https://gcc.gnu.org/bugzilla/show_bug.cgi?id=100665
Bug ID: 100665
Summary: [hwsanitizer] nested function pointer is tagged but never checked
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: crazylht at gmail dot com
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org, hjl.tools at gmail dot com, jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org, matmal01 at gcc dot gnu.org
Target Milestone: ---

Testcase is gcc/testsuite/gcc.dg/hwasan/nested-functions-0.c:

    /* Returns its argument through a noinline call so the compiler cannot
       fold away the address computation in the caller.  */
    __attribute__((noinline))
    int *Ident(void *x)
    {
      return x;
    }

    int __attribute__ ((noinline))
    intermediate (void (*f) (int, char), char num)
    {
      if (num == 1)
        /* NOTE: We need to overrun by an amount greater than the "extra data"
           in a nonlocal goto structure.  The entire structure is allocated on
           the stack with a single tag, which means hwasan can't tell if a
           closed-over buffer was overrun by an amount small enough that the
           access was still to some data in that nonlocal goto structure.  */
        f (100, 100);
      else
        f (3, 100);
      /* Just return something ... */
      return num % 3;
    }

    int* __attribute__ ((noinline))
    nested_function (char num)
    {
      int big_array[16];
      int other_array[16];
      /* GCC nested function: closes over big_array, so the pointer passed to
         intermediate() is a trampoline living on this frame's stack.  */
      void store (int index, char value)
      {
        big_array[index] = value;
      }
      return Ident(&other_array[intermediate (store, num)]);
    }

    #ifndef MAIN
    int main ()
    {
      nested_function (0);
      return 0;
    }
    #endif

The nested function store is defined and resides on the stack of nested_function. The function pointer of store will be tagged since hwasan thinks it is a stack variable, but since there's no explicit load for the function pointer, the tag is never checked. So I wonder, is hwasan supposed to tag the function pointer?