https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99337

            Bug ID: 99337
           Summary: Sanitizer detect heap-buffer-overflow in
                    checkModFileAlias
           Product: gcc
           Version: 11.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: d
          Assignee: ibuclaw at gdcproject dot org
          Reporter: zeccav at gmail dot com
  Target Milestone: ---

The address sanitizer detects the following when running
/home/vitti/gcc-150221-full-address/gcc/gdc
-B/home/vitti/gcc-150221-full-address/gcc compilable/test16798.d 
-I/home/vitti/gcc-150221/libphobos/libdruntime   
-fmodule-file=its.a.dessert.topping=imports/imp16798.d
-fmodule-file=its.a.floorwax=imports/ -S -o test16798.s

dmodule.c:200 is "if (memcmp(dotmods->peekChars(), m, q - m) == 0)"
I split the original if to understand which arm was causing the issue.

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000010440 at pc
0x1483adc6651e bp 0x7fffd8642480 sp 0x7fffd8641c30
READ of size 21 at 0x602000010440 thread T0
    #0 0x1483adc6651d in MemcmpInterceptorCommon(void*, int (*)(void const*,
void const*, unsigned long), void const*, void const*, unsigned long)
../../../../gcc-150221/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:843
    #1 0x1483adc66b78 in __interceptor_memcmp
../../../../gcc-150221/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:875
    #2 0x1483adc66b78 in __interceptor_memcmp
../../../../gcc-150221/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:870
    #3 0x539741 in checkModFileAlias ../../gcc-150221/gcc/d/dmd/dmodule.c:200
    #4 0x539b45 in getFilename ../../gcc-150221/gcc/d/dmd/dmodule.c:241
    #5 0x53a127 in Module::load(Loc, Array<Identifier*>*, Identifier*)
../../gcc-150221/gcc/d/dmd/dmodule.c:348
    #6 0x4e0c78 in Import::load(Scope*)
../../gcc-150221/gcc/d/dmd/dimport.c:154
    #7 0x4e0ef5 in Import::importAll(Scope*)
../../gcc-150221/gcc/d/dmd/dimport.c:173
    #8 0x4e1b95 in Import::setScope(Scope*)
../../gcc-150221/gcc/d/dmd/dimport.c:243
    #9 0x42f975 in AttribDeclaration::setScope(Scope*)
../../gcc-150221/gcc/d/dmd/attrib.c:142
    #10 0x4359de in ConditionalDeclaration::setScope(Scope*)
../../gcc-150221/gcc/d/dmd/attrib.c:864
    #11 0x53d99b in Module::importAll(Scope*)
../../gcc-150221/gcc/d/dmd/dmodule.c:805
    #12 0x4e0f9c in Import::importAll(Scope*)
../../gcc-150221/gcc/d/dmd/dimport.c:176
    #13 0x53dabc in Module::importAll(Scope*)
../../gcc-150221/gcc/d/dmd/dmodule.c:811
    #14 0x8f0c46 in d_parse_file ../../gcc-150221/gcc/d/d-lang.cc:1038
    #15 0x1fed707 in compile_file ../../gcc-150221/gcc/toplev.c:457
    #16 0x1ff69b9 in do_compile ../../gcc-150221/gcc/toplev.c:2197
    #17 0x1ff721d in toplev::main(int, char**)
../../gcc-150221/gcc/toplev.c:2336
    #18 0x4fba3ef in main ../../gcc-150221/gcc/main.c:39
    #19 0x1483ad4dd1e1 in __libc_start_main (/usr/lib64/libc.so.6+0x281e1)
    #20 0x419c8d in _start
(/home/vitti/gcc-150221-full-address/gcc/d21+0x419c8d)

0x602000010440 is located 0 bytes to the right of 16-byte region
[0x602000010430,0x602000010440)
allocated by thread T0 here:
    #0 0x1483adc85a8f in __interceptor_malloc
../../../../gcc-150221/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x52231eb in xmalloc ../../gcc-150221/libiberty/xmalloc.c:147
    #2 0x7cbb2a in Mem::xrealloc(void*, unsigned long)
../../gcc-150221/gcc/d/dmd/root/rmem.c:83
    #3 0x78c726 in OutBuffer::reserve(unsigned long)
../../gcc-150221/gcc/d/dmd/root/outbuffer.c:30
    #4 0x78ca2c in OutBuffer::write(void const*, unsigned long)
../../gcc-150221/gcc/d/dmd/root/outbuffer.c:59
    #5 0x78cb15 in OutBuffer::writestring(char const*)
../../gcc-150221/gcc/d/dmd/root/outbuffer.c:66
    #6 0x539662 in checkModFileAlias ../../gcc-150221/gcc/d/dmd/dmodule.c:192
    #7 0x539b45 in getFilename ../../gcc-150221/gcc/d/dmd/dmodule.c:241
    #8 0x53a127 in Module::load(Loc, Array<Identifier*>*, Identifier*)
../../gcc-150221/gcc/d/dmd/dmodule.c:348
    #9 0x4e0c78 in Import::load(Scope*)
../../gcc-150221/gcc/d/dmd/dimport.c:154
    #10 0x4e0ef5 in Import::importAll(Scope*)
../../gcc-150221/gcc/d/dmd/dimport.c:173
    #11 0x4e1b95 in Import::setScope(Scope*)
../../gcc-150221/gcc/d/dmd/dimport.c:243
    #12 0x42f975 in AttribDeclaration::setScope(Scope*)
../../gcc-150221/gcc/d/dmd/attrib.c:142
    #13 0x4359de in ConditionalDeclaration::setScope(Scope*)
../../gcc-150221/gcc/d/dmd/attrib.c:864
    #14 0x53d99b in Module::importAll(Scope*)
../../gcc-150221/gcc/d/dmd/dmodule.c:805
    #15 0x4e0f9c in Import::importAll(Scope*)
../../gcc-150221/gcc/d/dmd/dimport.c:176
    #16 0x53dabc in Module::importAll(Scope*)
../../gcc-150221/gcc/d/dmd/dmodule.c:811
    #17 0x8f0c46 in d_parse_file ../../gcc-150221/gcc/d/d-lang.cc:1038
    #18 0x1fed707 in compile_file ../../gcc-150221/gcc/toplev.c:457
    #19 0x1ff69b9 in do_compile ../../gcc-150221/gcc/toplev.c:2197
    #20 0x1ff721d in toplev::main(int, char**)
../../gcc-150221/gcc/toplev.c:2336
    #21 0x4fba3ef in main ../../gcc-150221/gcc/main.c:39
    #22 0x1483ad4dd1e1 in __libc_start_main (/usr/lib64/libc.so.6+0x281e1)

SUMMARY: AddressSanitizer: heap-buffer-overflow
../../../../gcc-150221/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:843
in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned
long), void const*, void const*, unsigned long)
Shadow bytes around the buggy address:
  0x0c047fffa030: fa fa 00 00 fa fa 00 00 fa fa fd fd fa fa 00 00
  0x0c047fffa040: fa fa fd fd fa fa 00 00 fa fa fd fd fa fa 00 00
  0x0c047fffa050: fa fa 00 00 fa fa fd fd fa fa 00 00 fa fa 00 00
  0x0c047fffa060: fa fa 00 00 fa fa fd fd fa fa 00 00 fa fa 00 00
  0x0c047fffa070: fa fa 00 00 fa fa fd fd fa fa 00 00 fa fa 00 00
=>0x0c047fffa080: fa fa 00 00 fa fa 00 00[fa]fa fa fa fa fa fa fa
  0x0c047fffa090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffa0a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffa0b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffa0c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fffa0d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2247079==ABORTING
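The 21-byte READ above is exactly the length of the alias its.a.dessert.topping, while the buffer memcmp reads from is a 16-byte region: a prefix comparison whose length comes from the alias, not from the buffer. The following is an added example (not GCC's or DMD's code) that models that check with hypothetical names: `m` and `q` bracket the alias name in a `-fmodule-file=name=path` spec, `dotmods` is the dotted module name being looked up, and the bounded form refuses to compare more bytes than the buffer holds.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical model of the alias check in the report (not GCC's or
 * DMD's code). A spec has the page's "-fmodule-file=name=path" shape:
 * m points at the start of name, q at the '='. dotmods is the dotted
 * name of the module being loaded, dotmods_len its byte length. */

/* The pattern ASan flagged: memcmp reads q - m bytes from dotmods no
 * matter how many bytes dotmods holds, so a 21-byte alias compared
 * against a 16-byte buffer reads past the end of the allocation. */
int alias_matches_unchecked(const char *dotmods,
                            const char *m, const char *q)
{
    return memcmp(dotmods, m, (size_t)(q - m)) == 0;
}

/* Bounded form: bail out before memcmp when the alias is longer than
 * the buffer, and require the match to end at a '.' boundary or at the
 * end of the name so "its.a.floorwax" does not match "its.a.floorwaxy". */
int alias_matches_checked(const char *dotmods, size_t dotmods_len,
                          const char *m, const char *q)
{
    size_t n;
    if (q < m)
        return 0;
    n = (size_t)(q - m);
    if (n > dotmods_len || memcmp(dotmods, m, n) != 0)
        return 0;
    return n == dotmods_len || dotmods[n] == '.';
}

/* Return the path of the first spec whose alias matches, else NULL. */
const char *resolve_alias(const char *dotmods,
                          const char *const *specs, size_t nspecs)
{
    size_t len = strlen(dotmods);
    for (size_t i = 0; i < nspecs; i++) {
        const char *q = strchr(specs[i], '=');
        if (q && alias_matches_checked(dotmods, len, specs[i], q))
            return q + 1;
    }
    return NULL;
}

/* The two specs from the command line on this page (constructed table). */
const char *const kSpecs[] = {
    "its.a.dessert.topping=imports/imp16798.d",
    "its.a.floorwax=imports/",
};
```

Only `alias_matches_checked` may be handed a `dotmods` shorter than `q - m`; the unchecked form reproduces the overread the sanitizer reports.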
