https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106368

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |INVALID

--- Comment #1 from Martin Liška <marxin at gcc dot gnu.org> ---
ASAN can't detect that because of the following addresses and sizes:

gcc pr106368.c && ./a.out
&f=0x404030
g+1=0x404044
sizeof(f)=24

Thus g + 1 seems fine to ASAN. On the other hand *(g+2) does:

=================================================================
==18451==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000040421c at pc 0x000000401274 bp 0x7fffffffdab0 sp 0x7fffffffdaa8
READ of size 8 at 0x00000040421c thread T0
    #0 0x401273 in main (/home/marxin/Programming/testcases/a.out+0x401273)
    #1 0x7ffff74405af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #2 0x7ffff7440678 in __libc_start_main_impl ../csu/libc-start.c:392
    #3 0x4010c4 in _start (/home/marxin/Programming/testcases/a.out+0x4010c4)

0x00000040421c is located 4 bytes to the right of global variable 'f' defined in 'pr106368.c:11:10' (0x404200) of size 24
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/marxin/Programming/testcases/a.out+0x401273) in main
Shadow bytes around the buggy address:
  0x0000800787f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080078800: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x000080078810: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080078820: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080078830: f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
=>0x000080078840: 00 00 00[f9]f9 f9 f9 f9 00 00 00 00 00 00 00 00

Btw. UBSAN detects the misaligned address for *(g+1):

pr106368.c:17:22: runtime error: load of misaligned address 0x000000404154 for type 'long int', which requires 8 byte alignment
0x000000404154: note: pointer points here
  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

Note clang also can't detect that. Thus I tend to close it as invalid.
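To make the "addresses and sizes" argument concrete, here is an added example (not part of the bug report or of GCC) that models ASAN's shadow-byte check with the numbers printed in the first run: f at 0x404030 of size 24, and the 8-byte load at g+1 = 0x404044. It assumes the standard 8-byte shadow granule and the fast-path instrumentation for accesses of at most 8 bytes, which only consults the shadow byte of the granule containing the first byte of the access; the offset of g inside f is derived from those printed addresses, not from pr106368.c.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Addresses and size printed in the first run above. */
#define F_ADDR  0x404030UL
#define F_SIZE  24UL
#define G1_ADDR 0x404044UL          /* g+1 */
#define G2_ADDR (G1_ADDR + 8UL)     /* g+2, one 'long' further on */
#define REDZONE 0xf9                /* global-redzone marker from the shadow dump */
#define NGRANULES 16
/* Constructed model of ASAN shadow memory: one byte per 8-byte granule,
   0 = all 8 bytes addressable, 1..7 = only that many leading bytes, else poisoned. */
static uint8_t shadow[NGRANULES];
static bool shadow_ready;

static void build_shadow(void) {
    memset(shadow, REDZONE, sizeof shadow);   /* everything is redzone ... */
    for (unsigned long a = F_ADDR; a < F_ADDR + F_SIZE; a += 8) {
        unsigned long left = F_ADDR + F_SIZE - a;   /* ... except f's granules */
        shadow[(a - F_ADDR) >> 3] = left >= 8 ? 0 : (uint8_t)left;
    }
    shadow_ready = true;
}

/* The fast-path check ASAN emits for an n-byte access (n <= 8): only the shadow
   byte of the granule holding the FIRST byte is consulted, so an unaligned
   access that spills into the next (poisoned) granule goes unnoticed. */
static bool asan_reports(unsigned long addr, unsigned n) {
    if (!shadow_ready) build_shadow();
    if (addr < F_ADDR || addr >= F_ADDR + 8UL * NGRANULES) return true;
    uint8_t k = shadow[(addr - F_ADDR) >> 3];
    if (k == 0) return false;
    if (k < 8) return (addr & 7) + n - 1 >= k;
    return true;
}

/* What a byte-precise bounds check says about the same access. */
static bool overflows_f(unsigned long addr, unsigned n) { return addr < F_ADDR || addr + n > F_ADDR + F_SIZE; }

/* The condition UBSAN's alignment check reports for an 8-byte 'long' load. */
static bool misaligned(unsigned long addr, unsigned align) { return addr % align != 0; }

int main(void) {
    printf("*(g+1): asan=%d precise=%d misaligned=%d\n", asan_reports(G1_ADDR, 8),
           overflows_f(G1_ADDR, 8), misaligned(G1_ADDR, 8));
    printf("*(g+2): asan=%d precise=%d\n", asan_reports(G2_ADDR, 8), overflows_f(G2_ADDR, 8));
    return 0;
}
```

The model reproduces the comment: the load at g+1 starts in a fully addressable granule of f and is not reported even though it reads 4 bytes past f, while g+2 starts in the redzone and is.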
