[Bug sanitizer/109444] New: Possible array overflow without diagnosis in memcpy if called within a virtual method scenario

public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed

* [Bug sanitizer/109444] New: Possible array overflow without diagnosis in memcpy if called within a virtual method scenario
@ 2023-04-06 23:31 mohamed.selim at dxc dot com
  2023-04-06 23:37 ` [Bug sanitizer/109444] " pinskia at gcc dot gnu.org
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: mohamed.selim at dxc dot com @ 2023-04-06 23:31 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109444

            Bug ID: 109444
           Summary: Possible array overflow without diagnosis in memcpy if
                    called within a virtual method scenario
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: mohamed.selim at dxc dot com
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
  Target Milestone: ---

It's possible to overflow the destination array size in std::memcpy, this
behavior doesn't trigger the expected sanitizer diagnosis when using memcpy in
a virtual method scenario (scenario 1).

While in (scenario 2) when the std::memcpy is called from a normal method, the
overflow is diagnosed as expected.


#include <iostream>
#include <array>
#include <cstring>

// zero terminated 8 characters string literal 
const char txt[] = "1234567";

class Bar
{
 public:
  constexpr Bar() : dst{}
  {
  }
  std::int8_t dst[6];
};

void test(Bar& b)
{
        std::cout << "staring memcpy.\n";

        std::cout << "size of bytes to be copied: " << sizeof(txt) <<"\n";
        std::cout << "dst array size: " << sizeof(b.dst) << "\n";
        std::memcpy(b.dst, txt, sizeof(txt));
}

class Base
{
public:
        virtual ~Base() = default;
        virtual void func() = 0;

};

// 1 - Foo inherits Base, virtual method implementation
class Foo: public Base
{
public:
        void func() override
        {
                test(b);
        }

private:
        Bar b{};
};

// 2 - no inheritance
class Foo2
{
public:
        void func()
        {
                test(b);
        }

private:
        Bar b{};
};

//-std=c++14 -fsanitize=address -fsanitize=undefined -static-libasan
-static-libubsan

int main()
{
    Foo c{}; // scenario 1, no sanitizer diagnosis
    //Foo2 c{}; // scenario 2, triggers sanitizer diagnosis
    c.func();
    return 0;
}

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [Bug sanitizer/109444] Possible array overflow without diagnosis in memcpy if called within a virtual method scenario
  2023-04-06 23:31 [Bug sanitizer/109444] New: Possible array overflow without diagnosis in memcpy if called within a virtual method scenario mohamed.selim at dxc dot com
@ 2023-04-06 23:37 ` pinskia at gcc dot gnu.org
  2023-04-07 15:10 ` mohamed.selim at dxc dot com
  2023-04-07 17:51 ` [Bug sanitizer/109444] Possible array overflow without diagnosis in memcpy pinskia at gcc dot gnu.org
  2 siblings, 0 replies; 4+ messages in thread
From: pinskia at gcc dot gnu.org @ 2023-04-06 23:37 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109444

--- Comment #1 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
There is padding bytes for Foo because the alignment of Foo needs to be the
same alignment as a pointer.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [Bug sanitizer/109444] Possible array overflow without diagnosis in memcpy if called within a virtual method scenario
  2023-04-06 23:31 [Bug sanitizer/109444] New: Possible array overflow without diagnosis in memcpy if called within a virtual method scenario mohamed.selim at dxc dot com
  2023-04-06 23:37 ` [Bug sanitizer/109444] " pinskia at gcc dot gnu.org
@ 2023-04-07 15:10 ` mohamed.selim at dxc dot com
  2023-04-07 17:51 ` [Bug sanitizer/109444] Possible array overflow without diagnosis in memcpy pinskia at gcc dot gnu.org
  2 siblings, 0 replies; 4+ messages in thread
From: mohamed.selim at dxc dot com @ 2023-04-07 15:10 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109444

--- Comment #2 from Mohamed <mohamed.selim at dxc dot com> ---
I guess you meant Bar, since Bar has the array member. But then for the
sanitizer to intervene and diagnose are there conditions for alignment??

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [Bug sanitizer/109444] Possible array overflow without diagnosis in memcpy
  2023-04-06 23:31 [Bug sanitizer/109444] New: Possible array overflow without diagnosis in memcpy if called within a virtual method scenario mohamed.selim at dxc dot com
  2023-04-06 23:37 ` [Bug sanitizer/109444] " pinskia at gcc dot gnu.org
  2023-04-07 15:10 ` mohamed.selim at dxc dot com
@ 2023-04-07 17:51 ` pinskia at gcc dot gnu.org
  2 siblings, 0 replies; 4+ messages in thread
From: pinskia at gcc dot gnu.org @ 2023-04-07 17:51 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109444

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |INVALID

--- Comment #3 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
(In reply to Mohamed from comment #2)
> I guess you meant Bar, since Bar has the array member. But then for the
> sanitizer to intervene and diagnose are there conditions for alignment??

No, I Mean Bar's alignment is 1 byte aligned while Foo is
alignof(decltype(nullptr)) because of the vtable pointer. Foo2 does not have a
vtable so its alignment is still 1 byte. The padding bytes for Foo is done
because Bar is not a multiple of the alignment though.

There is not much to be done here as the overflow is into padding bits and
address sanitizer is doing exactly what it should do.

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2023-04-07 17:51 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-04-06 23:31 [Bug sanitizer/109444] New: Possible array overflow without diagnosis in memcpy if called within a virtual method scenario mohamed.selim at dxc dot com
2023-04-06 23:37 ` [Bug sanitizer/109444] " pinskia at gcc dot gnu.org
2023-04-07 15:10 ` mohamed.selim at dxc dot com
2023-04-07 17:51 ` [Bug sanitizer/109444] Possible array overflow without diagnosis in memcpy pinskia at gcc dot gnu.org

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).