[Tinycc-devel] AddressSanitizer: global-buffer-overflow
From: Zhuo Zhang
Subject: [Tinycc-devel] AddressSanitizer: global-buffer-overflow
Date: Thu, 11 Feb 2021 12:18:10 +0000
A global-buffer-overflow occurs in commit fbef90a7039b994907db34fde50f6fa5e46ab535 (ASAN on).
System info: ubuntu 18.04, x86-64
Without ASAN, tcc will encounter a segmentation fault due to this overflow.
$ cat poc.c
a() {
int b;
c(b && (void)b);
}
$ ./tcc -c poc.c
poc.c:3: warning: implicit declaration of function 'c'
poc.c:3: error: invalid operand types for binary operation
=================================================================
==34633==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000064fcbf at pc 0x0000005f7d1c bp 0x7ffcfcea77d0 sp 0x7ffcfcea77c8
READ of size 1 at 0x00000064fcbf thread T0
#0 0x5f7d1b (/root/git/tinycc/tcc+0x5f7d1b)
#1 0x57c6b7 (/root/git/tinycc/tcc+0x57c6b7)
#2 0x5a5643 (/root/git/tinycc/tcc+0x5a5643)
#3 0x5908e2 (/root/git/tinycc/tcc+0x5908e2)
#4 0x58b3cf (/root/git/tinycc/tcc+0x58b3cf)
#5 0x588c25 (/root/git/tinycc/tcc+0x588c25)
#6 0x5afa26 (/root/git/tinycc/tcc+0x5afa26)
#7 0x5abf86 (/root/git/tinycc/tcc+0x5abf86)
#8 0x554412 (/root/git/tinycc/tcc+0x554412)
#9 0x51b550 (/root/git/tinycc/tcc+0x51b550)
#10 0x51d252 (/root/git/tinycc/tcc+0x51d252)
#11 0x51697a (/root/git/tinycc/tcc+0x51697a)
#12 0x7f417374bb96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
#13 0x41a5d9 in pthread_getattr_np (/root/git/tinycc/tcc+0x41a5d9)
0x00000064fcbf is located 1 bytes to the left of global variable 'arg_regs'
defined in './x86_64-gen.c:1215:22' (0x64fcc0) of size 6
0x00000064fcbf is located 48 bytes to the right of global variable '<string literal>' defined in './x86_64-gen.c:1539:20' (0x64fc60) of size 47
'<string literal>' is ascii string 'SSE disabled but floating point arguments used'
SUMMARY: AddressSanitizer: global-buffer-overflow (/root/git/tinycc/tcc+0x5f7d1b)
Shadow bytes around the buggy address:
0x0000800c1f40: 00 00 00 00 00 00 01 f9 f9 f9 f9 f9 00 00 00 f9
0x0000800c1f50: f9 f9 f9 f9 00 00 05 f9 f9 f9 f9 f9 00 00 00 04
0x0000800c1f60: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 05 f9 f9
0x0000800c1f70: f9 f9 f9 f9 00 07 f9 f9 f9 f9 f9 f9 00 05 f9 f9
0x0000800c1f80: f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9 00 00 00 00
=>0x0000800c1f90: 00 07 f9 f9 f9 f9 f9[f9]06 f9 f9 f9 f9 f9 f9 f9
0x0000800c1fa0: 00 00 00 f9 f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9
0x0000800c1fb0: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 06
0x0000800c1fc0: f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9 02 f9 f9 f9
0x0000800c1fd0: f9 f9 f9 f9 00 00 07 f9 f9 f9 f9 f9 00 00 00 00
0x0000800c1fe0: 00 03 f9 f9 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
==34633==ABORTING
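Added example (not code from tcc or from this report): the two "located N bytes to the left/right of" lines above follow a fixed rule, and the report's numbers (size 6 table at 0x64fcc0, size 47 string at 0x64fc60, faulting address 0x64fcbf) can be checked against it. The table contents and the lookup functions below are constructed stand-ins for a 6-entry uint8_t table like 'arg_regs', showing the unchecked index that reads one byte before the table next to a bounds-checked version.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Classify 'addr' against a global of 'size' bytes starting at 'base', using
   ASan's wording: "left" distance is base - addr, "right" distance is
   addr - (base + size). Returns -1 (left), 0 (inside) or 1 (right) and
   stores the byte distance in *dist (0 when inside). */
int locate(uintptr_t base, size_t size, uintptr_t addr, size_t *dist) {
    if (addr < base) { *dist = base - addr; return -1; }
    if (addr >= base + size) { *dist = addr - (base + size); return 1; }
    *dist = 0;
    return 0;
}

/* Stand-in for a 6-entry register table; values are constructed for this
   example, not copied from x86_64-gen.c. */
static const uint8_t arg_regs[6] = { 7, 6, 2, 1, 8, 9 };

/* Unchecked lookup: an index of -1 reads the byte just before the table,
   which is exactly the 1-byte read ASan reported (undefined behaviour). */
uint8_t arg_reg_unchecked(int idx) { return arg_regs[idx]; }

/* Hardened lookup: any index outside [0, 6) is rejected instead of read.
   Returns 1 and stores the register on success, 0 on a bad index. */
int arg_reg_checked(int idx, uint8_t *out) {
    if (idx < 0 || (size_t)idx >= sizeof arg_regs) return 0;
    *out = arg_regs[idx];
    return 1;
}

int main(void) {
    size_t d;
    int side = locate(0x64fcc0, 6, 0x64fcbf, &d);   /* -> -1, d == 1  */
    printf("arg_regs: side=%d dist=%zu\n", side, d);
    side = locate(0x64fc60, 47, 0x64fcbf, &d);      /* ->  1, d == 48 */
    printf("string literal: side=%d dist=%zu\n", side, d);
    uint8_t r;
    printf("checked(-1) accepted? %d\n", arg_reg_checked(-1, &r)); /* 0 */
    return 0;
}
```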