public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug testsuite/63305] New: ASan reported heap-buffer-overflow in gcc.target/i386/avx256-unaligned-load{store}-7.c
@ 2014-09-19 6:42 chefmax at gcc dot gnu.org
2014-09-19 15:31 ` [Bug testsuite/63305] " hjl.tools at gmail dot com
` (4 more replies)
0 siblings, 5 replies; 6+ messages in thread
From: chefmax at gcc dot gnu.org @ 2014-09-19 6:42 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63305
Bug ID: 63305
Summary: ASan reported heap-buffer-overflow in
gcc.target/i386/avx256-unaligned-load{store}-7.c
Product: gcc
Version: 5.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: testsuite
Assignee: unassigned at gcc dot gnu.org
Reporter: chefmax at gcc dot gnu.org
Host: x86_64-pc-linux-gnu
Target: x86_64-pc-linux-gnu
Build: x86_64-pc-linux-gnu
ASan reported heap-buffer-overflow in
gcc.target/i386/avx256-unaligned-load{store}-7.c:
$ ~/master/gcc gcc/testsuite/gcc.target/i386/avx256-unaligned-load-7.c
-fsanitize=address -O3 -dp -mavx -mavx256-split-unaligned-load -o
./avx256-unaligned-load-7.exe
$ ./avx256-unaligned-load-7.exe
=================================================================
==21855==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60c00000c000 at pc 0x400bcc bp 0x7fffd03d3d90 sp 0x7fffd03d3d88
WRITE of size 8 at 0x60c00000c000 thread T0
#0 0x400bcb in do_test
(/home/max/build/master-x86_64/avx256-unaligned-load-7.exe+0x400bcb)
#1 0x40086f in main
(/home/max/build/master-x86_64/avx256-unaligned-load-7.exe+0x40086f)
#2 0x7fecbc89476c in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
#3 0x4008c4
(/home/max/build/master-x86_64/avx256-unaligned-load-7.exe+0x4008c4)
0x60c00000c000 is located 0 bytes to the right of 128-byte region
[0x60c00000bf80,0x60c00000c000)
allocated by thread T0 here:
#0 0x7fecbccc5569 in __interceptor_malloc
/home/max/workspace/downloads/gcc/libsanitizer/asan/asan_malloc_linux.cc:73
#1 0x4009bd in foo
(/home/max/build/master-x86_64/avx256-unaligned-load-7.exe+0x4009bd)
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 do_test
Shadow bytes around the buggy address:
0x0c187fff97b0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x0c187fff97c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c187fff97d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c187fff97e0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x0c187fff97f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c187fff9800:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff9820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff9830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff9840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff9850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
ASan internal: fe
==21855==ABORTING
Quick analysis shows that overflow happens at line 38. Perhaps allocated arrays
have wrong size.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug testsuite/63305] ASan reported heap-buffer-overflow in gcc.target/i386/avx256-unaligned-load{store}-7.c
2014-09-19 6:42 [Bug testsuite/63305] New: ASan reported heap-buffer-overflow in gcc.target/i386/avx256-unaligned-load{store}-7.c chefmax at gcc dot gnu.org
@ 2014-09-19 15:31 ` hjl.tools at gmail dot com
2014-09-25 9:09 ` chefmax at gcc dot gnu.org
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: hjl.tools at gmail dot com @ 2014-09-19 15:31 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63305
H.J. Lu <hjl.tools at gmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |WAITING
Last reconfirmed| |2014-09-19
CC|hjl at gcc dot gnu.org |hjl.tools at gmail dot com
Ever confirmed|0 |1
--- Comment #1 from H.J. Lu <hjl.tools at gmail dot com> ---
Works for me:
[hjl@gnu-mic-2 gcc]$ ./xgcc -B./
/export/gnu/import/git/gcc/gcc/testsuite/gcc.target/i386/avx256-unaligned-load-7.c
-fsanitize=address -O3 -dp -mavx -mavx256-split-unaligned-load -o /tmp/a.out
-L../x86_64-unknown-linux-gnu/libsanitizer/asan/.libs
-B../x86_64-unknown-linux-gnu/libsanitizer/asan/
-Wl,-R,../x86_64-unknown-linux-gnu/libsanitizer/asan/.libs
[hjl@gnu-mic-2 gcc]$ /tmp/a.out
[hjl@gnu-mic-2 gcc]$ ./xgcc -v
Using built-in specs.
