From: "shaohua.li at inf dot ethz.ch"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug sanitizer/108903] New: ASAN may miss a global-buffer-overflow
Date: Thu, 23 Feb 2023 12:01:09 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108903

            Bug ID: 108903
           Summary: ASAN may miss a global-buffer-overflow
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: shaohua.li at inf dot ethz.ch
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org,
                    marxin at gcc dot gnu.org
  Target Milestone: ---

For the following
code, ASAN at -Os did not report the global-buffer-overflow while other opt levels did.

$ cat a.c
int a, e, c;
short b;
static int *d = &e;
int main() {
  for (; b < 4; b++) {
    int *f = &a;
    for (; c <= 7; c++) {
      *f = *(d + 1);
      if (*d)
        break;
      *f = 0;
    }
    a = *f;
  }
  return a;
}
$
$ gcc a.c -fsanitize=address -Os && ./a.out
$
$ gcc a.c -fsanitize=address -O3 && ./a.out
=================================================================
==1==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000404244 at pc 0x00000040119a bp 0x7fff990d2e40 sp 0x7fff990d2e38
READ of size 4 at 0x000000404244 thread T0
    #0 0x401199 in main /app/a.c:8
    #1 0x7fc4eaa09082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #2 0x4011fd in _start (/app/a.s+0x4011fd) (BuildId: ffda4adec8a32a35ec5ae846f253cc2fcc431a06)
...
$

I realize that the statement `*f = *(d + 1)` may have been optimized out, and indeed it is, according to the optimized tree:

$ gcc-tk a.c -Os -fsanitize=address -fdump-tree-optimized=/dev/stdout
...
  <bb 3> [local count: 1014686024]:
  ivtmp.23_58 = ivtmp.23_34 + 1;
  if (_3 != 0)
    goto ; [5.50%]
  else
    goto ; [94.50%]

  [local count: 55807731]:
  _49 = (unsigned long) &MEM[(int *)&e + 4B];
  _43 = _49 >> 3;
  _10 = _43 + 2147450880;
..
$

So the ASAN checking branch won't be executed. However, when I check the generated ASM, I find that the `e+4` has been used. I wonder if some later passes promote the overflowed instructions from a dead part. If yes, this is potentially very dangerous.

$ gcc-tk a.c -Os -fsanitize=address -S -o /dev/stdout
...
main:
        movl    $e+4, %edx        <-- e+4 is used
        movw    b(%rip), %ax
        pushq   %rbx
        xorl    %ecx, %ecx
        movq    %rdx, %rbx
        movl    e(%rip), %r11d
...
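To make the shadow arithmetic in the dump concrete (`_43 = _49 >> 3; _10 = _43 + 2147450880`), here is an added example, not part of the bug report or of GCC, that models the inline check ASan emits for a 4-byte global load and applies it to `e` and `e+4`. The shadow bytes, the address of `e` (0x404240, consistent with the report's 0x404244) and its 32-byte alignment are constructed assumptions; 0x7fff8000 is the default x86_64 shadow offset and 0xf9 the ASan global-redzone marker.

```c
/* Added example (not the bug report's code): a model of the inline ASan
 * check for a global load, using the shadow mapping seen in the dump:
 *   shadow = (addr >> 3) + 2147450880   (0x7fff8000, x86_64 default).
 * Shadow memory here is a constructed array, not the real mapping. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ASAN_SHADOW_OFFSET 0x7fff8000UL   /* 2147450880 in the dump */

/* Shadow-byte address for an application address (the _43/_10 temporaries). */
uintptr_t asan_shadow_addr(uintptr_t addr) {
  return (addr >> 3) + ASAN_SHADOW_OFFSET;
}

/* Meaning of one shadow byte k for an access of `size` (<= 8) bytes at addr:
 * 0 -> all 8 bytes of the granule are addressable; 1..7 -> only the first k
 * are; anything >= 8 (e.g. 0xf9 global redzone) -> none. Returns 1 if the
 * access must be reported. */
int asan_is_poisoned(uintptr_t addr, size_t size, uint8_t k) {
  if (k == 0) return 0;
  if (k >= 8) return 1;                    /* full redzone granule */
  return (addr & 7) + size - 1 >= k;       /* last byte past the k live ones? */
}

/* Constructed layout: `e` is a 4-byte global at a 32-byte-aligned address
 * (assumed ASan global alignment), followed by a right redzone. The first
 * granule has 4 live bytes -> shadow 0x04; the rest is redzone -> 0xf9. */
#define E_ADDR ((uintptr_t)0x404240u)      /* assumption; report shows e+4 = 0x404244 */
static const uint8_t shadow_of_e[4] = { 0x04, 0xf9, 0xf9, 0xf9 };

/* Shadow byte for an address inside the constructed region around e. */
uint8_t shadow_byte(uintptr_t addr) {
  return shadow_of_e[(addr - E_ADDR) >> 3];
}

/* 1 if a sizeof(int) read at addr would be flagged by the check, else 0. */
int check_int_read(uintptr_t addr) {
  return asan_is_poisoned(addr, sizeof(int), shadow_byte(addr));
}

int main(void) {
  printf("*d     (e+0): %s\n", check_int_read(E_ADDR)     ? "poisoned" : "ok");
  printf("*(d+1) (e+4): %s\n", check_int_read(E_ADDR + 4) ? "poisoned" : "ok");
  return 0;
}
```

Running it shows `e+0` passing and `e+4` flagged, which is exactly the branch that the -Os tree dump places behind the never-taken `_3 != 0` test.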