From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gcc-bugzilla@gcc.gnu.org>
Received: by sourceware.org (Postfix, from userid 48)
 id D3F8B385840C; Thu, 28 Apr 2022 09:11:27 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org D3F8B385840C
From: "marxin at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug sanitizer/105405] missed buffer-overflow in -O0
Date: Thu, 28 Apr 2022 09:11:27 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: sanitizer
X-Bugzilla-Version: 12.0
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: normal
X-Bugzilla-Who: marxin at gcc dot gnu.org
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Resolution: INVALID
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: 
Message-ID: <bug-105405-4-u2FL78fAKj@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-105405-4@http.gcc.gnu.org/bugzilla/>
References: <bug-105405-4@http.gcc.gnu.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: gcc-bugs@gcc.gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Gcc-bugs mailing list <gcc-bugs.gcc.gnu.org>
List-Unsubscribe: <https://gcc.gnu.org/mailman/options/gcc-bugs>,
 <mailto:gcc-bugs-request@gcc.gnu.org?subject=unsubscribe>
List-Archive: <https://gcc.gnu.org/pipermail/gcc-bugs/>
List-Post: <mailto:gcc-bugs@gcc.gnu.org>
List-Help: <mailto:gcc-bugs-request@gcc.gnu.org?subject=help>
List-Subscribe: <https://gcc.gnu.org/mailman/listinfo/gcc-bugs>,
 <mailto:gcc-bugs-request@gcc.gnu.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Apr 2022 09:11:27 -0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D105405

--- Comment #6 from Martin Li=C5=A1ka <marxin at gcc dot gnu.org> ---
(In reply to Jakub Jelinek from comment #5)
> j[5][1].h is 36 after the end of a array, that is definitely too far.

Yes. Just a small note that clang emits there a bit bigger red-zone:

=3D>0x0000801c50a0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9[f9]f9 f9
  0x0000801c50b0: 04 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00

and thus catches that.

> Red zone can be 16 bytes or even less in certain cases (e.g. in the PR105=
396
> case it is 12 bytes in between d and b variables).
> ASan mostly protects against buffer overflows, something accesses the last
> byte of a variable, then the byte after it, ... (or similarly the first b=
yte
> of a variable, then the byte before it, ...).
> -fsanitize=3Dundefined on the other side includes the bounds sanitizer th=
at
> verifies array indexes by comparing them against the number of elements t=
he
> array has.

gcc-11 pr105405.c -fsanitize=3Dundefined && ./a.out
pr105405.c:10:13: runtime error: index 1 out of bounds for type 'a [1]'=