From: "cheyenne.wills at gmail dot com"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/110501] New: Invalid use-after-free / realloc
Date: Fri, 30 Jun 2023 15:10:32 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110501

            Bug ID: 110501
           Summary: Invalid use-after-free / realloc
           Product: gcc
           Version: 12.3.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: cheyenne.wills at gmail dot com
  Target Milestone: ---

Created attachment 55433
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=55433&action=edit
testcase.i

I've run into a problem where gcc-12
(and later versions) is producing a false positive on a use-after-free
following a realloc.

The attached information was obtained from a current gentoo system using
gcc (Gentoo 12.3.1_p20230526 p2) 12.3.1 20230526

    gcc -v -save-temps -Wall -c testcase.c &> testcase.log

I've been able to duplicate the problem on godbolt.org using different
versions of gcc from gcc 12.1 through gcc master (I also tried various
architectures, x86_64, arm, etc.). godbolt's gcc 11 does work as expected.

The gist of the problem is:
---
    S->sp = realloc(p, size * 2);
    if (S->sp == NULL && size != 0) {
        free(p);   /* << is flagged as a use after free */
        return 0;
    }
---
However the following works:
---
    char *t;
    t = realloc(p, size * 2);
    if (t == NULL && size != 0) {
        free(p);   /* << is not flagged as a use after free */
        return 0;
    }
    S->sp = t;
---

The provided testcase contains 3 simple functions. The functions fail1 and
fail2 have code that shows the invalid use-after-free, while the function
succeeds has code that does not produce the use-after-free message. The only
difference between the failed functions and the success is that the success
function uses a stack based temporary variable to hold the result of the
realloc.
==
$ gcc -Wall -Wextra -c testcase.c
testcase.c: In function ‘fail1’:
testcase.c:10:9: warning: pointer ‘p’ may be used after ‘realloc’ [-Wuse-after-free]
   10 |         free(p); /* Is flagged as a use after free */
      |         ^~~~~~~
testcase.c:8:13: note: call to ‘realloc’ here
    8 |     S->sp = realloc(p, size*2);
      |             ^~~~~~~~~~~~~~~~~~
testcase.c: In function ‘fail2’:
testcase.c:20:9: warning: pointer ‘p’ may be used after ‘realloc’ [-Wuse-after-free]
   20 |         free(p); /* Is flagged as a use after free */
      |         ^~~~~~~
testcase.c:18:9: note: call to ‘realloc’ here
   18 |     t = realloc(p, size*2);
      |         ^~~~~~~~~~~~~~~~~~
$
==

The problem was originally discovered while building from openafs's master
branch (www.openafs.org) with a gcc-13 compiler.

src/external/heimdal/krb5/crypto.c:1157:9: error: pointer ‘p’ may be used after ‘realloc’ [-Werror=use-after-free]
 1157 |         free(p);
      |         ^~~~~~~
src/external/heimdal/krb5/crypto.c:1155:20: note: call to ‘realloc’ here
 1155 |     result->data = realloc(p, sz);
      |                    ^~~~~~~~~~~~~~

The failing code is part of an "external library" from the heimdal project.
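An added, constructed example (not the attached testcase and not OpenAFS or heimdal code): the temporary-variable realloc idiom the report shows as accepted by gcc 12, written out as a complete buffer-growth routine that keeps the size != 0 guard from the report and adds an overflow check on the doubling. The names struct buf, buf_resize, buf_grow and buf_demo are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed example: a small growable buffer, not the attached testcase. */
struct buf {
    char *sp;      /* heap storage */
    size_t size;   /* capacity in bytes */
};

/* Resize S->sp to newsize bytes in the temporary-variable form from the
 * report (the one gcc 12's -Wuse-after-free accepts). If realloc fails the
 * old block is still valid, so free it rather than leak it. The newsize != 0
 * test mirrors the report's size != 0: realloc(p, 0) may itself free p and
 * return NULL, so freeing p again there would be a double free. */
int buf_resize(struct buf *S, size_t newsize)
{
    char *p = S->sp;
    char *t = realloc(p, newsize);
    if (t == NULL && newsize != 0) {
        free(p);
        S->sp = NULL;
        S->size = 0;
        return 0;           /* failure: S is left empty */
    }
    S->sp = t;
    S->size = newsize;
    return 1;
}

/* Doubling step as in the report; refuses a size whose doubling would wrap. */
int buf_grow(struct buf *S)
{
    if (S->size > SIZE_MAX / 2)
        return 0;
    return buf_resize(S, S->size ? S->size * 2 : 16);
}

/* Success path (content kept, capacity doubled), then failure path (impossible
 * size: block released, no leak, no double free). Returns 1 if both held. */
int buf_demo(void)
{
    volatile size_t huge = SIZE_MAX;  /* volatile so the call is not folded */
    struct buf b = { NULL, 0 };
    if (!buf_grow(&b) || b.size != 16) return 0;
    strcpy(b.sp, "hello");
    if (!buf_grow(&b) || b.size != 32 || strcmp(b.sp, "hello") != 0) return 0;
    if (buf_resize(&b, huge) != 0 || b.sp != NULL) return 0;
    return 1;
}
```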