public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug sanitizer/105697] New: GCC trunk failed to detect a stack buffer-overflow
@ 2022-05-23 7:40 shaohua.li at inf dot ethz.ch
2022-05-23 11:25 ` [Bug sanitizer/105697] " marxin at gcc dot gnu.org
2022-06-01 13:20 ` shaohua.li at inf dot ethz.ch
0 siblings, 2 replies; 3+ messages in thread
From: shaohua.li at inf dot ethz.ch @ 2022-05-23 7:40 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105697
Bug ID: 105697
Summary: GCC trunk failed to detect a stack buffer-overflow
Product: gcc
Version: 13.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: shaohua.li at inf dot ethz.ch
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
Target Milestone: ---
For the following code, `gcc-trunk -O0 -fsanitize=address` didn't report the
buffer-overflow in e(), while `gcc-trunk -O3 -fsanitize=address` reported it
successfully.
$cat a.c
int *d;
int e(volatile int h) {
d = &h;
return *(d + 1);
}
int main() {
return e(0);
}
$
$gcc-trunk -O0 -fsanitize=address a.c && ./a.out
$
$gcc-trunk -O3 -fsanitize=address a.c && ./a.out
=================================================================
==1721824==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffd3c2733d4 at pc 0x55a2efd4b1f5 bp 0x7ffd3c2733a0 sp 0x7ffd3c273390
READ of size 4 at 0x7ffd3c2733d4 thread T0
#0 0x55a2efd4b1f4 in main (/project/shaoli/data/work-amd3/a.out+0x11f4)
#1 0x7f77fb01d082 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#2 0x55a2efd4b28d in _start (/project/shaoli/data/work-amd3/a.out+0x128d)
Address 0x7ffd3c2733d4 is located in stack of thread T0 at offset 36 in frame
#0 0x55a2efd4b10f in main (/project/shaoli/data/work-amd3/a.out+0x110f)
This frame has 1 object(s):
[32, 36) 'h' (line 6) <== Memory access at offset 36 overflows this
variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
(/project/shaoli/data/work-amd3/a.out+0x11f4) in main
Shadow bytes around the buggy address:
0x100027846620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100027846630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100027846640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100027846650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100027846660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100027846670: 00 00 00 00 00 00 f1 f1 f1 f1[04]f3 f3 f3 00 00
0x100027846680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100027846690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000278466a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000278466b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000278466c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1721824==ABORTING
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Bug sanitizer/105697] GCC trunk failed to detect a stack buffer-overflow
2022-05-23 7:40 [Bug sanitizer/105697] New: GCC trunk failed to detect a stack buffer-overflow shaohua.li at inf dot ethz.ch
@ 2022-05-23 11:25 ` marxin at gcc dot gnu.org
2022-06-01 13:20 ` shaohua.li at inf dot ethz.ch
1 sibling, 0 replies; 3+ messages in thread
From: marxin at gcc dot gnu.org @ 2022-05-23 11:25 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105697
Martin Liška <marxin at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Ever confirmed|0 |1
Last reconfirmed| |2022-05-23
Status|UNCONFIRMED |NEW
--- Comment #1 from Martin Liška <marxin at gcc dot gnu.org> ---
Confirmed.
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Bug sanitizer/105697] GCC trunk failed to detect a stack buffer-overflow
2022-05-23 7:40 [Bug sanitizer/105697] New: GCC trunk failed to detect a stack buffer-overflow shaohua.li at inf dot ethz.ch
2022-05-23 11:25 ` [Bug sanitizer/105697] " marxin at gcc dot gnu.org
@ 2022-06-01 13:20 ` shaohua.li at inf dot ethz.ch
1 sibling, 0 replies; 3+ messages in thread
From: shaohua.li at inf dot ethz.ch @ 2022-06-01 13:20 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105697
--- Comment #2 from Li Shaohua <shaohua.li at inf dot ethz.ch> ---
I think the volatile keyword in function parameters is critical to this bug.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-06-01 13:20 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-05-23 7:40 [Bug sanitizer/105697] New: GCC trunk failed to detect a stack buffer-overflow shaohua.li at inf dot ethz.ch
2022-05-23 11:25 ` [Bug sanitizer/105697] " marxin at gcc dot gnu.org
2022-06-01 13:20 ` shaohua.li at inf dot ethz.ch
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).