public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug fortran/99688] New: AddressSanitizer: stack-buffer-overflow on address at gfc_match_name(char*) gcc/fortran/match.c:685
@ 2021-03-20 20:00 marxin at gcc dot gnu.org
2021-03-20 20:00 ` [Bug fortran/99688] " marxin at gcc dot gnu.org
` (6 more replies)
0 siblings, 7 replies; 8+ messages in thread
From: marxin at gcc dot gnu.org @ 2021-03-20 20:00 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99688
Bug ID: 99688
Summary: AddressSanitizer: stack-buffer-overflow on address at
gfc_match_name(char*) gcc/fortran/match.c:685
Product: gcc
Version: 11.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: fortran
Assignee: unassigned at gcc dot gnu.org
Reporter: marxin at gcc dot gnu.org
Blocks: 86656
Target Milestone: ---
I see the following ASAN issue:
$ ./xgcc -B. /home/marxin/Programming/gcc/gcc/testsuite/gfortran.dg/pr95828.f90
-c
=================================================================
==28113==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fffffffd3af at pc 0x000000ba5a30 bp 0x7fffffffd080 sp 0x7fffffffd078
WRITE of size 1 at 0x7fffffffd3af thread T0
#0 0xba5a2f in gfc_match_name(char*)
/home/marxin/Programming/gcc2/gcc/fortran/match.c:685
#1 0xba7af8 in gfc_match(char const*, ...)
/home/marxin/Programming/gcc2/gcc/fortran/match.c:1186
#2 0xbc4846 in gfc_match_select_rank()
/home/marxin/Programming/gcc2/gcc/fortran/match.c:6654
#3 0xc3db48 in match_word
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:65
#4 0xc3f4bd in decode_statement
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:429
#5 0xc46cce in next_free
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:1316
#6 0xc478b8 in next_statement
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:1548
#7 0xc4fd5b in parse_spec
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:3967
#8 0xc58f22 in parse_progunit
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:5896
#9 0xc5851c in parse_contained
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:5797
#10 0xc5a10c in parse_module
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:6170
#11 0xc5c26c in gfc_parse_file()
/home/marxin/Programming/gcc2/gcc/fortran/parse.c:6465
#12 0xd76343 in gfc_be_parse_file
/home/marxin/Programming/gcc2/gcc/fortran/f95-lang.c:212
#13 0x229bd2e in compile_file
/home/marxin/Programming/gcc2/gcc/toplev.c:457
#14 0x22a50ef in do_compile /home/marxin/Programming/gcc2/gcc/toplev.c:2201
#15 0x22a5953 in toplev::main(int, char**)
/home/marxin/Programming/gcc2/gcc/toplev.c:2340
#16 0x4c85cad in main /home/marxin/Programming/gcc2/gcc/main.c:39
#17 0x7ffff7095b24 in __libc_start_main ../csu/libc-start.c:332
#18 0xa349ed in _start
(/home/marxin/Programming/gcc2/objdir/gcc/f951+0xa349ed)
Address 0x7fffffffd3af is located in stack of thread T0 at offset 191 in frame
#0 0xbc4644 in gfc_match_select_rank()
/home/marxin/Programming/gcc2/gcc/fortran/match.c:6634
This frame has 4 object(s):
[32, 40) 'expr1' (line 6635)
[64, 72) 'expr2' (line 6635)
[96, 104) 'ns' (line 6639)
[128, 191) 'name' (line 6637) <== Memory access at offset 191 overflows
this variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
/home/marxin/Programming/gcc2/gcc/fortran/match.c:685 in gfc_match_name(char*)
Shadow bytes around the buggy address:
0x10007fff7a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
0x10007fff7a30: f1 f1 00 00 f2 f2 00 00 00 f3 f3 f3 f3 f3 00 00
0x10007fff7a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
0x10007fff7a60: f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 00
=>0x10007fff7a70: 00 00 00 00 00[07]f3 f3 f3 f3 00 00 00 00 00 00
0x10007fff7a80: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x10007fff7a90: 04 f2 04 f2 00 00 f3 f3 00 00 00 00 00 00 00 00
0x10007fff7aa0: f1 f1 f1 f1 f1 f1 04 f2 04 f3 f3 f3 00 00 00 00
0x10007fff7ab0: 00 00 00 00 f1 f1 f1 f1 00 00 f3 f3 00 00 00 00
0x10007fff7ac0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==28113==ABORTING
Referenced Bugs:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86656
[Bug 86656] [meta-bug] Issues found with -fsanitize=address
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug fortran/99688] AddressSanitizer: stack-buffer-overflow on address at gfc_match_name(char*) gcc/fortran/match.c:685
