https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81937
Bug ID: 81937
Summary: stack-buffer-overflow on memcpy in
libgfortran/io/unix.c on character(kind=4)
Product: gcc
Version: 8.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: libfortran
Assignee: unassigned at gcc dot gnu.org
Reporter: zeccav at gmail dot com
Target Milestone: ---
Host: x86_64-pc-linux-gnu
Build: trunk 251201
! dtio_14.f90 test case
! compiled with -fsanitize=address -g
! stack-buffer-overflow on memcpy in libgfortran/io/unix.c on character(kind=4)
MODULE p
TYPE :: person
CHARACTER (LEN=20) :: name
INTEGER(4) :: age
CONTAINS
procedure :: pwf
procedure :: prf
GENERIC :: WRITE(FORMATTED) => pwf
GENERIC :: READ(FORMATTED) => prf
END TYPE person
CONTAINS
SUBROUTINE pwf (dtv,unit,iotype,vlist,iostat,iomsg)
CLASS(person), INTENT(IN) :: dtv
INTEGER, INTENT(IN) :: unit
CHARACTER (LEN=*), INTENT(IN) :: iotype
INTEGER, INTENT(IN) :: vlist(:)
INTEGER, INTENT(OUT) :: iostat
CHARACTER (LEN=*), INTENT(INOUT) :: iomsg
WRITE(unit, FMT = *, IOSTAT=iostat) dtv%name, dtv%age
END SUBROUTINE pwf
SUBROUTINE prf (dtv,unit,iotype,vlist,iostat,iomsg)
CLASS(person), INTENT(INOUT) :: dtv
INTEGER, INTENT(IN) :: unit
CHARACTER (LEN=*), INTENT(IN) :: iotype
INTEGER, INTENT(IN) :: vlist(:)
INTEGER, INTENT(OUT) :: iostat
CHARACTER (LEN=*), INTENT(INOUT) :: iomsg
READ (UNIT = UNIT, FMT = *) dtv%name, dtv%age
END SUBROUTINE prf
END MODULE p
PROGRAM test
USE p
TYPE (person) :: chairman, answer
character(kind=1,len=80) :: str1
character(kind=4,len=80) :: str4
str1 = ""
str4 = 4_""
chairman%name="Charlie"
chairman%age=62
answer = chairman
! KIND=1 test
write (str1, *) chairman
if (trim(str1).ne." Charlie 62") call abort
chairman%name="Bogus"
chairman%age=99
read (str1, *) chairman
if (chairman%name.ne.answer%name) call abort
if (chairman%age.ne.answer%age) call abort
! KIND=4 test
write (str4, *) chairman
if (trim(str4).ne.4_" Charlie 62") call abort
chairman%name="Bogus"
chairman%age=99
read (str4, *) chairman
if (chairman%name.ne.answer%name) call abort
if (chairman%age.ne.answer%age) call abort
END PROGRAM test
!=================================================================
!==4920==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fff4c186e30 at pc 0x2ad600909b22 bp 0x7fff4c186170 sp 0x7fff4c185920
!READ of size 4 at 0x7fff4c186e30 thread T0
! #0 0x2ad600909b21 in __interceptor_memcpy
../../../../gcc/libsanitizer/asan/asan_interceptors.cc:456
! #1 0x2ad601a5b07b in mem_read4 ../../../gcc/libgfortran/io/unix.c:856
! #2 0x2ad601a4b9c3 in sread ../../../gcc/libgfortran/io/unix.h:53
! #3 0x2ad601a4b9c3 in next_char_internal
../../../gcc/libgfortran/io/list_read.c:271
! #4 0x2ad601a4b3f8 in eat_spaces
../../../gcc/libgfortran/io/list_read.c:420
! #5 0x2ad601a4b46d in eat_separator
../../../gcc/libgfortran/io/list_read.c:465
! #6 0x2ad601a4c08a in read_integer
../../../gcc/libgfortran/io/list_read.c:1101
! #7 0x2ad601a4efda in list_formatted_read_scalar
../../../gcc/libgfortran/io/list_read.c:2168
! #8 0x2ad601a505f9 in _gfortrani_list_formatted_read
../../../gcc/libgfortran/io/list_read.c:2332
! #9 0x40164e in __p_MOD_prf
/home/vitti/1tb/vitti/test/gcc/gcc/testsuite/gfortran.dg/p.f90:32
! #10 0x2ad601a4eefd in list_formatted_read_scalar
../../../gcc/libgfortran/io/list_read.c:2222
! #11 0x2ad601a505f9 in _gfortrani_list_formatted_read
../../../gcc/libgfortran/io/list_read.c:2332
! #12 0x40291a in test
/home/vitti/1tb/vitti/test/gcc/gcc/testsuite/gfortran.dg/p.f90:59
! #13 0x402a8c in main
/home/vitti/1tb/vitti/test/gcc/gcc/testsuite/gfortran.dg/p.f90:37
! #14 0x2ad60242f509 in __libc_start_main (/usr/lib64/libc.so.6+0x20509)
! #15 0x4011f9 in _start
(/home/vitti/1tb/vitti/test/gcc-251201/gcc/testsuite/gfortran.dg/a.out+0x4011f9)
!Address 0x7fff4c186e30 is located in stack of thread T0 at offset 992 in frame
! #0 0x401ad0 in test
/home/vitti/1tb/vitti/test/gcc/gcc/testsuite/gfortran.dg/p.f90:36
! This frame has 14 object(s):
! [32, 36) 'len.7'
! [96, 100) 'len.13'
! [160, 168) 'pstr.6'
! [224, 232) 'pstr.12'
! [288, 304) 'class.5'
! [352, 368) 'class.9'
! [416, 432) 'class.11'
! [480, 496) 'class.15'
! [544, 624) 'str1'
! [672, 992) 'str4' <== Memory access at offset 992 overflows this variable
! [1024, 1504) 'dt_parm.4'
! [1536, 2016) 'dt_parm.8'
! [2048, 2528) 'dt_parm.10'
! [2560, 3040) 'dt_parm.14'
!HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
! (longjmp and C++ exceptions *are* supported)
!SUMMARY: AddressSanitizer: stack-buffer-overflow
../../../../gcc/libsanitizer/asan/asan_interceptors.cc:456 in
__interceptor_memcpy
!Shadow bytes around the buggy address:
! 0x100069828d70: f2 f2 f2 f2 f2 f2 00 00 f2 f2 f2 f2 f2 f2 00 00
! 0x100069828d80: f2 f2 f2 f2 f2 f2 00 00 f2 f2 f2 f2 f2 f2 00 00
! 0x100069828d90: 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2 00 00
! 0x100069828da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
! 0x100069828db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
!=>0x100069828dc0: 00 00 00 00 00 00[f2]f2 f2 f2 00 00 00 00 00 00
! 0x100069828dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
! 0x100069828de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
! 0x100069828df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
! 0x100069828e00: 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00
! 0x100069828e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
!Shadow byte legend (one shadow byte represents 8 application bytes):
! Addressable: 00
! Partially addressable: 01 02 03 04 05 06 07
! Heap left redzone: fa
! Freed heap region: fd
! Stack left redzone: f1
! Stack mid redzone: f2
! Stack right redzone: f3
! Stack after return: f5
! Stack use after scope: f8
! Global redzone: f9
! Global init order: f6
! Poisoned by user: f7
! Container overflow: fc
! Array cookie: ac
! Intra object redzone: bb
! ASan internal: fe
! Left alloca redzone: ca
! Right alloca redzone: cb
!==4920==ABORTING
