If you compile QEMU with GCC with -fsanitize=address and
-Wstringop-overflow, this causes GCC to produce a false-positive
warning which it does not produce when the sanitizer is not enabled
(and which makes compilation fail if you're using -Werror, as we do
by default for builds from git):
../../hw/net/rtl8139.c: In function ‘rtl8139_io_writeb’:
../../hw/net/rtl8139.c:2264:17: error: writing 8 bytes into a region of size 0 [-Werror=stringop-overflow=]
2264 | memcpy(data_to_checksum, saved_ip_header + 12, 8);
| ^
In file included from ../../hw/net/rtl8139.c:62:
/home/pm215/qemu/include/net/eth.h:50:14: note: at offset [8, 48] into destination object ‘ip_ver_len’ of size 1
50 | uint8_t ip_ver_len; /* version and header length */
| ^~~~~~~~~~
../../hw/net/rtl8139.c:2192:21: error: writing 8 bytes into a region of size 0 [-Werror=stringop-overflow=]
2192 | memcpy(data_to_checksum, saved_ip_header + 12, 8);
| ^
/home/pm215/qemu/include/net/eth.h:50:14: note: at offset [8, 48] into destination object ‘ip_ver_len’ of size 1
50 | uint8_t ip_ver_len; /* version and header length */
| ^~~~~~~~~~
../../hw/net/rtl8139.c:2192:21: error: writing 8 bytes into a region of size 0 [-Werror=stringop-overflow=]
2192 | memcpy(data_to_checksum, saved_ip_header + 12, 8);
| ^
/home/pm215/qemu/include/net/eth.h:50:14: note: at offset [8, 48] into destination object ‘ip_ver_len’ of size 1
50 | uint8_t ip_ver_len; /* version and header length */
| ^~~~~~~~~~
In file included from /home/pm215/qemu/include/system/memory.h:21,
from /home/pm215/qemu/include/hw/pci/pci.h:4,
from /home/pm215/qemu/include/hw/pci/pci_device.h:4,
from ../../hw/net/rtl8139.c:54:
In function ‘stl_he_p’,
inlined from ‘stl_be_p’ at /home/pm215/qemu/include/qemu/bswap.h:371:5,
inlined from ‘rtl8139_cplus_transmit_one’ at ../../hw/net/rtl8139.c:2244:21,
inlined from ‘rtl8139_cplus_transmit’ at ../../hw/net/rtl8139.c:2345:28,
inlined from ‘rtl8139_io_writeb’ at ../../hw/net/rtl8139.c:2728:17:
/home/pm215/qemu/include/qemu/bswap.h:284:5: error: writing 4 bytes into a region of size 0 [-Werror=stringop-overflow=]
284 | __builtin_memcpy(ptr, &v, sizeof(v));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/home/pm215/qemu/include/net/eth.h: In function ‘rtl8139_io_writeb’:
/home/pm215/qemu/include/net/eth.h:50:14: note: at offset [24, 64] into destination object ‘ip_ver_len’ of size 1
50 | uint8_t ip_ver_len; /* version and header length */
| ^~~~~~~~~~
This has been triaged as a bug in GCC:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114494
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99673
(the sanitizer pass rewrites the IR in a way that conflicts with its
use by the warning pass that runs afterwards).
Since this is the only place in our code where we hit this, work
around it by disabling the -Wstringop-overflow in the part of
the function that hits it. We do this only when using the
address sanitizer on GCC, so that we still get the benefit
of the warning in most compilation scenarios.
Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3006
Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
v2: disable the warning rather than using the incorrect attempt
at a workaround that v1 had.
On the fence about whether this is worth backporting to stable.
---
hw/net/rtl8139.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
index 2ad6338ebe..424af73a18 100644
--- a/hw/net/rtl8139.c
+++ b/hw/net/rtl8139.c
@@ -2124,6 +2124,26 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
hlen, ip->ip_sum);
}
+ /*
+ * The code in this function triggers a GCC bug where an
+ * interaction between -fsanitize=address and -Wstringop-overflow
+ * results in a false-positive stringop-overflow warning that is
+ * only emitted when the address sanitizer is enabled:
+ * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114494
+ * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99673
+ * GCC incorrectly thinks that the eth_payload_data buffer has
+ * the type and size of the first field in 'struct ip_header', i.e.
