From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gcc-bugzilla@gcc.gnu.org>
Received: by sourceware.org (Postfix, from userid 48)
 id 1E44A385B804; Tue, 24 May 2022 08:42:12 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 1E44A385B804
From: "shaohua.li at inf dot ethz.ch" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug sanitizer/105714] New: ASan in gcc trunk missed a
 buffer-overflow at -Os
Date: Tue, 24 May 2022 08:42:11 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: sanitizer
X-Bugzilla-Version: 13.0
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: normal
X-Bugzilla-Who: shaohua.li at inf dot ethz.ch
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status
 bug_severity priority component assigned_to reporter cc target_milestone
Message-ID: <bug-105714-4@http.gcc.gnu.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: gcc-bugs@gcc.gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Gcc-bugs mailing list <gcc-bugs.gcc.gnu.org>
List-Unsubscribe: <https://gcc.gnu.org/mailman/options/gcc-bugs>,
 <mailto:gcc-bugs-request@gcc.gnu.org?subject=unsubscribe>
List-Archive: <https://gcc.gnu.org/pipermail/gcc-bugs/>
List-Post: <mailto:gcc-bugs@gcc.gnu.org>
List-Help: <mailto:gcc-bugs-request@gcc.gnu.org?subject=help>
List-Subscribe: <https://gcc.gnu.org/mailman/listinfo/gcc-bugs>,
 <mailto:gcc-bugs-request@gcc.gnu.org?subject=subscribe>
X-List-Received-Date: Tue, 24 May 2022 08:42:12 -0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D105714

            Bug ID: 105714
           Summary: ASan in gcc trunk missed a buffer-overflow at -Os
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: shaohua.li at inf dot ethz.ch
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxi=
n at gcc dot gnu.org
  Target Milestone: ---

For the following code, `gcc-trunk -Os -fsanitize=3Daddress` reported nothi=
ng,
however other opt levels reported the global buffer-overflow at the end of
function g().

Initially, I thought it might due to optimization at -Os, but I indeed found
the overflowed buffer be loaded in the assembly code and gcc-11 -Os did not
miss this bug: https://godbolt.org/z/r4rhM8bjz=20

$cat a.c
struct a {
  int x
};
struct a b[2];
struct a *c =3D b, *d =3D b;
int e;

int g() {
  for (e =3D 0; e < 1; e++) {
    int i[1];
    i;
  }
  for (int h =3D 0; h < 3; h++)
    *c =3D *d;
  *c =3D *(b+3);
  return c->x;
}

void main() {=20
    g();=20
}
$
$gcc-trunk -Os -fsanitize=3Daddress a.c && ./a.out
$
$gcc-trunk -O3 -fsanitize=3Daddress a.c && ./a.out
=3D=3D12272=3D=3DERROR: AddressSanitizer: global-buffer-overflow on address
0x0000004042ac at pc 0x00000040132a bp 0x7ffdbc905820 sp 0x7ffdbc905818
READ of size 4 at 0x0000004042ac thread T0
    #0 0x401329 in g /local/home/shaoli/a.c:15
    #1 0x7fc367b2f082 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId:
1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #2 0x40111d in _start (/local/home/shaoli/a.out+0x40111d)

0x0000004042ac is located 4 bytes to the right of global variable 'b' defin=
ed
in 'a.c:4:10' (0x4042a0) of size 8
SUMMARY: AddressSanitizer: global-buffer-overflow /local/home/shaoli/a.c:15=
 in
g
Shadow bytes around the buggy address:
  0x000080078800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080078810: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x000080078820: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080078830: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080078840: f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 04 f9 f9 f9
=3D>0x000080078850: f9 f9 f9 f9 00[f9]f9 f9 f9 f9 f9 f9 00 00 00 00
  0x000080078860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080078870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080078880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080078890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800788a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
=3D=3D12272=3D=3DABORTING=