From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id 2B3143858C60; Thu, 16 Feb 2023 08:16:44 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 2B3143858C60 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org; s=default; t=1676535404; bh=TetbC9xJWk0c3CSVn0gh4HWWQTOn1+8G75M8207snQI=; h=From:To:Subject:Date:From; b=NNoTG2W8PQARDUw0bor0li2ngBzW8uMN74h4j1U9B+MKlmmZLYTAjya/wsbAGY6GW SOzH9CN5itEyiqo2Zah3yoO4cMrjCWctcnqWgJP6voA66OfV6JDPy1w4iA1mcptVKC Isq192UOwy8Yk0T3/Sh0Mx7X/zSuSrJKvOksD5zQ= From: "shaohua.li at inf dot ethz.ch" To: gcc-bugs@gcc.gnu.org Subject: [Bug sanitizer/108817] New: ASAN at -O3 failed to detect a global-buffer-overflow Date: Thu, 16 Feb 2023 08:16:43 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: gcc X-Bugzilla-Component: sanitizer X-Bugzilla-Version: 13.0 X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: shaohua.li at inf dot ethz.ch X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Resolution: X-Bugzilla-Priority: P3 X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter cc target_milestone Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 List-Id: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D108817 Bug ID: 108817 Summary: ASAN at -O3 failed to detect a global-buffer-overflow Product: gcc Version: 13.0 Status: UNCONFIRMED Severity: normal Priority: P3 Component: sanitizer Assignee: unassigned at gcc dot gnu.org Reporter: shaohua.li at inf dot ethz.ch CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org, jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxi= n at gcc dot gnu.org Target Milestone: --- For the following code, ASAN at -O3 (GCC>=3D12) missed the global buffer-overflow, while other opt levels detected it. GCC-11 can detect it at all opt levels. Although I was using -O3, I indeed observed the overflow re= ad and the ASAN check in the assembly code. Compiler explorer: https://godbolt.org/z/9Yenz8roT % cat a.c long a; int b[3]; char c; int main() { int d; a =3D 2; for (; a >=3D 0; a--) { d =3D 0; for (; d <=3D 3; d++) c =3D b[a+1]; } return c; } % % gcc-tk -O3 -fsanitize=3Daddress a.c && ./a.out %=20 % gcc-tk -O2 -fsanitize=3Daddress a.c && ./a.out =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D1=3D=3DERROR: AddressSanitizer: global-buffer-overflow on address 0x0= 000004041cc at pc 0x00000040112b bp 0x7ffd88ccd090 sp 0x7ffd88ccd088 READ of size 4 at 0x0000004041cc thread T0 #0 0x40112a in main /a.c:10 #1 0x7f8b3fad2082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) #2 0x40119d in _start (/a.s+0x40119d) (BuildId: 8f8919b865053b4da8e28daf8de45ed9390d0057) 0x0000004041cc is located 52 bytes before global variable 'a' defined in '/= a.c' (0x404200) of size 8 0x0000004041cc is located 0 bytes after global variable 'b' defined in '/a.= c' (0x4041c0) of size 12 SUMMARY: AddressSanitizer: global-buffer-overflow /a.c:10 in main Shadow bytes around the buggy address: 0x000000403f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x000000403f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x000000404000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x000000404080: 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x000000404100: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 =3D>0x000000404180: 01 f9 f9 f9 f9 f9 f9 f9 00[04]f9 f9 f9 f9 f9 f9 0x000000404200: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 0x000000404280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x000000404300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x000000404380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x000000404400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07=20 ... %=