+ * one byte, and then complains about all other attempts to access
+ * data in the buffer.
+ *
+ * Work around this by disabling the warning when building with
+ * GCC and the address sanitizer is enabled.
+ */
+#pragma GCC diagnostic push
+#if !defined(__clang__) && defined(QEMU_SANITIZE_ADDRESS)
+#pragma GCC diagnostic ignored "-Wstringop-overflow"
+#endif
+
if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP)
{
/* Large enough for the TCP header? */
@@ -2307,6 +2327,9 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
/* restore IP header */
memcpy(eth_payload_data, saved_ip_header, hlen);
}
+
+#pragma GCC diagnostic pop
+
}
skip_offload:
--
2.43.0
On Thu, 5 Mar 2026 at 14:05, Peter Maydell <peter.maydell@linaro.org> wrote: > > If you compile QEMU with GCC with -fsanitize=address and > -Wstringop-overflow, this causes GCC to produce a false-positive > warning which it does not produce when the sanitizer is not enabled > (and which makes compilation fail if you're using -Werror, as we do > by default for builds from git): Applied to target-arm.next, thanks. -- PMM
Hi, Peter
On 05/03/2026 08:05, Peter Maydell wrote:
> If you compile QEMU with GCC with -fsanitize=address and
> -Wstringop-overflow, this causes GCC to produce a false-positive
> warning which it does not produce when the sanitizer is not enabled
> (and which makes compilation fail if you're using -Werror, as we do
> by default for builds from git):
>
> ../../hw/net/rtl8139.c: In function ‘rtl8139_io_writeb’:
> ../../hw/net/rtl8139.c:2264:17: error: writing 8 bytes into a region of size 0 [-Werror=stringop-overflow=]
> 2264 | memcpy(data_to_checksum, saved_ip_header + 12, 8);
> | ^
> In file included from ../../hw/net/rtl8139.c:62:
> /home/pm215/qemu/include/net/eth.h:50:14: note: at offset [8, 48] into destination object ‘ip_ver_len’ of size 1
> 50 | uint8_t ip_ver_len; /* version and header length */
> | ^~~~~~~~~~
> ../../hw/net/rtl8139.c:2192:21: error: writing 8 bytes into a region of size 0 [-Werror=stringop-overflow=]
> 2192 | memcpy(data_to_checksum, saved_ip_header + 12, 8);
> | ^
> /home/pm215/qemu/include/net/eth.h:50:14: note: at offset [8, 48] into destination object ‘ip_ver_len’ of size 1
> 50 | uint8_t ip_ver_len; /* version and header length */
> | ^~~~~~~~~~
> ../../hw/net/rtl8139.c:2192:21: error: writing 8 bytes into a region of size 0 [-Werror=stringop-overflow=]
> 2192 | memcpy(data_to_checksum, saved_ip_header + 12, 8);
> | ^
> /home/pm215/qemu/include/net/eth.h:50:14: note: at offset [8, 48] into destination object ‘ip_ver_len’ of size 1
> 50 | uint8_t ip_ver_len; /* version and header length */
> | ^~~~~~~~~~
> In file included from /home/pm215/qemu/include/system/memory.h:21,
> from /home/pm215/qemu/include/hw/pci/pci.h:4,
> from /home/pm215/qemu/include/hw/pci/pci_device.h:4,
> from ../../hw/net/rtl8139.c:54:
> In function ‘stl_he_p’,
> inlined from ‘stl_be_p’ at /home/pm215/qemu/include/qemu/bswap.h:371:5,
> inlined from ‘rtl8139_cplus_transmit_one’ at ../../hw/net/rtl8139.c:2244:21,
> inlined from ‘rtl8139_cplus_transmit’ at ../../hw/net/rtl8139.c:2345:28,
> inlined from ‘rtl8139_io_writeb’ at ../../hw/net/rtl8139.c:2728:17:
> /home/pm215/qemu/include/qemu/bswap.h:284:5: error: writing 4 bytes into a region of size 0 [-Werror=stringop-overflow=]
> 284 | __builtin_memcpy(ptr, &v, sizeof(v));
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> /home/pm215/qemu/include/net/eth.h: In function ‘rtl8139_io_writeb’:
> /home/pm215/qemu/include/net/eth.h:50:14: note: at offset [24, 64] into destination object ‘ip_ver_len’ of size 1
> 50 | uint8_t ip_ver_len; /* version and header length */
> | ^~~~~~~~~~
>
> This has been triaged as a bug in GCC:
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114494
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99673
> (the sanitizer pass rewrites the IR in a way that conflicts with its
> use by the warning pass that runs afterwards).
