[Bug libfortran/99148] sanitizer detects stack-buffer-overflow in unpack_generic.c
zeccav at gmail dot com
gcc-bugzilla@gcc.gnu.org
Sat Feb 20 08:52:51 GMT 2021
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99148
--- Comment #1 from Vittorio Zecca <zeccav at gmail dot com> ---
Reproduction of this issue requires an address sanitized version of
libgfortran.
I narrowed the issue to unpack0_char changing

  {
    gfc_array_char tmp;
    if (unlikely(compile_options.bounds_check))
      unpack_bounds (ret, vector, mask, NULL);
    memset (&tmp, 0, sizeof (tmp));
    GFC_DTYPE_CLEAR(&tmp);
    tmp.base_addr = field;
    unpack_internal (ret, vector, mask, &tmp, vector_length);

into

  {
    gfc_array_char tmp;
    if (unlikely(compile_options.bounds_check))
      unpack_bounds (ret, vector, mask, NULL);
    printf("sizeof(tmp)=%ld\n",sizeof(tmp));//vz
    memset (&tmp, 0, sizeof (tmp));
    GFC_DTYPE_CLEAR(&tmp);
    tmp.base_addr = field;
    int nvz=(&tmp)->dim[0]._stride;
    unpack_internal (ret, vector, mask, &tmp, vector_length);

I found sizeof(tmp)==40 and an address sanitizer error at the "int nvz" definition.
This is the execution output:

  LD_PRELOAD=~/libasan.so ./a.out
  sizeof(tmp)=40
  =================================================================
  ==44953==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe78341c78 at pc 0x15270f525567 bp 0x7ffe78341bd0 sp 0x7ffe78341bc8
  READ of size 8 at 0x7ffe78341c78 thread T0
      #0 0x15270f525566 in _gfortran_unpack0_char ../../../gcc-150221/libgfortran/intrinsics/unpack_generic.c:630
      #1 0x40139f in MAIN__ /home/vitti/f95/gfbug153.f:15
      #2 0x40146d in main /home/vitti/f95/gfbug153.f:16
      #3 0x15270eaa71e1 in __libc_start_main (/usr/lib64/libc.so.6+0x281e1)
      #4 0x4010ad in _start (/home/vitti/1TB/f95/a.out+0x4010ad)

  Address 0x7ffe78341c78 is located in stack of thread T0 at offset 88 in frame
      #0 0x15270f5252a2 in _gfortran_unpack0_char ../../../gcc-150221/libgfortran/intrinsics/unpack_generic.c:620

    This frame has 1 object(s):
      [48, 88) 'tmp' (line 621) <== Memory access at offset 88 overflows this variable
I do not know if it is a false positive or a genuine bug.
But I hope this helps if you cannot generate a sanitized version of
libgfortran.
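An added illustration, not part of the bug report above, of why the numbers in that ASan output line up: it uses a simplified descriptor model (an assumption of this example, not copied from libgfortran.h) in which the dimension records sit in a trailing flexible array member, so a 40-byte stack object has no storage for dim[0] and a read of dim[0]._stride lands at frame offset 48 + 40 = 88, exactly the end of the reported [48, 88) object. A fixed-rank variant of the same header shows the read staying in bounds.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of an array descriptor whose dimension records sit in a
 * trailing flexible array member (an assumption of this example, not copied
 * from libgfortran.h). A stack object of this type holds the 40-byte header
 * only, so dim[0] begins exactly where the object ends. */
typedef ptrdiff_t index_type;
typedef struct { index_type _stride, lower_bound, _ubound; } descriptor_dimension;
typedef struct { size_t elem_len; int version; signed char rank, type; short attribute; } dtype_type;

typedef struct {
  char *base_addr; size_t offset; dtype_type dtype; index_type span;
  descriptor_dimension dim[];   /* flexible: adds nothing to sizeof */
} model_array_char;

typedef struct {                /* fixed rank-1 variant: dim[0] has storage */
  char *base_addr; size_t offset; dtype_type dtype; index_type span;
  descriptor_dimension dim[1];
} model_full_array_char_1;

/* Frame offset hit by reading dim[0]._stride when the object starts at
 * object_start in the frame; the report places 'tmp' at [48, 88). */
size_t stride_read_frame_offset(size_t object_start, size_t dim_offset)
{
  return object_start + dim_offset + offsetof(descriptor_dimension, _stride);
}

/* 1 when an 8-byte read of dim[0]._stride stays inside an object of obj_size. */
int stride_read_in_bounds(size_t obj_size, size_t dim_offset)
{
  return dim_offset + offsetof(descriptor_dimension, _stride)
         + sizeof(index_type) <= obj_size;
}

int main(void)
{
  size_t flex = offsetof(model_array_char, dim);
  size_t full = offsetof(model_full_array_char_1, dim);
  printf("flexible: sizeof=%zu dim@%zu frame offset of read=%zu in_bounds=%d\n",
         sizeof(model_array_char), flex, stride_read_frame_offset(48, flex),
         stride_read_in_bounds(sizeof(model_array_char), flex));
  printf("rank-1:   sizeof=%zu dim@%zu in_bounds=%d\n",
         sizeof(model_full_array_char_1), full,
         stride_read_in_bounds(sizeof(model_full_array_char_1), full));
  return 0;
}
```

The model only computes offsets with sizeof and offsetof, so it runs cleanly without a sanitizer; the out-of-bounds read itself is never performed.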