[Bug sanitizer/107696] GCC trunk misses a stack-buffer-overflow

2022-11-15 Thread shaohua.li at inf dot ethz.ch via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107696

--- Comment #4 from Li Shaohua  ---
Thanks for the prompt reply.

[Bug sanitizer/107696] GCC trunk misses a stack-buffer-overflow

2022-11-15 Thread marxin at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107696

--- Comment #3 from Martin Liška  ---
So here again it depends on the order of stack variables, and a[4] is a valid
access to the 'b' variable; see what happens with a[6]:

=
==6539==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fffd5f8 at pc 0x00401291 bp 0x7fffd590 sp 0x7fffd588
WRITE of size 4 at 0x7fffd5f8 thread T0
#0 0x401290 in main (/home/marxin/Programming/testcases/a.out+0x401290)
#1 0x7762c5af in __libc_start_call_main (/lib64/libc.so.6+0x275af)
#2 0x7762c678 in __libc_start_main_impl (/lib64/libc.so.6+0x27678)
#3 0x4010c4 in _start ../sysdeps/x86_64/start.S:115

Address 0x7fffd5f8 is located in stack of thread T0 at offset 72 in frame
#0 0x4011a5 in main (/home/marxin/Programming/testcases/a.out+0x4011a5)

  This frame has 2 object(s):
[48, 52) 'a' (line 3)
[64, 72) 'b' (line 2) <== Memory access at offset 72 overflows this
variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
  (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
(/home/marxin/Programming/testcases/a.out+0x401290) in main
Shadow bytes around the buggy address:
  0x10007fff7a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7a90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007fff7ab0: 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1 04 f2 00[f3]
  0x10007fff7ac0: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
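
As an added example (not code from the bug report or from GCC), the shadow-byte rule ASan applies, run over the frame layout in the report above: each shadow byte covers 8 bytes of stack, 00 means fully addressable, 01..07 means only the first k bytes are addressable, and f1/f2/f3 are left, middle and right redzones. The shadow row is copied from the "=>" line above, placed at frame offset 0; the per-byte walk is my own simplification of the instrumented check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Shadow bytes of the frame from the report, one byte per 8 stack bytes,
   starting at frame offset 0 (constructed from the "=>" row). */
static const uint8_t frame_shadow[] = {
    0xf1, 0xf1, 0xf1, 0xf1, 0xf1, 0xf1, /* [0,48)  left redzone            */
    0x04,                               /* [48,56) 'a': 4 bytes addressable */
    0xf2,                               /* [56,64) middle redzone          */
    0x00,                               /* [64,72) 'b': fully addressable  */
    0xf3, 0xf3, 0xf3                    /* [72,96) right redzone           */
};

/* Frame offsets of the two objects, as listed in the report. */
enum { A_OFF = 48, B_OFF = 64 };

/* True if ASan would report an access of `size` bytes at frame offset `off`.
   Checked byte by byte: k == 0 -> addressable; 1..7 -> only bytes whose
   position inside the 8-byte granule is < k; anything else -> poisoned. */
bool asan_would_report(size_t off, size_t size) {
    for (size_t i = 0; i < size; i++) {
        size_t byte = off + i;
        size_t granule = byte >> 3;
        if (granule >= sizeof frame_shadow) return true; /* past the frame */
        uint8_t k = frame_shadow[granule];
        if (k == 0) continue;
        if (k < 8 && (byte & 7) < k) continue;
        return true;
    }
    return false;
}

/* Frame offset of a[idx] for the test case's `int a[1]`. */
size_t a_index_offset(int idx) { return A_OFF + (size_t)idx * sizeof(int); }

int main(void) {
    int idx[] = {0, 1, 4, 6};
    for (size_t i = 0; i < sizeof idx / sizeof idx[0]; i++) {
        size_t off = a_index_offset(idx[i]);
        printf("a[%d] -> frame offset %zu: %s\n", idx[i], off,
               asan_would_report(off, sizeof(int)) ? "REPORTED" : "silent");
    }
    return 0;
}
```

a[4] lands at offset 64, inside 'b', so the shadow byte is 00 and nothing is reported; a[6] lands at offset 72 in the f3 right redzone, which is the report above.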

[Bug sanitizer/107696] GCC trunk misses a stack-buffer-overflow

2022-11-15 Thread shaohua.li at inf dot ethz.ch via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107696

--- Comment #2 from Li Shaohua  ---
(In reply to Martin Liška from comment #1)
> > int i;
> > int a[1];
> > for (; i < 1;){ 
> 
> This depends on the uninitialized value of 'i', which is:
> 
> (gdb) p i
> $1 = 32767
> 
> if I run it with -O0 on my local machine. You can try
> -ftrivial-auto-var-init=zero.

Sorry, I over-reduced the test. For the following new test, I can still observe
the inconsistent results across optimization levels:

Compiler explorer: https://godbolt.org/z/b7x9zx5Ej
% cat a.c
int main() {
    int b[2];
    int a[1];
    int i;
    for (i = 0; i < 1; i++)
        i = i + 3;      /* body runs once and leaves i == 4 */
    a[i] = 1;           /* a[4]: out-of-bounds write past int a[1] */
}
%

[Bug sanitizer/107696] GCC trunk misses a stack-buffer-overflow

2022-11-15 Thread marxin at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107696

Martin Liška  changed:

   What|Removed |Added

 Status|UNCONFIRMED |RESOLVED
 Resolution|--- |INVALID

--- Comment #1 from Martin Liška  ---
> int i;
> int a[1];
> for (; i < 1;){ 

This depends on the uninitialized value of 'i', which is:

(gdb) p i
$1 = 32767

if I run it with -O0 on my local machine. You can try
-ftrivial-auto-var-init=zero.