https://gcc.gnu.org/bugzilla/show_bug.cgi?id=72765
Bug ID: 72765
Summary: Dynamic stack buffer overflow in GCC driver with -save-temps switch.
Product: gcc
Version: 7.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: driver
Assignee: unassigned at gcc dot gnu.org
Reporter: m.ostapenko at samsung dot com
Target Milestone: ---
Host: x86_64-pc-linux-gnu
Target: x86_64-pc-linux-gnu
Build: x86_64-pc-linux-gnu

When testing experimental allocas and VLAs handling in AddressSanitizer, I've got such an error during GCC's "make check":

max@max:~/build/master$ /home/max/build/master/gcc/testsuite/g++/../../xg++ -B/home/max/build/master/gcc/testsuite/g++/../../ /home/max/workspace/downloads/gcc/gcc/testsuite/c-c++-common/cilk-plus/CK/pr69826-2.c -fno-diagnostics-show-caret -fdiagnostics-color=never -nostdinc++ -I/home/max/build/master/x86_64-unknown-linux-gnu/libstdc++-v3/include/x86_64-unknown-linux-gnu -I/home/max/build/master/x86_64-unknown-linux-gnu/libstdc++-v3/include -I/home/max/workspace/downloads/gcc/libstdc++-v3/libsupc++ -I/home/max/workspace/downloads/gcc/libstdc++-v3/include/backward -I/home/max/workspace/downloads/gcc/libstdc++-v3/testsuite/util -fmessage-length=0 -g -O2 -fcilkplus -save-temps -B/home/max/build/master/x86_64-unknown-linux-gnu/./libcilkrts/ -L/home/max/build/master/x86_64-unknown-linux-gnu/./libcilkrts/.libs -L/home/max/build/master/x86_64-unknown-linux-gnu/./libstdc++-v3/src/.libs -B/home/max/build/master/x86_64-unknown-linux-gnu/./libstdc++-v3/src/.libs -L/home/max/build/master/x86_64-unknown-linux-gnu/./libstdc++-v3/src/.libs -B/home/max/build/master/x86_64-unknown-linux-gnu/./libitm/ -L/home/max/build/master/x86_64-unknown-linux-gnu/./libitm/.libs -lm -o ./pr69826-2.exe

=================================================================
==32062==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffc9059d2cc at pc 0x00000044fc2c bp 0x7ffc9059d250 sp 0x7ffc9059ca00
READ of size 13 at 0x7ffc9059d2cc thread T0
    #0 0x44fc2b in __interceptor_memcpy /home/max/workspace/downloads/gcc/libsanitizer/asan/asan_interceptors.cc:436
    #1 0x4e1397 in save_string /home/max/workspace/downloads/gcc/gcc/gcc.c:8368
    #2 0x4f3027 in do_spec_1 /home/max/workspace/downloads/gcc/gcc/gcc.c:5423
    #3 0x4f60f4 in process_brace_body /home/max/workspace/downloads/gcc/gcc/gcc.c:6431
    #4 0x4f60f4 in handle_braces /home/max/workspace/downloads/gcc/gcc/gcc.c:6345
    #5 0x4f2eb7 in do_spec_1 /home/max/workspace/downloads/gcc/gcc/gcc.c:5802
    #6 0x4f60f4 in process_brace_body /home/max/workspace/downloads/gcc/gcc/gcc.c:6431
    #7 0x4f60f4 in handle_braces /home/max/workspace/downloads/gcc/gcc/gcc.c:6345
    #8 0x4f2eb7 in do_spec_1 /home/max/workspace/downloads/gcc/gcc/gcc.c:5802
    #9 0x4f1a91 in do_spec_1 /home/max/workspace/downloads/gcc/gcc/gcc.c:5917
    #10 0x4f60f4 in process_brace_body /home/max/workspace/downloads/gcc/gcc/gcc.c:6431
    #11 0x4f60f4 in handle_braces /home/max/workspace/downloads/gcc/gcc/gcc.c:6345
    #12 0x4f2eb7 in do_spec_1 /home/max/workspace/downloads/gcc/gcc/gcc.c:5802
    #13 0x4f60f4 in process_brace_body /home/max/workspace/downloads/gcc/gcc/gcc.c:6431
    #14 0x4f60f4 in handle_braces /home/max/workspace/downloads/gcc/gcc/gcc.c:6345
    #15 0x4f2eb7 in do_spec_1 /home/max/workspace/downloads/gcc/gcc/gcc.c:5802
    #16 0x4f60f4 in process_brace_body /home/max/workspace/downloads/gcc/gcc/gcc.c:6431
    #17 0x4f60f4 in handle_braces /home/max/workspace/downloads/gcc/gcc/gcc.c:6345
    #18 0x4f2eb7 in do_spec_1 /home/max/workspace/downloads/gcc/gcc/gcc.c:5802
    #19 0x4f60f4 in process_brace_body /home/max/workspace/downloads/gcc/gcc/gcc.c:6431
    #20 0x4f60f4 in handle_braces /home/max/workspace/downloads/gcc/gcc/gcc.c:6345
    #21 0x4f2eb7 in do_spec_1 /home/max/workspace/downloads/gcc/gcc/gcc.c:5802
    #22 0x4f474b in do_spec_2 /home/max/workspace/downloads/gcc/gcc/gcc.c:4841
    #23 0x4f719e in do_spec(char const*) /home/max/workspace/downloads/gcc/gcc/gcc.c:4808
    #24 0x4f74fe in driver::do_spec_on_infiles() const /home/max/workspace/downloads/gcc/gcc/gcc.c:8076
    #25 0x406e59 in driver::main(int, char**) /home/max/workspace/downloads/gcc/gcc/gcc.c:7216
    #26 0x407747 in main /home/max/workspace/downloads/gcc/gcc/gcc-main.c:46
    #27 0x7f1513415ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #28 0x408509 (/home/max/build/master/gcc/xg+++0x408509)

Address 0x7ffc9059d2cc is located in stack of thread T0
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow /home/max/workspace/downloads/gcc/libsanitizer/asan/asan_interceptors.cc:436 in __interceptor_memcpy
Shadow bytes around the buggy address:
  0x1000120aba00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000120aba10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000120aba20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000120aba30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000120aba40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000120aba50: 00 00 00 00 ca ca ca ca 00[04]cb cb cb cb cb cb
  0x1000120aba60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000120aba70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000120aba80: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x1000120aba90: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 00
  0x1000120abaa0: 00 00 00 00 00 00 00 00 00 00 f4 f4 f3 f3 f3 f3
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32062==ABORTING

Looking at the corresponding code:

static char *
save_string (const char *s, int len)
{
  char *result = XNEWVEC (char, len + 1);

  memcpy (result, s, len);
  result[len] = 0;
  return result;
}

Here:

s == "pr69826-2.s"
strlen (s) == 11
len == 13

Thus, we have an overflow on s in memcpy (we have only 12 valid bytes). Not sure this is a serious problem, but sounds like a small bug.
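As an added example (not from the report or the GCC sources): a bounded counterpart of the driver's save_string that clamps the copy at the string terminator, plus a check that flags a caller-supplied len running past it, as len == 13 does for "pr69826-2.s" here. The function names and the out_len parameter are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>
/* Length of s capped at max bytes: never reads past a shorter string (no POSIX strnlen needed). */
static size_t
bounded_len (const char *s, size_t max)
{
  size_t n = 0;
  while (n < max && s[n] != '\0')
    n++;
  return n;
}

/* 1 if copying exactly len bytes of s stays inside the string, 0 if len runs
   past the terminator (the report: len 13 on the 11-char "pr69826-2.s"). */
static int
len_is_safe (const char *s, int len)
{
  if (s == NULL || len < 0)
    return 0;
  return bounded_len (s, (size_t) len) == (size_t) len;
}

/* Bounded counterpart of the driver's save_string: a too-large len is clamped
   to the real length instead of becoming an over-read; *out_len gets it. */
static char *
save_string_bounded (const char *s, int len, size_t *out_len)
{
  if (s == NULL || len < 0)
    return NULL;
  size_t n = bounded_len (s, (size_t) len);
  char *result = malloc (n + 1);
  if (result == NULL)
    return NULL;
  memcpy (result, s, n);
  result[n] = '\0';
  if (out_len)
    *out_len = n;
  return result;
}

/* The report's inputs through the bounded version: returns the length actually
   saved for the 13-byte request (11 for a correct copy), or -1 on failure. */
static int
report_case_saved_len (void)
{
  size_t n = 0;
  char *p = save_string_bounded ("pr69826-2.s", 13, &n);
  int ok = p != NULL && strcmp (p, "pr69826-2.s") == 0;
  free (p);
  return ok ? (int) n : -1;
}
```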