[Bug sanitizer/107258] ASAN at -O1 failed to detect a stack-under-flow

Fri, 14 Oct 2022 02:04:17 -0700 

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107258

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #1 from Martin Liška <marxin at gcc dot gnu.org> ---
Well, it's a stack underflow and it depends how are the variables placed in the
stack frame:

setting a = -1 is caught also in -O1:

==3723==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fffffffd5dc at pc 0x000000401404 bp 0x7fffffffd580 sp 0x7fffffffd578
READ of size 4 at 0x7fffffffd5dc thread T0
    #0 0x401403 in main (/home/marxin/Programming/testcases/a.out+0x401403)
    #1 0x7ffff762c5af in __libc_start_call_main (/lib64/libc.so.6+0x275af)
    #2 0x7ffff762c678 in __libc_start_main_impl (/lib64/libc.so.6+0x27678)
    #3 0x4010e4 in _start ../sysdeps/x86_64/start.S:115

Address 0x7fffffffd5dc is located in stack of thread T0 at offset 76 in frame
    #0 0x4012ab in main (/home/marxin/Programming/testcases/a.out+0x4012ab)

  This frame has 2 object(s):
    [48, 64) 'g' (line 13)
    [80, 120) 'b' (line 3) <== Memory access at offset 76 underflows this
variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
(/home/marxin/Programming/testcases/a.out+0x401403) in main
Shadow bytes around the buggy address:
  0x10007fff7a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7a90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007fff7ab0: 00 00 f1 f1 f1 f1 f1 f1 00 00 f2[f2]00 00 00 00
  0x10007fff7ac0: 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
  0x10007fff7ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):

As seen using a == -5 causes we load variable 'g'. That's the risk of bigger
overflows and they can happen.

Reply via email to