2021-03-20 20:00 [Bug fortran/99688] New: AddressSanitizer: stack-buffer-overflow on address at gfc_match_name(char*) gcc/fortran/match.c:685 marxin at gcc dot gnu.org
@ 2021-03-20 20:00 ` marxin at gcc dot gnu.org
2021-03-20 20:41 ` anlauf at gcc dot gnu.org
` (5 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: marxin at gcc dot gnu.org @ 2021-03-20 20:00 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99688
Martin Liška <marxin at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |NEW
Last reconfirmed| |2021-03-20
Priority|P3 |P4
Ever confirmed|0 |1
Target Milestone|--- |11.0
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug fortran/99688] AddressSanitizer: stack-buffer-overflow on address at gfc_match_name(char*) gcc/fortran/match.c:685
2021-03-20 20:00 [Bug fortran/99688] New: AddressSanitizer: stack-buffer-overflow on address at gfc_match_name(char*) gcc/fortran/match.c:685 marxin at gcc dot gnu.org
2021-03-20 20:00 ` [Bug fortran/99688] " marxin at gcc dot gnu.org
@ 2021-03-20 20:41 ` anlauf at gcc dot gnu.org
2021-03-21 16:09 ` burnus at gcc dot gnu.org
` (4 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: anlauf at gcc dot gnu.org @ 2021-03-20 20:41 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99688
anlauf at gcc dot gnu.org changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |anlauf at gcc dot gnu.org
--- Comment #1 from anlauf at gcc dot gnu.org ---
I do not see the issue with valgrind, but does the following obvious patch
help?
diff --git a/gcc/fortran/match.c b/gcc/fortran/match.c
index 4d5890fd523..9941887453f 100644
--- a/gcc/fortran/match.c
+++ b/gcc/fortran/match.c
@@ -6634,7 +6634,7 @@ gfc_match_select_rank (void)
{
gfc_expr *expr1, *expr2 = NULL;
match m;
- char name[GFC_MAX_SYMBOL_LEN];
+ char name[GFC_MAX_SYMBOL_LEN + 1];
gfc_symbol *sym, *sym2;
gfc_namespace *ns = gfc_current_ns;
gfc_array_spec *as = NULL;
There might be a similar issue with SELECT TYPE (gfc_match_select_type).
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug fortran/99688] AddressSanitizer: stack-buffer-overflow on address at gfc_match_name(char*) gcc/fortran/match.c:685
2021-03-20 20:00 [Bug fortran/99688] New: AddressSanitizer: stack-buffer-overflow on address at gfc_match_name(char*) gcc/fortran/match.c:685 marxin at gcc dot gnu.org
2021-03-20 20:00 ` [Bug fortran/99688] " marxin at gcc dot gnu.org
2021-03-20 20:41 ` anlauf at gcc dot gnu.org
@ 2021-03-21 16:09 ` burnus at gcc dot gnu.org
2021-03-22 8:51 ` cvs-commit at gcc dot gnu.org
` (3 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: burnus at gcc dot gnu.org @ 2021-03-21 16:09 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99688
Tobias Burnus <burnus at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |burnus at gcc dot gnu.org
--- Comment #2 from Tobias Burnus <burnus at gcc dot gnu.org> ---
Patch: https://gcc.gnu.org/pipermail/gcc-patches/2021-March/567066.html
Should fix this issue and three other issues.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug fortran/99688] AddressSanitizer: stack-buffer-overflow on address at gfc_match_name(char*) gcc/fortran/match.c:685
2021-03-20 20:00 [Bug fortran/99688] New: AddressSanitizer: stack-buffer-overflow on address at gfc_match_name(char*) gcc/fortran/match.c:685 marxin at gcc dot gnu.org
` (2 preceding siblings ...)
2021-03-21 16:09 ` burnus at gcc dot gnu.org
@ 2021-03-22 8:51 ` cvs-commit at gcc dot gnu.org
2021-03-23 9:00 ` cvs-commit at gcc dot gnu.org
` (2 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2021-03-22 8:51 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99688
--- Comment #3 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Tobias Burnus <burnus@gcc.gnu.org>:
https://gcc.gnu.org/g:0e792ee11aa6ebb6f61e9ed33eb06e260f0ec703
commit r11-7758-g0e792ee11aa6ebb6f61e9ed33eb06e260f0ec703
Author: Tobias Burnus <tobias@codesourcery.com>
Date: Mon Mar 22 09:49:48 2021 +0100
Fortran: Fix 'name' bound size [PR99688]
gcc/fortran/ChangeLog:
PR fortran/99688
* match.c (select_type_set_tmp, gfc_match_select_type,
gfc_match_select_rank): Fix 'name' buffersize to avoid out of
bounds.
