[Bug middle-end/77608] missing protection on trivially detectable runtime buffer overflow

public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed

From: "kees at outflux dot net" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug middle-end/77608] missing protection on trivially detectable runtime buffer overflow
Date: Wed, 13 Oct 2021 16:14:06 +0000	[thread overview]
Message-ID: <bug-77608-4-8YiEerB4vW@http.gcc.gnu.org/bugzilla/> (raw)
In-Reply-To: <bug-77608-4@http.gcc.gnu.org/bugzilla/>

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77608

Kees Cook <kees at outflux dot net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kees at outflux dot net

--- Comment #5 from Kees Cook <kees at outflux dot net> ---
I think this behavior may, unfortunately, be "as expected", due to how the
memcpy overflow checks are working (they're checking surrounding object, yes,
like bos(0) would)? The constant-expression bos() calculations do appear to
understand the base pointer object, but when faced with "i", it can't know for
sure -- it might have room (if "i" is < 3), or not. So it must return -1 as it
lacks any other context (like memcpy's "size" argument).

There may, however, be a missing opportunity for tightening the memcpy checker?

For example:


...
volatile unsigned i;

struct weird {
    char a[4];
    char b[8];
};

int main (void)
{
  {
    struct weird instance;
    char d [3];

    P (d + i);
    memcpy (d + i, "abcdef", 5); // always overflows d (the entire object)

    i = 7;
    P (instance.a + i); // can't see into "i"
    P (instance.a + 7); // room left in instance (5), but not "a" (0)

    memcpy (instance.a + i, "abcdef", 5); // misses a, doesn't overflow
instance. should this warn?

    __builtin_printf ("%.0s", d);
  }
}


-1 -1  0  0
-1 -1  0  0
 5  0  5  5

next      parent reply	other threads:[~2021-10-13 16:14 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <bug-77608-4@http.gcc.gnu.org/bugzilla/>
2021-10-13 16:14 ` kees at outflux dot net [this message]
2022-01-04 19:56 ` siddhesh at gcc dot gnu.org
2022-01-07  4:18 ` siddhesh at gcc dot gnu.org
2022-01-11 14:54 ` siddhesh at gcc dot gnu.org

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=bug-77608-4-8YiEerB4vW@http.gcc.gnu.org/bugzilla/ \
    --to=gcc-bugzilla@gcc.gnu.org \
    --cc=gcc-bugs@gcc.gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).