[libgfortran] Bug 81937 - stack-buffer-overflow on memcpy

Message ID	34841158-f941-5ed9-d923-a7197d72105f@charter.net
State	New
Headers	show Return-Path: <gcc-patches-return-469414-incoming=patchwork.ozlabs.org@gcc.gnu.org> DomainKey-Signature: a=rsa-sha1; c=nofws; d=gcc.gnu.org; h=list-id :list-unsubscribe:list-archive:list-post:list-help:sender:to:cc :from:subject:message-id:date:mime-version:content-type; q=dns; s=default; b=JPVNNt6VVKxiXLS01jwjDg8XIFUVhbD/zlAaRTEHdQ3ox61ZN8 b0oSMT8GYqcV+h6KreN9pBtkoxvafMMYkaaLXrR2asjdvUe1ZjyN33F6m31dls4k w5JZzx4JiOy3ABYZIywGj5WIms2vuyPBuICjfFmuUuHLX0kYS9MfXEDEU= Mailing-List: contact gcc-patches-help@gcc.gnu.org; run by ezmlm Precedence: bulk Sender: gcc-patches-owner@gcc.gnu.org To: gfortran <fortran@gcc.gnu.org> Cc: gcc patches <gcc-patches@gcc.gnu.org> From: Jerry DeLisle <jvdelisle@charter.net> Subject: [patch, libgfortran] Bug 81937 - stack-buffer-overflow on memcpy Message-ID: <34841158-f941-5ed9-d923-a7197d72105f@charter.net> Date: Sat, 16 Dec 2017 08:26:33 -0800 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="------------73ABDF98798C5D8572A9C059"
Series	[libgfortran] Bug 81937 - stack-buffer-overflow on memcpy \| expand [libgfortran] Bug 81937 - stack-buffer-overflow on memcpy

Message ID

34841158-f941-5ed9-d923-a7197d72105f@charter.net

State

New

Headers

DomainKey-Signature: a=rsa-sha1; c=nofws; d=gcc.gnu.org; h=list-id
	:list-unsubscribe:list-archive:list-post:list-help:sender:to:cc
	:from:subject:message-id:date:mime-version:content-type; q=dns;
	s=default; b=JPVNNt6VVKxiXLS01jwjDg8XIFUVhbD/zlAaRTEHdQ3ox61ZN8
	b0oSMT8GYqcV+h6KreN9pBtkoxvafMMYkaaLXrR2asjdvUe1ZjyN33F6m31dls4k
	w5JZzx4JiOy3ABYZIywGj5WIms2vuyPBuICjfFmuUuHLX0kYS9MfXEDEU=
Mailing-List: contact gcc-patches-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
Sender: gcc-patches-owner@gcc.gnu.org
To: gfortran <fortran@gcc.gnu.org>
Cc: gcc patches <gcc-patches@gcc.gnu.org>
From: Jerry DeLisle <jvdelisle@charter.net>
Subject: [patch, libgfortran] Bug 81937 - stack-buffer-overflow on memcpy
Message-ID: <34841158-f941-5ed9-d923-a7197d72105f@charter.net>
Date: Sat, 16 Dec 2017 08:26:33 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
	rv:52.0) Gecko/20100101 Thunderbird/52.5.0
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="------------73ABDF98798C5D8572A9C059"

Series

[libgfortran] Bug 81937 - stack-buffer-overflow on memcpy | expand

Commit Message

Jerry DeLisle Dec. 16, 2017, 4:26 p.m. UTC

Hi all,

This problem was found with -fsanitize=address.

Turns out we are not correctly tracking the bytes left in the internal unit
string and we were reading memory past the end. I am sure the problem exists in
gcc 7 and I will examine gcc 6 as well and fix this in all cases I see. The
function sread is basically a wrapper on memcpy

The patch is fairly straight forward.

Regression tested on x86_64-pc-linux-gnu. OK for trunk and back ports as I find?

Regards,

Jerry

2017-12-16  Jerry DeLisle  <jvdelisle@gcc.gnu.org>

	PR libgfortran/81937
	* io/list_read.c (next_char_internal): Don't attempt to read
	from the internal unit stream if no bytes are left. Decrement
	bytes_left in the right place.

Comments

Janne Blomqvist Dec. 16, 2017, 7:37 p.m. UTC | #1

On Sat, Dec 16, 2017 at 6:26 PM, Jerry DeLisle <jvdelisle@charter.net> wrote:
> Hi all,
>
> This problem was found with -fsanitize=address.
>
> Turns out we are not correctly tracking the bytes left in the internal unit
> string and we were reading memory past the end. I am sure the problem exists in
> gcc 7 and I will examine gcc 6 as well and fix this in all cases I see. The
> function sread is basically a wrapper on memcpy
>
> The patch is fairly straight forward.
>
> Regression tested on x86_64-pc-linux-gnu. OK for trunk and back ports as I find?
>
> Regards,
>
> Jerry
>
> 2017-12-16  Jerry DeLisle  <jvdelisle@gcc.gnu.org>
>
>         PR libgfortran/81937
>         * io/list_read.c (next_char_internal): Don't attempt to read
>         from the internal unit stream if no bytes are left. Decrement
>         bytes_left in the right place.
>

Looks good, Ok for trunk/7/6. Thanks!

diff --git a/libgfortran/io/list_read.c b/libgfortran/io/list_read.c
index 379050cecad..037f2daa647 100644
--- a/libgfortran/io/list_read.c
+++ b/libgfortran/io/list_read.c
@@ -266,15 +266,19 @@  next_char_internal (st_parameter_dt *dtp)
     }
 
   /* Get the next character and handle end-of-record conditions.  */
-
-  if (is_char4_unit(dtp)) /* Check for kind=4 internal unit.  */
-   length = sread (dtp->u.p.current_unit->s, &c, 1);
+  if (likely (dtp->u.p.current_unit->bytes_left > 0))
+    {
+      if (unlikely (is_char4_unit(dtp))) /* Check for kind=4 internal unit.  */
+       length = sread (dtp->u.p.current_unit->s, &c, 1);
+      else
+       {
+	 char cc;
+	 length = sread (dtp->u.p.current_unit->s, &cc, 1);
+	 c = cc;
+       }
+    }
   else
-   {
-     char cc;
-     length = sread (dtp->u.p.current_unit->s, &cc, 1);
-     c = cc;
-   }
+    length = 0;
 
   if (unlikely (length < 0))
     {
@@ -290,7 +294,6 @@  next_char_internal (st_parameter_dt *dtp)
 	  generate_error (&dtp->common, LIBERROR_INTERNAL_UNIT, NULL);
 	  return '\0';
 	}
-      dtp->u.p.current_unit->bytes_left--;
     }
   else
     {
@@ -302,6 +305,7 @@  next_char_internal (st_parameter_dt *dtp)
 	  dtp->u.p.at_eof = 1;
 	}
     }
+  dtp->u.p.current_unit->bytes_left--;
 
 done:
   dtp->u.p.at_eol = (c == '\n' || c == EOF);

[libgfortran] Bug 81937 - stack-buffer-overflow on memcpy

Commit Message

Comments

Patch