public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug middle-end/97023] New: missing warning on buffer overflow in chained mempcpy
@ 2020-09-11 17:35 msebor at gcc dot gnu.org
2020-09-11 17:35 ` [Bug middle-end/97023] " msebor at gcc dot gnu.org
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: msebor at gcc dot gnu.org @ 2020-09-11 17:35 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97023
Bug ID: 97023
Summary: missing warning on buffer overflow in chained mempcpy
Product: gcc
Version: 11.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: middle-end
Assignee: unassigned at gcc dot gnu.org
Reporter: msebor at gcc dot gnu.org
Target Milestone: ---
-Wstringop-overflow successfully diagnoses a buffer overflow by the second in a
chain of calls to stpcpy but fails to detect the same bug in calls to mempcpy
because it doesn't track function arguments that are returned from builti-ins
like mempcpy or memchr.
$ cat z.c && gcc -O2 -S z.c
char a[7];
void* f (void)
{
void *p = __builtin_stpcpy (a, "123");
p = __builtin_stpcpy (p, "4567"); // warning (good)
return p;
}
void* g (void)
{
void *p = __builtin_mempcpy (a, "123", 3);
p = __builtin_mempcpy (p, "4567", 5); // missing warning
return p;
}
z.c: In function ‘f’:
z.c:5:13: warning: ‘__builtin_memcpy’ writing 5 bytes into a region of size 4
[-Wstringop-overflow=]
5 | void *p = __builtin_stpcpy (a, "123");
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~
z.c:1:6: note: at offset 3 to object ‘a’ with size 7 declared here
1 | char a[7];
| ^
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug middle-end/97023] missing warning on buffer overflow in chained mempcpy
2020-09-11 17:35 [Bug middle-end/97023] New: missing warning on buffer overflow in chained mempcpy msebor at gcc dot gnu.org
@ 2020-09-11 17:35 ` msebor at gcc dot gnu.org
2020-09-15 19:18 ` msebor at gcc dot gnu.org
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: msebor at gcc dot gnu.org @ 2020-09-11 17:35 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97023
Martin Sebor <msebor at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Ever confirmed|0 |1
Keywords| |diagnostic
Status|UNCONFIRMED |ASSIGNED
Assignee|unassigned at gcc dot gnu.org |msebor at gcc dot gnu.org
Blocks| |88443
Last reconfirmed| |2020-09-11
--- Comment #1 from Martin Sebor <msebor at gcc dot gnu.org> ---
I'm testing a fix.
Referenced Bugs:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88443
[Bug 88443] [meta-bug] bogus/missing -Wstringop-overflow warnings
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug middle-end/97023] missing warning on buffer overflow in chained mempcpy
2020-09-11 17:35 [Bug middle-end/97023] New: missing warning on buffer overflow in chained mempcpy msebor at gcc dot gnu.org
2020-09-11 17:35 ` [Bug middle-end/97023] " msebor at gcc dot gnu.org
@ 2020-09-15 19:18 ` msebor at gcc dot gnu.org
2020-10-12 15:07 ` cvs-commit at gcc dot gnu.org
2020-10-12 15:11 ` msebor at gcc dot gnu.org
3 siblings, 0 replies; 5+ messages in thread
From: msebor at gcc dot gnu.org @ 2020-09-15 19:18 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97023
Martin Sebor <msebor at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords| |patch
Target Milestone|--- |11.0
--- Comment #2 from Martin Sebor <msebor at gcc dot gnu.org> ---
Patch: https://gcc.gnu.org/pipermail/gcc-patches/2020-September/553906.html
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug middle-end/97023] missing warning on buffer overflow in chained mempcpy
2020-09-11 17:35 [Bug middle-end/97023] New: missing warning on buffer overflow in chained mempcpy msebor at gcc dot gnu.org
2020-09-11 17:35 ` [Bug middle-end/97023] " msebor at gcc dot gnu.org
2020-09-15 19:18 ` msebor at gcc dot gnu.org
@ 2020-10-12 15:07 ` cvs-commit at gcc dot gnu.org
2020-10-12 15:11 ` msebor at gcc dot gnu.org
3 siblings, 0 replies; 5+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2020-10-12 15:07 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97023
--- Comment #3 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Martin Sebor <msebor@gcc.gnu.org>:
https://gcc.gnu.org/g:83685efd5fd1623cfc4e4c435ce2773d95d458d1
commit r11-3827-g83685efd5fd1623cfc4e4c435ce2773d95d458d1
Author: Martin Sebor <msebor@redhat.com>
Date: Fri Oct 9 14:48:43 2020 -0600
Generalize compute_objsize to return maximum size/offset instead of failing
(PR middle-end/97023).
Also resolves:
PR middle-end/97342 - bogus -Wstringop-overflow with nonzero signed and
unsigned offsets
PR middle-end/97023 - missing warning on buffer overflow in chained mempcpy
PR middle-end/96384 - bogus -Wstringop-overflow= storing into
multidimensional array with index in range
gcc/ChangeLog:
PR middle-end/97342
PR middle-end/97023
PR middle-end/96384
* builtins.c (access_ref::access_ref): Initialize new member. Use
new enum.
(access_ref::size_remaining): Define new member function.
(inform_access): Handle expressions referencing objects.
(gimple_call_alloc_size): Call get_size_range instead of get_range.
(gimple_call_return_array): New function.
