public inbox for gcc-bugs@sourceware.org
* [Bug c++/67942] New: diagnose placement new buffer overflow
@ 2015-10-12 18:16 msebor at gcc dot gnu.org
  2015-10-12 18:20 ` [Bug c++/67942] " msebor at gcc dot gnu.org
  2015-10-13 17:25 ` msebor at gcc dot gnu.org
  0 siblings, 2 replies; 3+ messages in thread
From: msebor at gcc dot gnu.org @ 2015-10-12 18:16 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67942

            Bug ID: 67942
           Summary: diagnose placement new buffer overflow
           Product: gcc
           Version: 6.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: msebor at gcc dot gnu.org
  Target Milestone: ---

C++ placement new expression is known to be subject to buffer overflow flaws
(see for example [1]).  For instance, in the program below, the placement new
expression writes past the end of the local buffer buf.  In many cases of its
use (including the one below), GCC has sufficient information to detect and
diagnose such defects.  This bug tracks the proposed implementation of this
detection.

#include <new>

struct S {
    int a [4];
} s;

void f (S *s) {
    char buf [sizeof s];   // sizeof s is the size of the pointer parameter, not of S
    S *t = new (buf) S (*s);

    // ...
}

[1] A New Class of Buffer Overflow Attacks, Kundu, A., Bertino, E., 31st
International Conference on Distributed Computing Systems (ICDCS), 2011
http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5961725


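The defect the report describes is sizeof applied to the pointer parameter rather than to the object type, so the placement buffer is the size of a pointer while the constructed object is sizeof (S).  The following is an added example, not code from the bug report or from GCC: it keeps the faulty size computation beside a corrected one and wraps placement new in a small helper (construct_in, a name chosen here) that binds to a fixed-size array so the buffer size is checked by static_assert and the alignment is checked before construction.

```cpp
// Added example (not from the GCC bug report or GCC itself).
// Shows the size mistake the report describes, the correct sizing, and a
// placement-new helper that refuses undersized or misaligned buffers.
#include <cstddef>
#include <cstdint>
#include <new>
#include <utility>

struct S {
    int a[4];   // 4 * sizeof(int) bytes, 16 on common targets
};

// What the report's f() actually allocates: sizeof applied to the pointer
// parameter yields the size of a pointer, not of the struct it points to.
constexpr std::size_t buggy_buffer_size(const S *s) { return sizeof s; }

// The size a placement-new buffer for S really needs.
constexpr std::size_t correct_buffer_size() { return sizeof(S); }

// construct_in (hypothetical helper): the buffer is taken by reference to a
// fixed-size array, so its length N is part of the type and can be checked at
// compile time.  Alignment is not encoded in the type, so it is checked at
// run time; a misaligned buffer is refused instead of constructed into.
template <class T, std::size_t N, class... Args>
T *construct_in(unsigned char (&buf)[N], Args &&...args)
{
    static_assert(N >= sizeof(T), "placement buffer too small for T");
    if (reinterpret_cast<std::uintptr_t>(buf) % alignof(T) != 0)
        return nullptr;   // caller must supply an alignas(T) buffer
    return ::new (static_cast<void *>(buf)) T(std::forward<Args>(args)...);
}

// Corrected version of the report's f(): the buffer is sized by the type and
// aligned for it.  Returns a[0] + a[3] of the copy, or -1 if construction was
// refused, so the result can be checked by a caller.
int copy_and_sum(const S *src)
{
    alignas(S) unsigned char buf[sizeof(S)];   // sizeof(S), not sizeof src
    S *t = construct_in<S>(buf, *src);
    if (!t)
        return -1;
    int r = t->a[0] + t->a[3];
    t->~S();
    return r;
}

// Constructed sample input for copy_and_sum.
int sample_sum()
{
    S src{{1, 2, 3, 4}};
    return copy_and_sum(&src);   // 1 + 4
}

// True when the report's sizing would overflow: pointer size < sizeof(S).
bool buggy_buffer_is_too_small()
{
    S s{};
    return buggy_buffer_size(&s) < sizeof(S);
}

// A buffer that is large enough but deliberately starts one byte past an
// address aligned for S; the helper must refuse it.  Returns 1 if an object
// was constructed, 0 if the alignment check rejected the buffer.
int misaligned_attempt()
{
    struct alignas(S) Wrapper {
        unsigned char pad;
        unsigned char buf[sizeof(S)];   // at offset 1: misaligned for S
    } wrapper{};
    S src{};
    return construct_in<S>(wrapper.buf, src) ? 1 : 0;
}
```

The static_assert in construct_in turns the report's overflow into a compile error whenever the buffer is a named array, which is the common case for placement new into local storage; for buffers of type unsigned char* (heap or caller-provided) the size would have to be passed and checked at run time instead.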

* [Bug c++/67942] diagnose placement new buffer overflow
  2015-10-12 18:16 [Bug c++/67942] New: diagnose placement new buffer overflow msebor at gcc dot gnu.org
@ 2015-10-12 18:20 ` msebor at gcc dot gnu.org
  2015-10-13 17:25 ` msebor at gcc dot gnu.org
  1 sibling, 0 replies; 3+ messages in thread
From: msebor at gcc dot gnu.org @ 2015-10-12 18:20 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67942

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|unassigned at gcc dot gnu.org      |msebor at gcc dot gnu.org

--- Comment #1 from Martin Sebor <msebor at gcc dot gnu.org> ---
A patch capable of detecting and diagnosing a limited subset of such overflows
will be posted for review shortly.  The output of the patch for the example
program in the Description is as follows:

$ g++ -Wall  u.cpp
u.cpp: In function ‘void f(S*)’:
u.cpp:22:27: warning: placement new constructing a 16-byte object of type ‘S’
in a region of type ‘char [8]’ that is 8 bytes large
     S *t = new (buf) S (*s);
From: "barry.revzin at gmail dot com" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug c++/67943] New: Friend declaration applied to base class, leading to allowing access to protected base
Date: Mon, 12 Oct 2015 18:35:00 -0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67943

            Bug ID: 67943
           Summary: Friend declaration applied to base class, leading to
                    allowing access to protected base
           Product: gcc
           Version: 5.2.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: barry.revzin at gmail dot com
  Target Milestone: ---

gcc 5.2 compiles the following:

struct Base { };
struct Derived : protected Base { };
struct Derived2 : public Derived {
    friend void test();
};

void test() {
    Derived a;
    Base* p = &a;
}

int main(){
    test();
}

If you comment out the friend declaration in Derived2, which should be
irrelevant to the example, then gcc reports an error that Base is an
inaccessible base of Derived.



* [Bug c++/67942] diagnose placement new buffer overflow
  2015-10-12 18:16 [Bug c++/67942] New: diagnose placement new buffer overflow msebor at gcc dot gnu.org
  2015-10-12 18:20 ` [Bug c++/67942] " msebor at gcc dot gnu.org
@ 2015-10-13 17:25 ` msebor at gcc dot gnu.org
  1 sibling, 0 replies; 3+ messages in thread
From: msebor at gcc dot gnu.org @ 2015-10-13 17:25 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67942

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |ASSIGNED
   Last reconfirmed|                            |2015-10-13
     Ever confirmed|0                           |1

--- Comment #2 from Martin Sebor <msebor at gcc dot gnu.org> ---
Patch posted for review here:
https://gcc.gnu.org/ml/gcc-patches/2015-10/msg01284.html


