re PR sanitizer/65280 (-fsanitize=bounds does not detect out-of-bounds access)

PR sanitizer/65280
	* doc/invoke.texi: Update description of -fsanitize=bounds.

	* c-ubsan.c (ubsan_instrument_bounds): Check for COMPONENT_REF
	before trying to figure out whether we have a flexible array member.

	* c-c++-common/ubsan/bounds-1.c: Add testing of flexible array
	member-like arrays.
	* c-c++-common/ubsan/bounds-8.c: New test.
	* c-c++-common/ubsan/bounds-9.c: New test.
	* gcc.dg/ubsan/bounds-2.c: New test.

Co-Authored-By: Martin Uecker <uecker@eecs.berkeley.edu>

From-SVN: r221250
Marek Polacek 2015-03-06 23:44:56 +00:00 committed by Marek Polacek
parent a78cbe2976
commit 04fd785e38
9 changed files with 88 additions and 4 deletions


@ -1,3 +1,9 @@
2015-03-07 Marek Polacek <polacek@redhat.com>
Martin Uecker <uecker@eecs.berkeley.edu>
PR sanitizer/65280
* doc/invoke.texi: Update description of -fsanitize=bounds.
2015-03-06 Wilco Dijkstra <wilco.dijkstra@arm.com> 2015-03-06 Wilco Dijkstra <wilco.dijkstra@arm.com>
* tree-ssa-phiopt.c (neg_replacement): Remove. * tree-ssa-phiopt.c (neg_replacement): Remove.


@ -1,3 +1,9 @@
2015-03-07 Marek Polacek <polacek@redhat.com>
PR sanitizer/65280
* c-ubsan.c (ubsan_instrument_bounds): Check for COMPONENT_REF
before trying to figure out whether we have a flexible array member.
2015-03-06 Eric Botcazou <ebotcazou@adacore.com> 2015-03-06 Eric Botcazou <ebotcazou@adacore.com>
Jonathan Wakely <jwakely.gcc@gmail.com> Jonathan Wakely <jwakely.gcc@gmail.com>


@ -303,8 +303,9 @@ ubsan_instrument_bounds (location_t loc, tree array, tree *index,
/* Detect flexible array members and suchlike. */ /* Detect flexible array members and suchlike. */
tree base = get_base_address (array); tree base = get_base_address (array);
if (base && (TREE_CODE (base) == INDIRECT_REF if (TREE_CODE (array) == COMPONENT_REF
|| TREE_CODE (base) == MEM_REF)) && base && (TREE_CODE (base) == INDIRECT_REF
|| TREE_CODE (base) == MEM_REF))
{ {
tree next = NULL_TREE; tree next = NULL_TREE;
tree cref = array; tree cref = array;
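Review bot: The added `TREE_CODE (array) == COMPONENT_REF` test on the `if` is the entire fix, but nothing in the code says why a pointer-to-array dereference must keep falling through to instrumentation, so a later cleanup could fold it back into the `base` check. A comment above the condition would pin the intent: `/* Only a COMPONENT_REF can be a flexible array member or a trailing array in a struct; a plain pointer-to-array access such as (*p)[i] must still be checked (PR sanitizer/65280).  */`. The `base` test itself is unchanged, and the walk over `cref` that presumably decides whether the member is last lies below the hunk; ubsan_instrument_bounds starts and ends outside the hunk.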


@ -5704,8 +5704,8 @@ a++;
@item -fsanitize=bounds @item -fsanitize=bounds
@opindex fsanitize=bounds @opindex fsanitize=bounds
This option enables instrumentation of array bounds. Various out of bounds This option enables instrumentation of array bounds. Various out of bounds
accesses are detected. Flexible array members and initializers of variables accesses are detected. Flexible array members, flexible array member-like
with static storage are not instrumented. arrays, and initializers of variables with static storage are not instrumented.
@item -fsanitize=alignment @item -fsanitize=alignment
@opindex fsanitize=alignment @opindex fsanitize=alignment


@ -1,3 +1,13 @@
2015-03-07 Marek Polacek <polacek@redhat.com>
Martin Uecker <uecker@eecs.berkeley.edu>
PR sanitizer/65280
* c-c++-common/ubsan/bounds-1.c: Add testing of flexible array
member-like arrays.
* c-c++-common/ubsan/bounds-8.c: New test.
* c-c++-common/ubsan/bounds-9.c: New test.
* gcc.dg/ubsan/bounds-2.c: New test.
2015-03-05 Martin Sebor <msebor@redhat.com> 2015-03-05 Martin Sebor <msebor@redhat.com>
* PR testsuite/63175 * PR testsuite/63175


@ -6,6 +6,7 @@
struct S { int a[10]; }; struct S { int a[10]; };
struct T { int l; int a[]; }; struct T { int l; int a[]; };
struct U { int l; int a[0]; }; struct U { int l; int a[0]; };
struct V { int l; int a[1]; };
__attribute__ ((noinline, noclone)) __attribute__ ((noinline, noclone))
void void
@ -64,9 +65,14 @@ main (void)
struct T *t = (struct T *) __builtin_malloc (sizeof (struct T) + 10); struct T *t = (struct T *) __builtin_malloc (sizeof (struct T) + 10);
t->a[1] = 1; t->a[1] = 1;
/* Don't instrument zero-sized arrays (GNU extension). */
struct U *u = (struct U *) __builtin_malloc (sizeof (struct U) + 10); struct U *u = (struct U *) __builtin_malloc (sizeof (struct U) + 10);
u->a[1] = 1; u->a[1] = 1;
/* Don't instrument last array in a struct. */
struct V *v = (struct V *) __builtin_malloc (sizeof (struct V) + 10);
v->a[1] = 1;
long int *d[10][5]; long int *d[10][5];
d[9][0] = (long int *) 0; d[9][0] = (long int *) 0;
d[8][3] = d[9][0]; d[8][3] = d[9][0];
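Review bot: The new comment `/* Don't instrument last array in a struct. */` above the struct V case states the rule more broadly than the code in this commit does: in the c-ubsan.c hunk the skip is only reached when the base is an INDIRECT_REF or MEM_REF, that is, when the array is reached through a pointer, which here is the malloc'd `v`. Suggest `/* Don't instrument a trailing array in a struct when accessed through a pointer (flexible array member-like).  */` so the test documents the same condition the invoke.texi change describes. main starts and ends outside the hunk.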


@ -0,0 +1,13 @@
/* PR sanitizer/65280 */
/* { dg-do run } */
/* { dg-options "-fsanitize=bounds" } */
int
main (void)
{
int *t = (int *) __builtin_malloc (sizeof (int) * 10);
int (*a)[1] = (int (*)[1]) t;
(*a)[2] = 1;
}
/* { dg-output "index 2 out of bounds for type 'int \\\[1\\\]'\[^\n\r]*(\n|\r\n|\r)" } */
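Review bot: `main` falls off the end without a `return` here and in the last new file of the commit (the VLA test that the ChangeLog names gcc.dg/ubsan/bounds-2.c), while the bounds-9.c test added by the same commit ends with `return 0;`. The language permits this for `main`, but the three new tests are easier to read as a set when the exit status is explicit; adding `return 0;` before the closing brace in both files makes them consistent. The file names are inferred from the ChangeLog order, since the rendered page shows no file headers.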


@ -0,0 +1,24 @@
/* PR sanitizer/65280 */
/* { dg-do run } */
/* { dg-options "-fsanitize=bounds" } */
/* Origin: Martin Uecker <uecker@eecs.berkeley.edu> */
void
foo (volatile int (*a)[3])
{
(*a)[3] = 1; // error
a[0][0] = 1; // ok
a[1][0] = 1; // ok
a[1][4] = 1; // error
}
int
main ()
{
volatile int a[20];
foo ((int (*)[3]) &a);
return 0;
}
/* { dg-output "index 3 out of bounds for type 'int \\\[3\\\]'\[^\n\r]*(\n|\r\n|\r)" } */
/* { dg-output "\[^\n\r]*index 4 out of bounds for type 'int \\\[3\\\]'" } */
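Review bot: The call `foo ((int (*)[3]) &a);` casts away the `volatile` qualifier of `a` (declared `volatile int a[20]`), only for the parameter type `volatile int (*a)[3]` to add it back; `-Wcast-qual` warns on this and it is unrelated to what the test exercises. Casting to the matching qualified type keeps the test focused on the bounds check: `foo ((volatile int (*)[3]) &a);`. The two dg-output patterns cover the two `// error` lines, while the two `// ok` lines are only implicitly checked by the absence of further output, which is worth a one-line comment near the second pattern.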


@ -0,0 +1,18 @@
/* PR sanitizer/65280 */
/* { dg-do run } */
/* { dg-options "-fsanitize=bounds" } */
void
foo (int n, int (*b)[n])
{
(*b)[n] = 1;
}
int
main ()
{
int a[20];
foo (3, (int (*)[3]) &a);
}
/* { dg-output "index 3 out of bounds for type 'int \\\[\\\*\\\]'\[^\n\r]*(\n|\r\n|\r)" } */