Re: [PATCH] asan: Don't fold some strlens with -fsanitize=address [PR110676]

Tue, 06 Feb 2024 03:45:10 -0800 

On Tue, 6 Feb 2024, Jakub Jelinek wrote:

> Hi!
> 
> The UB on the following testcase isn't diagnosed by -fsanitize=address,
> because we see that the array has a single element and optimize the
> strlen to 0.  I think it is fine to assume e.g. for range purposes the
> lower bound for the strlen as long as we don't try to optimize
> strlen (str)
> where we know that it returns [26, 42] to
> 26 + strlen (str + 26), but for the upper bound we really want to punt
> on optimizing that for -fsanitize=address to read all the bytes of the
> string and diagnose if we run to object end etc.
> 
> Bootstrapped/regtested on x86_64-linux and i686-linux, ok for trunk?

OK

> 2024-02-06  Jakub Jelinek  <ja...@redhat.com>
> 
>       PR sanitizer/110676
>       * gimple-fold.cc (gimple_fold_builtin_strlen): For -fsanitize=address
>       reset maxlen to sizetype maximum.
> 
>       * gcc.dg/asan/pr110676.c: New test.
> 
> --- gcc/gimple-fold.cc.jj     2024-01-31 12:24:51.714239628 +0100
> +++ gcc/gimple-fold.cc        2024-02-05 21:38:03.829964904 +0100
> @@ -4019,6 +4019,11 @@ gimple_fold_builtin_strlen (gimple_stmt_
>        maxlen = wi::to_wide (max_object_size (), prec) - 2;
>      }
>  
> +  /* For -fsanitize=address, don't optimize the upper bound of the
> +     length to be able to diagnose UB on non-zero terminated arrays.  */
> +  if (sanitize_flags_p (SANITIZE_ADDRESS))
> +    maxlen = wi::max_value (TYPE_PRECISION (sizetype), UNSIGNED);
> +
>    if (minlen == maxlen)
>      {
>        /* Fold the strlen call to a constant.  */
> --- gcc/testsuite/gcc.dg/asan/pr110676.c.jj   2024-02-05 21:42:43.657104536 
> +0100
> +++ gcc/testsuite/gcc.dg/asan/pr110676.c      2024-02-05 21:42:39.091167524 
> +0100
> @@ -0,0 +1,14 @@
> +/* PR sanitizer/110676 */
> +/* { dg-do run } */
> +/* { dg-skip-if "" { *-*-* } { "*" } { "-O0" } } */
> +/* { dg-shouldfail "asan" } */
> +
> +int
> +main ()
> +{
> +  char s[1] = "A";
> +  return __builtin_strlen (s);
> +}
> +
> +/* { dg-output "ERROR: AddressSanitizer: stack-buffer-overflow on 
> address.*(\n|\r\n|\r)" } */
> +/* { dg-output "READ of size.*" } */
> 
>       Jakub
> 
> 

-- 
Richard Biener <rguent...@suse.de>
SUSE Software Solutions Germany GmbH,
Frankenstrasse 146, 90461 Nuernberg, Germany;
GF: Ivo Totev, Andrew McDonald, Werner Knoblich; (HRB 36809, AG Nuernberg)

Reply via email to