COLLECT_GCC=./xgcc
Target: x86_64-unknown-linux-gnu
Configured with: /export/gnu/import/git/gcc/configure --enable-languages=c,c++
--disable-bootstrap --prefix=/usr/gcc-5.0.0 --with-local-prefix=/usr/local
--enable-gnu-indirect-function --with-fpmath=sse
Thread model: posix
gcc version 5.0.0 20140916 (experimental) (GCC)
[hjl@gnu-mic-2 gcc]$
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug testsuite/63305] ASan reported heap-buffer-overflow in gcc.target/i386/avx256-unaligned-load{store}-7.c
2014-09-19 6:42 [Bug testsuite/63305] New: ASan reported heap-buffer-overflow in gcc.target/i386/avx256-unaligned-load{store}-7.c chefmax at gcc dot gnu.org
2014-09-19 15:31 ` [Bug testsuite/63305] " hjl.tools at gmail dot com
@ 2014-09-25 9:09 ` chefmax at gcc dot gnu.org
2014-09-25 15:50 ` hjl.tools at gmail dot com
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: chefmax at gcc dot gnu.org @ 2014-09-25 9:09 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63305
--- Comment #2 from Maxim Ostapenko <chefmax at gcc dot gnu.org> ---
Still fails on trunk:
$ ./xgcc -B./
~/workspace/downloads/gcc/gcc/testsuite/gcc.target/i386/avx256-unaligned-load-7.c
-fsanitize=address -O3 -dp -mavx -mavx256-split-unaligned-load -o /tmp/a.out
-L../x86_64-unknown-linux-gnu/libsanitizer/asan/.libs
-B../x86_64-unknown-linux-gnu/libsanitizer/asan/
-Wl,-R,../x86_64-unknown-linux-gnu/libsanitizer/asan/.libs -fdump-tree-asan
$ /tmp/a.out
=================================================================
==4263==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c00000c000
at pc 0x000000400b9c bp 0x7fff6dad1c20 sp 0x7fff6dad1c18
WRITE of size 8 at 0x60c00000c000 thread T0
#0 0x400b9b in do_test (/tmp/a.out+0x400b9b)
#1 0x400845 in main (/tmp/a.out+0x400845)
#2 0x7f13038b976c in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
#3 0x400894 (/tmp/a.out+0x400894)
0x60c00000c000 is located 0 bytes to the right of 128-byte region
[0x60c00000bf80,0x60c00000c000)
allocated by thread T0 here:
#0 0x7f1303ceeaa9 in __interceptor_malloc
/home/max/workspace/downloads/gcc/libsanitizer/asan/asan_malloc_linux.cc:38
#1 0x40098d in foo (/tmp/a.out+0x40098d)
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 do_test
Shadow bytes around the buggy address:
0x0c187fff97b0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x0c187fff97c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c187fff97d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c187fff97e0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x0c187fff97f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c187fff9800:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff9820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff9830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff9840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff9850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
ASan internal: fe
==4263==ABORTING
$ ./xgcc -v
Using built-in specs.
COLLECT_GCC=./xgcc
Target: x86_64-unknown-linux-gnu
Configured with: /home/max/workspace/downloads/gcc/configure
--enable-languages=c,c++ --disable-bootstrap --prefix=/usr/gcc-5.0.0
--with-local-prefix=/usr/local --enable-gnu-indirect-function --with-fpmath=sse
Thread model: posix
gcc version 5.0.0 20140925 (experimental) (GCC)
At line 36:
for (i = N; i >= 0; i--)
{
*cp++ = str;
*dp++ = str;
}
Here cp itself is char **, so we move cp on sizeof (char *) on each loop
iteration.
Since N == 128 here, we have 129 iterations, so size of array cp points to
should be 129 * sizeof (char *). Correct?