>
> Since this is the only place in our code where we hit this, work
> around it by disabling the -Wstringop-overflow in the part of
> the function that hits it. We do this only when using the
> address sanitizer on GCC, so that we still get the benefit
> of the warning in most compilation scenarios.
>
> Cc: qemu-stable@nongnu.org
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3006
> Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
> v2: disable the warning rather than using the incorrect attempt
> at a workaround that v1 had.
>
> On the fence about whether this is worth backporting to stable.
> ---
> hw/net/rtl8139.c | 23 +++++++++++++++++++++++
> 1 file changed, 23 insertions(+)
>
> diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
> index 2ad6338ebe..424af73a18 100644
> --- a/hw/net/rtl8139.c
> +++ b/hw/net/rtl8139.c
> @@ -2124,6 +2124,26 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
> hlen, ip->ip_sum);
> }
>
> + /*
> + * The code in this function triggers a GCC bug where an
> + * interaction between -fsanitize=address and -Wstringop-overflow
> + * results in a false-positive stringop-overflow warning that is
> + * only emitted when the address sanitizer is enabled:
> + * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114494
> + * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99673
> + * GCC incorrectly thinks that the eth_payload_data buffer has
> + * the type and size of the first field in 'struct ip_header', i.e.
> + * one byte, and then complains about all other attempts to access
> + * data in the buffer.
> + *
> + * Work around this by disabling the warning when building with
> + * GCC and the address sanitizer is enabled.
> + */
> +#pragma GCC diagnostic push
> +#if !defined(__clang__) && defined(QEMU_SANITIZE_ADDRESS)
> +#pragma GCC diagnostic ignored "-Wstringop-overflow"
> +#endif
> +
> if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP)
> {
> /* Large enough for the TCP header? */
> @@ -2307,6 +2327,9 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
> /* restore IP header */
> memcpy(eth_payload_data, saved_ip_header, hlen);
> }
> +
> +#pragma GCC diagnostic pop
> +
> }
>
> skip_offload:
Thanks for addressing this issue. LGTM.
Tested-by: Yodel Eldar <yodel.eldar@yodel.dev>
On 05/03/2026 15.05, Peter Maydell wrote: > If you compile QEMU with GCC with -fsanitize=address and > -Wstringop-overflow, this causes GCC to produce a false-positive > warning which it does not produce when the sanitizer is not enabled > (and which makes compilation fail if you're using -Werror, as we do > by default for builds from git): > > ../../hw/net/rtl8139.c: In function ‘rtl8139_io_writeb’: > ../../hw/net/rtl8139.c:2264:17: error: writing 8 bytes into a region of size 0 [-Werror=stringop-overflow=] > 2264 | memcpy(data_to_checksum, saved_ip_header + 12, 8); > | ^ > In file included from ../../hw/net/rtl8139.c:62: > /home/pm215/qemu/include/net/eth.h:50:14: note: at offset [8, 48] into destination object ‘ip_ver_len’ of size 1 > 50 | uint8_t ip_ver_len; /* version and header length */ > | ^~~~~~~~~~ > ../../hw/net/rtl8139.c:2192:21: error: writing 8 bytes into a region of size 0 [-Werror=stringop-overflow=] > 2192 | memcpy(data_to_checksum, saved_ip_header + 12, 8); > | ^ > /home/pm215/qemu/include/net/eth.h:50:14: note: at offset [8, 48] into destination object ‘ip_ver_len’ of size 1 > 50 | uint8_t ip_ver_len; /* version and header length */ > | ^~~~~~~~~~ > ../../hw/net/rtl8139.c:2192:21: error: writing 8 bytes into a region of size 0 [-Werror=stringop-overflow=] > 2192 | memcpy(data_to_checksum, saved_ip_header + 12, 8); > | ^ > /home/pm215/qemu/include/net/eth.h:50:14: note: at offset [8, 48] into destination object ‘ip_ver_len’ of size 1 > 50 | uint8_t ip_ver_len; /* version and header length */ > | ^~~~~~~~~~ > In file included from /home/pm215/qemu/include/system/memory.h:21, > from /home/pm215/qemu/include/hw/pci/pci.h:4, > from /home/pm215/qemu/include/hw/pci/pci_device.h:4, > from ../../hw/net/rtl8139.c:54: > In function ‘stl_he_p’, > inlined from ‘stl_be_p’ at /home/pm215/qemu/include/qemu/bswap.h:371:5, > inlined from ‘rtl8139_cplus_transmit_one’ at ../../hw/net/rtl8139.c:2244:21, > inlined from ‘rtl8139_cplus_transmit’ at ../../hw/net/rtl8139.c:2345:28, > inlined from ‘rtl8139_io_writeb’ at ../../hw/net/rtl8139.c:2728:17: > /home/pm215/qemu/include/qemu/bswap.h:284:5: error: writing 4 bytes into a region of size 0 [-Werror=stringop-overflow=] > 284 | __builtin_memcpy(ptr, &v, sizeof(v)); > | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > /home/pm215/qemu/include/net/eth.h: In function ‘rtl8139_io_writeb’: > /home/pm215/qemu/include/net/eth.h:50:14: note: at offset [24, 64] into destination object ‘ip_ver_len’ of size 1 > 50 | uint8_t ip_ver_len; /* version and header length */ > | ^~~~~~~~~~ > > This has been triaged as a bug in GCC: > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114494 > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99673 > (the sanitizer pass rewrites the IR in a way that conflicts with its > use by the warning pass that runs afterwards). > > Since this is the only place in our code where we hit this, work > around it by disabling the -Wstringop-overflow in the part of > the function that hits it. We do this only when using the > address sanitizer on GCC, so that we still get the benefit > of the warning in most compilation scenarios. > > Cc: qemu-stable@nongnu.org > Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3006 > Suggested-by: Daniel P. Berrangé <berrange@redhat.com> > Signed-off-by: Peter Maydell <peter.maydell@linaro.org> > --- > v2: disable the warning rather than using the incorrect attempt > at a workaround that v1 had. > > On the fence about whether this is worth backporting to stable. It's easy enough, so I think it's a good idea to backport to stable. Reviewed-by: Thomas Huth <thuth@redhat.com>
Peter Maydell <peter.maydell@linaro.org> writes:
> If you compile QEMU with GCC with -fsanitize=address and
> -Wstringop-overflow, this causes GCC to produce a false-positive
> warning which it does not produce when the sanitizer is not enabled
> (and which makes compilation fail if you're using -Werror, as we do
> by default for builds from git):
>
> ../../hw/net/rtl8139.c: In function ‘rtl8139_io_writeb’:
> ../../hw/net/rtl8139.c:2264:17: error: writing 8 bytes into a region of size 0 [-Werror=stringop-overflow=]
> 2264 | memcpy(data_to_checksum, saved_ip_header + 12, 8);
> | ^
> In file included from ../../hw/net/rtl8139.c:62:
> /home/pm215/qemu/include/net/eth.h:50:14: note: at offset [8, 48] into destination object ‘ip_ver_len’ of size 1
> 50 | uint8_t ip_ver_len; /* version and header length */
> | ^~~~~~~~~~
> ../../hw/net/rtl8139.c:2192:21: error: writing 8 bytes into a region of size 0 [-Werror=stringop-overflow=]
> 2192 | memcpy(data_to_checksum, saved_ip_header + 12, 8);
> | ^
> /home/pm215/qemu/include/net/eth.h:50:14: note: at offset [8, 48] into destination object ‘ip_ver_len’ of size 1
> 50 | uint8_t ip_ver_len; /* version and header length */
> | ^~~~~~~~~~
> ../../hw/net/rtl8139.c:2192:21: error: writing 8 bytes into a region of size 0 [-Werror=stringop-overflow=]
> 2192 | memcpy(data_to_checksum, saved_ip_header + 12, 8);
> | ^
> /home/pm215/qemu/include/net/eth.h:50:14: note: at offset [8, 48] into destination object ‘ip_ver_len’ of size 1
