public inbox for gcc-bugs@sourceware.org
* [Bug fortran/94975] New: Address sanitizations show heap-buffer-overflow with class(*) allocated to character on assignment
@ 2020-05-06 15:21 vladimir.fuka at gmail dot com
2020-05-06 15:26 ` [Bug fortran/94975] " vladimir.fuka at gmail dot com
2020-07-08 12:00 ` dominiq at lps dot ens.fr
0 siblings, 2 replies; 3+ messages in thread
From: vladimir.fuka at gmail dot com @ 2020-05-06 15:21 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94975
Bug ID: 94975
Summary: Address sanitizations show heap-buffer-overflow with
class(*) allocated to character on assignment
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: fortran
Assignee: unassigned at gcc dot gnu.org
Reporter: vladimir.fuka at gmail dot com
Target Milestone: ---
With GCC 7-10 (but libasan from 10)

  class(*), allocatable :: p
  p = "abc"
  select type(p)
    type is (character(*))
      print *, p
  end select
  end

causes

> gfortran-10 star_character.f90 -fsanitize=address
> ./a.out
=================================================================
==12833==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000000071 at pc 0x7fa43e30e9b9 bp 0x7fffe526aa50 sp 0x7fffe526a200
WRITE of size 3 at 0x602000000071 thread T0
#0 0x7fa43e30e9b8 in __interceptor_memmove
(/usr/lib64/libasan.so.6+0x3b9b8)
#1 0x400ddc in __copy_character_1.0
(/home/lada/f/testy/bugs/a.out+0x400ddc)
#2 0x401078 in MAIN__ (/home/lada/f/testy/bugs/a.out+0x401078)
#3 0x401305 in main (/home/lada/f/testy/bugs/a.out+0x401305)
#4 0x7fa43d2f0349 in __libc_start_main (/lib64/libc.so.6+0x24349)
#5 0x400c99 in _start (/home/lada/f/testy/bugs/a.out+0x400c99)
0x602000000071 is located 0 bytes to the right of 1-byte region
[0x602000000070,0x602000000071)
allocated by thread T0 here:
#0 0x7fa43e37f3df in malloc (/usr/lib64/libasan.so.6+0xac3df)
#1 0x400fca in MAIN__ (/home/lada/f/testy/bugs/a.out+0x400fca)
#2 0x401305 in main (/home/lada/f/testy/bugs/a.out+0x401305)
#3 0x7fa43d2f0349 in __libc_start_main (/lib64/libc.so.6+0x24349)
SUMMARY: AddressSanitizer: heap-buffer-overflow
(/usr/lib64/libasan.so.6+0x3b9b8) in __interceptor_memmove
Shadow bytes around the buggy address:
0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 06 fa fa fa 07 fa fa fa 07 fa fa fa[01]fa
0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==12833==ABORTING

while

  class(*), allocatable :: p
  allocate(p, source = "abc")
  select type(p)
    type is (character(*))
      print *, p
  end select
  end

is clean and prints "abc". That is also written with the former without
address sanitizations.
Tested on OpenSuSE Leap 15.1.
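
Added example, not part of the original report and not GCC or libasan code: it decodes the "=>" shadow row from the trace above to show why the byte at 0x602000000071 is flagged. It assumes the default ASan mapping on x86-64 Linux (shadow = (addr >> 3) + 0x7fff8000); the row and addresses are copied from the report.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed: default ASan mapping on x86-64 Linux, one shadow byte per 8 bytes. */
#define SHADOW_SCALE  3
#define SHADOW_OFFSET 0x7fff8000ULL

/* Copied from the report above: the "=>" shadow row and the key addresses. */
static const uint64_t ROW_BASE = 0x0c047fff8000ULL;
static const uint8_t ROW[16] = {0xfa, 0xfa, 0x06, 0xfa, 0xfa, 0xfa, 0x07, 0xfa,
                                0xfa, 0xfa, 0x07, 0xfa, 0xfa, 0xfa, 0x01, 0xfa};
static const uint64_t REGION = 0x602000000070ULL; /* start of the 1-byte region */
static const uint64_t FAULT  = 0x602000000071ULL; /* address ASan reported */

/* Shadow address describing application address addr. */
uint64_t shadow_addr(uint64_t addr) {
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET;
}

/* 00: whole granule valid; 01..07: only the first k bytes valid;
 * values with the high bit set (fa, fd, ...) mark redzones or freed memory. */
int byte_ok(uint64_t addr, uint8_t shadow) {
    if (shadow == 0) return 1;
    if (shadow & 0x80) return 0;
    return (addr & 7) < shadow;
}

/* Count bytes of [addr, addr+n) that are poisoned according to one 16-byte
 * shadow row; bytes whose shadow lies outside the row are counted as bad. */
int bad_bytes(uint64_t addr, unsigned n, uint64_t base, const uint8_t row[16]) {
    int bad = 0;
    for (unsigned i = 0; i < n; i++) {
        uint64_t s = shadow_addr(addr + i);
        if (s < base || s >= base + 16 || !byte_ok(addr + i, row[s - base]))
            bad++;
    }
    return bad;
}

int main(void) {
    uint64_t s = shadow_addr(FAULT);
    printf("shadow 0x%012" PRIx64 " = row[%u] = %02x\n", s,
           (unsigned)(s - ROW_BASE), (unsigned)ROW[s - ROW_BASE]);
    printf("1-byte write at region start: %d bad\n", bad_bytes(REGION, 1, ROW_BASE, ROW));
    printf("reported 3-byte write:        %d bad\n", bad_bytes(FAULT, 3, ROW_BASE, ROW));
    return 0;
}
```

The fault address lands on index 14 of the row, the bracketed [01]: only the first byte of that granule is addressable, which matches the "1-byte region" line in the report.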
* [Bug fortran/94975] Address sanitizations show heap-buffer-overflow with class(*) allocated to character on assignment
From: vladimir.fuka at gmail dot com @ 2020-05-06 15:26 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94975
--- Comment #1 from Vladimir Fuka <vladimir.fuka at gmail dot com> ---
It is probably discussed here
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83118 but it was not possible to
find it by the search as the title is not directly related.
* [Bug fortran/94975] Address sanitizations show heap-buffer-overflow with class(*) allocated to character on assignment
From: dominiq at lps dot ens.fr @ 2020-07-08 12:00 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94975
Dominique d'Humieres <dominiq at lps dot ens.fr> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|0                           |1
           Priority|P3                          |P4
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2020-07-08

--- Comment #2 from Dominique d'Humieres <dominiq at lps dot ens.fr> ---
Confirmed from at least GCC7.