https://gcc.gnu.org/bugzilla/show_bug.cgi?id=120658

Eric Botcazou <ebotcazou at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
                 CC|                            |ebotcazou at gcc dot gnu.org
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #3 from Eric Botcazou <ebotcazou at gcc dot gnu.org> ---
Compiling with -fsanitize=address -g yields:

TO_BASE( (uint)x1i, 10 )    : 4287654321 
=================================================================
==11341==ERROR: AddressSanitizer: stack-use-after-scope on address
0x7fca89d000d6 at pc 0x7fca8be9ef7c bp 0x7ffeeb477d40 sp 0x7ffeeb477500
READ of size 11 at 0x7fca89d000d6 thread T0
    #0 0x7fca8be9ef7b  (/usr/lib64/libasan.so.8+0x9ef7b) (BuildId:
4ee117fa2a132af1da9f17a0a5fe1f888398d50f)
    #1 0x7fca8becac3a in vprintf (/usr/lib64/libasan.so.8+0xcac3a) (BuildId:
4ee117fa2a132af1da9f17a0a5fe1f888398d50f)
    #2 0x7fca8becc82e in printf (/usr/lib64/libasan.so.8+0xcc82e) (BuildId:
4ee117fa2a132af1da9f17a0a5fe1f888398d50f)
    #3 0x401198 in main /home/eric/bin_dec_conversion.c:159
    #4 0x7fca8ba40e6b in __libc_start_call_main (/lib64/libc.so.6+0x40e6b)
(BuildId: 8cd6cc55dddb025d49c90d45e7ace66d04f55c4a)
    #5 0x7fca8ba40f34 in __libc_start_main_alias_1 (/lib64/libc.so.6+0x40f34)
(BuildId: 8cd6cc55dddb025d49c90d45e7ace66d04f55c4a)
    #6 0x400ac0 in _start ../sysdeps/x86_64/start.S:115

Address 0x7fca89d000d6 is located in stack of thread T0 at offset 214 in frame
    #0 0x400ccc in main /home/eric/bin_dec_conversion.c:140

  This frame has 11 object(s):
    [32, 36) 'x1i' (line 142)
    [48, 56) 'start1' (line 141)
    [80, 88) 'end1' (line 141)
    [112, 145) '<unknown>'
    [192, 225) '<unknown>' <== Memory access at offset 214 is inside this
variable
    [272, 305) '<unknown>'
    [352, 385) '<unknown>'
    [432, 465) '<unknown>'
    [512, 545) '<unknown>'
    [592, 848) 'chbuf256' (line 144)
    [912, 1169) 'chbuf257' (line 146)
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope
(/usr/lib64/libasan.so.8+0x9ef7b) (BuildId:
4ee117fa2a132af1da9f17a0a5fe1f888398d50f) 
Shadow bytes around the buggy address:
  0x7fca89cffe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7fca89cffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7fca89cfff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7fca89cfff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7fca89d00000: f1 f1 f1 f1 04 f2 00 f2 f2 f2 00 f2 f2 f2 00 00
=>0x7fca89d00080: 00 00 01 f2 f2 f2 f2 f2 f8 f8[f8]f8 f8 f2 f2 f2
  0x7fca89d00100: f2 f2 00 00 00 00 01 f2 f2 f2 f2 f2 00 00 00 00
  0x7fca89d00180: 01 f2 f2 f2 f2 f2 00 00 00 00 01 f2 f2 f2 f2 f2
  0x7fca89d00200: 00 00 00 00 01 f2 f2 f2 f2 f2 00 00 00 00 00 00
  0x7fca89d00280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7fca89d00300: 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

In other words, there is a buffer overflow in the code caused by the compound
literal nested in the TO_BASE macro.
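Added illustration (not code from the bug report; the reporter's TO_BASE macro and conversion routine are not shown on this page, so the to_base() function, the 33-byte buffer size and the macro shape below are assumptions): the lifetime rule behind the sanitizer report. In C a compound literal such as (char[33]){0} is an unnamed object with automatic storage whose lifetime is the enclosing block (C11 6.5.2.5). Consuming the pointer in the same block, as in a printf call in the same statement, is fine; letting it escape that block is exactly what -fsanitize=address reports as stack-use-after-scope.

```c
#include <stdio.h>
#include <string.h>

/* Convert x to a NUL-terminated string in base 2..36, written into buf.
 * buf must hold at least 33 bytes (32 binary digits + NUL for a 32-bit x).
 * Returns buf so the call can be used inline inside an expression. */
static char *to_base(unsigned x, unsigned base, char *buf)
{
    static const char digits[] = "0123456789abcdefghijklmnopqrstuvwxyz";
    char tmp[33];
    int n = 0;

    if (base < 2 || base > 36) {      /* reject bases the digit table cannot serve */
        buf[0] = '\0';
        return buf;
    }
    do {
        tmp[n++] = digits[x % base];  /* least significant digit first */
        x /= base;
    } while (x);
    for (int i = 0; i < n; i++)
        buf[i] = tmp[n - 1 - i];      /* reverse into the caller's buffer */
    buf[n] = '\0';
    return buf;
}

/* Assumed macro shape: the compound literal (char[33]){0} is an unnamed
 * automatic object whose lifetime is the block that contains the macro
 * expansion, so the returned pointer is valid for the rest of that block. */
#define TO_BASE(x, b) to_base((x), (b), (char[33]){0})

/* Helper for checking to_base() against an expected string. */
static int to_base_matches(unsigned x, unsigned base, const char *want)
{
    char buf[33];
    return strcmp(to_base(x, base, buf), want) == 0;
}

/* Correct use: every pointer is consumed inside the block that owns the
 * compound literal (here, the function body), so nothing dangles. */
static int check_inline_use(void)
{
    return strcmp(TO_BASE(4287654321u, 10), "4287654321") == 0
        && strcmp(TO_BASE(255u, 16), "ff") == 0;
}

int main(void)
{
    /* Fine: the buffer is still alive while printf runs. */
    printf("TO_BASE(4287654321, 10): %s\n", TO_BASE(4287654321u, 10));

    /* Bug: the pointer escapes the block that owns the compound literal. */
    const char *p;
    {
        p = TO_BASE(4287654321u, 10);
    }   /* lifetime of the (char[33]){0} object ends at this brace */
    /* With gcc -fsanitize=address -g this read is reported as
     * stack-use-after-scope on a 33-byte '<unknown>' stack object. */
    printf("dangling: %s\n", p);
    return 0;
}
```

Build with gcc -fsanitize=address -g to see the report for the second printf; the first printf is silent because the object is still in scope. Two caveats: the same source compiled as C++ behaves differently, because there a compound literal (a GNU extension) is a temporary that only lives to the end of its full expression, and any macro that wraps the compound literal in its own braces (a do { } while (0) body or a GNU statement expression) makes those braces the enclosing block, so the pointer is dangling as soon as the macro expansion finishes.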
