From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gcc-bugzilla@gcc.gnu.org>
Received: by sourceware.org (Postfix, from userid 48)
 id 31D413858C54; Tue, 26 Apr 2022 14:39:31 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 31D413858C54
From: "jakub at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug sanitizer/105396] missed stack-buffer-overflow by -O0
Date: Tue, 26 Apr 2022 14:39:30 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: sanitizer
X-Bugzilla-Version: 12.0
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: normal
X-Bugzilla-Who: jakub at gcc dot gnu.org
X-Bugzilla-Status: ASSIGNED
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: marxin at gcc dot gnu.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: 
Message-ID: <bug-105396-4-9AqB5Yfuz4@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-105396-4@http.gcc.gnu.org/bugzilla/>
References: <bug-105396-4@http.gcc.gnu.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: gcc-bugs@gcc.gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Gcc-bugs mailing list <gcc-bugs.gcc.gnu.org>
List-Unsubscribe: <https://gcc.gnu.org/mailman/options/gcc-bugs>,
 <mailto:gcc-bugs-request@gcc.gnu.org?subject=unsubscribe>
List-Archive: <https://gcc.gnu.org/pipermail/gcc-bugs/>
List-Post: <mailto:gcc-bugs@gcc.gnu.org>
List-Help: <mailto:gcc-bugs-request@gcc.gnu.org?subject=help>
List-Subscribe: <https://gcc.gnu.org/mailman/listinfo/gcc-bugs>,
 <mailto:gcc-bugs-request@gcc.gnu.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Apr 2022 14:39:31 -0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D105396

--- Comment #3 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
So, the bug is clearly in asan_redzone_buffer::emit_redzone_byte.
The off =3D=3D offset case is handled correctly, but the other case is vali=
d only
if the gap is bigger such that we need to flush in between.

--- gcc/asan.cc.jj      2022-02-19 09:03:50.000000000 +0100
+++ gcc/asan.cc 2022-04-26 16:36:55.717551793 +0200
@@ -1502,6 +1502,15 @@ asan_redzone_buffer::emit_redzone_byte (
       m_shadow_bytes.safe_push (value);
       flush_if_full ();
     }
+  else if (offset < m_prev_offset + ASAN_SHADOW_GRANULARITY * RZ_BUFFER_SI=
ZE
+          && !m_shadow_bytes.is_empty ())
+    {
+      /* Shadow memory byte with a small gap.  */
+      for (; off < offset; off +=3D ASAN_SHADOW_GRANULARITY)
+       m_shadow_bytes.safe_push (0);
+      m_shadow_bytes.safe_push (value);
+      flush_if_full ();
+    }
   else
     {
       if (!m_shadow_bytes.is_empty ())

fixes this.=