public inbox for gcc-bugs@sourceware.org help / color / mirror / Atom feed
From: "kees at outflux dot net" <gcc-bugzilla@gcc.gnu.org> To: gcc-bugs@gcc.gnu.org Subject: [Bug middle-end/77608] missing protection on trivially detectable runtime buffer overflow Date: Wed, 13 Oct 2021 16:14:06 +0000 [thread overview] Message-ID: <bug-77608-4-8YiEerB4vW@http.gcc.gnu.org/bugzilla/> (raw) In-Reply-To: <bug-77608-4@http.gcc.gnu.org/bugzilla/> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77608 Kees Cook <kees at outflux dot net> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |kees at outflux dot net --- Comment #5 from Kees Cook <kees at outflux dot net> --- I think this behavior may, unfortunately, be "as expected", due to how the memcpy overflow checks are working (they're checking surrounding object, yes, like bos(0) would)? The constant-expression bos() calculations do appear to understand the base pointer object, but when faced with "i", it can't know for sure -- it might have room (if "i" is < 3), or not. So it must return -1 as it lacks any other context (like memcpy's "size" argument). There may, however, be a missing opportunity for tightening the memcpy checker? For example: ... volatile unsigned i; struct weird { char a[4]; char b[8]; }; int main (void) { { struct weird instance; char d [3]; P (d + i); memcpy (d + i, "abcdef", 5); // always overflows d (the entire object) i = 7; P (instance.a + i); // can't see into "i" P (instance.a + 7); // room left in instance (5), but not "a" (0) memcpy (instance.a + i, "abcdef", 5); // misses a, doesn't overflow instance. should this warn? __builtin_printf ("%.0s", d); } } -1 -1 0 0 -1 -1 0 0 5 0 5 5
next parent reply other threads:[~2021-10-13 16:14 UTC|newest] Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top [not found] <bug-77608-4@http.gcc.gnu.org/bugzilla/> 2021-10-13 16:14 ` kees at outflux dot net [this message] 2022-01-04 19:56 ` siddhesh at gcc dot gnu.org 2022-01-07 4:18 ` siddhesh at gcc dot gnu.org 2022-01-11 14:54 ` siddhesh at gcc dot gnu.org
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=bug-77608-4-8YiEerB4vW@http.gcc.gnu.org/bugzilla/ \ --to=gcc-bugzilla@gcc.gnu.org \ --cc=gcc-bugs@gcc.gnu.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).