public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug analyzer/111266] New: Missing -Wanalyzer-out-of-bounds for concrete offset overwrite.
@ 2023-09-01 9:56 vultkayn at gcc dot gnu.org
2024-02-15 14:42 ` [Bug analyzer/111266] [13/14 Regression] " dmalcolm at gcc dot gnu.org
` (5 more replies)
0 siblings, 6 replies; 7+ messages in thread
From: vultkayn at gcc dot gnu.org @ 2023-09-01 9:56 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111266
Bug ID: 111266
Summary: Missing -Wanalyzer-out-of-bounds for concrete offset
overwrite.
Product: gcc
Version: 14.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: vultkayn at gcc dot gnu.org
Target Milestone: ---
Hi,
The analyzer do not emit the expected "heap-based write overflow" in the
reproducer below.
#include <stdint.h>
void *malloc (__SIZE_TYPE__);
void free (void *);
void test_binop2 ()
{
char *p = (char *) malloc (4);
int32_t *i = (int32_t *) (p + 3);
*i = 20042; /* { dg-warning "heap-based buffer overflow" "" { xfail *-*-* } }
*/
free (p);
}
A quick investigation showed that on *i = 20042, check_region_bounds had the
following:
reg is an offset_region(heap_allocated(12), 'int32_', 3) as expected
base_reg is heap_allocated(12)
base_reg's capacity is correct too, and reg_offset *is* 3 bytes, as it should.
The issue comes from num_bytes_sval, which corresponds to the number of bytes
accessed. It should be a constant_svalue of value 4, but is instead of value 1.
Therefore the "read_bytes" byte_range do not overflow the buffer, as we get
(offset) 3 + (accessed bytes) 1 = 4, which is not an overflow (3 + 4 expected)
^ permalink raw reply [flat|nested] 7+ messages in thread* [Bug analyzer/111266] [13/14 Regression] Missing -Wanalyzer-out-of-bounds for concrete offset overwrite.
2023-09-01 9:56 [Bug analyzer/111266] New: Missing -Wanalyzer-out-of-bounds for concrete offset overwrite vultkayn at gcc dot gnu.org
@ 2024-02-15 14:42 ` dmalcolm at gcc dot gnu.org
2024-02-15 21:02 ` cvs-commit at gcc dot gnu.org
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2024-02-15 14:42 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111266
David Malcolm <dmalcolm at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |NEW
Ever confirmed|0 |1
CC| |dmalcolm at gcc dot gnu.org
Last reconfirmed| |2024-02-15
Summary|Missing |[13/14 Regression] Missing
|-Wanalyzer-out-of-bounds |-Wanalyzer-out-of-bounds
|for concrete offset |for concrete offset
|overwrite. |overwrite.
--- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Thanks for filing this; confirmed:
Trunk: https://godbolt.org/z/jzevK9cTz
GCC 13.2: https://godbolt.org/z/6jx87aqn6
^ permalink raw reply [flat|nested] 7+ messages in thread* [Bug analyzer/111266] [13/14 Regression] Missing -Wanalyzer-out-of-bounds for concrete offset overwrite.
2023-09-01 9:56 [Bug analyzer/111266] New: Missing -Wanalyzer-out-of-bounds for concrete offset overwrite vultkayn at gcc dot gnu.org
2024-02-15 14:42 ` [Bug analyzer/111266] [13/14 Regression] " dmalcolm at gcc dot gnu.org
@ 2024-02-15 21:02 ` cvs-commit at gcc dot gnu.org
2024-02-15 21:07 ` [Bug analyzer/111266] [13 " dmalcolm at gcc dot gnu.org
` (3 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2024-02-15 21:02 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111266
--- Comment #2 from GCC Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:
https://gcc.gnu.org/g:617bd59c659dcf6e5391409a2e9f64f75e905a96
commit r14-9018-g617bd59c659dcf6e5391409a2e9f64f75e905a96
Author: David Malcolm <dmalcolm@redhat.com>
Date: Thu Feb 15 16:01:36 2024 -0500
analyzer: remove offset_region size overloads [PR111266]
PR analyzer/111266 reports a missing -Wanalyzer-out-of-bounds when
accessing relative to a concrete byte offset.
Root cause is that offset_region::get_{byte,bit}_size_sval were
attempting to compute the size that's valid to access, rather than the
size of the access attempt.
Fixed by removing these vfunc overrides from offset_region as the
base class implementation does the right thing.
gcc/analyzer/ChangeLog:
PR analyzer/111266
* region.cc (offset_region::get_byte_size_sval): Delete.
(offset_region::get_bit_size_sval): Delete.
* region.h (region::get_byte_size): Add comment clarifying that
this relates to the size of the access, rather than the size
that's valid to access.
(region::get_bit_size): Likewise.
(region::get_byte_size_sval): Likewise.
(region::get_bit_size_sval): Likewise.
