From: "shaohua.li at inf dot ethz.ch"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug sanitizer/107258] New: ASAN at -O1 failed to detect a stack-under-flow
Date: Fri, 14 Oct 2022 08:44:26 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107258

            Bug ID: 107258
           Summary: ASAN at -O1 failed to detect a stack-under-flow
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: shaohua.li at inf dot ethz.ch
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org,
                    marxin at gcc dot gnu.org
  Target Milestone: ---
ASAN with -O1/-Os failed to detect the stack-buffer-underflow, while -O0/-O2/-O3 do.

% gcc-tk -v
Using built-in specs.
COLLECT_GCC=gcc-tk
COLLECT_LTO_WRAPPER=/zdata/shaoli/compilers/ccbuilder-compilers/gcc-99da523359e9333555585484eb3b8f854a98f1b4/libexec/gcc/x86_64-pc-linux-gnu/13.0.0/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: ../configure --disable-multilib --disable-bootstrap --enable-languages=c,c++ --prefix=/zdata/shaoli/compilers/ccbuilder-compilers/gcc-99da523359e9333555585484eb3b8f854a98f1b4
Thread model: posix
Supported LTO compression algorithms: zlib
gcc version 13.0.0 20221013 (experimental) (GCC)
%
% cat a.c
int a = -5, c, d;
static int f() {
  int b[10];
  printf("%d", b[a]);  /* a == -5: reads 20 bytes below b, the underflow */
}
int h() {
  for (; c;) {
    int *e[3];
    e;
  }
}
int main() {
  int g[4];
  g[d] = f();
  h();
}
%
% gcc-tk -w -O1 -fsanitize=address a.c && ./a.out
0
% gcc-tk -w -O3 -fsanitize=address a.c && ./a.out
=================================================================
==929009==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fabc520007c at pc 0x00000040125d bp 0x7ffe232d2c00 sp 0x7ffe232d2bf8
READ of size 4 at 0x7fabc520007c thread T0
    #0 0x40125c in f /zdata/shaoli/ubfuzz/synthesizer/debug/a.c:4
    #1 0x40125c in main /zdata/shaoli/ubfuzz/synthesizer/debug/a.c:14
    #2 0x7fabc79a8082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #3 0x4012fd in _start (/zdata/shaoli/ubfuzz/synthesizer/debug/a.out+0x4012fd)

Address 0x7fabc520007c is located in stack of thread T0 at offset 124 in frame
    #0 0x4010df in main /zdata/shaoli/ubfuzz/synthesizer/debug/a.c:12

  This frame has 3 object(s):
    [48, 64) 'g' (line 13)
    [80, 104) 'e' (line 8)
    [144, 184) 'b' (line 3) <== Memory access at offset 124 underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /zdata/shaoli/ubfuzz/synthesizer/debug/a.c:4 in f
Shadow bytes around the buggy address:
  0x0ff5f8a37fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff5f8a37fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff5f8a37fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff5f8a37fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff5f8a37ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff5f8a38000: f1 f1 f1 f1 f1 f1 00 00 f2 f2 00 00 00 f2 f2[f2]
  0x0ff5f8a38010: f2 f2 00 00 00 00 00 f3 f3 f3 f3 f3 00 00 00 00
  0x0ff5f8a38020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff5f8a38030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff5f8a38040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff5f8a38050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==929009==ABORTING
%

Compiler explorer: https://godbolt.org/z/Gea6cr9E1
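An added example, not part of the bug report, that decodes the two shadow-byte lines covering main's frame in the -O3 report above: it rebuilds the frame layout from the shadow bytes (8 application bytes per shadow byte), checks it against the three objects ASAN lists, and places offset 124 in the mid redzone 20 bytes below 'b', which is b[-5] with a == -5 and 4-byte int. The dump lines, object table and offset are constructed copies of the report's values.

```python
import re

# Shadow-byte meanings from the report's legend (stack subset; 00..07 = addressable).
STACK_SHADOW = {0xf1: "left redzone", 0xf2: "mid redzone", 0xf3: "right redzone"}

# Constructed copy of the two dump lines covering main's frame at -O3 (the
# first line is frame offset 0) and the report's own object list and offset.
SHADOW_LINES = [
    "=>0x0ff5f8a38000: f1 f1 f1 f1 f1 f1 00 00 f2 f2 00 00 00 f2 f2[f2]",
    "  0x0ff5f8a38010: f2 f2 00 00 00 00 00 f3 f3 f3 f3 f3 00 00 00 00",
]
FRAME_OBJECTS = [(48, 64, "g"), (80, 104, "e"), (144, 184, "b")]
ACCESS_OFFSET = 124

def parse_shadow(lines):
    """Concatenate the shadow-byte values of 'ADDR: xx xx ...' dump lines."""
    return [int(tok, 16) for line in lines
            for tok in re.findall(r"[0-9a-f]{2}", line.split(":", 1)[1])]

def frame_regions(shadow):
    """Merge shadow bytes (8 app bytes each) into (start, end, kind) ranges."""
    regions = []
    for i, byte in enumerate(shadow):
        kind = "addressable" if byte <= 7 else STACK_SHADOW.get(byte, "other")
        if regions and regions[-1][2] == kind:
            regions[-1] = (regions[-1][0], i * 8 + 8, kind)
        else:
            regions.append((i * 8, i * 8 + 8, kind))
    return regions

def objects_from_shadow(regions):
    """Addressable ranges before the right redzone: the frame's variables."""
    end = next(s for s, _, k in regions if k == "right redzone")
    return [(s, e) for s, e, k in regions if k == "addressable" and e <= end]

def classify_access(offset, objects, regions):
    """Return (shadow kind at offset, 'inside'|'underflow'|'overflow', name, bytes)."""
    kind = next(k for s, e, k in regions if s <= offset < e)
    for start, end, name in objects:
        if start <= offset < end:
            return (kind, "inside", name, offset - start)
    later = [(s, n) for s, _, n in objects if s > offset]
    if later:                       # gap before a variable: underflow of it
        start, name = min(later)
        return (kind, "underflow", name, start - offset)
    _, end, name = max(objects, key=lambda o: o[1])
    return (kind, "overflow", name, offset - end)

if __name__ == "__main__":
    regions = frame_regions(parse_shadow(SHADOW_LINES))
    print(objects_from_shadow(regions), classify_access(ACCESS_OFFSET, FRAME_OBJECTS, regions))
```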