#include <stdlib.h>
#include <string.h>

void asan_test(void)
{
    int rc;
    void *buf1;
    char buf2[8192];

    memset(buf2, 0x6b, sizeof(buf2));
    /* 4096-byte allocation, 4096-byte aligned */
    rc = posix_memalign(&buf1, 4096, 4096);
    if (rc) {
        exit(0);
    }
    memcpy(buf1, buf2, 8192 - 8); // ASan reports an error
    //memcpy(buf1, buf2, 8192); // ASan does not report an error
}
test code
Question 1
When I use this code, ASan reports an error. See log1.
memcpy(buf1, buf2, 8192 - 8);
But when I use this code, ASan does not report an error, why? See log2.
memcpy(buf1, buf2, 8192);
log1
buf1=0x6072000cd000, shadow bytes at 0x0c0ec0011dfe
=================================================================
==3618== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6072000ceff7 at pc 0x7738a5 bp 0x7ffcef7518e0 sp 0x7ffcef7518d0
WRITE of size 1 at 0x6072000ceff7 thread T0 (reactor_1)
#0 0x7738a4 (/home/wbq/uns_daily_memcpy/output/bin/main+0x7738a4)
#1 0x7742aa (/home/wbq/uns_daily_memcpy/output/bin/main+0x7742aa)
#2 0x6b94c4 (/home/wbq/uns_daily_memcpy/output/bin/main+0x6b94c4)
#3 0x43d0f1 (/home/wbq/uns_daily_memcpy/output/bin/main+0x43d0f1)
#4 0x43d706 (/home/wbq/uns_daily_memcpy/output/bin/main+0x43d706)
#5 0x43e89a (/home/wbq/uns_daily_memcpy/output/bin/main+0x43e89a)
#6 0x40c4ee (/home/wbq/uns_daily_memcpy/output/bin/main+0x40c4ee)
#7 0x7fa5d3d91c04 (/usr/lib64/libc-2.17.so+0x21c04)
#8 0x40d1e3 (/home/wbq/uns_daily_memcpy/output/bin/main+0x40d1e3)
0x6072000ceff7 is located 4087 bytes to the right of 4096-byte region [0x6072000cd000,0x6072000ce000)
allocated by thread T0 (reactor_1) here:
#0 0x7fa5d53514b8 (/usr/lib64/libasan.so.0.0.0+0x164b8)
#1 0x7736b5 (/home/wbq/uns_daily_memcpy/output/bin/main+0x7736b5)
#2 0x7742aa (/home/wbq/uns_daily_memcpy/output/bin/main+0x7742aa)
#3 0x6b94c4 (/home/wbq/uns_daily_memcpy/output/bin/main+0x6b94c4)
#4 0x43d0f1 (/home/wbq/uns_daily_memcpy/output/bin/main+0x43d0f1)
#5 0x43d706 (/home/wbq/uns_daily_memcpy/output/bin/main+0x43d706)
#6 0x43e89a (/home/wbq/uns_daily_memcpy/output/bin/main+0x43e89a)
#7 0x40c4ee (/home/wbq/uns_daily_memcpy/output/bin/main+0x40c4ee)
#8 0x7fa5d3d91c04 (/usr/lib64/libc-2.17.so+0x21c04)
Shadow bytes around the buggy address:
0x0c0ec0011da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0ec0011db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0ec0011dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0ec0011dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0ec0011de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0ec0011df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa
0x0c0ec0011e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0ec0011e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0ec0011e20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c0ec0011e30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c0ec0011e40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==3618== ABORTING
log2
buf1=0x6072000cd000, shadow bytes at 0x0c0ec0011dff
gdb dump info:
0xc0ec0011de0: 0xfafafafa 0xfafafafa 0xfafafafa 0xfafafafa
0xc0ec0011df0: 0xfafafafa 0xfafafafa 0xfafafafa 0xfafafafa
0xc0ec0011e00: 0xfafafafa 0xfafafafa 0xfafafafa 0xfafafafa
0xc0ec0011e10: 0xfafafafa 0xfafafafa 0xfafafafa 0xfafafafa
0xc0ec0011e20: 0xfdfdfdfd 0xfdfdfdfd 0xfdfdfdfd 0xfdfdfdfd
0xc0ec0011e30: 0xfdfdfdfd 0xfdfdfdfd 0xfdfdfdfd 0xfdfdfdfd
0xc0ec0011e40: 0xfdfdfdfd 0xfdfdfdfd 0xfdfdfdfd 0xfdfdfdfd
0xc0ec0011e50: 0xfdfdfdfd 0xfdfdfdfd 0xfdfdfdfd 0xfdfdfdfd
0xc0ec0011e60: 0xfdfdfdfd 0xfdfdfdfd 0xfdfdfdfd 0xfdfdfdfd
GCC VERSION
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/opt/rh/devtoolset-7/root/usr/libexec/gcc/x86_64-redhat-linux/7/lto-wrapper
Target: x86_64-redhat-linux
Configured with: ../configure --enable-bootstrap --enable-languages=c,c++,fortran,lto --prefix=/opt/rh/devtoolset-7/root/usr --mandir=/opt/rh/devtoolset-7/root/usr/share/man --infodir=/opt/rh/devtoolset-7/root/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-shared --enable-threads=posix --enable-checking=release --enable-multilib --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-gcc-major-version-only --enable-plugin --with-linker-hash-style=gnu --enable-initfini-array --with-default-libstdcxx-abi=gcc4-compatible --with-isl=/builddir/build/BUILD/gcc-7.2.1-20170829/obj-x86_64-redhat-linux/isl-install --enable-libmpx --enable-gnu-indirect-function --with-tune=generic --with-arch_32=i686 --build=x86_64-redhat-linux
Thread model: posix
gcc version 7.2.1 20170829 (Red Hat 7.2.1-1) (GCC)
Question 2
It is an overflow memcpy, but the shadow byte is Heap left redzone: fa, why not Heap righ redzone: fb?
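The address arithmetic behind the two logs, as an added example that is not part of the original issue: it maps the last byte written by each memcpy to its shadow byte and reads that byte from the dump row copied from log1, showing that both copies end in a granule marked fa. The shadow offset 0x7fff8000 is an assumption (the default x86_64 Linux mapping, not stated in the issue), and the helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption (not stated in the issue): default x86_64 Linux ASan mapping,
 * shadow = (addr >> 3) + 0x7fff8000. It reproduces both logged addresses. */
#define SHADOW_OFFSET 0x7fff8000ULL

/* Row copied from log1's "Shadow bytes around the buggy address" dump. */
static const char ROW[] =
    "=>0x0c0ec0011df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa";

static uint64_t mem_to_shadow(uint64_t a) { return (a >> 3) + SHADOW_OFFSET; }
static uint64_t shadow_to_mem(uint64_t s) { return (s - SHADOW_OFFSET) << 3; }

/* Last application byte touched by memcpy(dst, src, n). */
static uint64_t last_byte(uint64_t dst, uint64_t n) { return dst + n - 1; }

/* Value of the shadow byte at address `want` in one dump row, or -1 if the
 * row does not cover it. Skips the "=>" marker and the [..] brackets. */
static int shadow_byte_in_row(const char *row, uint64_t want)
{
    char *end;
    if (row[0] == '=' && row[1] == '>') row += 2;
    uint64_t base = strtoull(row, &end, 16);
    if (end == row || *end != ':' || want < base || want >= base + 16) return -1;
    const char *p = end + 1;
    for (uint64_t i = 0; i < 16; i++) {
        while (*p == ' ' || *p == '[' || *p == ']') p++;
        if (*p == '\0') return -1;
        unsigned long v = strtoul(p, &end, 16);
        if (end == p) return -1;
        if (base + i == want) return (int)v;
        p = end;
    }
    return -1;
}

int main(void)
{
    const uint64_t buf1 = 0x6072000cd000ULL, region_end = 0x6072000ce000ULL;
    const uint64_t sizes[] = { 8192 - 8, 8192 };
    for (int i = 0; i < 2; i++) {
        uint64_t last = last_byte(buf1, sizes[i]), sh = mem_to_shadow(last);
        printf("n=%llu last=0x%llx (+%llu past region) shadow=0x%llx byte=%02x\n",
               (unsigned long long)sizes[i], (unsigned long long)last,
               (unsigned long long)(last - region_end), (unsigned long long)sh,
               (unsigned)shadow_byte_in_row(ROW, sh));
    }
    return 0;
}
```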