[Bug sanitizer/107586] New: gcc trunk missed a stack-buffer-overflow

[Bug sanitizer/107586] New: gcc trunk missed a stack-buffer-overflow

[shaohua.li at inf dot ethz.ch]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107586

            Bug ID: 107586
           Summary: gcc trunk missed a stack-buffer-overflow
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: shaohua.li at inf dot ethz.ch
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
  Target Milestone: ---

For the following code, `gcc-tk -fsanitize=address -O2` successfully detected
the buffer-overflow in `memcpy()`. However, I found that when you uncomment the
line `int *f = &e[0]`, the ASAN warning went away.
I checked gcc-9, which detected the error in both cases but not for gcc-10 and
above.

I wonder if this is due to some optimizations going on that change the memory
layout, which disables ASAN's detection in this case.

Compiler explorer: https://godbolt.org/z/zfGv5378a


% cat a.c
struct a
{
    int x;
};

void h(struct a *b)
{
    struct a c[70];
    int i;
    for (i = 0; i < 70; i++)
        c[i].x = 1;
    __builtin_memcpy(b, c, 70*sizeof(struct a));
    __builtin_printf("%d\n", b->x);
};
void g()
{
    struct a * d = (struct a *)__builtin_alloca(69*sizeof(struct a));
    int e[20] ;
    // int *f = &e[0];
    h(d);
}

int main()
{
    g();
    return 0;
}

%

[Bug sanitizer/107586] gcc trunk missed a stack-buffer-overflow

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107586

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|unassigned at gcc dot gnu.org      |marxin at gcc dot gnu.org
     Ever confirmed|0                           |1
   Last reconfirmed|                            |2022-11-10
             Status|UNCONFIRMED                 |ASSIGNED

--- Comment #1 from Martin Liška <marxin at gcc dot gnu.org> ---
The bug can be spotted with -O0 and I noticed it's also not reported with clang
-O2. I can take a look at this later.

[Bug sanitizer/107586] gcc trunk missed a stack-buffer-overflow

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107586

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|ASSIGNED                    |RESOLVED

--- Comment #2 from Martin Liška <marxin at gcc dot gnu.org> ---
If I hide the constant 70, then I get the error also with -O2:

diff -u pr107586-orig.c pr107586.c
--- pr107586-orig.c     2022-12-02 14:19:49.392836836 +0100
+++ pr107586.c  2022-12-02 14:19:33.096414298 +0100
@@ -3,13 +3,15 @@
     int x;
 };

+int N = 70;
+
 void h(struct a *b)
 {
     struct a c[70];
     int i;
-    for (i = 0; i < 70; i++)
+    for (i = 0; i < N; i++)
         c[i].x = 1;
-    __builtin_memcpy(b, c, 70*sizeof(struct a));
+    __builtin_memcpy(b, c, N*sizeof(struct a));
     __builtin_printf("%d\n", b->x);
 };
 void g()

So the compiler can propagate that, so closing as invalid.