https://gcc.gnu.org/bugzilla/show_bug.cgi?id=64964
Bug ID: 64964
Summary: -D_FORTIFY_SOURCE=2 passes incorrect length to _chk
functions in some cases
Product: gcc
Version: 5.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
Assignee: unassigned at gcc dot gnu.org
Reporter: nszabolcs at gmail dot com
in the following simple testcase the valid length of x.a+1 is 1, but 2 is
passed to __strcpy_chk according to the asm (gcc-4.8 gets it right, glibc
debug/tst-chk3 and debug/tst-chk6 testcases fail now with gcc built from trunk)
at runtime x.b[0] gets clobbered with 0 and there is no failure reported.
$ cat chk.c
#include <string.h>
int main()
{
char *volatile s = "A";
struct { char a[2]; char b[1]; } x;
strcpy(x.a+1, s);
return 0;
}
$ gcc -D_FORTIFY_SOURCE=2 -O -S chk.c
$ cat chk.s
.file "chk.c"
.section .rodata.str1.1,"aMS",@progbits,1
.LC0:
.string "A"
.text
.globl main
.type main, @function
main:
.LFB22:
.cfi_startproc
subq $24, %rsp
.cfi_def_cfa_offset 32
movq $.LC0, 8(%rsp)
movq 8(%rsp), %rsi
movl $2, %edx
leaq 1(%rsp), %rdi
call __strcpy_chk
movl $0, %eax
addq $24, %rsp
.cfi_def_cfa_offset 8
ret
.cfi_endproc
.LFE22:
.size main, .-main
.ident "GCC: (GNU) 5.0.0 20150205 (experimental)"
.section .note.GNU-stack,"",@progbits
