https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109198
Bug ID: 109198
Summary: ASAN False-positive stack-buffer-overflow on pthread_join with a static buffer over 256 bytes
Product: gcc
Version: 12.2.1
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
Assignee: unassigned at gcc dot gnu.org
Reporter: dimitri at ouroboros dot rocks
Target Milestone: ---

Created attachment 54706
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54706&action=edit
reproducer

The GCC address sanitizer reports a stack-buffer-overflow on pthread_join when the cancelled thread has a statically allocated buffer that exceeds 256 bytes. I have not found run-time flags or compiler options for fsanitize that prevent this, so if this is some setting that I missed, I apologize. The clang address sanitizer does not report this stack-buffer-overflow.

The following code would trigger the stack-buffer-overflow when joined:

    static void * thr1(void * o)
    {
            char buf[257];

            (void) o;
            (void) buf;

            while(1)
                    sleep(5);

            return (void *) 0;
    }

A minimal reproducer is attached.
Compiling and running the attached example with gcc 12.2.1 yields:

    $ gcc -fsanitize=address -lpthread -o tpj test_pthread_join.c
    $ ./tpj
    Created threads
    Cancelled thr1
    Reaped thr1
    Cancelled thr2
    =================================================================
    ==17054==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ff8c21fde11 at pc 0x7ff8c4a5a3cb bp 0x7ff8c21fddd0 sp 0x7ff8c21fd588
    WRITE of size 24 at 0x7ff8c21fde11 thread T-1
        #0 0x7ff8c4a5a3ca in __interceptor_sigaltstack /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:10168
        #1 0x7ff8c4adfe89 in __sanitizer::UnsetAlternateSignalStack() /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_posix_libcdep.cpp:189
        #2 0x7ff8c4aceb95 in __asan::AsanThread::Destroy() /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_thread.cpp:110
        #3 0x7ff8c489bd60 (/usr/lib/libc.so.6+0x82d60)
        #4 0x7ff8c489ea3d (/usr/lib/libc.so.6+0x85a3d)
        #5 0x7ff8c4920d8f (/usr/lib/libc.so.6+0x107d8f)

    Address 0x7ff8c21fde11 is a wild pointer inside of access range of size 0x000000000018.
    SUMMARY: AddressSanitizer: stack-buffer-overflow /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:10168 in __interceptor_sigaltstack
    Shadow bytes around the buggy address:
      0x0fff98437b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fff98437b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fff98437b90: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
      0x0fff98437ba0: f1 f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fff98437bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0fff98437bc0: 00 00[01]f3 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00
      0x0fff98437bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fff98437be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fff98437bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fff98437c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fff98437c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==17054==ABORTING

Kind regards,
Dimitri
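The report names the two ingredients of the false positive (a cancelled thread and a stack buffer larger than 256 bytes) but only shows the thread body. The following program is an added example, not the attached test_pthread_join.c and not GCC's own code: it runs the same cancel-then-join cycle once with a 256-byte buffer and once with a 257-byte buffer, the two sizes the report distinguishes, and returns a status per step so a failure in pthread_create, pthread_cancel, pthread_join, or the observed exit status can be told apart. The worker names, the volatile store that keeps the array alive, and the step-numbered return codes are this example's own choices. Without the sanitizer it only checks that the cancel/join cycle completes cleanly; whether AddressSanitizer flags the 257-byte variant is the behaviour the report describes for gcc 12.2.1, not something this code asserts.

```c
#include <pthread.h>
#include <stdio.h>
#include <unistd.h>

/* Two workers that differ only in the size of their stack buffer, mirroring
 * the report: 256 bytes (the largest size the reporter says stays quiet) and
 * 257 bytes (the size the reporter says triggers the spurious report under
 * -fsanitize=address). sleep() is a cancellation point, so a deferred
 * pthread_cancel takes effect there and the thread is unwound; it never
 * returns normally. The volatile store keeps the array materialised even
 * when optimising. */
static void *worker_256(void *arg)
{
    volatile char buf[256];

    (void) arg;
    buf[sizeof buf - 1] = 0;
    for (;;)
        sleep(5);
    return NULL;
}

static void *worker_257(void *arg)
{
    volatile char buf[257];

    (void) arg;
    buf[sizeof buf - 1] = 0;
    for (;;)
        sleep(5);
    return NULL;
}

/* Create a thread running fn, request its cancellation, join it and check
 * that the join observed PTHREAD_CANCELED. Returns 0 on success or a
 * negative step number identifying the first call that failed. A pending
 * cancellation request is honoured at the worker's first cancellation point
 * even if the cancel arrives before the thread has started running. */
static int cancel_and_join(void *(*fn)(void *))
{
    pthread_t t;
    void *ret = NULL;

    if (pthread_create(&t, NULL, fn, NULL) != 0)
        return -1;
    if (pthread_cancel(t) != 0)
        return -2;
    if (pthread_join(t, &ret) != 0)
        return -3;
    return ret == PTHREAD_CANCELED ? 0 : -4;
}

/* Run both variants; returns 0 when both cancel/join cycles complete. */
static int run_reproducer(void)
{
    int small = cancel_and_join(worker_256);
    int large = cancel_and_join(worker_257);

    printf("256-byte buffer: %d, 257-byte buffer: %d\n", small, large);
    return (small == 0 && large == 0) ? 0 : -1;
}

int main(void)
{
    return run_reproducer() == 0 ? 0 : 1;
}
```

To reproduce the sanitizer behaviour from the report, build it the way the reporter did (gcc -fsanitize=address -lpthread) and compare against a build without -fsanitize=address; the per-step return codes make it clear that the program's own thread handling succeeds in both builds and that any report comes from the sanitizer's thread-teardown path shown in the stack trace above.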