public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug sanitizer/61547] New: Invalid sanitization of trailing byte in __builtin_strlen
@ 2014-06-18 9:52 y.gribov at samsung dot com
2014-06-18 9:54 ` [Bug sanitizer/61547] " y.gribov at samsung dot com
` (6 more replies)
0 siblings, 7 replies; 8+ messages in thread
From: y.gribov at samsung dot com @ 2014-06-18 9:52 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61547
Bug ID: 61547
Summary: Invalid sanitization of trailing byte in
__builtin_strlen
Product: gcc
Version: 4.10.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: y.gribov at samsung dot com
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
jakub at gcc dot gnu.org, kcc at gcc dot gnu.org
Created attachment 32963
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=32963&action=edit
Reprocase
The attached testcase performs an overflow in strlen call. Current GCC fails to
detect it because of invalid instrumentation of trailing byte:
$ gcc repro.c -fsanitize=address -O1 -static-libasan
$ ./a.out
$ echo $?
0
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug sanitizer/61547] Invalid sanitization of trailing byte in __builtin_strlen
2014-06-18 9:52 [Bug sanitizer/61547] New: Invalid sanitization of trailing byte in __builtin_strlen y.gribov at samsung dot com
@ 2014-06-18 9:54 ` y.gribov at samsung dot com
2014-06-18 10:37 ` kcc at gcc dot gnu.org
` (5 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: y.gribov at samsung dot com @ 2014-06-18 9:54 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61547
--- Comment #1 from Yury Gribov <y.gribov at samsung dot com> ---
Created attachment 32964
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=32964&action=edit
Proposed patch
Adding draft patch. I only ran Asan regression tests though (leaving for long
vacation today). Perhaps someone will have time to have a look at this.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug sanitizer/61547] Invalid sanitization of trailing byte in __builtin_strlen
2014-06-18 9:52 [Bug sanitizer/61547] New: Invalid sanitization of trailing byte in __builtin_strlen y.gribov at samsung dot com
2014-06-18 9:54 ` [Bug sanitizer/61547] " y.gribov at samsung dot com
@ 2014-06-18 10:37 ` kcc at gcc dot gnu.org
2014-06-18 11:19 ` rguenth at gcc dot gnu.org
` (4 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: kcc at gcc dot gnu.org @ 2014-06-18 10:37 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61547
--- Comment #2 from Kostya Serebryany <kcc at gcc dot gnu.org> ---
Note that in clang we chose not to instrument any builtins in compiler,
but instead fully rely on interceptors.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug sanitizer/61547] Invalid sanitization of trailing byte in __builtin_strlen
2014-06-18 9:52 [Bug sanitizer/61547] New: Invalid sanitization of trailing byte in __builtin_strlen y.gribov at samsung dot com
2014-06-18 9:54 ` [Bug sanitizer/61547] " y.gribov at samsung dot com
2014-06-18 10:37 ` kcc at gcc dot gnu.org
@ 2014-06-18 11:19 ` rguenth at gcc dot gnu.org
2014-06-18 11:33 ` kcc at gcc dot gnu.org
` (3 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: rguenth at gcc dot gnu.org @ 2014-06-18 11:19 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61547
--- Comment #3 from Richard Biener <rguenth at gcc dot gnu.org> ---
(In reply to Kostya Serebryany from comment #2)
> Note that in clang we chose not to instrument any builtins in compiler,
> but instead fully rely on interceptors.
So you never expand such builtins inline?
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug sanitizer/61547] Invalid sanitization of trailing byte in __builtin_strlen
2014-06-18 9:52 [Bug sanitizer/61547] New: Invalid sanitization of trailing byte in __builtin_strlen y.gribov at samsung dot com
` (2 preceding siblings ...)
