
[Tinycc-devel] AddressSanitizer: global-buffer-overflow


From: Zhuo Zhang
Subject: [Tinycc-devel] AddressSanitizer: global-buffer-overflow
Date: Thu, 11 Feb 2021 12:18:10 +0000

A global-buffer overflow occurs in commit 
fbef90a7039b994907db34fde50f6fa5e46ab535 (ASAN on).

System info: ubuntu 18.04, x86-64

Without ASAN, tcc will encounter a segmentation fault due to this overflow.

$ cat poc.c
a() {
  int b;
  c(b && (void)b);
}

$ ./tcc -c poc.c
poc.c:3: warning: implicit declaration of function 'c'
poc.c:3: error: invalid operand types for binary operation
=================================================================
==34633==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000064fcbf at pc 0x0000005f7d1c bp 0x7ffcfcea77d0 sp 0x7ffcfcea77c8
READ of size 1 at 0x00000064fcbf thread T0
    #0 0x5f7d1b  (/root/git/tinycc/tcc+0x5f7d1b)
    #1 0x57c6b7  (/root/git/tinycc/tcc+0x57c6b7)
    #2 0x5a5643  (/root/git/tinycc/tcc+0x5a5643)
    #3 0x5908e2  (/root/git/tinycc/tcc+0x5908e2)
    #4 0x58b3cf  (/root/git/tinycc/tcc+0x58b3cf)
    #5 0x588c25  (/root/git/tinycc/tcc+0x588c25)
    #6 0x5afa26  (/root/git/tinycc/tcc+0x5afa26)
    #7 0x5abf86  (/root/git/tinycc/tcc+0x5abf86)
    #8 0x554412  (/root/git/tinycc/tcc+0x554412)
    #9 0x51b550  (/root/git/tinycc/tcc+0x51b550)
    #10 0x51d252  (/root/git/tinycc/tcc+0x51d252)
    #11 0x51697a  (/root/git/tinycc/tcc+0x51697a)
    #12 0x7f417374bb96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
    #13 0x41a5d9 in pthread_getattr_np (/root/git/tinycc/tcc+0x41a5d9)

0x00000064fcbf is located 1 bytes to the left of global variable 'arg_regs' defined in './x86_64-gen.c:1215:22' (0x64fcc0) of size 6
0x00000064fcbf is located 48 bytes to the right of global variable '<string literal>' defined in './x86_64-gen.c:1539:20' (0x64fc60) of size 47
  '<string literal>' is ascii string 'SSE disabled but floating point arguments used'
SUMMARY: AddressSanitizer: global-buffer-overflow (/root/git/tinycc/tcc+0x5f7d1b)
Shadow bytes around the buggy address:
  0x0000800c1f40: 00 00 00 00 00 00 01 f9 f9 f9 f9 f9 00 00 00 f9
  0x0000800c1f50: f9 f9 f9 f9 00 00 05 f9 f9 f9 f9 f9 00 00 00 04
  0x0000800c1f60: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 05 f9 f9
  0x0000800c1f70: f9 f9 f9 f9 00 07 f9 f9 f9 f9 f9 f9 00 05 f9 f9
  0x0000800c1f80: f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9 00 00 00 00
=>0x0000800c1f90: 00 07 f9 f9 f9 f9 f9[f9]06 f9 f9 f9 f9 f9 f9 f9
  0x0000800c1fa0: 00 00 00 f9 f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9
  0x0000800c1fb0: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 06
  0x0000800c1fc0: f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9 02 f9 f9 f9
  0x0000800c1fd0: f9 f9 f9 f9 00 00 07 f9 f9 f9 f9 f9 00 00 00 00
  0x0000800c1fe0: 00 03 f9 f9 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==34633==ABORTING
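The "Shadow bytes around the buggy address" section is the part of an ASAN report that lets a reader confirm the bad read without running the binary. The following C program is an added example, not tcc code and not part of the report above; it reproduces the arithmetic ASAN uses on x86-64 Linux (shadow address = (addr >> 3) + 0x7fff8000, which is an assumption about the platform the report came from) against the "=>" shadow row quoted in the report. It shows that 0x64fcbf maps to the bracketed f9 (global redzone) byte, that the next shadow byte 06 describes exactly the six addressable bytes of `arg_regs`, and that a one-byte read at 0x64fcbf is therefore rejected while reads at 0x64fcc0..0x64fcc5 are accepted.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not tcc code): decode the shadow row from the ASAN report.
 * Assumes the default x86-64 Linux shadow mapping; other targets use a
 * different offset and the constant below would have to change. */
#define ASAN_SHADOW_OFFSET 0x7fff8000ULL

/* The "=>" row quoted in the report, which starts at shadow address
 * 0x0000800c1f90. The bracketed byte [f9] is at index 7. */
static const uint64_t ROW_BASE = 0x0000800c1f90ULL;
static const uint8_t ROW[16] = {
    0x00, 0x07, 0xf9, 0xf9, 0xf9, 0xf9, 0xf9, 0xf9,
    0x06, 0xf9, 0xf9, 0xf9, 0xf9, 0xf9, 0xf9, 0xf9,
};

/* One shadow byte covers an 8-byte aligned granule of application memory. */
uint64_t shadow_addr(uint64_t app_addr)
{
    return (app_addr >> 3) + ASAN_SHADOW_OFFSET;
}

/* Shadow byte for an application address, or -1 if it falls outside the
 * single row embedded above. */
int shadow_byte(uint64_t app_addr)
{
    uint64_t s = shadow_addr(app_addr);
    if (s < ROW_BASE || s >= ROW_BASE + sizeof ROW)
        return -1;
    return ROW[s - ROW_BASE];
}

/* Number of addressable bytes at the start of a granule: 8 for 0x00,
 * k for 0x01..0x07, and -1 for any poison value (0xf9 = global redzone). */
int addressable_bytes(uint8_t shadow)
{
    if (shadow == 0x00)
        return 8;
    if (shadow <= 0x07)
        return shadow;
    return -1;
}

/* ASAN's rule: an access of `size` bytes (1..8) at app_addr is valid only
 * when it lies entirely within the addressable prefix of its granule. */
int access_is_valid(uint64_t app_addr, unsigned size)
{
    int sb = shadow_byte(app_addr);
    if (sb < 0)
        return 0;
    int n = addressable_bytes((uint8_t)sb);
    if (n < 0)
        return 0;
    return (unsigned)(app_addr & 7) + size <= (unsigned)n;
}

int main(void)
{
    /* Values taken from the report: the faulting read and the start of the
     * 6-byte global 'arg_regs'. */
    uint64_t addrs[] = { 0x64fcbf, 0x64fcc0, 0x64fcc5, 0x64fcc6 };
    for (unsigned i = 0; i < sizeof addrs / sizeof addrs[0]; i++) {
        uint64_t a = addrs[i];
        printf("app 0x%llx -> shadow 0x%llx byte 0x%02x  1-byte read %s\n",
               (unsigned long long)a, (unsigned long long)shadow_addr(a),
               shadow_byte(a), access_is_valid(a, 1) ? "ok" : "REJECTED");
    }
    return 0;
}
```

The same arithmetic also checks the second locator line: the 47-byte string literal at 0x64fc60 maps to shadow 0x800c1f8c, whose five 00 bytes plus the 07 at the start of the quoted row account for exactly 5*8+7 = 47 bytes, and 0x64fcbf minus the literal's last byte 0x64fc8f is the 48 bytes the report names.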
