clone 957485 -1
reassign -1 gcc-10
retitle -1 gcc-10: bogus array-bounds error when using strncpy on strings embedded in a structure
block 957485 by -1
thanks
On 2020-04-17 11:05, Matthias Klose wrote:
> Package: src:libusb
> Version: 2:0.1.12-32
> Severity: normal
> Tags: sid bullseye
> User: debian-...@lists.debian.org
> Usertags: ftbfs-gcc-10
>
> Please keep this issue open in the bug tracker for the package it
> was filed for. If a fix in another package is required, please
> file a bug for the other package (or clone), and add a block in this
> package. Please keep the issue open until the package can be built in
> a follow-up test rebuild.
>
> The package fails to build in a test rebuild on at least amd64 with
> gcc-10/g++-10, but succeeds to build with gcc-9/g++-9. The
> severity of this report will be raised before the bullseye release,
> so nothing has to be done for the buster release.

[ snip ]

> libtool: compile: g++ -DHAVE_CONFIG_H -I. -Wdate-time -D_FORTIFY_SOURCE=2 -g
> -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat
> -Werror=format-security -c ../usbpp.cpp -fPIC -DPIC -o .libs/usbpp.o
> In file included from /usr/include/string.h:495,
>                  from ../linux.c:11:
> In function ‘strncpy’,
>     inlined from ‘usb_os_find_busses’ at ../linux.c:361:5:
> /usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: error:
> ‘__builtin_strncpy’ offset [275, 4095] from the object at ‘entry’ is out of
> the bounds of referenced subobject ‘d_name’ with type ‘char[256]’ at offset
> 19 [-Werror=array-bounds]
>   106 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
>       |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> In file included from /usr/include/dirent.h:61,
>                  from ../linux.c:16:
> ../linux.c: In function ‘usb_os_find_busses’:
> /usr/include/x86_64-linux-gnu/bits/dirent.h:33:10: note: subobject ‘d_name’
> declared here
>    33 |     char d_name[256];           /* We must not include limits.h! */
>       |          ^~~~~~

This is a bogus warning, assuming the string is not properly null terminated.
This is not an acceptable assumption, otherwise it would not even be possible
to call strlen() without a warning.

Please see the attached file for a simple reproducer.

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurel...@aurel32.net                 http://www.aurel32.net
/* Compile with gcc-10 -O2 -c testcase.c -Wall -Wformat -Werror=format-security */

#include <string.h>

struct a {
	int pad;
	char string[512];
};

struct b {
	int pad;
	char string[256];
};

int f(struct a *d, struct b *s)
{
	int l;

	/* No warning here, so GCC 10 assumes that d->string is properly
	 * null terminated. */
	l = strlen(d->string);

	/* Warning here, GCC 10 assumes that d->string is *not* properly
	 * null terminated */
	strncpy(d->string, s->string, sizeof(d->string));

	return l;
}
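The pattern the diagnostic picks on is a copy whose read bound (sizeof of the 512-byte destination) is larger than the 256-byte source object, so the copy is only in bounds if the source carries a NUL somewhere inside its own array. The following is an added example, not part of the bug report, the attached testcase or the libusb sources: it uses constructed struct shapes mirroring the reproducer and shows a copy whose read is bounded by the source object and whose write is bounded by the destination, so its correctness does not depend on any assumption about termination, and the result is always NUL-terminated (which strncpy itself does not guarantee when the source fills the destination). The function and variable names are the example's own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed struct shapes mirroring the reproducer: a 512-byte destination
 * string and a 256-byte source string, each embedded after an int. */
struct a { int pad; char string[512]; };
struct b { int pad; char string[256]; };

/* Length of s->string without ever reading past the end of the array.
 * memchr stops at sizeof(s->string), so an unterminated source yields 256
 * rather than a read into whatever follows the struct. */
static size_t source_len(const struct b *s)
{
    const char *nul = memchr(s->string, '\0', sizeof(s->string));
    return nul ? (size_t)(nul - s->string) : sizeof(s->string);
}

/* Is the source NUL-terminated within its own bounds? */
int source_is_terminated(const struct b *s)
{
    return memchr(s->string, '\0', sizeof(s->string)) != NULL;
}

/* Copy s->string into d->string with the read bounded by the source object
 * and the write bounded by the destination object. The destination is always
 * NUL-terminated. Returns the number of bytes copied (excluding the NUL). */
size_t copy_bounded(struct a *d, const struct b *s)
{
    size_t n = source_len(s);
    if (n > sizeof(d->string) - 1)
        n = sizeof(d->string) - 1;
    memcpy(d->string, s->string, n);
    d->string[n] = '\0';
    return n;
}

/* Worst case: a source filled with non-NUL bytes (constructed input).
 * Returns the copied length if the destination ended up terminated, else 0. */
size_t demo_unterminated_source(void)
{
    struct a d;
    struct b s = { 0, { 0 } };
    size_t n;

    memset(s.string, 'A', sizeof(s.string));   /* constructed: no terminator */
    n = copy_bounded(&d, &s);
    return d.string[n] == '\0' ? n : 0;        /* 256 */
}

/* Ordinary case: a short, terminated source (constructed input).
 * Returns the copied length if the destination compares equal, else 0. */
size_t demo_short_source(void)
{
    struct a d;
    struct b s = { 0, "hello" };
    size_t n = copy_bounded(&d, &s);

    return strcmp(d.string, "hello") == 0 ? n : 0;   /* 5 */
}

int main(void)
{
    printf("unterminated source copied %zu bytes\n", demo_unterminated_source());
    printf("short source copied %zu bytes\n", demo_short_source());
    return 0;
}
```

memchr is used rather than strnlen so the example stays within ISO C and needs no feature-test macro; strnlen(s->string, sizeof(s->string)) would serve the same purpose on glibc.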