2014-06-18 11:19 ` rguenth at gcc dot gnu.org
@ 2014-06-18 11:33 ` kcc at gcc dot gnu.org
2014-06-19 20:09 ` tetra2005 at gmail dot com
` (2 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: kcc at gcc dot gnu.org @ 2014-06-18 11:33 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61547
--- Comment #4 from Kostya Serebryany <kcc at gcc dot gnu.org> ---
(In reply to Richard Biener from comment #3)
> (In reply to Kostya Serebryany from comment #2)
> > Note that in clang we chose not to instrument any builtins in compiler,
> > but instead fully rely on interceptors.
>
> So you never expand such builtins inline?
Not that I know of.
LLVM has only 3 builtins like this (memset/memcpy/memmove):
http://llvm.org/docs/LangRef.html#standard-c-library-intrinsics
And asan replaces these builtins with asan's own call (e.g. __asan_memset)
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug sanitizer/61547] Invalid sanitization of trailing byte in __builtin_strlen
2014-06-18 9:52 [Bug sanitizer/61547] New: Invalid sanitization of trailing byte in __builtin_strlen y.gribov at samsung dot com
` (3 preceding siblings ...)
2014-06-18 11:33 ` kcc at gcc dot gnu.org
@ 2014-06-19 20:09 ` tetra2005 at gmail dot com
2014-10-16 13:47 ` ygribov at gcc dot gnu.org
2015-04-17 7:45 ` y.gribov at samsung dot com
6 siblings, 0 replies; 8+ messages in thread
From: tetra2005 at gmail dot com @ 2014-06-19 20:09 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61547
Yuri Gribov <tetra2005 at gmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |tetra2005 at gmail dot com
--- Comment #5 from Yuri Gribov <tetra2005 at gmail dot com> ---
Yeah, GCC is different in this regard.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug sanitizer/61547] Invalid sanitization of trailing byte in __builtin_strlen
2014-06-18 9:52 [Bug sanitizer/61547] New: Invalid sanitization of trailing byte in __builtin_strlen y.gribov at samsung dot com
` (4 preceding siblings ...)
2014-06-19 20:09 ` tetra2005 at gmail dot com
@ 2014-10-16 13:47 ` ygribov at gcc dot gnu.org
2015-04-17 7:45 ` y.gribov at samsung dot com
6 siblings, 0 replies; 8+ messages in thread
From: ygribov at gcc dot gnu.org @ 2014-10-16 13:47 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61547
--- Comment #6 from ygribov at gcc dot gnu.org ---
Author: ygribov
Date: Thu Oct 16 13:46:39 2014
New Revision: 216326
URL: https://gcc.gnu.org/viewcvs?rev=216326&root=gcc&view=rev
Log:
New asan-instrumentation-with-call-threshold
parameter.
2014-10-16 Yury Gribov <y.gribov@samsung.com>
Backport from mainline
2014-06-16 Yury Gribov <y.gribov@samsung.com>
* asan.c (check_func): New function.
(maybe_create_ssa_name): Likewise.
(build_check_stmt_with_calls): Likewise.
(use_calls_p): Likewise.
(report_error_func): Change interface.
(build_check_stmt): Allow non-integer lengths; add support
for new parameter.
(asan_instrument): Likewise.
(instrument_mem_region_access): Moved code to
build_check_stmt.
(instrument_derefs): Likewise.
(instrument_strlen_call): Likewise.
* cfgcleanup.c (old_insns_match_p): Add support for new
functions.
* doc/invoke.texi: Describe new parameter.
* params.def: Define new parameter.
* params.h: Likewise.
* sanitizer.def: Describe new builtins.
* c-c++-common/asan/instrument-with-calls-1.c: New test.
* c-c++-common/asan/instrument-with-calls-2.c: Likewise.
* c-c++-common/asan/no-redundant-instrumentation-1.c: Update
test patterns.
* c-c++-common/asan/no-redundant-instrumentation-2.c:
Likewise.
* c-c++-common/asan/no-redundant-instrumentation-4.c:
Likewise.
* c-c++-common/asan/no-redundant-instrumentation-5.c:
Likewise.
* c-c++-common/asan/no-redundant-instrumentation-6.c:
Likewise.
* c-c++-common/asan/no-redundant-instrumentation-7.c:
Likewise.