> 50 | uint8_t ip_ver_len; /* version and header length */
> | ^~~~~~~~~~
> In file included from /home/pm215/qemu/include/system/memory.h:21,
> from /home/pm215/qemu/include/hw/pci/pci.h:4,
> from /home/pm215/qemu/include/hw/pci/pci_device.h:4,
> from ../../hw/net/rtl8139.c:54:
> In function ‘stl_he_p’,
> inlined from ‘stl_be_p’ at /home/pm215/qemu/include/qemu/bswap.h:371:5,
> inlined from ‘rtl8139_cplus_transmit_one’ at ../../hw/net/rtl8139.c:2244:21,
> inlined from ‘rtl8139_cplus_transmit’ at ../../hw/net/rtl8139.c:2345:28,
> inlined from ‘rtl8139_io_writeb’ at ../../hw/net/rtl8139.c:2728:17:
> /home/pm215/qemu/include/qemu/bswap.h:284:5: error: writing 4 bytes into a region of size 0 [-Werror=stringop-overflow=]
> 284 | __builtin_memcpy(ptr, &v, sizeof(v));
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> /home/pm215/qemu/include/net/eth.h: In function ‘rtl8139_io_writeb’:
> /home/pm215/qemu/include/net/eth.h:50:14: note: at offset [24, 64] into destination object ‘ip_ver_len’ of size 1
> 50 | uint8_t ip_ver_len; /* version and header length */
> | ^~~~~~~~~~
>
> This has been triaged as a bug in GCC:
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114494
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99673
> (the sanitizer pass rewrites the IR in a way that conflicts with its
> use by the warning pass that runs afterwards).
>
> Since this is the only place in our code where we hit this, work
> around it by disabling the -Wstringop-overflow in the part of
> the function that hits it. We do this only when using the
> address sanitizer on GCC, so that we still get the benefit
> of the warning in most compilation scenarios.
>
> Cc: qemu-stable@nongnu.org
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3006
> Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> ---
> v2: disable the warning rather than using the incorrect attempt
> at a workaround that v1 had.
>
> On the fence about whether this is worth backporting to stable.
> ---
> hw/net/rtl8139.c | 23 +++++++++++++++++++++++
> 1 file changed, 23 insertions(+)
>
> diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
> index 2ad6338ebe..424af73a18 100644
> --- a/hw/net/rtl8139.c
> +++ b/hw/net/rtl8139.c
> @@ -2124,6 +2124,26 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
> hlen, ip->ip_sum);
> }
>
> + /*
> + * The code in this function triggers a GCC bug where an
> + * interaction between -fsanitize=address and -Wstringop-overflow
> + * results in a false-positive stringop-overflow warning that is
> + * only emitted when the address sanitizer is enabled:
> + * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114494
> + * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99673
> + * GCC incorrectly thinks that the eth_payload_data buffer has
> + * the type and size of the first field in 'struct ip_header', i.e.
> + * one byte, and then complains about all other attempts to access
> + * data in the buffer.
> + *
> + * Work around this by disabling the warning when building with
> + * GCC and the address sanitizer is enabled.
> + */
> +#pragma GCC diagnostic push
> +#if !defined(__clang__) && defined(QEMU_SANITIZE_ADDRESS)
> +#pragma GCC diagnostic ignored "-Wstringop-overflow"
> +#endif
> +
> if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP)
> {
> /* Large enough for the TCP header? */
> @@ -2307,6 +2327,9 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
> /* restore IP header */
> memcpy(eth_payload_data, saved_ip_header, hlen);
> }
> +
> +#pragma GCC diagnostic pop
> +
> }
>
> skip_offload:
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
--
Alex Bennée
Virtualisation Tech Lead @ Linaro
© 2016 - 2026 Red Hat, Inc.