[Bug middle-end/77608] missing protection on trivially detectable runtime buffer overflow

2022-01-11 Thread siddhesh at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77608

--- Comment #8 from Siddhesh Poyarekar  ---
The test case for pr 103961 exposed a flaw in my patch, where assuming
wholesize isn't always safe or at least would need more careful consideration. 
I need to think this through some more.

[Bug middle-end/77608] missing protection on trivially detectable runtime buffer overflow

2022-01-06 Thread siddhesh at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77608

Siddhesh Poyarekar  changed:

   What     |Removed |Added

   Status   |NEW     |ASSIGNED

--- Comment #7 from Siddhesh Poyarekar  ---
I've posted a patch:

https://gcc.gnu.org/pipermail/gcc-patches/2022-January/587698.html

which returns the whole size of an object (that's a thing now, since __bos
started handling negative offsets) if the offset is not a constant.  It goes on
top of the dynamic object sizes patchset.

Volatile offsets will need more rework (basically delay the side effects check
into tree-object-size), so I'll do that after all of these patches are through.

[Bug middle-end/77608] missing protection on trivially detectable runtime buffer overflow

2022-01-04 Thread siddhesh at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77608

Siddhesh Poyarekar  changed:

   What     |Removed                       |Added

   CC       |                              |siddhesh at gcc dot gnu.org
   Assignee |unassigned at gcc dot gnu.org |siddhesh at gcc dot gnu.org

--- Comment #6 from Siddhesh Poyarekar  ---
The volatile causes it to bail out too early because we avoid operating on
trees with side effects, but at least without it __bos should be able to detect
undefined behaviour.

[Bug middle-end/77608] missing protection on trivially detectable runtime buffer overflow

2021-10-13 Thread kees at outflux dot net via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77608

Kees Cook  changed:

   What     |Removed |Added

   CC       |        |kees at outflux dot net

--- Comment #5 from Kees Cook  ---
I think this behavior may, unfortunately, be "as expected", due to how the
memcpy overflow checks are working (they're checking surrounding object, yes,
like bos(0) would)? The constant-expression bos() calculations do appear to
understand the base pointer object, but when faced with "i", it can't know for
sure -- it might have room (if "i" is < 3), or not. So it must return -1 as it
lacks any other context (like memcpy's "size" argument).

There may, however, be a missing opportunity for tightening the memcpy checker?

For example:


...
volatile unsigned i;

struct weird {
  char a[4];
  char b[8];
};

int main (void)
{
  {
    struct weird instance;
    char d [3];

    P (d + i);
    memcpy (d + i, "abcdef", 5); // always overflows d (the entire object)

    i = 7;
    P (instance.a + i); // can't see into "i"
    P (instance.a + 7); // room left in instance (5), but not "a" (0)

    memcpy (instance.a + i, "abcdef", 5); // misses a, doesn't overflow
                                          // instance. should this warn?

    __builtin_printf ("%.0s", d);
  }
}


-1 -1  0  0
-1 -1  0  0
 5  0  5  5
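
Added example (the editor's, not part of Kees Cook's comment, Siddhesh Poyarekar's patch, or GCC itself) that puts the two points above side by side: what __builtin_object_size can say about a pointer with a run-time offset (comment #5, with the volatile index from comment #0), and what a check based on the whole size of the object would catch instead (the idea in comment #7, carried out by hand at run time). `remaining_bytes`, `checked_copy`, `BOS_ALL`, `show_bos` and `run_checks` are hypothetical helpers written for this example; `struct weird` is the example's own copy of the struct from comment #5. The __bos values it prints depend on the compiler and optimisation level; the checks in `run_checks` do not.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same layout as the struct in comment #5 (this example's own copy). */
struct weird {
    char a[4];
    char b[8];
};

/* Bytes left between base + off and the end of an object of `whole`
   bytes, or 0 when off is already past the end. This is the "whole size
   of the object" idea from comment #7 done by hand (hypothetical helper,
   not GCC code). */
static size_t remaining_bytes(size_t whole, size_t off)
{
    return off < whole ? whole - off : 0;
}

/* Run-time-checked copy into dst + off. Returns 1 if the copy was done,
   0 if n bytes would run past the end of the `whole`-byte destination.
   Pass sizeof the enclosing object for a bos(0)-style check, or sizeof the
   member for a bos(1)-style (sub-object) check. */
static int checked_copy(void *dst, size_t whole, size_t off,
                        const void *src, size_t n)
{
    if (n > remaining_bytes(whole, off))
        return 0;
    memcpy((char *)dst + off, src, n);
    return 1;
}

/* Fills out[0..3] with __builtin_object_size(p, 0..3). The type argument
   must be a literal, hence a macro rather than a function. */
#define BOS_ALL(p, out)                          \
    do {                                         \
        (out)[0] = __builtin_object_size(p, 0);  \
        (out)[1] = __builtin_object_size(p, 1);  \
        (out)[2] = __builtin_object_size(p, 2);  \
        (out)[3] = __builtin_object_size(p, 3);  \
    } while (0)

/* Prints the four values; (size_t)-1 is shown as -1 as in comment #5. */
static void print_bos(const char *label, const size_t s[4])
{
    printf("%-16s", label);
    for (int k = 0; k < 4; k++)
        printf(" %2ld", s[k] == (size_t)-1 ? -1L : (long)s[k]);
    printf("\n");
}

/* What __bos reports for the pointers from comment #5. The index is read
   through a volatile so the compiler cannot see its value (comment #6). */
static void show_bos(size_t idx)
{
    volatile size_t i = idx;
    char d[3];
    struct weird instance;
    size_t s[4];

    BOS_ALL(d + i, s);          print_bos("d + i", s);
    BOS_ALL(instance.a + i, s); print_bos("instance.a + i", s);
    BOS_ALL(instance.a + 7, s); print_bos("instance.a + 7", s);
}

/* The memcpy calls from comment #5 with the bounds made explicit.
   Returns how many of the three copies were rejected. */
static int run_checks(size_t i)
{
    char d[3];
    struct weird instance;
    int rejected = 0;

    /* 5 bytes into a 3-byte object: overflows for every value of i. */
    rejected += !checked_copy(d, sizeof d, i, "abcdef", 5);

    /* Whole-object (bos(0)-style) check on instance: for i == 7 there are
       5 bytes left in the 12-byte struct, so this one is accepted ... */
    rejected += !checked_copy(&instance, sizeof instance, i, "abcdef", 5);

    /* ... while the sub-object (bos(1)-style) check on instance.a rejects
       it, since offset 7 is already past the 4 bytes of a. */
    rejected += !checked_copy(instance.a, sizeof instance.a, i, "abcdef", 5);

    return rejected;
}

int main(void)
{
    show_bos(7);
    printf("rejected copies for i = 7: %d\n", run_checks(7));
    return 0;
}
```

With the volatile index, `show_bos` prints -1 -1 0 0 for the first two rows on the GCC versions discussed in the bug, matching the output in comment #5; `run_checks` rejects the copy into `d` and the copy into `instance.a` but accepts the one into `instance`, which is the bos(0)-versus-bos(1) distinction the comment asks about.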

[Bug middle-end/77608] missing protection on trivially detectable runtime buffer overflow

2017-12-19 Thread msebor at gcc dot gnu.org
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77608

Martin Sebor  changed:

   What          |Removed  |Added

   Keywords      |         |diagnostic, patch
   Status        |ASSIGNED |NEW
   Known to work |         |8.0

--- Comment #4 from Martin Sebor  ---
A more modest patch, one that only enhances warnings without changing the
result of __builtin_object_size, has been committed in r255836.
https://gcc.gnu.org/ml/gcc-patches/2017-11/msg01552.html

I'm not working on the __builtin_object_size patch at this time so I'm
unassigning myself from this bug.

[Bug middle-end/77608] missing protection on trivially detectable runtime buffer overflow

2017-12-19 Thread msebor at gcc dot gnu.org
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77608

--- Comment #3 from Martin Sebor  ---
Author: msebor
Date: Tue Dec 19 19:14:57 2017
New Revision: 255836

URL: https://gcc.gnu.org/viewcvs?rev=255836&root=gcc&view=rev
Log:
PR middle-end/77608 - missing protection on trivially detectable runtime buffer
overflow

gcc/ChangeLog:

PR middle-end/77608
* builtins.c (compute_objsize): Handle non-constant offsets.

gcc/testsuite/ChangeLog:

PR middle-end/77608
* gcc.dg/Wstringop-overflow.c: New test.
* gcc/testsuite/c-c++-common/Warray-bounds-3.c: Adjust.


Added:
trunk/gcc/testsuite/gcc.dg/Wstringop-overflow.c
Modified:
trunk/gcc/ChangeLog
trunk/gcc/builtins.c
trunk/gcc/testsuite/ChangeLog
trunk/gcc/testsuite/c-c++-common/Warray-bounds-3.c

[Bug middle-end/77608] missing protection on trivially detectable runtime buffer overflow

2016-09-15 Thread msebor at gcc dot gnu.org
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77608

Martin Sebor  changed:

   What          |Removed |Added

   Known to fail |        |4.9.3, 5.3.0, 6.2.0, 7.0

--- Comment #2 from Martin Sebor  ---
Patch posted for review:
https://gcc.gnu.org/ml/gcc-patches/2016-09/msg00988.html

[Bug middle-end/77608] missing protection on trivially detectable runtime buffer overflow

2016-09-15 Thread msebor at gcc dot gnu.org
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77608

Martin Sebor  changed:

   What             |Removed                       |Added

   Status           |UNCONFIRMED                   |ASSIGNED
   Last reconfirmed |                              |2016-09-16
   Assignee         |unassigned at gcc dot gnu.org |msebor at gcc dot gnu.org
   Ever confirmed   |0                             |1

--- Comment #1 from Martin Sebor  ---
Created attachment 39627
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=39627&action=edit
Lightly tested patch.

The attached patch extends __builtin_object_size to handle non-constant offsets
in POINTER_PLUS expressions.  It also adds handling of ranges although to
benefit from those the VRP pass needs to run before the object size pass.  (It
doesn't handle the test case in comment #0 because of the volatile qualifier.)