[Bug middle-end/77608] missing protection on trivially detectable runtime buffer overflow
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77608

--- Comment #8 from Siddhesh Poyarekar ---
The test case for PR 103961 exposed a flaw in my patch, where assuming wholesize isn't always safe or at least would need more careful consideration. I need to think this through some more.
Siddhesh Poyarekar changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #7 from Siddhesh Poyarekar ---
I've posted a patch:

https://gcc.gnu.org/pipermail/gcc-patches/2022-January/587698.html

which returns the whole size of an object (that's a thing now, since __bos started handling negative offsets) if the offset is not a constant. It goes on top of the dynamic object sizes patchset.

Volatile offsets will need more rework (basically delay the side effects check into tree-object-size), so I'll do that after all of these patches are through.
Siddhesh Poyarekar changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |siddhesh at gcc dot gnu.org
           Assignee|unassigned at gcc dot gnu.org|siddhesh at gcc dot gnu.org

--- Comment #6 from Siddhesh Poyarekar ---
The volatile causes it to bail out too early because we avoid operating on trees with side effects, but at least without it __bos should be able to detect undefined behaviour.
Kees Cook changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kees at outflux dot net

--- Comment #5 from Kees Cook ---
I think this behavior may, unfortunately, be "as expected", due to how the memcpy overflow checks are working (they're checking the surrounding object, yes, like bos(0) would)? The constant-expression bos() calculations do appear to understand the base pointer object, but when faced with "i", it can't know for sure -- it might have room (if "i" is < 3), or not. So it must return -1 as it lacks any other context (like memcpy's "size" argument).

There may, however, be a missing opportunity for tightening the memcpy checker? For example:

    ...
    volatile unsigned i;

    struct weird { char a[4]; char b[8]; };

    int main (void)
    {
      {
        struct weird instance;
        char d [3];

        P (d + i);
        memcpy (d + i, "abcdef", 5);   // always overflows d (the entire object)

        i = 7;
        P (instance.a + i);            // can't see into "i"
        P (instance.a + 7);            // room left in instance (5), but not "a" (0)
        memcpy (instance.a + i, "abcdef", 5);   // misses a, doesn't overflow instance. should this warn?

        __builtin_printf ("%.0s", d);
      }
    }

Output:

    -1 -1 0 0 -1 -1 0 0 5 0 5 5
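The subobject-versus-whole-object distinction in Kees's example, worked through as an added runtime check (this is illustrative code written for this page, not code from the bug thread or from GCC; every function name in it is mine). `remaining_bytes` computes what `__builtin_object_size` can only report once the offset is known; `guarded_memcpy` is the shape of check a fortified memcpy performs with that value; the two `a_plus_offset_*` helpers reproduce the `instance.a + 7` case under the whole-object (bos type 0) and member-only (bos type 1) views; and `wholesize_check_accepts` models the shortcut of treating a non-constant offset as leaving the whole object available, the assumption comment #8 above says is not always safe, by showing a copy it accepts that `remaining_bytes` rejects.

```c
#include <stddef.h>
#include <string.h>

/* Outcome of a guarded copy. */
enum copy_result { COPY_OK = 0, COPY_OVERFLOW = 1 };

/* Bytes left between base + offset and the end of an object of objsize
   bytes. This is the value __builtin_object_size can report only when
   the offset is known; at or past the end nothing is left. */
size_t remaining_bytes(size_t objsize, size_t offset)
{
    return offset < objsize ? objsize - offset : 0;
}

/* Model of the "whole size" shortcut: the offset is ignored and the whole
   object is assumed to be available. Returns 1 if a copy of n bytes would
   pass under that assumption (which over-accepts once offset is nonzero). */
int wholesize_check_accepts(size_t objsize, size_t offset, size_t n)
{
    (void)offset;   /* deliberately ignored: that is the weakness being shown */
    return n <= objsize;
}

/* Runtime guard: copy n bytes to base + offset only if they fit inside the
   objsize-byte object; otherwise leave the destination untouched. */
enum copy_result guarded_memcpy(void *base, size_t objsize, size_t offset,
                                const void *src, size_t n)
{
    if (n > remaining_bytes(objsize, offset))
        return COPY_OVERFLOW;
    memcpy((char *)base + offset, src, n);
    return COPY_OK;
}

/* Same layout as the struct in the comment above. */
struct weird { char a[4]; char b[8]; };

/* First case from the comment: memcpy (d + i, "abcdef", 5) into char d[3].
   Returns 1 when the guard rejects the copy (it does for every i). */
int d_plus_i_overflows(size_t i)
{
    char d[3];
    return guarded_memcpy(d, sizeof d, i, "abcdef", 5) == COPY_OVERFLOW;
}

/* Second case: memcpy (instance.a + offset, "abcdef", 5) checked against the
   whole struct (the bos type 0 view). Returns 1 if the copy fits. */
int a_plus_offset_fits_whole(size_t offset)
{
    struct weird instance;
    size_t off_in_struct = offsetof(struct weird, a) + offset;
    return guarded_memcpy(&instance, sizeof instance, off_in_struct,
                          "abcdef", 5) == COPY_OK;
}

/* The same copy checked against the member a alone (the bos type 1 view). */
int a_plus_offset_fits_member(size_t offset)
{
    struct weird instance;
    return guarded_memcpy(instance.a, sizeof instance.a, offset,
                          "abcdef", 5) == COPY_OK;
}
```

With offset 7 the whole-object view leaves 5 bytes and accepts the 5-byte copy, while the member view leaves 0 and rejects it, which is exactly the "room left in instance (5), but not a (0)" split in the comment; and `wholesize_check_accepts(3, 2, 3)` accepts a 3-byte copy into `d + 2` even though only 1 byte remains, which is why a non-constant offset cannot simply be treated as zero.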
Martin Sebor changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |diagnostic, patch
             Status|ASSIGNED                    |NEW
      Known to work|                            |8.0

--- Comment #4 from Martin Sebor ---
A more modest patch, one that only enhances warnings without changing the result of __builtin_object_size, has been committed in r255836.

https://gcc.gnu.org/ml/gcc-patches/2017-11/msg01552.html

I'm not working on the __builtin_object_size patch at this time so I'm unassigning myself from this bug.
--- Comment #3 from Martin Sebor ---
Author: msebor
Date: Tue Dec 19 19:14:57 2017
New Revision: 255836

URL: https://gcc.gnu.org/viewcvs?rev=255836&root=gcc&view=rev
Log:
PR middle-end/77608 - missing protection on trivially detectable runtime buffer overflow

gcc/ChangeLog:

        PR middle-end/77608
        * builtins.c (compute_objsize): Handle non-constant offsets.

gcc/testsuite/ChangeLog:

        PR middle-end/77608
        * gcc.dg/Wstringop-overflow.c: New test.
        * gcc/testsuite/c-c++-common/Warray-bounds-3.c: Adjust.

Added:
    trunk/gcc/testsuite/gcc.dg/Wstringop-overflow.c
Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/builtins.c
    trunk/gcc/testsuite/ChangeLog
    trunk/gcc/testsuite/c-c++-common/Warray-bounds-3.c
Martin Sebor changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Known to fail|                            |4.9.3, 5.3.0, 6.2.0, 7.0

--- Comment #2 from Martin Sebor ---
Patch posted for review:

https://gcc.gnu.org/ml/gcc-patches/2016-09/msg00988.html
Martin Sebor changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |ASSIGNED
   Last reconfirmed|                            |2016-09-16
           Assignee|unassigned at gcc dot gnu.org|msebor at gcc dot gnu.org
     Ever confirmed|0                           |1

--- Comment #1 from Martin Sebor ---
Created attachment 39627
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=39627&action=edit
Lightly tested patch.

The attached patch extends __builtin_object_size to handle non-constant offsets in POINTER_PLUS expressions. It also adds handling of ranges although to benefit from those the VRP pass needs to run before the object size pass. (It doesn't handle the test case in comment #0 because of the volatile qualifier.)