From: "mohamed.selim at dxc dot com"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug sanitizer/109446] New: Possible destination array overflow without diagnosis in memcpy
Date: Fri, 07 Apr 2023 15:47:49 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109446

            Bug ID: 109446
           Summary: Possible destination array overflow without diagnosis in memcpy
           Product: gcc
           Version: 8.4.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: mohamed.selim at dxc dot com
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org, jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
  Target Milestone: ---

Possible overflow of the destination array using std::memcpy: the behavior doesn't trigger any diagnostic by the sanitizer in scenario I, while in scenario II the behavior triggers the sanitizer diagnosis.

In the test the overflow is about 40 bytes, by overflowing a 24-byte array with a 64-byte source string literal.

I've also tried to use alignas(64) to align class Bar on 64 bytes, i.e.

    class alignas(64) Bar { ... };

But it didn't trigger the sanitizer diagnosis.

    #include <iostream>
    #include <cstring>
    #include <cstdint>

    const char txt[] = "123456789-123456789-123456789-123456789-123456789-123456789-123";

    class Bar
    {
    public:
        constexpr Bar() : m1{}, m2{}, m3{}, m4{}, dst{} {}
        std::uint16_t m1;
        std::uint16_t m2;
        std::uint16_t m3;
        std::uint16_t m4;
        std::int8_t dst[24];
    };

    void test(Bar& b) // scenario II
    //void test(Bar& b) // scenario II
    {
        std::cout << "starting memcpy.\n";
        std::cout << "size of bytes to be copied: " << sizeof(txt) << "\n";
        std::cout << "dst array size: " << sizeof(b.dst) << "\n";
        std::cout << "overflow size: " << sizeof(txt) - sizeof(b.dst) << "\n";
        std::memcpy(b.dst, txt, sizeof(txt));
    }

    class client
    {
    public:
        void func() { test(b); }
    private:
        Bar b{};
    };

    //g++-8 -o vtest vmain.cpp -std=c++14 -fsanitize=address -fsanitize=undefined -static-libasan -static-libubsan
    int main()
    {
        client c{};
        c.func();
        std::cout << "size of Bar: " << sizeof(Bar) << "\n";
        std::cout << "align of Bar: " << alignof(Bar) << "\n";
        return 0;
    }
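The report shows a memcpy whose size comes from the source while the destination is a fixed-size member array, so a sanitizer-independent bounds check at the call site is the more reliable guard. The following is an added example, not code from the bug report or from GCC; it reuses the reporter's Bar layout and 64-byte literal, and the helpers copy_checked and copy_bounded are this example's own names:

```cpp
// Added example (not from the bug report): compile-time and run-time guards
// for memcpy into a fixed-size member array such as Bar::dst.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>

// Same layout as the reporter's Bar: four uint16_t followed by int8_t dst[24].
struct Bar {
    std::uint16_t m1{}, m2{}, m3{}, m4{};
    std::int8_t dst[24]{};
};

// Compile-time check: both arguments are arrays, so both sizes are known
// statically and a source larger than the destination is rejected by the
// compiler instead of silently overrunning dst.
template <std::size_t N, std::size_t M>
void copy_checked(std::int8_t (&dst)[N], const char (&src)[M]) {
    static_assert(M <= N, "source does not fit in destination array");
    std::memcpy(dst, src, M);
}

// Run-time check for payloads whose length is only known at run time
// (file or socket input). Copies nothing and returns false when the
// payload would write past the end of dst.
template <std::size_t N>
bool copy_bounded(std::int8_t (&dst)[N], const char* src, std::size_t len) {
    if (len > N) {
        return false;  // refuse rather than overflow
    }
    std::memcpy(dst, src, len);
    return true;
}

// The reporter's literal: 63 characters plus the terminating NUL = 64 bytes.
const char txt[] =
    "123456789-123456789-123456789-123456789-123456789-123456789-123";

// Bytes the unchecked memcpy in the report would write past b.dst.
std::size_t overflow_bytes() {
    return sizeof(txt) > sizeof(Bar::dst) ? sizeof(txt) - sizeof(Bar::dst) : 0;
}

int main() {
    Bar b;
    // copy_checked(b.dst, txt);  // does not compile: 64 > 24
    bool ok = copy_bounded(b.dst, txt, sizeof(txt));
    std::cout << "bounded copy accepted: " << ok
              << ", overflow prevented: " << overflow_bytes() << " bytes\n";
    return ok ? 1 : 0;
}
```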