MSan may incorrectly report buffer overflow due to undefined behavior #51

kcwu · 2016-11-27T18:53:32Z

I cannot recall the exact case confusing MSan. Something like this:

short bar[N];
short foo[len];  // len=0;

MSan may report buffer overflow when access bar.

Build w3m with clang -fsanitize=undefined

case1

00000000: 3c74 6162 6c65 3e30 3c74 643e            <table>0<td>

$ w3m.ubsan -T text/html -dump case1
table.c:1222:18: runtime error: variable length array bound evaluates to non-positive value 0

case2

00000000: 3c74 6162 6c65 3e                        <table>

$ w3m.ubsan -T text/html -dump case2
table.c:1574:20: runtime error: variable length array bound evaluates to non-positive value 0

I don't know they are security related or not. But since MSan may be confused. I think they are worth to fix.

This is found by afl-fuzz.

The text was updated successfully, but these errors were encountered:

kcwu · 2016-12-10T16:22:09Z

Ah, should be MSan, not ASan. I modified the text of description. I will add concrete case later.

Compiling with GCC 10.2 with -fsanitize=address,undefined valgrind reports: table.c:1632:8: runtime error: variable length array bound evaluates to non-positive value 0 table.c:1266:11: runtime error: variable length array bound evaluates to non-positive value 0 table.c:1267:12: runtime error: variable length array bound evaluates to non-positive value 0 'maxcell' is initialized to -1 which results in a size of 0 during the first iteration. Though the array is only accessed if maxcell >= 0, using a variable length array with a size < 1 is undefined behaviour (see e.g. C99 6.7.5.2,p5). This closes issue tats#51 .

Compiling with GCC 10.2 with -fsanitize=address,undefined valgrind and opening the 'opions panel' reports: table.c:1632:8: runtime error: variable length array bound evaluates to non-positive value 0 table.c:1266:11: runtime error: variable length array bound evaluates to non-positive value 0 table.c:1267:12: runtime error: variable length array bound evaluates to non-positive value 0 'maxcell' is initialized to -1 which results in a size of 0 during the first iteration. Though the array is only accessed if maxcell >= 0, using a variable length array with a size < 1 is undefined behaviour (see e.g. C99 6.7.5.2,p5). This closes issue tats#51 .

tats · 2021-09-05T09:54:53Z

Fixed with #192

Compiling with GCC 10.2 with -fsanitize=address,undefined valgrind and opening the 'opions panel' reports: table.c:1632:8: runtime error: variable length array bound evaluates to non-positive value 0 table.c:1266:11: runtime error: variable length array bound evaluates to non-positive value 0 table.c:1267:12: runtime error: variable length array bound evaluates to non-positive value 0 'maxcell' is initialized to -1 which results in a size of 0 during the first iteration. Though the array is only accessed if maxcell >= 0, using a variable length array with a size < 1 is undefined behaviour (see e.g. C99 6.7.5.2,p5). This closes issue tats#51 .

kcwu changed the title ~~ASan may incorrectly report buffer overflow due to undefined behavior~~ MSan may incorrectly report buffer overflow due to undefined behavior Dec 10, 2016

rkta mentioned this issue Sep 1, 2021

Ensure VLA size is at least one #192

Merged

tats closed this as completed Sep 5, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

MSan may incorrectly report buffer overflow due to undefined behavior #51

MSan may incorrectly report buffer overflow due to undefined behavior #51

kcwu commented Nov 27, 2016 •

edited

kcwu commented Dec 10, 2016

tats commented Sep 5, 2021

MSan may incorrectly report buffer overflow due to undefined behavior #51

MSan may incorrectly report buffer overflow due to undefined behavior #51

Comments

kcwu commented Nov 27, 2016 • edited

kcwu commented Dec 10, 2016

tats commented Sep 5, 2021

kcwu commented Nov 27, 2016 •

edited