(get_range): Rename...
(get_offset_range): ...to this. Improve detection of ranges from
types of expressions.
(gimple_call_return_array): Adjust calls to get_range per above.
(compute_objsize): Same. Set maximum size or offset instead of
failing for unknown objects and handle more kinds of expressions.
(compute_objsize): Call access_ref::size_remaining.
(compute_objsize): Have transitional wrapper fail for pointers
into unknown objects.
(expand_builtin_strncmp): Call access_ref::size_remaining and
handle new cases.
* builtins.h (access_ref::size_remaining): Declare new member
function.
(access_ref::set_max_size_range): Define new member function.
(access_ref::add_ofset, access_ref::add_max_ofset): Same.
(access_ref::add_base0): New data member.
* calls.c (get_size_range): Change argument type. Handle new
condition.
* calls.h (get_size_range): Adjust signature.
(enum size_range_flags): Define new type.
* gimple-ssa-warn-restrict.c (builtin_memref::builtin_memref):
Correct
argument to get_size_range.
* tree-ssa-strlen.c (get_range): Handle anti-ranges.
(maybe_warn_overflow): Check DECL_P before assuming it's one.
gcc/testsuite/ChangeLog:
PR middle-end/97342
PR middle-end/97023
PR middle-end/96384
* c-c++-common/Wrestrict.c: Adjust comment.
* gcc.dg/Wstringop-overflow-34.c: Remove xfail.
* gcc.dg/Wstringop-overflow-43.c: Remove xfails. Adjust regex
patterns.
* gcc.dg/pr51683.c: Prune out expected warning.
* gcc.target/i386/pr60693.c: Same.
* g++.dg/warn/Wplacement-new-size-8.C: New test.
* gcc.dg/Wstringop-overflow-41.c: New test.
* gcc.dg/Wstringop-overflow-44.s: New test.
* gcc.dg/Wstringop-overflow-45.c: New test.
* gcc.dg/Wstringop-overflow-46.c: New test.
* gcc.dg/Wstringop-overflow-47.c: New test.
* gcc.dg/Wstringop-overflow-49.c: New test.
* gcc.dg/Wstringop-overflow-50.c: New test.
* gcc.dg/Wstringop-overflow-51.c: New test.
* gcc.dg/Wstringop-overflow-52.c: New test.
* gcc.dg/Wstringop-overflow-53.c: New test.
* gcc.dg/Wstringop-overflow-54.c: New test.
* gcc.dg/Wstringop-overflow-55.c: New test.
* gcc.dg/Wstringop-overread-5.c: New test.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug middle-end/97023] missing warning on buffer overflow in chained mempcpy
2020-09-11 17:35 [Bug middle-end/97023] New: missing warning on buffer overflow in chained mempcpy msebor at gcc dot gnu.org
` (2 preceding siblings ...)
2020-10-12 15:07 ` cvs-commit at gcc dot gnu.org
@ 2020-10-12 15:11 ` msebor at gcc dot gnu.org
3 siblings, 0 replies; 5+ messages in thread
From: msebor at gcc dot gnu.org @ 2020-10-12 15:11 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97023
Martin Sebor <msebor at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED
--- Comment #4 from Martin Sebor <msebor at gcc dot gnu.org> ---
Implemented in r11-3827. GCC 11 diagnoses both invalid calls. With
-Warray-bounds:
$ gcc -O2 -S -Wall pr97023.c
pr97023.c: In function ‘f’:
pr97023.c:5:13: warning: ‘__builtin_memcpy’ writing 5 bytes into a region of
size 4 [-Wstringop-overflow=]
5 | void *p = __builtin_stpcpy (a, "123");
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~
pr97023.c:1:6: note: at offset 3 to object ‘a’ with size 7 declared here
1 | char a[7];
| ^
pr97023.c: In function ‘g’:
pr97023.c:13:7: warning: ‘__builtin_mempcpy’ forming offset 4 is out of the
bounds [0, 4] [-Warray-bounds]
13 | p = __builtin_mempcpy (p, "4567", 5); // missing warning
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
and without:
$ gcc -O2 -S -Wall -Wno-array-bounds pr97023.c
pr97023.c: In function ‘f’:
pr97023.c:5:13: warning: ‘__builtin_memcpy’ writing 5 bytes into a region of
size 4 [-Wstringop-overflow=]
5 | void *p = __builtin_stpcpy (a, "123");
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~
pr97023.c:1:6: note: at offset 3 to object ‘a’ with size 7 declared here
1 | char a[7];
| ^
pr97023.c: In function ‘g’:
pr97023.c:13:7: warning: ‘__builtin_mempcpy’ writing 5 bytes into a region of
size 4 overflows the destination [-Wstringop-overflow=]
13 | p = __builtin_mempcpy (p, "4567", 5); // missing warning
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pr97023.c:1:6: note: at offset 3 into destination object ‘a’
1 | char a[7];
| ^
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-10-12 15:11 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-09-11 17:35 [Bug middle-end/97023] New: missing warning on buffer overflow in chained mempcpy msebor at gcc dot gnu.org
2020-09-11 17:35 ` [Bug middle-end/97023] " msebor at gcc dot gnu.org
2020-09-15 19:18 ` msebor at gcc dot gnu.org
2020-10-12 15:07 ` cvs-commit at gcc dot gnu.org
2020-10-12 15:11 ` msebor at gcc dot gnu.org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).