public inbox for gcc-bugs@sourceware.org help / color / mirror / Atom feed
From: "mohamed.selim at dxc dot com" <gcc-bugzilla@gcc.gnu.org> To: gcc-bugs@gcc.gnu.org Subject: [Bug sanitizer/109446] New: Possible destination array overflow without diagnosis in memcpy Date: Fri, 07 Apr 2023 15:47:49 +0000 [thread overview] Message-ID: <bug-109446-4@http.gcc.gnu.org/bugzilla/> (raw) https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109446 Bug ID: 109446 Summary: Possible destination array overflow without diagnosis in memcpy Product: gcc Version: 8.4.0 Status: UNCONFIRMED Severity: normal Priority: P3 Component: sanitizer Assignee: unassigned at gcc dot gnu.org Reporter: mohamed.selim at dxc dot com CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org, jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org Target Milestone: --- Possible overflow of destination array using std::memcpy, the behavior doesn't trigger any diagnostic by the sanitizer in scenario I, while in scenario II the behavior triggers the sanitizer diagnosis. In the test the overflow is about 40 bytes, by overflow 24 bytes array with 64 bytes src string literals. I've also tried to use alignas(64) to align class bar on 64 bytes i.e. class alignas(64) Bar { ... }; But it didn't trigger the sanitizer diagnosis. #include <iostream> #include <array> #include <cstring> const char txt[] = "123456789-123456789-123456789-123456789-123456789-123456789-123"; class Bar { public: constexpr Bar() : m1{}, m2{}, m3{}, m4{}, dst{} {} std::uint16_t m1; std::uint16_t m2; std::uint16_t m3; std::uint16_t m4; std::int8_t dst[24]; }; void test(Bar& b) // scenario II //void test(Bar& b) // scenario II { std::cout << "staring memcpy.\n"; std::cout << "size of bytes to be copied: " << sizeof(txt) <<"\n"; std::cout << "dst array size: " << sizeof(b.dst) << "\n"; std::cout << "overflow size: " << sizeof(txt) - sizeof(b.dst) << "\n"; std::memcpy(b.dst, txt, sizeof(txt)); } class client { public: void func() { test(b); } private: Bar b{}; }; //g++-8 -o vtest vmain.cpp -std=c++14 -fsanitize=address -fsanitize=undefined -static-libasan -static-libubsan int main() { client c{}; c.func(); std::cout << "size of Bar: " << sizeof(Bar) << "\n"; std::cout << "align of Bar: " << alignof(Bar) << "\n"; return 0; }
next reply other threads:[~2023-04-07 15:47 UTC|newest] Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top 2023-04-07 15:47 mohamed.selim at dxc dot com [this message] 2023-04-11 11:02 ` [Bug sanitizer/109446] " mohamed.selim at dxc dot com 2023-04-11 13:33 ` xry111 at gcc dot gnu.org 2023-04-12 8:05 ` marxin at gcc dot gnu.org 2023-04-12 8:08 ` xry111 at gcc dot gnu.org 2023-04-12 8:10 ` marxin at gcc dot gnu.org 2023-04-12 8:46 ` rguenth at gcc dot gnu.org 2023-04-12 8:52 ` jakub at gcc dot gnu.org 2023-04-12 8:59 ` rguenth at gcc dot gnu.org 2023-04-12 9:01 ` marxin at gcc dot gnu.org 2023-04-12 9:04 ` pinskia at gcc dot gnu.org 2023-04-12 9:07 ` marxin at gcc dot gnu.org 2023-04-12 9:18 ` rguenther at suse dot de 2023-04-12 11:16 ` xry111 at gcc dot gnu.org
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=bug-109446-4@http.gcc.gnu.org/bugzilla/ \ --to=gcc-bugzilla@gcc.gnu.org \ --cc=gcc-bugs@gcc.gnu.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).