public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
From: "shaohua.li at inf dot ethz.ch" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug sanitizer/108903] New: ASAN may miss a global-buffer-overflow
Date: Thu, 23 Feb 2023 12:01:09 +0000 [thread overview]
Message-ID: <bug-108903-4@http.gcc.gnu.org/bugzilla/> (raw)
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108903
Bug ID: 108903
Summary: ASAN may miss a global-buffer-overflow
Product: gcc
Version: 13.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: shaohua.li at inf dot ethz.ch
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
Target Milestone: ---
For the following code, ASAN at -Os did not report the global-buffer-overflow
while other opt levels did.
$ cat a.c
int a, e, c;
short b;
static int *d = &e;
int main() {
for (; b < 4; b++) {
int *f = &a;
for (; c <= 7; c++) {
*f = *(d + 1);
if (*d)
break;
*f = 0;
}
a=*f;
}
return a;
}
$
$ gcc a.c -fsanitize=address -Os && ./a.out
$
$ gcc a.c -fsanitize=address -O3 && ./a.out
=================================================================
==1==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000404244
at pc 0x00000040119a bp 0x7fff990d2e40 sp 0x7fff990d2e38
READ of size 4 at 0x000000404244 thread T0
#0 0x401199 in main /app/a.c:8
#1 0x7fc4eaa09082 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId:
1878e6b475720c7c51969e69ab2d276fae6d1dee)
#2 0x4011fd in _start (/app/a.s+0x4011fd) (BuildId:
ffda4adec8a32a35ec5ae846f253cc2fcc431a06)
...
$
I realize that the statement `*f = *(d + 1)` may have been optimized out and it
is indeed according to the optimized tree:
$ gcc-tk a.c -Os -fsanitize=address -fdump-tree-optimized=/dev/stdout
...
bb 3> [local count: 1014686024]:
ivtmp.23_58 = ivtmp.23_34 + 1;
if (_3 != 0)
goto <bb 4>; [5.50%]
else
goto <bb 7>; [94.50%]
<bb 4> [local count: 55807731]:
_49 = (unsigned long) &MEM[(int *)&e + 4B];
_43 = _49 >> 3;
_10 = _43 + 2147450880;
..
$
So the ASAN checking branch won't be executed. However, when I check the
generated ASM, I find that the `e+4` has been used. I wonder if some later
passes promote the overflowed instructions from a dead part. If yes, this is
potentially very dangerous.
$ gcc-tk a.c -Os -fsanitize=address -S -o /dev/stdout
...
main:
movl $e+4, %edx <-- e+4 is used
movw b(%rip), %ax
pushq %rbx
xorl %ecx, %ecx
movq %rdx, %rbx
movl e(%rip), %r11d
...
next reply other threads:[~2023-02-23 12:01 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-23 12:01 shaohua.li at inf dot ethz.ch [this message]
2023-02-23 14:11 ` [Bug sanitizer/108903] " marxin at gcc dot gnu.org
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-108903-4@http.gcc.gnu.org/bugzilla/ \
--to=gcc-bugzilla@gcc.gnu.org \
--cc=gcc-bugs@gcc.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).