https://gcc.gnu.org/bugzilla/show_bug.cgi?id=80798
Bug ID: 80798
Summary: Dynamic stack buffer (alloca) overflow in ObjC
compiler.
Product: gcc
Version: 8.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: objc
Assignee: unassigned at gcc dot gnu.org
Reporter: m.ostapenko at samsung dot com
Target Milestone: ---
Host: x86_64-pc-linux-gnu
Target: x86_64-pc-linux-gnu
Build: x86_64-pc-linux-gnu
Not sure anybody interested, but while testing a patch for ASan alloca/VLA
instrumentation, I encountered the following report:
$ /home/max/build/master/gcc/xgcc -B/home/max/build/master/gcc/
/home/max/workspace/downloads/gcc/gcc/testsuite/objc.dg/property/synthesize-8.m
-fno-diagnostics-show-caret -fdiagnostics-color=never -fgnu-runtime
-I/home/max/workspace/downloads/gcc/gcc/testsuite/../../libobjc
-B/home/max/build/master/x86_64-unknown-linux-gnu/./libobjc/.libs
-L/home/max/build/master/x86_64-unknown-linux-gnu/./libobjc/.libs -S -o
synthesize-8.s
=================================================================
==18068==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address
0x7fff1efd5085 at pc 0x000000688a0c bp 0x7fff1efd5050 sp 0x7fff1efd4800
WRITE of size 6 at 0x7fff1efd5085 thread T0
#0 0x688a0b in __interceptor_strcpy
/home/max/workspace/downloads/gcc/libsanitizer/asan/asan_interceptors.cc:546
#1 0x779b70 in finish_class
/home/max/workspace/downloads/gcc/gcc/objc/objc-act.c:8000
#2 0x77d26f in objc_finish_interface()
/home/max/workspace/downloads/gcc/gcc/objc/objc-act.c:648
#3 0x9af768 in c_parser_translation_unit
/home/max/workspace/downloads/gcc/gcc/c/c-parser.c:1349
#4 0x9af768 in c_parse_file()
/home/max/workspace/downloads/gcc/gcc/c/c-parser.c:18103
#5 0xaaece4 in c_common_parse_file()
/home/max/workspace/downloads/gcc/gcc/c-family/c-opts.c:1107
#6 0x19dcecb in compile_file
/home/max/workspace/downloads/gcc/gcc/toplev.c:467
#7 0x63a6da in do_compile
/home/max/workspace/downloads/gcc/gcc/toplev.c:2003
#8 0x63a6da in toplev::main(int, char**)
/home/max/workspace/downloads/gcc/gcc/toplev.c:2137
#9 0x644784 in main /home/max/workspace/downloads/gcc/gcc/main.c:39
#10 0x7f6cdadd0f44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#11 0x64591d (/home/max/build/master/gcc/cc1obj+0x64591d)
Address 0x7fff1efd5085 is located in stack of thread T0
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow
/home/max/workspace/downloads/gcc/libsanitizer/asan/asan_interceptors.cc:546 in
__interceptor_strcpy
Shadow bytes around the buggy address:
0x100063df29c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100063df29d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100063df29e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100063df29f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100063df2a00: 00 00 00 00 00 00 00 00 00 00 00 00 ca ca ca ca
=>0x100063df2a10:[05]cb cb cb cb cb cb cb 00 00 00 00 00 00 00 00
0x100063df2a20: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x100063df2a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f2
0x100063df2a40: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x100063df2a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
0x100063df2a60: f1 f1 f8 f8 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Looking to corresponding code:
size_t length = strlen (full_setter_name);
char *setter_name = (char *) alloca (length);
tree ret_type, selector, arg_type, arg_name;
strcpy (setter_name, full_setter_name); // BOOM
It seems that author just forgot about terminating '\0', so the fix is trivial.
