UBsan warns on access to 0 sized arrays in union #43953

Closed
m-gupta opened this issue Jan 21, 2020 · 7 comments
Labels
bugzilla Issues migrated from bugzilla clang:codegen IR generation bugs: mangling, exceptions, etc. compiler-rt:ubsan Undefined behavior sanitizer

Comments

m-gupta (Contributor) commented Jan 21, 2020

Bugzilla Link 44608
Version unspecified
OS Linux
CC @cmtice,@dwblaikie,@gburgessiv,@kcc,@vitalybuka

Extended Description

Copied from Chrome OS bug
https://bugs.chromium.org/p/chromium/issues/detail?id=1043405

One of the programs in Chrome OS uses a 0 sized array inside a union.
ubsan errors on oob accesses to this member. Given that this array is 0 sized, should accesses to it be treated differently?

Relevant struct snippet from
https://chromium.git.corp.google.com/chromiumos/platform/vboot_reference/+/f5367d598a985520a8c935f68ac90d295c7b8d8e/firmware/2lib/include/2sha.h

#include <stdint.h>  /* uint8_t */

struct vb2_hash {
	/* enum vb2_hash_algorithm. Fixed width for serialization.
	   Single byte to avoid endianness issues. */
	uint8_t algo;
	/* Padding to align and to match existing CBFS attribute. */
	uint8_t reserved[3];
	/* The actual digest. Can add new types here as required. */
	union {
		uint8_t raw[0]; // triggers ubsan oob checks
#if VB2_SUPPORT_SHA1
		uint8_t sha1[VB2_SHA1_DIGEST_SIZE];
#endif
#if VB2_SUPPORT_SHA256
		uint8_t sha256[VB2_SHA256_DIGEST_SIZE];
#endif
#if VB2_SUPPORT_SHA512
		uint8_t sha512[VB2_SHA512_DIGEST_SIZE];
#endif
	} bytes;  /* This has a name so that it's easy to sizeof(). */
};
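
An added example, not code from vboot_reference or from this issue, showing the same union layout together with a bounds-checked accessor that does not index the zero-length `raw` member at all. The digest sizes are the standard SHA output lengths; the `enum vb2_hash_algorithm` values, `vb2_digest_size`, `vb2_digest_bytes`, `vb2_hash_get_byte` and `vb2_sample_sha256` are assumptions made for this demo, not vboot's API. The accessor takes the address of the union itself, so every access is bounded by `sizeof(bytes)` (what the struct comment says the name exists for) rather than by a zero-sized array, which is the object UBSan's array-bounds check was complaining about:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed digest lengths (the standard SHA output sizes); the real
 * definitions live in vboot's 2sha.h and are not reproduced here. */
#define VB2_SHA1_DIGEST_SIZE   20
#define VB2_SHA256_DIGEST_SIZE 32
#define VB2_SHA512_DIGEST_SIZE 64

/* Assumed enum values for this demo; vboot's real enum may differ. */
enum vb2_hash_algorithm {
	VB2_HASH_INVALID = 0,
	VB2_HASH_SHA1 = 1,
	VB2_HASH_SHA256 = 2,
	VB2_HASH_SHA512 = 3,
};

/* Same layout as the struct in the issue, with all three algorithms enabled. */
struct vb2_hash {
	uint8_t algo;
	uint8_t reserved[3];
	union {
		uint8_t raw[0];   /* zero-length GNU extension: indexing it is what UBSan flagged */
		uint8_t sha1[VB2_SHA1_DIGEST_SIZE];
		uint8_t sha256[VB2_SHA256_DIGEST_SIZE];
		uint8_t sha512[VB2_SHA512_DIGEST_SIZE];
	} bytes;
};

/* Digest length for an algorithm byte, 0 for anything unknown. */
size_t vb2_digest_size(uint8_t algo)
{
	switch (algo) {
	case VB2_HASH_SHA1:   return VB2_SHA1_DIGEST_SIZE;
	case VB2_HASH_SHA256: return VB2_SHA256_DIGEST_SIZE;
	case VB2_HASH_SHA512: return VB2_SHA512_DIGEST_SIZE;
	default:              return 0;
	}
}

/* Pointer to the digest storage. Taking the address of the union, rather
 * than indexing bytes.raw, means the object being accessed has declared
 * size sizeof(bytes), so in-range reads are in bounds for the compiler and
 * for -fsanitize=array-bounds alike. */
const uint8_t *vb2_digest_bytes(const struct vb2_hash *h)
{
	return (const uint8_t *)&h->bytes;
}

/* Bounds-checked read of digest byte i. Returns 0 and stores the byte, or
 * -1 if i lies outside the digest for h->algo, the digest would not fit in
 * the union, or the algorithm is unknown. */
int vb2_hash_get_byte(const struct vb2_hash *h, size_t i, uint8_t *out)
{
	size_t n = vb2_digest_size(h->algo);

	if (n == 0 || n > sizeof(h->bytes) || i >= n)
		return -1;
	*out = vb2_digest_bytes(h)[i];
	return 0;
}

/* Constructed sample: a "SHA-256" whose digest bytes are 0x00..0x1f. */
struct vb2_hash vb2_sample_sha256(void)
{
	struct vb2_hash h;
	size_t i;

	memset(&h, 0, sizeof(h));
	h.algo = VB2_HASH_SHA256;
	for (i = 0; i < VB2_SHA256_DIGEST_SIZE; i++)
		h.bytes.sha256[i] = (uint8_t)i;
	return h;
}

int main(void)
{
	struct vb2_hash h = vb2_sample_sha256();
	uint8_t b;
	size_t i;

	printf("sizeof(struct vb2_hash) = %zu, digest = %zu bytes\n",
	       sizeof(h), vb2_digest_size(h.algo));
	for (i = 0; i < vb2_digest_size(h.algo); i++) {
		if (vb2_hash_get_byte(&h, i, &b) == 0)
			printf("%02x", b);
	}
	printf("\n");
	/* One past the SHA-256 digest is rejected even though the union,
	 * sized for SHA-512, still has storage at that offset. */
	printf("byte 32 -> %d\n", vb2_hash_get_byte(&h, 32, &b));
	return 0;
}
```

Build with `clang -fsanitize=array-bounds` to see the difference in practice: the accessor above stays silent, whereas a loop over `h.bytes.raw[i]` is exactly the pattern the reporter hit. Checking `i` against the per-algorithm length, not just against `sizeof(bytes)`, also keeps a caller from reading the unused tail of the union as if it were digest material.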
llvmbot transferred this issue from llvm/llvm-bugzilla-archive Dec 10, 2021

Endilll (Contributor) commented Apr 27, 2025

CC @AaronBallman

Endilll added the clang:to-be-triaged Should not be used for new issues label Apr 27, 2025
AaronBallman added compiler-rt:ubsan Undefined behavior sanitizer question A question, not bug report. Check out https://llvm.org/docs/GettingInvolved.html instead! clang:codegen IR generation bugs: mangling, exceptions, etc. and removed clang:to-be-triaged Should not be used for new issues labels Apr 28, 2025
llvmbot (Member) commented Apr 28, 2025

@llvm/issue-subscribers-clang-codegen

AaronBallman (Collaborator) commented

I think any attempted read or write of a zero-sized object should be caught by UBSan because that access is trying to do something out of bounds. CC @zygoloid for additional opinions

zygoloid (Collaborator) commented

AaronBallman added the needs-reduction Large reproducer that should be reduced into a simpler form label Apr 30, 2025

AaronBallman (Collaborator) commented

Your simple test case doesn't reproduce an issue in any version of Clang, so perhaps the issue requires a particular test case?

zygoloid (Collaborator) commented

It looks to me like that testcase reproduces the problem with Clang 10 and before, and not with Clang 11 onwards. So I think this was fixed in Clang 11.

zygoloid removed the needs-reduction Large reproducer that should be reduced into a simpler form label Apr 30, 2025
AaronBallman removed the question A question, not bug report. Check out https://llvm.org/docs/GettingInvolved.html instead! label May 1, 2025

AaronBallman (Collaborator) commented

Thanks! Closing the issue as resolved, but if the issue does still reproduce for you with Clang 20 (or better yet, on main), please reopen.