(offset_region::get_byte_size_sval): Delete.
(offset_region::get_bit_size_sval): Delete.
gcc/testsuite/ChangeLog:
PR analyzer/111266
* c-c++-common/analyzer/out-of-bounds-pr111266.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
^ permalink raw reply [flat|nested] 7+ messages in thread* [Bug analyzer/111266] [13 Regression] Missing -Wanalyzer-out-of-bounds for concrete offset overwrite.
2023-09-01 9:56 [Bug analyzer/111266] New: Missing -Wanalyzer-out-of-bounds for concrete offset overwrite vultkayn at gcc dot gnu.org
2024-02-15 14:42 ` [Bug analyzer/111266] [13/14 Regression] " dmalcolm at gcc dot gnu.org
2024-02-15 21:02 ` cvs-commit at gcc dot gnu.org
@ 2024-02-15 21:07 ` dmalcolm at gcc dot gnu.org
2024-04-14 5:06 ` pinskia at gcc dot gnu.org
` (2 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2024-02-15 21:07 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111266
David Malcolm <dmalcolm at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|[13/14 Regression] Missing |[13 Regression] Missing
|-Wanalyzer-out-of-bounds |-Wanalyzer-out-of-bounds
|for concrete offset |for concrete offset
|overwrite. |overwrite.
Status|NEW |ASSIGNED
--- Comment #3 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Should be fixed on trunk by the above patch.
Keeping open to track backport to gcc 13 branch.
^ permalink raw reply [flat|nested] 7+ messages in thread* [Bug analyzer/111266] [13 Regression] Missing -Wanalyzer-out-of-bounds for concrete offset overwrite.
2023-09-01 9:56 [Bug analyzer/111266] New: Missing -Wanalyzer-out-of-bounds for concrete offset overwrite vultkayn at gcc dot gnu.org
` (2 preceding siblings ...)
2024-02-15 21:07 ` [Bug analyzer/111266] [13 " dmalcolm at gcc dot gnu.org
@ 2024-04-14 5:06 ` pinskia at gcc dot gnu.org
2024-05-13 11:30 ` rguenth at gcc dot gnu.org
2024-05-21 9:16 ` jakub at gcc dot gnu.org
5 siblings, 0 replies; 7+ messages in thread
From: pinskia at gcc dot gnu.org @ 2024-04-14 5:06 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111266
Andrew Pinski <pinskia at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|--- |13.3
^ permalink raw reply [flat|nested] 7+ messages in thread* [Bug analyzer/111266] [13 Regression] Missing -Wanalyzer-out-of-bounds for concrete offset overwrite.
2023-09-01 9:56 [Bug analyzer/111266] New: Missing -Wanalyzer-out-of-bounds for concrete offset overwrite vultkayn at gcc dot gnu.org
` (3 preceding siblings ...)
2024-04-14 5:06 ` pinskia at gcc dot gnu.org
@ 2024-05-13 11:30 ` rguenth at gcc dot gnu.org
2024-05-21 9:16 ` jakub at gcc dot gnu.org
5 siblings, 0 replies; 7+ messages in thread
From: rguenth at gcc dot gnu.org @ 2024-05-13 11:30 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111266
Richard Biener <rguenth at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Priority|P3 |P2
^ permalink raw reply [flat|nested] 7+ messages in thread* [Bug analyzer/111266] [13 Regression] Missing -Wanalyzer-out-of-bounds for concrete offset overwrite.
2023-09-01 9:56 [Bug analyzer/111266] New: Missing -Wanalyzer-out-of-bounds for concrete offset overwrite vultkayn at gcc dot gnu.org
` (4 preceding siblings ...)
2024-05-13 11:30 ` rguenth at gcc dot gnu.org
@ 2024-05-21 9:16 ` jakub at gcc dot gnu.org
5 siblings, 0 replies; 7+ messages in thread
From: jakub at gcc dot gnu.org @ 2024-05-21 9:16 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111266
Jakub Jelinek <jakub at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|13.3 |13.4
--- Comment #4 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
GCC 13.3 is being released, retargeting bugs to GCC 13.4.
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2024-05-21 9:16 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-09-01 9:56 [Bug analyzer/111266] New: Missing -Wanalyzer-out-of-bounds for concrete offset overwrite vultkayn at gcc dot gnu.org
2024-02-15 14:42 ` [Bug analyzer/111266] [13/14 Regression] " dmalcolm at gcc dot gnu.org
2024-02-15 21:02 ` cvs-commit at gcc dot gnu.org
2024-02-15 21:07 ` [Bug analyzer/111266] [13 " dmalcolm at gcc dot gnu.org
2024-04-14 5:06 ` pinskia at gcc dot gnu.org
2024-05-13 11:30 ` rguenth at gcc dot gnu.org
2024-05-21 9:16 ` jakub at gcc dot gnu.org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).