clone 957485 -1
reassign -1 gcc-10
retitle -1 gcc-10: bogus array-bounds error when using strncpy on strings embedded in a structure
block 957485 by -1
thanks

On 2020-04-17 11:05, Matthias Klose wrote:
> Package: src:libusb
> Version: 2:0.1.12-32
> Severity: normal
> Tags: sid bullseye
> User: debian-...@lists.debian.org
> Usertags: ftbfs-gcc-10
> 
> Please keep this issue open in the bug tracker for the package it
> was filed for.  If a fix in another package is required, please
> file a bug for the other package (or clone), and add a block in this
> package. Please keep the issue open until the package can be built in
> a follow-up test rebuild.
> 
> The package fails to build in a test rebuild on at least amd64 with
> gcc-10/g++-10, but succeeds to build with gcc-9/g++-9. The
> severity of this report will be raised before the bullseye release,
> so nothing has to be done for the buster release.

[ snip ]

> libtool: compile:  g++ -DHAVE_CONFIG_H -I. -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security -c ../usbpp.cpp  -fPIC -DPIC -o .libs/usbpp.o
> In file included from /usr/include/string.h:495,
>                  from ../linux.c:11:
> In function ‘strncpy’,
>     inlined from ‘usb_os_find_busses’ at ../linux.c:361:5:
> /usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: error: ‘__builtin_strncpy’ offset [275, 4095] from the object at ‘entry’ is out of the bounds of referenced subobject ‘d_name’ with type ‘char[256]’ at offset 19 [-Werror=array-bounds]
>   106 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
>       |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> In file included from /usr/include/dirent.h:61,
>                  from ../linux.c:16:
> ../linux.c: In function ‘usb_os_find_busses’:
> /usr/include/x86_64-linux-gnu/bits/dirent.h:33:10: note: subobject ‘d_name’ declared here
>    33 |     char d_name[256];  /* We must not include limits.h! */
>       |          ^~~~~~

This is a bogus warning, assuming the string is not properly null
terminated. This is not an acceptable assumption, otherwise it would not
even be possible to call strlen() without a warning.

Please see the attached file for a simple reproducer.

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurel...@aurel32.net                 http://www.aurel32.net
/* Compile with gcc-10 -O2 -c testcase.c -Wall -Wformat -Werror=format-security */

#include <string.h>

struct a
{
	int pad;
	char string[512];
};

struct b
{
	int pad;
	char string[256];
};

int f(struct a *d, struct b *s)
{
	int l;

	/* No warning here, so GCC 10 assumes that d->string is properly
	 * null terminated. */
	l = strlen(d->string);

	/* Warning here, GCC 10 assumes that d->string is *not* properly
	 * null terminated */
	strncpy(d->string, s->string, sizeof(d->string));

	return l;
}
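Whatever one thinks of the compiler's assumption, the pattern it flags (strncpy with a length taken from the destination, larger than the source object) is one whose safety depends entirely on the source being NUL-terminated. The following is an added example, not code from this bug report, from libusb or from the Debian fix: a copy whose length is bounded by the size of the source as well as the destination, so it never reads past the source object and always terminates the destination, and therefore gives GCC nothing to object to. The struct names mirror the attached testcase; bounded_len, copy_bounded, copy_hardened and the demo_* functions are this example's own.

```c
/* Added example (not part of the bug report or of libusb): a copy that is
 * bounded by the size of the source as well as the destination, so it does
 * not rely on the source being NUL-terminated.  struct a / struct b mirror
 * the attached testcase; everything else here is made up for illustration. */
#include <stddef.h>
#include <string.h>

struct a { int pad; char string[512]; };
struct b { int pad; char string[256]; };

/* Length of s, never scanning past s[max - 1] (strnlen, spelled out so that
 * no POSIX feature macro is needed). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Copy at most dstsz - 1 bytes of src, scanning at most srcsz of them, and
 * always NUL-terminate dst.  Returns the number of bytes copied. */
size_t copy_bounded(char *dst, size_t dstsz, const char *src, size_t srcsz)
{
    size_t n;

    if (dstsz == 0)
        return 0;
    n = bounded_len(src, srcsz);   /* never reads beyond the source object */
    if (n > dstsz - 1)
        n = dstsz - 1;             /* truncate instead of overflowing dst */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Same shape as f() in the testcase, but the read is bounded by
 * sizeof(s->string) rather than only by sizeof(d->string), which is what
 * strncpy(d->string, s->string, sizeof(d->string)) cannot promise. */
size_t copy_hardened(struct a *d, const struct b *s)
{
    return copy_bounded(d->string, sizeof(d->string),
                        s->string, sizeof(s->string));
}

/* Constructed input: a source of 256 'A' bytes with no terminator.  A
 * strncpy with n = 512 would keep reading past s.string; the bounded copy
 * stops after 256 bytes and terminates the destination. */
size_t demo_unterminated_source(void)
{
    struct a d;
    struct b s;

    memset(s.string, 'A', sizeof(s.string));
    memset(d.string, 0x7f, sizeof(d.string));
    copy_hardened(&d, &s);
    return strlen(d.string);
}

/* Constructed input: an ordinary short string is copied unchanged. */
size_t demo_short_source(void)
{
    struct a d;
    struct b s;

    strcpy(s.string, "hello");
    copy_hardened(&d, &s);
    return strlen(d.string);
}

/* A destination smaller than the source is truncated, not overflowed. */
int demo_truncation(void)
{
    char small[4];
    size_t n = copy_bounded(small, sizeof(small), "abcdef", 6);

    return n == 3 && strcmp(small, "abc") == 0;
}
```

The point of bounding by both sizes is that the result no longer depends on who filled the source buffer: a kernel-provided d_name is terminated, but the same helper is safe for a buffer that is not, and the truncation case is explicit rather than a silent strncpy without a terminator.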