* c-c++-common/asan/no-redundant-instrumentation-8.c:
Likewise.
Backport from mainline
2014-06-16 Yury Gribov <y.gribov@samsung.com>
* asan.c (build_check_stmt): Fix maybe-uninitialized warning.
Backport from mainline
2014-06-18 Yury Gribov <y.gribov@samsung.com>
PR sanitizer/61530
* asan.c (build_check_stmt): Add condition.
* c-c++-common/asan/pr61530.c: New test.
Backport from mainline
2014-06-18 Yury Gribov <y.gribov@samsung.com>
PR sanitizer/61547
* asan.c (instrument_strlen_call): Fixed instrumentation of
trailing byte.
* c-c++-common/asan/strlen-overflow-1.c: New test.
Added:
branches/gcc-4_9-branch/gcc/testsuite/c-c++-common/asan/instrument-with-calls-1.c
branches/gcc-4_9-branch/gcc/testsuite/c-c++-common/asan/instrument-with-calls-2.c
branches/gcc-4_9-branch/gcc/testsuite/c-c++-common/asan/pr61530.c
branches/gcc-4_9-branch/gcc/testsuite/c-c++-common/asan/strlen-overflow-1.c
Modified:
branches/gcc-4_9-branch/gcc/ChangeLog
branches/gcc-4_9-branch/gcc/asan.c
branches/gcc-4_9-branch/gcc/cfgcleanup.c
branches/gcc-4_9-branch/gcc/doc/invoke.texi
branches/gcc-4_9-branch/gcc/params.def
branches/gcc-4_9-branch/gcc/params.h
branches/gcc-4_9-branch/gcc/sanitizer.def
branches/gcc-4_9-branch/gcc/testsuite/ChangeLog
branches/gcc-4_9-branch/gcc/testsuite/c-c++-common/asan/no-redundant-instrumentation-1.c
branches/gcc-4_9-branch/gcc/testsuite/c-c++-common/asan/no-redundant-instrumentation-2.c
branches/gcc-4_9-branch/gcc/testsuite/c-c++-common/asan/no-redundant-instrumentation-4.c
branches/gcc-4_9-branch/gcc/testsuite/c-c++-common/asan/no-redundant-instrumentation-5.c
branches/gcc-4_9-branch/gcc/testsuite/c-c++-common/asan/no-redundant-instrumentation-6.c
branches/gcc-4_9-branch/gcc/testsuite/c-c++-common/asan/no-redundant-instrumentation-7.c
branches/gcc-4_9-branch/gcc/testsuite/c-c++-common/asan/no-redundant-instrumentation-8.c
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug sanitizer/61547] Invalid sanitization of trailing byte in __builtin_strlen
2014-06-18 9:52 [Bug sanitizer/61547] New: Invalid sanitization of trailing byte in __builtin_strlen y.gribov at samsung dot com
` (5 preceding siblings ...)
2014-10-16 13:47 ` ygribov at gcc dot gnu.org
@ 2015-04-17 7:45 ` y.gribov at samsung dot com
6 siblings, 0 replies; 8+ messages in thread
From: y.gribov at samsung dot com @ 2015-04-17 7:45 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61547
Yury Gribov <y.gribov at samsung dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |RESOLVED
Resolution|--- |FIXED
--- Comment #7 from Yury Gribov <y.gribov at samsung dot com> ---
.
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2015-04-17 7:45 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-06-18 9:52 [Bug sanitizer/61547] New: Invalid sanitization of trailing byte in __builtin_strlen y.gribov at samsung dot com
2014-06-18 9:54 ` [Bug sanitizer/61547] " y.gribov at samsung dot com
2014-06-18 10:37 ` kcc at gcc dot gnu.org
2014-06-18 11:19 ` rguenth at gcc dot gnu.org
2014-06-18 11:33 ` kcc at gcc dot gnu.org
2014-06-19 20:09 ` tetra2005 at gmail dot com
2014-10-16 13:47 ` ygribov at gcc dot gnu.org
2015-04-17 7:45 ` y.gribov at samsung dot com
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).