https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105396
Bug ID: 105396 Summary: missed stack-buffer-overflow by -O0 Product: gcc Version: 12.0 Status: UNCONFIRMED Severity: normal Priority: P3 Component: sanitizer Assignee: unassigned at gcc dot gnu.org Reporter: shaohua.li at inf dot ethz.ch CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org, jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org Target Milestone: --- For the following code, `gcc -fsanitize=address -O0` misses the buffer-overflow, while `gcc -fsanitize=address -O3` catches it. $cat a.c int main() { int a; int *b[1]; int c[10]; int d[1][1]; for (a = 0; a < 1; a++) d[1][a] = 0; } $ $gcc -fsanitize=address -O0;./a.out $ $gcc -fsanitize=address -O3;./a.out ==1==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffda35c0d4 at pc 0x000000401104 bp 0x7fffda35c0a0 sp 0x7fffda35c098 WRITE of size 4 at 0x7fffda35c0d4 thread T0 #0 0x401103 in main /app/example.c:8 #1 0x7fc3351380b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2) #2 0x40118d in _start (/app/output.s+0x40118d) Address 0x7fffda35c0d4 is located in stack of thread T0 at offset 36 in frame #0 0x40107f in main /app/example.c:2 This frame has 1 object(s): [32, 36) 'd' (line 6) <== Memory access at offset 36 overflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow /app/example.c:8 in main Shadow bytes around the buggy address: 0x10007b4637c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007b4637d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007b4637e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007b4637f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007b463800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x10007b463810: 00 00 00 00 00 00 f1 f1 f1 f1[04]f3 f3 f3 00 00 0x10007b463820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007b463830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007b463840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007b463850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007b463860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==1==ABORTING