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug testsuite/63305] ASan reported heap-buffer-overflow in gcc.target/i386/avx256-unaligned-load{store}-7.c
2014-09-19 6:42 [Bug testsuite/63305] New: ASan reported heap-buffer-overflow in gcc.target/i386/avx256-unaligned-load{store}-7.c chefmax at gcc dot gnu.org
2014-09-19 15:31 ` [Bug testsuite/63305] " hjl.tools at gmail dot com
2014-09-25 9:09 ` chefmax at gcc dot gnu.org
@ 2014-09-25 15:50 ` hjl.tools at gmail dot com
2014-11-09 18:01 ` hjl at gcc dot gnu.org
2014-11-09 18:03 ` hjl.tools at gmail dot com
4 siblings, 0 replies; 6+ messages in thread
From: hjl.tools at gmail dot com @ 2014-09-25 15:50 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63305
--- Comment #3 from H.J. Lu <hjl.tools at gmail dot com> ---
Created attachment 33566
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=33566&action=edit
A patch
Please try this.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug testsuite/63305] ASan reported heap-buffer-overflow in gcc.target/i386/avx256-unaligned-load{store}-7.c
2014-09-19 6:42 [Bug testsuite/63305] New: ASan reported heap-buffer-overflow in gcc.target/i386/avx256-unaligned-load{store}-7.c chefmax at gcc dot gnu.org
` (2 preceding siblings ...)
2014-09-25 15:50 ` hjl.tools at gmail dot com
@ 2014-11-09 18:01 ` hjl at gcc dot gnu.org
2014-11-09 18:03 ` hjl.tools at gmail dot com
4 siblings, 0 replies; 6+ messages in thread
From: hjl at gcc dot gnu.org @ 2014-11-09 18:01 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63305
--- Comment #4 from hjl at gcc dot gnu.org <hjl at gcc dot gnu.org> ---
Author: hjl
Date: Sun Nov 9 18:01:12 2014
New Revision: 217269
URL: https://gcc.gnu.org/viewcvs?rev=217269&root=gcc&view=rev
Log:
Fix buffer overflow in avx256-unaligned-{load|store}-7.c
Backported from mainline
PR testsuite/63305
* gcc.target/i386/avx256-unaligned-load-7.c (avx_test): Fix
buffer overflow.
* gcc.target/i386/avx256-unaligned-store-7.c (avx_test): Likewise.
Modified:
branches/gcc-4_9-branch/gcc/testsuite/ChangeLog
branches/gcc-4_9-branch/gcc/testsuite/gcc.target/i386/avx256-unaligned-load-7.c
branches/gcc-4_9-branch/gcc/testsuite/gcc.target/i386/avx256-unaligned-store-7.c
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug testsuite/63305] ASan reported heap-buffer-overflow in gcc.target/i386/avx256-unaligned-load{store}-7.c
2014-09-19 6:42 [Bug testsuite/63305] New: ASan reported heap-buffer-overflow in gcc.target/i386/avx256-unaligned-load{store}-7.c chefmax at gcc dot gnu.org
` (3 preceding siblings ...)
2014-11-09 18:01 ` hjl at gcc dot gnu.org
@ 2014-11-09 18:03 ` hjl.tools at gmail dot com
4 siblings, 0 replies; 6+ messages in thread
From: hjl.tools at gmail dot com @ 2014-11-09 18:03 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63305
H.J. Lu <hjl.tools at gmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|WAITING |RESOLVED
Resolution|--- |FIXED
Target Milestone|--- |4.9.3
--- Comment #5 from H.J. Lu <hjl.tools at gmail dot com> ---
Fixed on trunk and 4.9 branch.
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2014-11-09 18:03 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-09-19 6:42 [Bug testsuite/63305] New: ASan reported heap-buffer-overflow in gcc.target/i386/avx256-unaligned-load{store}-7.c chefmax at gcc dot gnu.org
2014-09-19 15:31 ` [Bug testsuite/63305] " hjl.tools at gmail dot com
2014-09-25 9:09 ` chefmax at gcc dot gnu.org
2014-09-25 15:50 ` hjl.tools at gmail dot com
2014-11-09 18:01 ` hjl at gcc dot gnu.org
2014-11-09 18:03 ` hjl.tools at gmail dot com
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).