[PATCH] asan: Don't fold some strlens with -fsanitize=address [PR110676]

public inbox for gcc-patches@gcc.gnu.org
 help / color / mirror / Atom feed

* [PATCH] asan: Don't fold some strlens with -fsanitize=address [PR110676]
@ 2024-02-06 10:23 Jakub Jelinek
  2024-02-06 11:44 ` Richard Biener
  0 siblings, 1 reply; 2+ messages in thread
From: Jakub Jelinek @ 2024-02-06 10:23 UTC (permalink / raw)
  To: Richard Biener; +Cc: gcc-patches

Hi!

The UB on the following testcase isn't diagnosed by -fsanitize=address,
because we see that the array has a single element and optimize the
strlen to 0.  I think it is fine to assume e.g. for range purposes the
lower bound for the strlen as long as we don't try to optimize
strlen (str)
where we know that it returns [26, 42] to
26 + strlen (str + 26), but for the upper bound we really want to punt
on optimizing that for -fsanitize=address to read all the bytes of the
string and diagnose if we run to object end etc.

Bootstrapped/regtested on x86_64-linux and i686-linux, ok for trunk?

2024-02-06  Jakub Jelinek  <jakub@redhat.com>

	PR sanitizer/110676
	* gimple-fold.cc (gimple_fold_builtin_strlen): For -fsanitize=address
	reset maxlen to sizetype maximum.

	* gcc.dg/asan/pr110676.c: New test.

--- gcc/gimple-fold.cc.jj	2024-01-31 12:24:51.714239628 +0100
+++ gcc/gimple-fold.cc	2024-02-05 21:38:03.829964904 +0100
@@ -4019,6 +4019,11 @@ gimple_fold_builtin_strlen (gimple_stmt_
       maxlen = wi::to_wide (max_object_size (), prec) - 2;
     }
 
+  /* For -fsanitize=address, don't optimize the upper bound of the
+     length to be able to diagnose UB on non-zero terminated arrays.  */
+  if (sanitize_flags_p (SANITIZE_ADDRESS))
+    maxlen = wi::max_value (TYPE_PRECISION (sizetype), UNSIGNED);
+
   if (minlen == maxlen)
     {
       /* Fold the strlen call to a constant.  */
--- gcc/testsuite/gcc.dg/asan/pr110676.c.jj	2024-02-05 21:42:43.657104536 +0100
+++ gcc/testsuite/gcc.dg/asan/pr110676.c	2024-02-05 21:42:39.091167524 +0100
@@ -0,0 +1,14 @@
+/* PR sanitizer/110676 */
+/* { dg-do run } */
+/* { dg-skip-if "" { *-*-* } { "*" } { "-O0" } } */
+/* { dg-shouldfail "asan" } */
+
+int
+main ()
+{
+  char s[1] = "A";
+  return __builtin_strlen (s);
+}
+
+/* { dg-output "ERROR: AddressSanitizer: stack-buffer-overflow on address.*(\n|\r\n|\r)" } */
+/* { dg-output "READ of size.*" } */

	Jakub


^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [PATCH] asan: Don't fold some strlens with -fsanitize=address [PR110676]
  2024-02-06 10:23 [PATCH] asan: Don't fold some strlens with -fsanitize=address [PR110676] Jakub Jelinek
@ 2024-02-06 11:44 ` Richard Biener
  0 siblings, 0 replies; 2+ messages in thread
From: Richard Biener @ 2024-02-06 11:44 UTC (permalink / raw)
  To: Jakub Jelinek; +Cc: gcc-patches

On Tue, 6 Feb 2024, Jakub Jelinek wrote:

> Hi!
> 
> The UB on the following testcase isn't diagnosed by -fsanitize=address,
> because we see that the array has a single element and optimize the
> strlen to 0.  I think it is fine to assume e.g. for range purposes the
> lower bound for the strlen as long as we don't try to optimize
> strlen (str)
> where we know that it returns [26, 42] to
> 26 + strlen (str + 26), but for the upper bound we really want to punt
> on optimizing that for -fsanitize=address to read all the bytes of the
> string and diagnose if we run to object end etc.
> 
> Bootstrapped/regtested on x86_64-linux and i686-linux, ok for trunk?

OK

> 2024-02-06  Jakub Jelinek  <jakub@redhat.com>
> 
> 	PR sanitizer/110676
> 	* gimple-fold.cc (gimple_fold_builtin_strlen): For -fsanitize=address
> 	reset maxlen to sizetype maximum.
> 
> 	* gcc.dg/asan/pr110676.c: New test.
> 
> --- gcc/gimple-fold.cc.jj	2024-01-31 12:24:51.714239628 +0100
> +++ gcc/gimple-fold.cc	2024-02-05 21:38:03.829964904 +0100
> @@ -4019,6 +4019,11 @@ gimple_fold_builtin_strlen (gimple_stmt_
>        maxlen = wi::to_wide (max_object_size (), prec) - 2;
>      }
>  
> +  /* For -fsanitize=address, don't optimize the upper bound of the
> +     length to be able to diagnose UB on non-zero terminated arrays.  */
> +  if (sanitize_flags_p (SANITIZE_ADDRESS))
> +    maxlen = wi::max_value (TYPE_PRECISION (sizetype), UNSIGNED);
> +
>    if (minlen == maxlen)
>      {
>        /* Fold the strlen call to a constant.  */
> --- gcc/testsuite/gcc.dg/asan/pr110676.c.jj	2024-02-05 21:42:43.657104536 +0100
> +++ gcc/testsuite/gcc.dg/asan/pr110676.c	2024-02-05 21:42:39.091167524 +0100
> @@ -0,0 +1,14 @@
> +/* PR sanitizer/110676 */
> +/* { dg-do run } */
> +/* { dg-skip-if "" { *-*-* } { "*" } { "-O0" } } */
> +/* { dg-shouldfail "asan" } */
> +
> +int
> +main ()
> +{
> +  char s[1] = "A";
> +  return __builtin_strlen (s);
> +}
> +
> +/* { dg-output "ERROR: AddressSanitizer: stack-buffer-overflow on address.*(\n|\r\n|\r)" } */
> +/* { dg-output "READ of size.*" } */
> 
> 	Jakub
> 
> 

-- 
Richard Biener <rguenther@suse.de>
SUSE Software Solutions Germany GmbH,
Frankenstrasse 146, 90461 Nuernberg, Germany;
GF: Ivo Totev, Andrew McDonald, Werner Knoblich; (HRB 36809, AG Nuernberg)

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2024-02-06 11:44 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-02-06 10:23 [PATCH] asan: Don't fold some strlens with -fsanitize=address [PR110676] Jakub Jelinek
2024-02-06 11:44 ` Richard Biener

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).