public inbox for gcc-bugs@sourceware.org
* [Bug sanitizer/105592] New: array out of bound not detected by ubsan
@ 2022-05-13 12:51 shaohua.li at inf dot ethz.ch
  2022-05-13 13:02 ` [Bug sanitizer/105592] " jakub at gcc dot gnu.org
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: shaohua.li at inf dot ethz.ch @ 2022-05-13 12:51 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105592

            Bug ID: 105592
           Summary: array out of bound not detected by ubsan
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: shaohua.li at inf dot ethz.ch
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
  Target Milestone: ---

Hi,

For the following code, I wonder why &a[1] is not considered as an out-of-bound
while &a[2] is.

$cat a1.c
a[1];
main() {
  int *b = &a[1];
  return *b;
}
$
$gcc -O0 -fsanitize=bounds -w a1.c && ./a.out
$
$ cat a2.c
a[1];
main() {
  int *b = &a[2];
  return *b;
}
$gcc -O0 -fsanitize=bounds -w a2.c && ./a.out
a2.c:3:14: runtime error: index 2 out of bounds for type 'int [1]'
$


* [Bug sanitizer/105592] array out of bound not detected by ubsan
  2022-05-13 12:51 [Bug sanitizer/105592] New: array out of bound not detected by ubsan shaohua.li at inf dot ethz.ch
@ 2022-05-13 13:02 ` jakub at gcc dot gnu.org
  2022-05-13 16:04 ` m.cencora at gmail dot com
  2022-05-13 16:35 ` jakub at gcc dot gnu.org
  2 siblings, 0 replies; 4+ messages in thread
From: jakub at gcc dot gnu.org @ 2022-05-13 13:02 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105592

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |INVALID

--- Comment #1 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Because the standards (both C and C++) say that &a[1] is valid.
E.g. in ISO C99, 6.5.6/8:
"If both the pointer operand and the result point to elements of the same array object, or one past the last element of the array object, the evaluation shall not produce an overflow; otherwise, the behavior is undefined. If the result points one past the last element of the array object, it shall not be used as the operand of a unary * operator that is evaluated."
&a[1] is valid, a[1] is not valid for an array with a single element.


* [Bug sanitizer/105592] array out of bound not detected by ubsan
  2022-05-13 12:51 [Bug sanitizer/105592] New: array out of bound not detected by ubsan shaohua.li at inf dot ethz.ch
  2022-05-13 13:02 ` [Bug sanitizer/105592] " jakub at gcc dot gnu.org
@ 2022-05-13 16:04 ` m.cencora at gmail dot com
  2022-05-13 16:35 ` jakub at gcc dot gnu.org
  2 siblings, 0 replies; 4+ messages in thread
From: m.cencora at gmail dot com @ 2022-05-13 16:04 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105592

m.cencora at gmail dot com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |m.cencora at gmail dot com

--- Comment #2 from m.cencora at gmail dot com ---
While forming the pointer to 'one past the last' element is fine in C/C++,
dereferencing it is not valid. And that is what is happening in 'return *b;'

-fsanitize=address correctly reports the problem for a1.c


* [Bug sanitizer/105592] array out of bound not detected by ubsan
  2022-05-13 12:51 [Bug sanitizer/105592] New: array out of bound not detected by ubsan shaohua.li at inf dot ethz.ch
  2022-05-13 13:02 ` [Bug sanitizer/105592] " jakub at gcc dot gnu.org
  2022-05-13 16:04 ` m.cencora at gmail dot com
@ 2022-05-13 16:35 ` jakub at gcc dot gnu.org
  2 siblings, 0 replies; 4+ messages in thread
From: jakub at gcc dot gnu.org @ 2022-05-13 16:35 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105592

--- Comment #3 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Note, the -fsanitize=bounds instrumentation is done when taking the address, at
that point the compiler doesn't know if it will be dereferenced or not, and
especially with -O0 it won't at all.  As #c2 says, this may then be caught in
ASan instead.  Or when optimizing -fsanitize=object-size can catch that too.
Or if you just return a[1];
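Added example (not from the bug report or from GCC) illustrating the distinction the thread settles on: forming the one-past-the-end pointer &a[A_LEN] is valid and useful as a range sentinel, while dereferencing it is what a1.c actually does wrong. The array `a`, the constant `A_LEN` and the helper names are constructed for this example; built with -fsanitize=bounds the helpers stay silent because no index ever reaches the out-of-bounds position, and the explicit checks reject the one-past index instead of relying on a sanitizer to catch the dereference.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed single-element array, the same shape as a1.c/a2.c but with
 * explicit types so the example is standards-clean. */
enum { A_LEN = 1 };
static int a[A_LEN] = { 42 };

/* Sum over the half-open range [begin, end). Forming 'end' as a one-past
 * pointer is valid (ISO C99 6.5.6/8); it is compared against but never
 * dereferenced, so neither -fsanitize=bounds nor ASan has anything to flag. */
int sum_range(const int *begin, const int *end) {
    int total = 0;
    for (const int *p = begin; p != end; ++p)
        total += *p;
    return total;
}

/* True only if p points at an element that may be dereferenced. The
 * one-past pointer arr + len is a valid pointer value but is excluded. */
bool in_bounds(const int *arr, size_t len, const int *p) {
    return p >= arr && p < arr + len;
}

/* Checked read: the index is validated before the access, so idx == len
 * (the position a1.c dereferences through '*b') yields 'fallback' rather
 * than undefined behaviour. */
int read_or(const int *arr, size_t len, size_t idx, int fallback) {
    if (idx >= len)
        return fallback;
    return arr[idx];
}

int main(void) {
    const int *one_past = &a[A_LEN];   /* valid to form, like &a[1] in a1.c */
    assert(sum_range(a, one_past) == 42);
    assert(!in_bounds(a, A_LEN, one_past));
    assert(read_or(a, A_LEN, 0, -1) == 42);
    assert(read_or(a, A_LEN, A_LEN, -1) == -1);
    return 0;
}
```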
