[Bug libfortran/99148] sanitizer detects stack-buffer-overflow in unpack_generic.c

zeccav at gmail dot com gcc-bugzilla@gcc.gnu.org
Sat Feb 20 08:52:51 GMT 2021


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99148

--- Comment #1 from Vittorio Zecca <zeccav at gmail dot com> ---
Reproduction of this issue requires an address-sanitized version of
libgfortran.

I narrowed the issue down to unpack0_char by changing
{
  gfc_array_char tmp;

  if (unlikely(compile_options.bounds_check))
    unpack_bounds (ret, vector, mask, NULL);

  memset (&tmp, 0, sizeof (tmp));
  GFC_DTYPE_CLEAR(&tmp);
  tmp.base_addr = field;
  unpack_internal (ret, vector, mask, &tmp, vector_length);

into 

{
  gfc_array_char tmp;

  if (unlikely(compile_options.bounds_check))
    unpack_bounds (ret, vector, mask, NULL);

printf("sizeof(tmp)=%ld\n",sizeof(tmp));//vz
  memset (&tmp, 0, sizeof (tmp));
  GFC_DTYPE_CLEAR(&tmp);
  tmp.base_addr = field;
  int nvz=(&tmp)->dim[0]._stride;
  unpack_internal (ret, vector, mask, &tmp, vector_length);

I found sizeof(tmp)==40 and an address sanitizer error at the "int nvz"
definition. This is the execution output:

LD_PRELOAD=~/libasan.so ./a.out
sizeof(tmp)=40
=================================================================
==44953==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe78341c78 at pc 0x15270f525567 bp 0x7ffe78341bd0 sp 0x7ffe78341bc8
READ of size 8 at 0x7ffe78341c78 thread T0
    #0 0x15270f525566 in _gfortran_unpack0_char ../../../gcc-150221/libgfortran/intrinsics/unpack_generic.c:630
    #1 0x40139f in MAIN__ /home/vitti/f95/gfbug153.f:15
    #2 0x40146d in main /home/vitti/f95/gfbug153.f:16
    #3 0x15270eaa71e1 in __libc_start_main (/usr/lib64/libc.so.6+0x281e1)
    #4 0x4010ad in _start (/home/vitti/1TB/f95/a.out+0x4010ad)

Address 0x7ffe78341c78 is located in stack of thread T0 at offset 88 in frame
    #0 0x15270f5252a2 in _gfortran_unpack0_char ../../../gcc-150221/libgfortran/intrinsics/unpack_generic.c:620

  This frame has 1 object(s):
    [48, 88) 'tmp' (line 621) <== Memory access at offset 88 overflows this variable


I do not know if it is a false positive or a genuine bug.
But I hope this helps if you cannot generate a sanitized version of
libgfortran.
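The numbers in the report fit one layout: the frame object 'tmp' spans [48, 88), so reading dim[0]._stride touches bytes 40..47 of a 40-byte object, i.e. the first 8 bytes past its end. The stand-alone C model below (added here; not libgfortran's code, and not the fix the project applied) assumes the descriptor ends in a flexible array member `dim[]`, so `sizeof` counts only the fixed header (8 + 8 + 16 + 8 = 40 bytes on LP64) and a bare `gfc_array_char tmp;` on the stack owns no dimension slot at all. The field names mirror libgfortran's descriptor, and the 16-byte dtype layout and the helper functions are assumptions for illustration. It also shows the pattern that keeps such a read in bounds: allocate the header plus storage for at least one dimension before handing the descriptor to a callee that may touch dim[0].

```c
/* Added illustration (not libgfortran code): why an 8-byte read of
   tmp.dim[0]._stride lands at offset 40 of a 40-byte stack object.
   Assumption: the descriptor ends in a flexible array member `dim[]`,
   so sizeof() covers only the fixed header (8+8+16+8 = 40 bytes on LP64).
   Field names mirror libgfortran's descriptor but are modelled here. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef ptrdiff_t index_type;

typedef struct {
    size_t elem_len;
    int version;
    signed char rank;
    signed char type;
    short attribute;
} dtype_type;                      /* 16 bytes on LP64 (assumed layout) */

typedef struct {
    index_type _stride;            /* first field: the 8 bytes ASan flagged */
    index_type lower_bound;
    index_type _ubound;
} descriptor_dimension;            /* 24 bytes */

typedef struct {
    void *base_addr;
    size_t offset;
    dtype_type dtype;
    index_type span;
    descriptor_dimension dim[];    /* flexible: contributes 0 to sizeof */
} gfc_array_char;

/* Size of a bare `gfc_array_char tmp;` as declared on the stack. */
size_t bare_descriptor_size(void) { return sizeof(gfc_array_char); }

/* Byte range [begin, end) that reading dim[0]._stride touches,
   relative to the start of the descriptor. */
size_t stride_read_begin(void) { return offsetof(gfc_array_char, dim); }
size_t stride_read_end(void) { return offsetof(gfc_array_char, dim) + sizeof(index_type); }

/* 1 if that read stays within an object of object_size bytes, else 0. */
int stride_read_in_bounds(size_t object_size) { return stride_read_end() <= object_size; }

/* Bytes needed for a descriptor that actually owns `rank` dimension slots
   (at least one, so a callee touching dim[0] of a scalar stays in bounds). */
size_t sized_descriptor_size(int rank) {
    int slots = rank > 0 ? rank : 1;
    return sizeof(gfc_array_char) + (size_t)slots * sizeof(descriptor_dimension);
}

/* Safe pattern: allocate header plus dimension storage, zero it, then fill.
   Constructed example values: unit stride and bounds 1:1 for each dimension. */
gfc_array_char *make_descriptor(void *field, int rank) {
    gfc_array_char *d = calloc(1, sized_descriptor_size(rank));
    if (d == NULL) return NULL;
    d->base_addr = field;
    d->dtype.rank = (signed char)rank;
    for (int i = 0; i < rank; i++) {
        d->dim[i]._stride = 1;
        d->dim[i].lower_bound = 1;
        d->dim[i]._ubound = 1;
    }
    return d;
}

/* The probe from the report: read dim[0]._stride through the descriptor.
   Only valid when the object really has room for dim[0]. */
index_type read_dim0_stride(const gfc_array_char *d) { return d->dim[0]._stride; }

int main(void) {
    printf("sizeof(gfc_array_char)=%zu; dim[0]._stride occupies [%zu,%zu)\n",
           bare_descriptor_size(), stride_read_begin(), stride_read_end());
    printf("read in bounds of bare stack object? %s\n",
           stride_read_in_bounds(bare_descriptor_size()) ? "yes" : "no");

    char field = 'x';                            /* constructed scalar FIELD */
    gfc_array_char *scalar = make_descriptor(&field, 0);
    gfc_array_char *vector = make_descriptor(&field, 1);
    if (scalar == NULL || vector == NULL) return 1;
    printf("scalar dim[0]._stride=%td (zeroed slot), vector dim[0]._stride=%td\n",
           read_dim0_stride(scalar), read_dim0_stride(vector));
    free(scalar);
    free(vector);
    return 0;
}
```

The model reproduces the report's arithmetic without performing the out-of-bounds read itself: `stride_read_in_bounds(bare_descriptor_size())` is false, which is exactly what ASan flagged at line 630. Whether unpack_internal really dereferences dim[0] of the scalar FIELD descriptor is what decides between a false positive and a genuine bug, and this model does not answer that; it only shows that if it does, the stack object has no room for it.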

