From d3eac7d96de790df51859f63c13838f153b416de Mon Sep 17 00:00:00 2001 From: Jakub Jelinek Date: Tue, 6 Feb 2024 13:00:04 +0100 Subject: [PATCH] asan: Don't fold some strlens with -fsanitize=address [PR110676] The UB on the following testcase isn't diagnosed by -fsanitize=address, because we see that the array has a single element and optimize the strlen to 0. I think it is fine to assume e.g. for range purposes the lower bound for the strlen as long as we don't try to optimize strlen (str) where we know that it returns [26, 42] to 26 + strlen (str + 26), but for the upper bound we really want to punt on optimizing that for -fsanitize=address to read all the bytes of the string and diagnose if we run to object end etc. 2024-02-06 Jakub Jelinek PR sanitizer/110676 * gimple-fold.cc (gimple_fold_builtin_strlen): For -fsanitize=address reset maxlen to sizetype maximum. * gcc.dg/asan/pr110676.c: New test. --- gcc/gimple-fold.cc | 5 +++++ gcc/testsuite/gcc.dg/asan/pr110676.c | 14 ++++++++++++++ 2 files changed, 19 insertions(+) create mode 100644 gcc/testsuite/gcc.dg/asan/pr110676.c diff --git a/gcc/gimple-fold.cc b/gcc/gimple-fold.cc index a46e640692d..5191102df68 100644 --- a/gcc/gimple-fold.cc +++ b/gcc/gimple-fold.cc @@ -4019,6 +4019,11 @@ gimple_fold_builtin_strlen (gimple_stmt_iterator *gsi) maxlen = wi::to_wide (max_object_size (), prec) - 2; } + /* For -fsanitize=address, don't optimize the upper bound of the + length to be able to diagnose UB on non-zero terminated arrays. */ + if (sanitize_flags_p (SANITIZE_ADDRESS)) + maxlen = wi::max_value (TYPE_PRECISION (sizetype), UNSIGNED); + if (minlen == maxlen) { /* Fold the strlen call to a constant. */ diff --git a/gcc/testsuite/gcc.dg/asan/pr110676.c b/gcc/testsuite/gcc.dg/asan/pr110676.c new file mode 100644 index 00000000000..0ae6fdd67b5 --- /dev/null +++ b/gcc/testsuite/gcc.dg/asan/pr110676.c @@ -0,0 +1,14 @@ +/* PR sanitizer/110676 */ +/* { dg-do run } */ +/* { dg-skip-if "" { *-*-* } { "*" } { "-O0" } } */ +/* { dg-shouldfail "asan" } */ + +int +main () +{ + char s[1] = "A"; + return __builtin_strlen (s); +} + +/* { dg-output "ERROR: AddressSanitizer: stack-buffer-overflow on address.*(\n|\r\n|\r)" } */ +/* { dg-output "READ of size.*" } */