https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82501

--- Comment #12 from Martin Liška <marxin at gcc dot gnu.org> ---
While playing with the patch I noticed that there's a significant difference
between GCC 7 and GCC 8:

$ cat global4.c
int f;

int main()
{
  return *(&f+1);
}

$ g++-7 -fsanitize=address global4.c -fno-common && ./a.out 
=================================================================
==12692==ERROR: AddressSanitizer: global-buffer-overflow on address
0x0000004040e4 at pc 0x000000401193 bp 0x7fffffffdc00 sp 0x7fffffffdbf8
READ of size 4 at 0x0000004040e4 thread T0
    #0 0x401192 in main (/home/marxin/Programming/testcases/a.out+0x401192)
    #1 0x7ffff6cedb7a in __libc_start_main (/lib64/libc.so.6+0x23b7a)
    #2 0x4010a9 in _start (/home/marxin/Programming/testcases/a.out+0x4010a9)

0x0000004040e4 is located 0 bytes to the right of global variable 'f' defined
in 'global4.c:1:5' (0x4040e0) of size 4
SUMMARY: AddressSanitizer: global-buffer-overflow
(/home/marxin/Programming/testcases/a.out+0x401192) in main
Shadow bytes around the buggy address:
  0x0000800787c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800787d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800787e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800787f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080078800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000080078810: 00 00 00 00 00 00 00 00 00 00 00 00[04]f9 f9 f9
  0x000080078820: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080078830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080078840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080078850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080078860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Here there's really no left global red zone.

However:
g++-8 -fsanitize=address global4.c -fno-common && ./a.out 
=================================================================
==12713==ERROR: AddressSanitizer: global-buffer-overflow on address
0x0000004040e4 at pc 0x00000040118e bp 0x7fffffffdc00 sp 0x7fffffffdbf8
READ of size 4 at 0x0000004040e4 thread T0
    #0 0x40118d in main (/home/marxin/Programming/testcases/a.out+0x40118d)
    #1 0x7ffff7076b7a in __libc_start_main ../csu/libc-start.c:308
    #2 0x4010a9 in _start (/home/marxin/Programming/testcases/a.out+0x4010a9)

0x0000004040e4 is located 0 bytes to the right of global variable 'f' defined
in 'global4.c:1:5' (0x4040e0) of size 4
SUMMARY: AddressSanitizer: global-buffer-overflow
(/home/marxin/Programming/testcases/a.out+0x40118d) in main
Shadow bytes around the buggy address:
  0x0000800787c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800787d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800787e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800787f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080078800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000080078810: f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00[04]f9 f9 f9
  0x000080078820: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080078830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080078840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080078850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080078860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

There's a left 'f9', but the variable has 4 x '00', which is wrong. That's
probably due to some alignment. But fixing that would fix the underlying
problem of this PR.

There are no assembly changes in the .s file between GCC 7 and GCC 8. So it's a
libsanitizer difference.

However, clang-7 does the following:

$ clang -fsanitize=address global4.c -fno-common && ./a.out 
=================================================================
==12765==ERROR: AddressSanitizer: global-buffer-overflow on address
0x000000dd0844 at pc 0x0000004f41ac bp 0x7fffffffdbf0 sp 0x7fffffffdbe8
READ of size 4 at 0x000000dd0844 thread T0
    #0 0x4f41ab in main (/home/marxin/Programming/testcases/a.out+0x4f41ab)
    #1 0x7ffff7c52b7a in __libc_start_main
/usr/src/debug/glibc-2.29-1.3.x86_64/csu/../csu/libc-start.c:308:16
    #2 0x41d2d9 in _start
/home/abuild/rpmbuild/BUILD/glibc-2.29/csu/../sysdeps/x86_64/start.S:120

0x000000dd0844 is located 0 bytes to the right of global variable 'f' defined
in 'global4.c:1:5' (0xdd0840) of size 4
SUMMARY: AddressSanitizer: global-buffer-overflow
(/home/marxin/Programming/testcases/a.out+0x4f41ab) in main
Shadow bytes around the buggy address:
  0x0000801b20b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801b20c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801b20d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801b20e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801b20f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000801b2100: 00 00 00 00 00 00 00 00[04]f9 f9 f9 f9 f9 f9 f9
  0x0000801b2110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801b2120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801b2130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801b2140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801b2150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

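As an added example (not part of the bug report, GCC or libsanitizer), a small Python decoder for the "Shadow bytes around the buggy address" block that makes the difference between the three dumps mechanical: it counts the fully addressable shadow bytes to the left of the marked granule and reports whether a global redzone byte (0xf9) bounds the object on each side. The embedded sample is a constructed, trimmed copy of the GCC 8 dump above.

```python
"""Decode an AddressSanitizer shadow-byte dump and inspect the global redzones
around the faulting object (added example, not libsanitizer code)."""
import re

GLOBAL_REDZONE = 0xf9                        # ASan shadow value for global redzones
TOKEN = re.compile(r"\[?[0-9a-f]{2}\]?")     # '00', 'f9' or the marked '[04]'
LINE = re.compile(r"^(?:=>)?\s*0x([0-9a-f]+):\s*(.*)$")

def parse_shadow(report):
    """Map shadow address -> byte value; also return the address of the [xx] byte."""
    shadow, marked, in_block = {}, None, False
    for line in report.splitlines():
        if line.startswith("Shadow bytes around"):
            in_block = True
            continue
        m = LINE.match(line) if in_block else None
        if not m:
            if in_block and shadow:
                break                        # end of the dump block
            continue
        base = int(m.group(1), 16)
        for i, tok in enumerate(TOKEN.findall(m.group(2))):
            if tok.startswith("["):
                marked = base + i
            shadow[base + i] = int(tok.strip("[]"), 16)
    return shadow, marked

def redzone_status(report):
    """Describe the shadow bytes around the faulting granule (None = outside the dump)."""
    shadow, marked = parse_shadow(report)
    if marked is None:
        raise ValueError("no [xx] marker in shadow dump")
    # One shadow byte covers 8 bytes: 0x00 = all addressable, 0x01..0x07 = that
    # many leading bytes addressable. Count addressable granules left of the mark.
    zeros_left = 0
    while shadow.get(marked - zeros_left - 1) == 0x00:
        zeros_left += 1
    return {
        "addressable_in_marked": shadow[marked],   # 4 for the 4-byte int 'f'
        "zeros_left": zeros_left,                  # addressable granules before it
        "left_byte": shadow.get(marked - zeros_left - 1),
        "right_byte": shadow.get(marked + 1),
    }

# Constructed sample, trimmed from the GCC 8 dump in the comment above.
GCC8_SAMPLE = """\
Shadow bytes around the buggy address:
  0x000080078800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000080078810: f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00[04]f9 f9 f9
  0x000080078820: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
"""

if __name__ == "__main__":
    print(redzone_status(GCC8_SAMPLE))
```

For the GCC 8 sample this reports a left redzone byte of 0xf9 but four addressable shadow granules (32 bytes) between it and the 4-byte variable, which is exactly the "4 x '00'" oddity the comment points out; on a GCC 7 style dump the left walk runs off the start of the dump and left_byte is None.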