Re: [PATCH] mcel-tests: fix read overrun in test case
From: Bruno Haible
Subject: Re: [PATCH] mcel-tests: fix read overrun in test case
Date: Tue, 07 Nov 2023 10:51:04 +0100
Paul Eggert wrote:
> * tests/test-mcel.c (main): Don’t overrun test input buffer.
Could this bug have been detected with the "usual tools"?
* Valgrind: no.
* gcc -fsanitize=undefined: no
* clang -fsanitize=undefined,signed-integer-overflow,shift,integer-divide-by-zero -fno-sanitize=pointer-overflow: no
* gcc -fsanitize=address: yes, see below
* clang -fsanitize=address: yes, see below
Output from gcc -fsanitize=address -O1 -fno-omit-frame-pointer -ggdb:

ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffa4e73f83 at pc 0x5584972d903a bp 0x7fffa4e73e40 sp 0x7fffa4e73e30
READ of size 1 at 0x7fffa4e73f83 thread T0
    #0 0x5584972d9039 in mcel_scant ../../gltests/../gllib/mcel.h:280
    #1 0x5584972d9039 in main ../../gltests/test-mcel.c:128
    #2 0x7f5bbdce4d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #3 0x7f5bbdce4e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #4 0x5584972d8264 in _start (/GNULIB/testdir5/build-64/gltests/test-mcel+0x1264)

Address 0x7fffa4e73f83 is located in stack of thread T0 at offset 227 in frame
    #0 0x5584972d8342 in main ../../gltests/test-mcel.c:48

  This frame has 9 object(s):
    [32, 36) 'ch' (line 117)
    [48, 52) 'ch'
    [64, 68) 'ch'
    [80, 84) 'ch'
    [96, 104) 'mbs' (line 116)
    [128, 136) 'mbs'
    [160, 168) 'mbs'
    [192, 200) 'mbs'
    [224, 227) 'ijk' (line 115) <== Memory access at offset 227 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ../../gltests/../gllib/mcel.h:280 in mcel_scant
Output from clang -fsanitize=address -O1 -fno-omit-frame-pointer -ggdb:

ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fc857f000b3 at pc 0x5627c5eae105 bp 0x7ffc1be765b0 sp 0x7ffc1be765a8
READ of size 1 at 0x7fc857f000b3 thread T0
    #0 0x5627c5eae104 in mcel_scant /GNULIB/testdir5/build-64-clang/gltests/../../gltests/../gllib/mcel.h:280:12
    #1 0x5627c5eae104 in main /GNULIB/testdir5/build-64-clang/gltests/../../gltests/test-mcel.c:128:26
    #2 0x7fc859aebd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #3 0x7fc859aebe3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #4 0x5627c5dda2f4 in _start (/GNULIB/testdir5/build-64-clang/gltests/test-mcel+0x1e2f4)

Address 0x7fc857f000b3 is located in stack of thread T0 at offset 179 in frame
    #0 0x5627c5ead20f in main /GNULIB/testdir5/build-64-clang/gltests/../../gltests/test-mcel.c:48

  This frame has 9 object(s):
    [32, 40) 'mbs.i.i.i'
    [64, 68) 'ch.i.i.i'
    [80, 88) 'mbs.i.i'
    [112, 116) 'ch.i.i'
    [128, 136) 'mbs.i'
    [160, 164) 'ch.i'
    [176, 179) 'ijk' (line 115) <== Memory access at offset 179 overflows this variable
    [192, 200) 'mbs' (line 116)
    [224, 228) 'ch365' (line 117)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /GNULIB/testdir5/build-64-clang/gltests/../../gltests/../gllib/mcel.h:280:12 in mcel_scant
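The bug shape behind the reports above, a scanner reading one byte past a 3-byte stack array that carries no terminator, as an added example that is not code from gnulib's mcel.h or test-mcel.c and not from this mail; every name in it (scan_run, scan_run_unbounded, scan_three_bytes, the DEMONSTRATE_OVERRUN macro) is hypothetical. The bounded scanner takes its limit from sizeof the object and is the shape a test case should call. The unbounded one is compiled only on request so the file has no undefined behaviour by default; built with `-DDEMONSTRATE_OVERRUN` and the flags quoted above (`gcc -fsanitize=address -O1 -fno-omit-frame-pointer -ggdb`) it yields a stack-buffer-overflow report of the same form. This is also why only the -fsanitize=address rows say yes: the byte past the array is still inside the valid stack frame, which Valgrind's memcheck treats as addressable, whereas AddressSanitizer surrounds each stack object with poisoned redzones and flags the read.

```c
/* Added example, not gnulib code.  A stand-in for a scanner that walks a
   caller-supplied [p, lim) range, plus the two ways a test can call it. */
#include <stddef.h>

/* Count bytes in [p, lim) up to and excluding the first NUL.  Never
   dereferences lim, so a buffer with no terminator is safe whenever the
   caller passes lim == buf + sizeof buf. */
static size_t scan_run(const char *p, const char *lim)
{
  const char *q = p;
  while (q < lim && *q != '\0')
    q++;
  return (size_t) (q - p);
}

#ifdef DEMONSTRATE_OVERRUN
/* The bug pattern: a scanner that relies on a terminator the caller never
   guaranteed.  On a 3-byte, non-NUL-terminated stack array it reads one
   byte past the object.  Only built when DEMONSTRATE_OVERRUN is defined. */
static size_t scan_run_unbounded(const char *p)
{
  const char *q = p;
  while (*q != '\0')          /* no limit: overruns if no NUL is present */
    q++;
  return (size_t) (q - p);
}

/* Under ASan this reports "READ of size 1" one past 'ijk', matching the
   [224, 227) 'ijk' <== Memory access at offset 227 line in the mail. */
size_t scan_three_bytes_overrun(void)
{
  char ijk[3] = { 'i', 'j', 'k' };          /* deliberately no NUL */
  return scan_run_unbounded(ijk);
}
#endif

/* Test-case shape that stays inside the buffer: the limit is derived from
   the object's size, not from a terminator that is not there. */
size_t scan_three_bytes(void)
{
  char ijk[3] = { 'i', 'j', 'k' };          /* deliberately no NUL */
  return scan_run(ijk, ijk + sizeof ijk);   /* 3: stops at lim */
}

/* Same scanner when a NUL sits before lim: stops at the NUL. */
size_t scan_with_terminator(void)
{
  char buf[4] = { 'i', '\0', 'k', 'x' };
  return scan_run(buf, buf + sizeof buf);   /* 1 */
}

/* Empty range: lim == p, so nothing is read at all. */
size_t scan_empty(void)
{
  char buf[1] = { 'x' };
  return scan_run(buf, buf);                /* 0 */
}
```

Compiling the default configuration under either sanitizer is silent; the point of the DEMONSTRATE_OVERRUN build is that the same source, differing only in which scanner the test calls, is what separates a clean run from the reports quoted above.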