From: "marxin at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug sanitizer/107258] ASAN at -O1 failed to detect a stack-under-flow
Date: Fri, 14 Oct 2022 09:04:11 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107258

Martin Liška changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #1 from Martin Liška ---
Well, it's a stack underflow and it depends on how the variables are placed in
the stack frame: setting a = -1 is also caught at -O1:

==3723==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffd5dc at pc 0x000000401404 bp 0x7fffffffd580 sp 0x7fffffffd578
READ of size 4 at 0x7fffffffd5dc thread T0
    #0 0x401403 in main (/home/marxin/Programming/testcases/a.out+0x401403)
    #1 0x7ffff762c5af in __libc_start_call_main (/lib64/libc.so.6+0x275af)
    #2 0x7ffff762c678 in __libc_start_main_impl (/lib64/libc.so.6+0x27678)
    #3 0x4010e4 in _start ../sysdeps/x86_64/start.S:115

Address 0x7fffffffd5dc is located in stack of thread T0 at offset 76 in frame
    #0 0x4012ab in main (/home/marxin/Programming/testcases/a.out+0x4012ab)

  This frame has 2 object(s):
    [48, 64) 'g' (line 13)
    [80, 120) 'b' (line 3) <== Memory access at offset 76 underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/marxin/Programming/testcases/a.out+0x401403) in main
Shadow bytes around the buggy address:
  0x10007fff7a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7a90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007fff7ab0: 00 00 f1 f1 f1 f1 f1 f1 00 00 f2[f2]00 00 00 00
  0x10007fff7ac0: 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
  0x10007fff7ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):

As seen, using a == -5 causes us to load variable 'g'. That's the risk of bigger
overflows and they can happen.
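An added example, not part of the bug report or of GCC/ASAN itself: a small C model of the frame from the report above (objects 'g' at [48,64) and 'b' at [80,120); the 160-byte frame size is an assumption read off the 20 shadow bytes shown) that rebuilds ASAN's shadow bytes and applies its per-access check, so it shows why b[-1] lands in an f2 redzone and is reported while b[-5] lands inside the live variable 'g' and passes silently.

```c
#include <stdint.h>
#include <stdio.h>
/* Frame layout from the ASAN report: [48,64) 'g', [80,120) 'b' (int b[10]).
 * The 160-byte frame size is assumed from the 20 shadow bytes the report shows. */
struct obj { const char *name; int begin, end; };
static const struct obj frame_objs[] = { { "g", 48, 64 }, { "b", 80, 120 } };
enum { FRAME_SIZE = 160, NOBJS = 2, B_BEGIN = 80, SHADOW_LEFT = 0xf1, SHADOW_MID = 0xf2, SHADOW_RIGHT = 0xf3 };
/* One shadow byte per 8-byte granule: 0 = addressable, 1..7 = that many leading bytes
 * addressable, f1/f2/f3 = left/middle/right redzone. Objects in ascending offset order. */
static void build_shadow(uint8_t *shadow, int frame_size, const struct obj *objs, int n)
{
    for (int off = 0; off < frame_size; off += 8) {
        int addressable = 0;
        uint8_t zone = SHADOW_LEFT;
        for (int i = 0; i < n; i++) {
            if (off >= objs[i].end)
                zone = (i == n - 1) ? SHADOW_RIGHT : SHADOW_MID;
            else if (off >= objs[i].begin)
                addressable = objs[i].end - off >= 8 ? 8 : objs[i].end - off;
        }
        shadow[off / 8] = addressable == 8 ? 0 : addressable ? (uint8_t)addressable : zone;
    }
}
/* The check ASAN emits before an access of size <= 8: the shadow byte is read as signed,
 * so any redzone byte (negative) fires; a partial granule fires only if the last accessed
 * byte reaches its unaddressable tail. Returns the shadow byte that fired, 0 if the access
 * passes unnoticed, or -1 if it falls outside the modelled frame. */
static int check_access(const uint8_t *shadow, int frame_size, int off, int size)
{
    if (off < 0 || off + size > frame_size)
        return -1;
    int8_t k = (int8_t)shadow[off / 8];
    return (k != 0 && ((off & 7) + size - 1) >= k) ? shadow[off / 8] : 0;
}
/* Outcome of reading the 4-byte element b[idx] in the report's frame. */
int check_b_index(int idx)
{
    uint8_t shadow[FRAME_SIZE / 8];
    build_shadow(shadow, FRAME_SIZE, frame_objs, NOBJS);
    return check_access(shadow, FRAME_SIZE, B_BEGIN + 4 * idx, 4);
}
int main(void)
{
    const int idx[] = { -1, -4, -5, -8, 10 }; /* -1/-4 hit the f2 redzone; -5/-8 land in 'g' */
    for (int i = 0; i < 5; i++) {
        int r = check_b_index(idx[i]);
        printf("b[%3d]: %s\n", idx[i], r > 0 ? "reported by ASAN" : r == 0 ? "silent (inside another live object)" : "outside frame");
    }
    return 0;
}
```

It only models the shadow check, so a plain cc without -fsanitize=address is enough to run it; the same layout-dependence is why a different optimisation level or variable order can move an underflow in or out of a redzone.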