ethz.ch> ---
Thanks for your prompt reply. The warning messages only appeared for -O0 and
-O3, not for -O1 and -O2. I wonder this might also be an issue.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug sanitizer/105107] false positive stack-buffer-overflow in ASAN
2022-03-30 13:51 [Bug sanitizer/105107] New: false positive stack-buffer-overflow in ASAN shaohua.li at inf dot ethz.ch
2022-03-30 14:26 ` [Bug sanitizer/105107] " marxin at gcc dot gnu.org
2022-03-30 14:51 ` shaohua.li at inf dot ethz.ch
@ 2022-03-31 6:31 ` marxin at gcc dot gnu.org
2 siblings, 0 replies; 4+ messages in thread
From: marxin at gcc dot gnu.org @ 2022-03-31 6:31 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105107
--- Comment #3 from Martin Liška <marxin at gcc dot gnu.org> ---
You'll see it with:
gcc-11 pr105107.c -fsanitize=address -g -O2 &&
ASAN_OPTIONS=detect_stack_use_after_return=1 ./a.out
addr of e=0x7ffff39f4020
write to 0x7ffff39f4020
=================================================================
==31825==ERROR: AddressSanitizer: stack-use-after-return on address
0x7ffff39f4020 at pc 0x000000401373 bp 0x7fffffffdaf0 sp 0x7fffffffdae8
WRITE of size 4 at 0x7ffff39f4020 thread T0
#0 0x401372 in i /home/marxin/Programming/testcases/pr105107.c:19
#1 0x4010d1 in main /home/marxin/Programming/testcases/pr105107.c:25
#2 0x7ffff73be62f in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
#3 0x7ffff73be6ef in __libc_start_main_impl ../csu/libc-start.c:392
#4 0x401134 in _start (/home/marxin/Programming/testcases/a.out+0x401134)
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-03-31 6:31 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-03-30 13:51 [Bug sanitizer/105107] New: false positive stack-buffer-overflow in ASAN shaohua.li at inf dot ethz.ch
2022-03-30 14:26 ` [Bug sanitizer/105107] " marxin at gcc dot gnu.org
2022-03-30 14:51 ` shaohua.li at inf dot ethz.ch
2022-03-31 6:31 ` marxin at gcc dot gnu.org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).