https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95279
Bug ID: 95279
Summary: UBSan doesn't seem to detect pointer overflow in certain cases
Product: gcc
Version: 10.1.1
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: sanitizer
Assignee: unassigned at gcc dot gnu.org
Reporter: frantisek at sumsal dot cz
CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org, jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
Target Milestone: ---
Created attachment 48583
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=48583&action=edit
repro.i
Hello,
One of our systemd fuzzers caught a pointer overflow issue and after adding the
reproducer into our test suite I noticed that the scenario seems to be detected
only by clang - gcc remains silent.
Reproducer:
#include <stdio.h>
#include <stdint.h>

int main(int argc, char *argv[]) {
	const void *p = (uint8_t*)0x406310;
	size_t s = -1;
	void *r;

	r = (uint8_t*)p + s;
	printf("0x%lx\n", (unsigned long)r);
	return 0;
}
### gcc (GCC) 10.1.1 20200507 (Red Hat 10.1.1-1)
$ export UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1
$ gcc -fsanitize=undefined -g -save-temps -o repro repro.c
$ ./repro
0x40630f
### clang version 10.0.0 (Fedora 10.0.0-1.fc33)
$ export UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1
$ clang -fsanitize=undefined -g -save-temps -o repro repro.c
$ ./repro
repro.c:9:18: runtime error: addition of unsigned offset to 0x000000406310 overflowed to 0x00000040630f
    #0 0x427f1b in main /root/systemd/repro.c:9:18
    #1 0x7f5e0cbd3151 in __libc_start_main (/lib64/libc.so.6+0x27151)
    #2 0x40347d in _start (/root/systemd/repro+0x40347d)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior repro.c:9:18 in
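The condition clang reports above (an unsigned offset added to a pointer wrapping the address space) can also be checked explicitly in code, independently of whether the compiler's sanitizer instruments it. The following C program is an added example and is not part of the bug report, systemd, or GCC; it uses GCC/clang's `__builtin_add_overflow` on the integer representation of the address so the check never performs the undefined pointer addition itself. The buffer `demo_buf`, the helper names `addr_add_wraps`, `ptr_add_checked` and `try_offset`, and the values fed to them are constructed for illustration; `0x406310` and `(size_t)-1` are the values from the report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Mirrors the check clang's UBSan applies in the report: does adding
 * the unsigned offset `off` to address `addr` wrap around?  The sum is
 * computed on uintptr_t, so no pointer arithmetic (and no UB) happens. */
static bool addr_add_wraps(uintptr_t addr, size_t off)
{
    uintptr_t sum;
    return __builtin_add_overflow(addr, off, &sum);
}

/* Advance `base` by `off` bytes only if the result stays inside the
 * `len`-byte object starting at `base`; one-past-the-end is allowed,
 * as the C standard permits.  Returns NULL on wrap-around or on an
 * out-of-bounds offset, which also rejects "negative" size_t values
 * such as (size_t)-1 from the report. */
static const uint8_t *ptr_add_checked(const uint8_t *base, size_t len, size_t off)
{
    if (addr_add_wraps((uintptr_t)base, off))
        return NULL;
    if (off > len)
        return NULL;
    return base + off;
}

/* Constructed 16-byte object used by the demonstration below. */
static uint8_t demo_buf[16];

/* Returns the accepted offset into demo_buf, or -1 if it was rejected. */
static long try_offset(size_t off)
{
    const uint8_t *r = ptr_add_checked(demo_buf, sizeof demo_buf, off);
    return r ? (long)(r - demo_buf) : -1;
}

int main(void)
{
    /* Same operands as the reproducer: 0x406310 + (size_t)-1 wraps. */
    printf("0x406310 + (size_t)-1 wraps: %s\n",
           addr_add_wraps(0x406310, (size_t)-1) ? "yes" : "no");

    const size_t cases[] = { 0, 15, 16, 17, (size_t)-1 };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("offset %zu -> %ld\n", cases[i], try_offset(cases[i]));
    return 0;
}
```

`addr_add_wraps` reports the same wrap for the report's operands that clang's diagnostic does, while `ptr_add_checked` is the form a caller would actually use: it rejects both the wrap and any offset beyond one-past-the-end, so an offset of 16 into a 16-byte object is accepted and 17 or `(size_t)-1` is not.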