From: "msebor at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug c++/67942] New: diagnose placement new buffer overflow
Date: Mon, 12 Oct 2015 18:16:00 -0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67942

            Bug ID: 67942
           Summary: diagnose placement new buffer overflow
           Product: gcc
           Version: 6.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: msebor at gcc dot gnu.org
  Target Milestone: ---

The C++ placement new expression is known to be subject to buffer overflow flaws (see for example [1]). For instance, in the program below, the placement new expression writes past the end of the local buffer buf. In many cases of its use (including the one below), GCC has sufficient information to detect and diagnose such defects. This bug tracks the proposed implementation of this detection.
  #include <new>   // the fragment lost its header name; <new> declares placement new

  struct S { int a [4]; } s;

  void f (S *s)
  {
    // sizeof s is the size of the pointer parameter s, not of struct S,
    // so buf is smaller than the object that placement new constructs in it.
    char buf [sizeof s];
    S *t = new (buf) S (*s);
    // ...
  }

[1] A New Class of Buffer Overflow Attacks, Kundu, A., Bertino, E., 31st International Conference on Distributed Computing Systems (ICDCS), 2011, http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5961725
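The mistake in the report (sizing the buffer from the pointer rather than from the object) is the kind of thing a wrapper can refuse before any write happens. The following is an added example, not code from the bug report or from GCC: a checked placement-new helper that returns nullptr when the buffer is too small or misaligned, plus a fixed-array variant that turns the report's sizeof mistake into a compile error via static_assert. The names checked_placement_new, checked_placement_new_fixed and report_mistake_sizes are assumptions introduced here.

```cpp
#include <cstddef>
#include <cstdint>
#include <new>
#include <utility>

struct S { int a[4]; };

// Runtime-checked placement new: refuses a buffer that cannot hold a T
// (too small, misaligned, or null) instead of writing past its end.
// Returns nullptr on refusal, otherwise the constructed object.
template <typename T, typename... Args>
T* checked_placement_new(void* buf, std::size_t buf_size, Args&&... args) {
    if (buf == nullptr || buf_size < sizeof(T)) return nullptr;
    if (reinterpret_cast<std::uintptr_t>(buf) % alignof(T) != 0) return nullptr;
    return ::new (buf) T(std::forward<Args>(args)...);
}

// Compile-time variant for fixed-size arrays: the array length is deduced,
// so a buffer declared with the report's "sizeof s" (pointer size) fails
// to compile rather than overflowing at run time.
template <typename T, std::size_t N, typename... Args>
T* checked_placement_new_fixed(unsigned char (&buf)[N], Args&&... args) {
    static_assert(N >= sizeof(T), "placement-new buffer is too small for T");
    return checked_placement_new<T>(static_cast<void*>(buf), N,
                                    std::forward<Args>(args)...);
}

// Reproduces the arithmetic behind the report's bug: the buffer the
// report allocates is sizeof(S*) bytes, the object needs sizeof(S).
// Returns true when that buffer is indeed too small.
bool report_mistake_sizes(std::size_t* provided, std::size_t* needed) {
    *provided = sizeof(S*);   // what "char buf[sizeof s]" yields when s is S*
    *needed   = sizeof(S);    // what placement new actually writes
    return *provided < *needed;
}

// Constructed input: the same copy the report performs, once into a buffer
// sized like the report's (pointer size) and once into a correctly sized one.
bool demo_checked_placement() {
    S src = {{1, 2, 3, 4}};
    alignas(S) unsigned char bad[sizeof(S*)];   // the report's mistake
    alignas(S) unsigned char good[sizeof(S)];   // correctly sized

    S* rejected = checked_placement_new<S>(bad, sizeof bad, src);
    S* accepted = checked_placement_new<S>(good, sizeof good, src);
    bool ok = (rejected == nullptr) && (accepted != nullptr)
              && accepted->a[3] == 4;
    if (accepted) accepted->~S();

    // checked_placement_new_fixed<S>(bad, src) would not compile here;
    // the correctly sized array is accepted.
    S* fixed = checked_placement_new_fixed<S>(good, src);
    ok = ok && fixed != nullptr && fixed->a[0] == 1;
    if (fixed) fixed->~S();
    return ok;
}

int main() {
    return demo_checked_placement() ? 0 : 1;
}
```

The runtime variant is the one to use when the buffer comes from a caller (a void* and a length), since the size cannot be known statically; the static_assert variant is preferable wherever the buffer is a local array, because it rejects the report's pattern at compile time with no code emitted.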