public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug sanitizer/109444] New: Possible array overflow without diagnosis in memcpy if called within a virtual method scenario
@ 2023-04-06 23:31 mohamed.selim at dxc dot com
2023-04-06 23:37 ` [Bug sanitizer/109444] " pinskia at gcc dot gnu.org
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: mohamed.selim at dxc dot com @ 2023-04-06 23:31 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109444
Bug ID: 109444
Summary: Possible array overflow without diagnosis in memcpy if
called within a virtual method scenario
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: mohamed.selim at dxc dot com
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
Target Milestone: ---
It's possible to overflow the destination array size in std::memcpy, this
behavior doesn't trigger the expected sanitizer diagnosis when using memcpy in
a virtual method scenario (scenario 1).
While in (scenario 2) when the std::memcpy is called from a normal method, the
overflow is diagnosed as expected.
#include <iostream>
#include <array>
#include <cstring>
// zero terminated 8 characters string literal
const char txt[] = "1234567";
class Bar
{
public:
constexpr Bar() : dst{}
{
}
std::int8_t dst[6];
};
void test(Bar& b)
{
std::cout << "staring memcpy.\n";
std::cout << "size of bytes to be copied: " << sizeof(txt) <<"\n";
std::cout << "dst array size: " << sizeof(b.dst) << "\n";
std::memcpy(b.dst, txt, sizeof(txt));
}
class Base
{
public:
virtual ~Base() = default;
virtual void func() = 0;
};
// 1 - Foo inherits Base, virtual method implementation
class Foo: public Base
{
public:
void func() override
{
test(b);
}
private:
Bar b{};
};
// 2 - no inheritance
class Foo2
{
public:
void func()
{
test(b);
}
private:
Bar b{};
};
//-std=c++14 -fsanitize=address -fsanitize=undefined -static-libasan
-static-libubsan
int main()
{
Foo c{}; // scenario 1, no sanitizer diagnosis
//Foo2 c{}; // scenario 2, triggers sanitizer diagnosis
c.func();
return 0;
}
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug sanitizer/109444] Possible array overflow without diagnosis in memcpy if called within a virtual method scenario
2023-04-06 23:31 [Bug sanitizer/109444] New: Possible array overflow without diagnosis in memcpy if called within a virtual method scenario mohamed.selim at dxc dot com
@ 2023-04-06 23:37 ` pinskia at gcc dot gnu.org
2023-04-07 15:10 ` mohamed.selim at dxc dot com
2023-04-07 17:51 ` [Bug sanitizer/109444] Possible array overflow without diagnosis in memcpy pinskia at gcc dot gnu.org
2 siblings, 0 replies; 4+ messages in thread
From: pinskia at gcc dot gnu.org @ 2023-04-06 23:37 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109444
--- Comment #1 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
There is padding bytes for Foo because the alignment of Foo needs to be the
same alignment as a pointer.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug sanitizer/109444] Possible array overflow without diagnosis in memcpy if called within a virtual method scenario
2023-04-06 23:31 [Bug sanitizer/109444] New: Possible array overflow without diagnosis in memcpy if called within a virtual method scenario mohamed.selim at dxc dot com
2023-04-06 23:37 ` [Bug sanitizer/109444] " pinskia at gcc dot gnu.org
@ 2023-04-07 15:10 ` mohamed.selim at dxc dot com
2023-04-07 17:51 ` [Bug sanitizer/109444] Possible array overflow without diagnosis in memcpy pinskia at gcc dot gnu.org
2 siblings, 0 replies; 4+ messages in thread
From: mohamed.selim at dxc dot com @ 2023-04-07 15:10 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109444
--- Comment #2 from Mohamed <mohamed.selim at dxc dot com> ---
I guess you meant Bar, since Bar has the array member. But then for the
sanitizer to intervene and diagnose are there conditions for alignment??
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug sanitizer/109444] Possible array overflow without diagnosis in memcpy
2023-04-06 23:31 [Bug sanitizer/109444] New: Possible array overflow without diagnosis in memcpy if called within a virtual method scenario mohamed.selim at dxc dot com
2023-04-06 23:37 ` [Bug sanitizer/109444] " pinskia at gcc dot gnu.org
2023-04-07 15:10 ` mohamed.selim at dxc dot com
@ 2023-04-07 17:51 ` pinskia at gcc dot gnu.org
2 siblings, 0 replies; 4+ messages in thread
From: pinskia at gcc dot gnu.org @ 2023-04-07 17:51 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109444
Andrew Pinski <pinskia at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |RESOLVED
Resolution|--- |INVALID
--- Comment #3 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
(In reply to Mohamed from comment #2)
> I guess you meant Bar, since Bar has the array member. But then for the
> sanitizer to intervene and diagnose are there conditions for alignment??
No, I Mean Bar's alignment is 1 byte aligned while Foo is
alignof(decltype(nullptr)) because of the vtable pointer. Foo2 does not have a
vtable so its alignment is still 1 byte. The padding bytes for Foo is done
because Bar is not a multiple of the alignment though.
There is not much to be done here as the overflow is into padding bits and
address sanitizer is doing exactly what it should do.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2023-04-07 17:51 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-04-06 23:31 [Bug sanitizer/109444] New: Possible array overflow without diagnosis in memcpy if called within a virtual method scenario mohamed.selim at dxc dot com
2023-04-06 23:37 ` [Bug sanitizer/109444] " pinskia at gcc dot gnu.org
2023-04-07 15:10 ` mohamed.selim at dxc dot com
2023-04-07 17:51 ` [Bug sanitizer/109444] Possible array overflow without diagnosis in memcpy pinskia at gcc dot gnu.org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).