From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id 2378C3858C53; Wed, 25 Jan 2023 16:41:34 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 2378C3858C53 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org; s=default; t=1674664894; bh=gmpbWl9Z97POWYHaqyDLjpvUc5hC1t0jRGbKBFLERcw=; h=From:To:Subject:Date:From; b=LXXDJcXwy+DcJw2mVXyl8JJXDLy5qyTc798uVcFmZUbxUHQ+y2UTvVnSJlqUA/GMv +biwOuB1jKE8UisUX2SGifV4Kvt/XvVCzi0gEeB+JWulbZAJeyRsIFZiGe9f+xsGBM RQPQX9pFGD6koQ3k0LL0BrdBmtJ5K6ve7u7Q53ZA= From: "shaohua.li at inf dot ethz.ch" To: gcc-bugs@gcc.gnu.org Subject: [Bug sanitizer/108541] New: ASAN since GCC 9 missed a stack-buffer-overflow Date: Wed, 25 Jan 2023 16:41:33 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: gcc X-Bugzilla-Component: sanitizer X-Bugzilla-Version: 13.0 X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: shaohua.li at inf dot ethz.ch X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Resolution: X-Bugzilla-Priority: P3 X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter cc target_milestone Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 List-Id: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D108541 Bug ID: 108541 Summary: ASAN since GCC 9 missed a stack-buffer-overflow Product: gcc Version: 13.0 Status: UNCONFIRMED Severity: normal Priority: P3 Component: sanitizer Assignee: unassigned at gcc dot gnu.org Reporter: shaohua.li at inf dot ethz.ch CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org, jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxi= n at gcc dot gnu.org Target Milestone: --- For the following code, ASAN at -O0 missed the stack-buffer-overflow while other opt levels caught it. This issue happens since GCC-9. GCC-8 and before worked fine. I also noticed that there is an incompatible pointer assignment `i =3D &m`,= but anyway the bufferoverflow should be reported. Clang can detect it at all opt levels. Compiler explorer: https://godbolt.org/z/ovTEKG9PM % cat a.c struct a { long b; int c; long d; short e; long f; long g; }; struct { struct a b; unsigned : 6; } h, *i; int j; int main() { struct a *k; &k; long l[3]; l[j] =3D 4; int m =3D 1; i =3D &m; *i =3D h; return m; } %=20 % gcc-tk -fsanitize=3Daddress -w -O0 a.c && ./a.out %=20 % gcc-tk -fsanitize=3Daddress -w -O1 a.c && ./a.out =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D1=3D=3DERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f= 8605800030 at pc 0x0000004012e0 bp 0x7ffdfd9e9b10 sp 0x7ffdfd9e9b08 WRITE of size 56 at 0x7f8605800030 thread T0 #0 0x4012df in main /a.c:21 #1 0x7f860810f082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) #2 0x4010cd in _start (/a.s+0x4010cd) (BuildId: 62f9205a5d8cda9f9cd98eb2592c0ba25a6a0a20) Address 0x7f8605800030 is located in stack of thread T0 at offset 48 in fra= me #0 0x401195 in main /app/example.c:14 This frame has 2 object(s): [48, 52) 'm' (line 19) <=3D=3D Memory access at offset 48 partially ove= rflows this variable [64, 88) 'l' (line 17) <=3D=3D Memory access at offset 48 partially und= erflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow /a.c:21 in main Shadow bytes around the buggy address: ... %=