[Bug sanitizer/107410] New: ASan failed to detect a heap-buffer-overflow

[Bug sanitizer/107410] New: ASan failed to detect a heap-buffer-overflow

[shaohua.li at inf dot ethz.ch]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107410

            Bug ID: 107410
           Summary: ASan failed to detect a  heap-buffer-overflow
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: shaohua.li at inf dot ethz.ch
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
  Target Milestone: ---

For the following code, `gcc-fsanitize=address -O0` reported nothing, while
`gcc -fsanitize=address -Ox` (x=1, 2, 3, or s) reported the
heap-buffer-overflow. There is a stack-buffer-overflow in `c[i] = 2`, which has
crossed the red-zone but I believe it should not affect the
heap-buffer-overflow detection.

% gcc-tk -tv
Using built-in specs.
COLLECT_GCC=gcc-tk
COLLECT_LTO_WRAPPER=/zdata/shaoli/compilers/ccbuilder-compilers/gcc-99da523359e9333555585484eb3b8f854a98f1b4/libexec/gcc/x86_64-pc-linux-gnu/13.0.0/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: ../configure --disable-multilib --disable-bootstrap
--enable-languages=c,c++
--prefix=/zdata/shaoli/compilers/ccbuilder-compilers/gcc-99da523359e9333555585484eb3b8f854a98f1b4
Thread model: posix
Supported LTO compression algorithms: zlib
gcc version 13.0.0 20221013 (experimental) (GCC) 
%
% gcc-tk -fsanitize=address -w -g -O0 a.c && ./a.out
%
% gcc-tk -fsanitize=address -w -g -O3 a.c && ./a.out
=================================================================
==1764559==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000000038 at pc 0x000000401210 bp 0x7fff57c272c0 sp 0x7fff57c272b8
WRITE of size 4 at 0x602000000038 thread T0
    #0 0x40120f in main
/zdata/shaoli/ubfuzz/synthesizer/bugs/gcc_work114/a.c:17
    #1 0x7f5e7a12a082 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId:
1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #2 0x4012bd in _start
(/zdata/shaoli/ubfuzz/synthesizer/bugs/gcc_work114/a.out+0x4012bd)

0x602000000038 is located 32 bytes to the right of 8-byte region
[0x602000000010,0x602000000018)
allocated by thread T0 here:
    #0 0x7f5e7a3c78bf in __interceptor_malloc
../../../../gcc/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x40115f in main
/zdata/shaoli/ubfuzz/synthesizer/bugs/gcc_work114/a.c:12

SUMMARY: AddressSanitizer: heap-buffer-overflow
/zdata/shaoli/ubfuzz/synthesizer/bugs/gcc_work114/a.c:17 in main
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 00 fa fa fa fa[fa]fa fa fa fa fa fa fa fa
  0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1764559==ABORTING
%
% cat a.c
typedef struct {
  int a
} b;

int d;

int main() {
  for (; d != 3; ++d) {
    char c[2];
    char e[5];
    char *h = e;
    int *g = malloc(2*sizeof(int));
    int i=19;
    b k;
    c[i] = 2;
    k.a = 0;
    g[c[i]] = 1;
  }
}
%

[Bug sanitizer/107410] ASan failed to detect a heap-buffer-overflow

[shaohua.li at inf dot ethz.ch]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107410

--- Comment #1 from Li Shaohua <shaohua.li at inf dot ethz.ch> ---
Compiler explorer: https://godbolt.org/z/9aqvx71xo

[Bug sanitizer/107410] ASan failed to detect a heap-buffer-overflow

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107410

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #2 from Martin Liška <marxin at gcc dot gnu.org> ---
Well, the test-case is very fragile and we tend to optimize out another UBSAN
stuff (c[i] = 2;). 

Please provide a test-case that addresses the buffer-overflow due does not
contain an UBSAN:

$ gcc-12 broken.c -fsanitize=undefined -w && ./a.out
broken.c:15:6: runtime error: index 19 out of bounds for type 'char [2]'
broken.c:15:10: runtime error: store to address 0x7fffffffd5bd with
insufficient space for an object of type 'char'
0x7fffffffd5bd: note: pointer points here
 d5 ff ff ff 7f 00 00  00 20 01 00 00 00 00 00  e8 d6 ff ff ff 7f 00 00  01 00
00 00 00 00 00 00  b0
             ^ 
broken.c:17:8: runtime error: index 19 out of bounds for type 'char [2]'
broken.c:17:8: runtime error: load of address 0x7fffffffd5bd with insufficient
space for an object of type 'char'
0x7fffffffd5bd: note: pointer points here
 d5 ff ff ff 02 00 00  00 20 01 00 00 00 00 00  e8 d6 ff ff ff 7f 00 00  01 00
00 00 00 00 00 00  b0
             ^