match.c:685

marxin at gcc dot gnu.org via Gcc-bugs Sat, 20 Mar 2021 13:00:10 -0700

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99688


            Bug ID: 99688
           Summary: AddressSanitizer: stack-buffer-overflow on address at
                    gfc_match_name(char*) gcc/fortran/match.c:685
           Product: gcc
           Version: 11.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: fortran
          Assignee: unassigned at gcc dot gnu.org
          Reporter: marxin at gcc dot gnu.org
            Blocks: 86656
  Target Milestone: ---

I see the following ASAN issue:

$ ./xgcc -B. /home/marxin/Programming/gcc/gcc/testsuite/gfortran.dg/pr95828.f90
-c
=================================================================
==28113==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fffffffd3af at pc 0x000000ba5a30 bp 0x7fffffffd080 sp 0x7fffffffd078
WRITE of size 1 at 0x7fffffffd3af thread T0
    #0 0xba5a2f in gfc_match_name(char*)
/home/marxin/Programming/gcc2/gcc/fortran/match.c:685
    #1 0xba7af8 in gfc_match(char const*, ...)
/home/marxin/Programming/gcc2/gcc/fortran/match.c:1186
    #2 0xbc4846 in gfc_match_select_rank()
/home/marxin/Programming/gcc2/gcc/fortran/match.c:6654
    #3 0xc3db48 in match_word
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:65
    #4 0xc3f4bd in decode_statement
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:429
    #5 0xc46cce in next_free
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:1316
    #6 0xc478b8 in next_statement
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:1548
    #7 0xc4fd5b in parse_spec
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:3967
    #8 0xc58f22 in parse_progunit
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:5896
    #9 0xc5851c in parse_contained
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:5797
    #10 0xc5a10c in parse_module
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:6170
    #11 0xc5c26c in gfc_parse_file()
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:6465
    #12 0xd76343 in gfc_be_parse_file
/home/marxin/Programming/gcc2/gcc/fortran/f95-lang.c:212
    #13 0x229bd2e in compile_file
/home/marxin/Programming/gcc2/gcc/toplev.c:457
    #14 0x22a50ef in do_compile /home/marxin/Programming/gcc2/gcc/toplev.c:2201
    #15 0x22a5953 in toplev::main(int, char**)
/home/marxin/Programming/gcc2/gcc/toplev.c:2340
    #16 0x4c85cad in main /home/marxin/Programming/gcc2/gcc/main.c:39
    #17 0x7ffff7095b24 in __libc_start_main ../csu/libc-start.c:332
    #18 0xa349ed in _start
(/home/marxin/Programming/gcc2/objdir/gcc/f951+0xa349ed)

Address 0x7fffffffd3af is located in stack of thread T0 at offset 191 in frame
    #0 0xbc4644 in gfc_match_select_rank()
/home/marxin/Programming/gcc2/gcc/fortran/match.c:6634

  This frame has 4 object(s):
    [32, 40) 'expr1' (line 6635)
    [64, 72) 'expr2' (line 6635)
    [96, 104) 'ns' (line 6639)
    [128, 191) 'name' (line 6637) <== Memory access at offset 191 overflows
this variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
/home/marxin/Programming/gcc2/gcc/fortran/match.c:685 in gfc_match_name(char*)
Shadow bytes around the buggy address:
  0x10007fff7a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x10007fff7a30: f1 f1 00 00 f2 f2 00 00 00 f3 f3 f3 f3 f3 00 00
  0x10007fff7a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x10007fff7a60: f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 00
=>0x10007fff7a70: 00 00 00 00 00[07]f3 f3 f3 f3 00 00 00 00 00 00
  0x10007fff7a80: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x10007fff7a90: 04 f2 04 f2 00 00 f3 f3 00 00 00 00 00 00 00 00
  0x10007fff7aa0: f1 f1 f1 f1 f1 f1 04 f2 04 f3 f3 f3 00 00 00 00
  0x10007fff7ab0: 00 00 00 00 f1 f1 f1 f1 00 00 f3 f3 00 00 00 00
  0x10007fff7ac0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==28113==ABORTING


Referenced Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86656
[Bug 86656] [meta-bug] Issues found with -fsanitize=address

[Bug fortran/99688] New: AddressSanitizer: stack-buffer-overflow on address at gfc_match_name(char*) gcc/fortran/match.c:685

Reply via email to