https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81939
Dominique d'Humieres <dominiq at lps dot ens.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2017-08-30
     Ever confirmed|0                           |1

--- Comment #1 from Dominique d'Humieres <dominiq at lps dot ens.fr> ---
With an instrumented gfortran (Configured with: ../work/configure --prefix=/opt/gcc/gcc8g --enable-languages=c,c++,fortran --with-gmp=/opt/mp-new --with-system-zlib --with-isl=/opt/mp-new --disable-bootstrap --disable-multilib --disable-libstdcxx CFLAGS='-L/opt/gcc/gcc8w/lib -lasan -lubsan -fsanitize=address,undefined,leak -Og -g -fno-omit-frame-pointer' CXXFLAGS='-fsanitize=address,undefined,leak -Og -g -fno-omit-frame-pointer' LDFLAGS='-L/opt/gcc/gcc8w/lib -lasan -lubsan -ldl -lpthread') I get at runtime

=================================================================
==11558==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6120000002f7 at pc 0x000104bf6a23 bp 0x7fff5b70eec0 sp 0x7fff5b70eeb8
WRITE of size 1 at 0x6120000002f7 thread T0
    #0 0x104bf6a22 in build_float_string (/opt/gcc/gcc7gp/lib/libgfortran.4.dylib+0x702a22)
    #1 0x104bf7cd6 in get_float_string (/opt/gcc/gcc7gp/lib/libgfortran.4.dylib+0x703cd6)
    #2 0x104bfa687 in write_float_0 (/opt/gcc/gcc7gp/lib/libgfortran.4.dylib+0x706687)
    #3 0x104bfc83e in _gfortrani_write_f (/opt/gcc/gcc7gp/lib/libgfortran.4.dylib+0x70883e)
    #4 0x104bd08b5 in formatted_transfer_scalar_write (/opt/gcc/gcc7gp/lib/libgfortran.4.dylib+0x6dc8b5)
    #5 0x104bd32fe in formatted_transfer (/opt/gcc/gcc7gp/lib/libgfortran.4.dylib+0x6df2fe)
    #6 0x104bbf67a in _gfortran_transfer_real (/opt/gcc/gcc7gp/lib/libgfortran.4.dylib+0x6cb67a)
    #7 0x104bbf69b in _gfortran_transfer_real_write (/opt/gcc/gcc7gp/lib/libgfortran.4.dylib+0x6cb69b)
    #8 0x1044edcdf in MAIN__ (/Users/dominiq/Documents/Fortran/g95bench/win/f90/bug/a.out+0x100000cdf)
    #9 0x1044ede7c in main (/Users/dominiq/Documents/Fortran/g95bench/win/f90/bug/a.out+0x100000e7c)
    #10 0x7fffbcb65234 in start (/usr/lib/system/libdyld.dylib+0x5234)

0x6120000002f7 is located 0 bytes to the right of 311-byte region [0x6120000001c0,0x6120000002f7)
allocated by thread T0 here:
    #0 0x10606877d in wrap_malloc (/opt/gcc/gcc7a/lib/libasan.4.dylib+0x6377d)
    #1 0x1044f7541 in _gfortrani_xmalloc (/opt/gcc/gcc7gp/lib/libgfortran.4.dylib+0x3541)
    #2 0x104bef354 in select_string (/opt/gcc/gcc7gp/lib/libgfortran.4.dylib+0x6fb354)
    #3 0x104bfa5fc in write_float_0 (/opt/gcc/gcc7gp/lib/libgfortran.4.dylib+0x7065fc)
    #4 0x104bfc83e in _gfortrani_write_f (/opt/gcc/gcc7gp/lib/libgfortran.4.dylib+0x70883e)
    #5 0x104bd08b5 in formatted_transfer_scalar_write (/opt/gcc/gcc7gp/lib/libgfortran.4.dylib+0x6dc8b5)
    #6 0x104bd32fe in formatted_transfer (/opt/gcc/gcc7gp/lib/libgfortran.4.dylib+0x6df2fe)
    #7 0x104bbf67a in _gfortran_transfer_real (/opt/gcc/gcc7gp/lib/libgfortran.4.dylib+0x6cb67a)
    #8 0x104bbf69b in _gfortran_transfer_real_write (/opt/gcc/gcc7gp/lib/libgfortran.4.dylib+0x6cb69b)
    #9 0x1044edcdf in MAIN__ (/Users/dominiq/Documents/Fortran/g95bench/win/f90/bug/a.out+0x100000cdf)
    #10 0x1044ede7c in main (/Users/dominiq/Documents/Fortran/g95bench/win/f90/bug/a.out+0x100000e7c)
    #11 0x7fffbcb65234 in start (/usr/lib/system/libdyld.dylib+0x5234)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/opt/gcc/gcc7gp/lib/libgfortran.4.dylib+0x702a22) in build_float_string
Shadow bytes around the buggy address:
  0x1c2400000000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x1c2400000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c2400000020: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
  0x1c2400000030: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x1c2400000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c2400000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[07]fa
  0x1c2400000060: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x1c2400000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c2400000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x1c2400000090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c24000000a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==11558==ABORTING

Program received signal SIGABRT: Process abort signal.

Also present in gcc7.