https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61293
Bug ID: 61293
Summary: asan can not find left buffer overflow of new[]-allocated buffer, frontend help needed
Product: gcc
Version: 4.10.0
Status: UNCONFIRMED
Severity: enhancement
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: kcc at gcc dot gnu.org
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org, jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, timurrrr at google dot com
asan does not detect the following case:
TypeWithDtor *a = new TypeWithDtor[N];
a[-1] = ...
https://code.google.com/p/address-sanitizer/issues/detail?id=314
That's because when we have new[] for a type with DTORs,
the actual allocated size is greater.
The code looks something like this:
extra = max(sizeof(long), alignment_of(TypeWithDtor));
ptr = malloc(N + extra);
*(long*)(ptr+extra-sizeof(long)) = N;
return ptr + extra; // must be properly aligned for TypeWithDtor
As a result, we will not detect overwrites of the new[] cookie -- scary!
I don't see how we can implement this w/o help from FE.
First, we need to ensure alignment 8 even on 32-bit:
extra = max(8, alignment_of(TypeWithDtor));
Second, we need to poison the first extra bytes.
Lastly, we need to not instrument the legitimate loads/stores of the cookie
generated by the frontend.
All of this has to be done with help from the FE.
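Added example (not code from the bug report or from GCC): a small C model of the new[] cookie layout sketched above, with a toy byte-granular shadow map standing in for asan's poisoning. It assumes the cookie is a size_t stored in the last sizeof(size_t) bytes of the "extra" prefix and that all pointers come from the model's own arena; it shows that once the prefix is poisoned, the a[-1] store is flagged while the frontend's own cookie read still works.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ARENA_SIZE 4096
static _Alignas(16) unsigned char arena[ARENA_SIZE]; /* model heap (constructed) */
static unsigned char shadow[ARENA_SIZE];             /* 1 = byte is poisoned */
static size_t arena_used;

/* new[]-style allocation: prefix of at least 8 bytes (first point), whose
 * bytes are poisoned (second point). The cookie store is a legitimate
 * frontend-generated access (third point), so it bypasses the check. */
static void *cookie_new(size_t n, size_t elem_size, size_t align) {
    size_t extra = align > 8 ? align : 8;
    size_t total = n * elem_size + extra;
    if (arena_used + total > ARENA_SIZE) return NULL;
    unsigned char *base = arena + arena_used;
    arena_used += (total + 15) & ~(size_t)15;   /* keep next block 16-aligned */
    memset(shadow + (base - arena), 1, extra);  /* poison the whole prefix */
    memcpy(base + extra - sizeof(size_t), &n, sizeof n);
    return base + extra;
}

/* Instrumented user store, as asan would wrap it. Returns 1 if any target
 * byte is poisoned (the write would be reported), 0 if it went through. */
static int checked_store(void *p, const void *src, size_t len) {
    size_t off = (size_t)((unsigned char *)p - arena);  /* arena pointers only */
    for (size_t i = 0; i < len; i++)
        if (shadow[off + i]) return 1;
    memcpy(p, src, len);
    return 0;
}

/* Uninstrumented cookie read, as the frontend emits before the dtor loop. */
static size_t cookie_count(const void *p) {
    size_t n;
    memcpy(&n, (const unsigned char *)p - sizeof(size_t), sizeof n);
    return n;
}

/* Five 4-byte elements: a[-1] lands inside the poisoned prefix and is caught,
 * an in-bounds store is not, and the cookie still reads back as 5. */
int demo(void) {
    uint32_t *a = cookie_new(5, sizeof(uint32_t), 4);
    uint32_t v = 0x41414141u;
    int caught = checked_store(a - 1, &v, sizeof v);   /* the a[-1] write */
    int in_bounds_ok = checked_store(a, &v, sizeof v) == 0;
    return a != NULL && caught && in_bounds_ok && cookie_count(a) == 5;
}
```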