* resolve.c (resolve_select_type): Likewise.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug fortran/99688] AddressSanitizer: stack-buffer-overflow on address at gfc_match_name(char*) gcc/fortran/match.c:685
2021-03-20 20:00 [Bug fortran/99688] New: AddressSanitizer: stack-buffer-overflow on address at gfc_match_name(char*) gcc/fortran/match.c:685 marxin at gcc dot gnu.org
` (3 preceding siblings ...)
2021-03-22 8:51 ` cvs-commit at gcc dot gnu.org
@ 2021-03-23 9:00 ` cvs-commit at gcc dot gnu.org
2021-03-24 8:15 ` cvs-commit at gcc dot gnu.org
2021-03-24 8:17 ` burnus at gcc dot gnu.org
6 siblings, 0 replies; 8+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2021-03-23 9:00 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99688
--- Comment #4 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-10 branch has been updated by Tobias Burnus
<burnus@gcc.gnu.org>:
https://gcc.gnu.org/g:129afa080badc7884c08668ed67a1e4da61bb7da
commit r10-9522-g129afa080badc7884c08668ed67a1e4da61bb7da
Author: Tobias Burnus <tobias@codesourcery.com>
Date: Mon Mar 22 09:49:48 2021 +0100
Fortran: Fix 'name' bound size [PR99688]
gcc/fortran/ChangeLog:
PR fortran/99688
* match.c (select_type_set_tmp, gfc_match_select_type,
gfc_match_select_rank): Fix 'name' buffersize to avoid out of
bounds.
* resolve.c (resolve_select_type): Likewise.
(cherry picked from commit 0e792ee11aa6ebb6f61e9ed33eb06e260f0ec703)
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug fortran/99688] AddressSanitizer: stack-buffer-overflow on address at gfc_match_name(char*) gcc/fortran/match.c:685
2021-03-20 20:00 [Bug fortran/99688] New: AddressSanitizer: stack-buffer-overflow on address at gfc_match_name(char*) gcc/fortran/match.c:685 marxin at gcc dot gnu.org
` (4 preceding siblings ...)
2021-03-23 9:00 ` cvs-commit at gcc dot gnu.org
@ 2021-03-24 8:15 ` cvs-commit at gcc dot gnu.org
2021-03-24 8:17 ` burnus at gcc dot gnu.org
6 siblings, 0 replies; 8+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2021-03-24 8:15 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99688
--- Comment #5 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-9 branch has been updated by Tobias Burnus
<burnus@gcc.gnu.org>:
https://gcc.gnu.org/g:cdce7732ed2c91f6cc73f83bf05ab971b9d0a62e
commit r9-9305-gcdce7732ed2c91f6cc73f83bf05ab971b9d0a62e
Author: Tobias Burnus <tobias@codesourcery.com>
Date: Mon Mar 22 09:49:48 2021 +0100
Fortran: Fix 'name' bound size [PR99688]
gcc/fortran/ChangeLog:
PR fortran/99688
* match.c (select_type_set_tmp, gfc_match_select_type) Fix 'name'
buffersize to avoid out of bounds.
* resolve.c (resolve_select_type): Likewise.
(cherry picked from commit 0e792ee11aa6ebb6f61e9ed33eb06e260f0ec703)
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug fortran/99688] AddressSanitizer: stack-buffer-overflow on address at gfc_match_name(char*) gcc/fortran/match.c:685
2021-03-20 20:00 [Bug fortran/99688] New: AddressSanitizer: stack-buffer-overflow on address at gfc_match_name(char*) gcc/fortran/match.c:685 marxin at gcc dot gnu.org
` (5 preceding siblings ...)
2021-03-24 8:15 ` cvs-commit at gcc dot gnu.org
@ 2021-03-24 8:17 ` burnus at gcc dot gnu.org
6 siblings, 0 replies; 8+ messages in thread
From: burnus at gcc dot gnu.org @ 2021-03-24 8:17 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99688
Tobias Burnus <burnus at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #6 from Tobias Burnus <burnus at gcc dot gnu.org> ---
FIXED on mainline (GCC 11) and on GCC 9 and 10.
Martin: Thanks for running asan-bootstrap!
Harald: Thanks for the debugging/first patch!
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2021-03-24 8:17 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-20 20:00 [Bug fortran/99688] New: AddressSanitizer: stack-buffer-overflow on address at gfc_match_name(char*) gcc/fortran/match.c:685 marxin at gcc dot gnu.org
2021-03-20 20:00 ` [Bug fortran/99688] " marxin at gcc dot gnu.org
2021-03-20 20:41 ` anlauf at gcc dot gnu.org
2021-03-21 16:09 ` burnus at gcc dot gnu.org
2021-03-22 8:51 ` cvs-commit at gcc dot gnu.org
2021-03-23 9:00 ` cvs-commit at gcc dot gnu.org
2021-03-24 8:15 ` cvs-commit at gcc dot gnu.org
2021-03-24 8:17 ` burnus at gcc dot gnu.org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).