https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97490
Bug ID: 97490
Summary: [10/11 Regression] false-positive -Wstringop-overflow= with address sanitizer
Product: gcc
Version: 10.2.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: arnd at linaro dot org
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org, jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
Target Milestone: ---

Building the Linux kernel with gcc-10.1 or higher shows a couple of warnings in one file:

drivers/net/wireless/ath/ath9k/dynack.c:209:14: warning: writing 4 bytes into a region of size 0 [-Wstringop-overflow=]

I manually created a reduced test case:

typedef unsigned int u32;
typedef unsigned short u16;
typedef unsigned char u8;
typedef _Bool bool;

static inline void _ether_addr_copy(u8 *dst, const u8 *src)
{
	*(u32 *)dst = *(const u32 *)src;
	*(u16 *)(dst + 4) = *(const u16 *)(src + 4);
}

struct _ieee80211_hdr {
	u8 addr1[6];
};

struct _haddr_pair {
	u8 h_dest[6];
};

struct _ath_dyn_txbuf {
	u16 t_rb;
	struct _haddr_pair addr[64];
};

struct _ath_dynack {
	bool enabled;
	struct _ath_dyn_txbuf st_rbf;
};

struct _ath_hw {
	int reg_ops;
	struct _ath_dynack dynack;
};

void _ath_dynack_sample_tx_ts(struct _ath_hw *ah, struct _ieee80211_hdr *hdr)
{
	struct _ath_dynack *da = &ah->dynack;
	struct _haddr_pair *addr;

	if (!da->enabled)
		return;

	addr = &da->st_rbf.addr[da->st_rbf.t_rb];
	_ether_addr_copy(addr->h_dest, hdr->addr1);
}

$ gcc-10 -O2 -Wall -fsanitize=kernel-address -c dynack.c
test.c: In function '_ath_dynack_sample_tx_ts':
test.c:8:21: warning: writing 4 bytes into a region of size 0 [-Wstringop-overflow=]
    8 |         *(u32 *)dst = *(const u32 *)src;
      |         ~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~
test.c:26:14: note: at offset 0 to object 'enabled' with size 1 declared here
   26 |         bool enabled;
      |              ^~~~~~~
test.c:9:27: warning: writing 2 bytes into a region of size 0 [-Wstringop-overflow=]
    9 |         *(u16 *)(dst + 4) = *(const u16 *)(src + 4);
      |         ~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~
test.c:26:14: note: at offset 0 to object 'enabled' with size 1 declared here
   26 |         bool enabled;
      |              ^~~~~~~

See also https://godbolt.org/z/K5jcM8

I checked locally that this happens on all target architectures I tried, but not with gcc-9. The code in the kernel only produces a warning on architectures that are assumed to allow unaligned load/store instructions, otherwise a different ether_addr_copy() function is used.
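The following is an added example, not part of the bug report or the kernel's own code: it rebuilds the reduced test case with a memcpy-based copy (modelled on the non-unaligned ether_addr_copy() variant the report mentions, an assumption) and makes the ring index t_rb, which the reduced case indexes addr[] with unchecked, explicitly range-checked. Names such as sample_tx_addr, run_sample and DYN_RB_SIZE are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define ETH_ALEN 6
#define DYN_RB_SIZE 64 /* the 64-entry addr[] from the reduced test case */

struct haddr_pair { uint8_t h_dest[ETH_ALEN]; };

struct ath_dyn_txbuf {
    uint16_t t_rb;                       /* ring index, unchecked in the report */
    struct haddr_pair addr[DYN_RB_SIZE];
};

struct ath_dynack {
    bool enabled;
    struct ath_dyn_txbuf st_rbf;
};

/* Copy through memcpy instead of u32/u16 type-punned stores: no unaligned
 * access and nothing for -Wstringop-overflow to attribute to 'enabled'.
 * (Assumption: modelled on the non-unaligned variant the report mentions.) */
static inline void ether_addr_copy_safe(uint8_t *dst, const uint8_t *src)
{
    memcpy(dst, src, ETH_ALEN);
}

/* Store hdr_addr1 in the current ring slot and advance the index.
 * Returns the slot written, or -1 if disabled or if t_rb is out of range. */
int sample_tx_addr(struct ath_dynack *da, const uint8_t hdr_addr1[ETH_ALEN])
{
    if (!da->enabled || da->st_rbf.t_rb >= DYN_RB_SIZE)
        return -1;
    int slot = da->st_rbf.t_rb;
    ether_addr_copy_safe(da->st_rbf.addr[slot].h_dest, hdr_addr1);
    da->st_rbf.t_rb = (uint16_t)((slot + 1) % DYN_RB_SIZE); /* wrap: assumption */
    return slot;
}

/* Self-check: one sample from slot `start`; returns the slot written,
 * -1 if refused, -2 if the six bytes did not round-trip. */
int run_sample(uint16_t start, bool enabled)
{
    struct ath_dynack da = { .enabled = enabled, .st_rbf = { .t_rb = start } };
    const uint8_t mac[ETH_ALEN] = { 0x02, 0x00, 0x5e, 0x10, 0x20, 0x30 }; /* constructed */
    int slot = sample_tx_addr(&da, mac);
    if (slot < 0)
        return slot;
    return memcmp(da.st_rbf.addr[slot].h_dest, mac, ETH_ALEN) == 0 ? slot : -2;
}
```

Compiling this with the report's flags (-O2 -Wall -fsanitize=kernel-address) is the quickest way to confirm whether the warning is tied to the type-punned stores rather than to the surrounding structure layout.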