
global-buffer-overflow reported by AddressSanitizer in mpas-framework/src/tools/registry/fortprintf.c

Open dqwu opened this issue 2 years ago • 0 comments

I tried to build a simple ne4 F case (--compset F2010 --res ne4_oQU240) on anlgce with "GNU compiler + AddressSanitizer flags", and a global-buffer-overflow issue was reported:

[ 40%] Building Fortran object cmake/lnd/CMakeFiles/lnd.dir/__/__/elm/src/main/LandunitMod.F90.o
...
=================================================================
==963990==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000de4e06 at pc 0x0000004e07f3 bp 0x7ffc35c2b9f0 sp 0x7ffc35c2b9e8
WRITE of size 1 at 0x000000de4e06 thread T0
    #0 0x4e07f2 in fortprintf /scratch/wuda/E3SM/components/mpas-framework/src/tools/registry/fortprintf.c:118
    #1 0x4dd317 in parse_var /scratch/wuda/E3SM/components/mpas-framework/src/tools/registry/gen_inc.c:1649
    #2 0x4ddd7b in parse_struct /scratch/wuda/E3SM/components/mpas-framework/src/tools/registry/gen_inc.c:1812
    #3 0x4dff10 in parse_structs_from_registry /scratch/wuda/E3SM/components/mpas-framework/src/tools/registry/gen_inc.c:2397
    #4 0x4d3899 in parse_reg_xml /scratch/wuda/E3SM/components/mpas-framework/src/tools/registry/parse.c:755
    #5 0x407493 in main /scratch/wuda/E3SM/components/mpas-framework/src/tools/registry/parse.c:63
    #6 0x7f09f71880b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
    #7 0x4076bd in _start (/scratch/wuda/e3sm/scratch/F2010_ne4_oQU240/bld/cmake-bld/mpas-framework/src/tools/parse+0x4076bd)

0x000000de4e06 is located 0 bytes to the right of global variable 'printbuf' defined in '/scratch/wuda/E3SM/components/mpas-framework/src/tools/registry/fortprintf.c:17:6' (0xde4d80) of size 134
SUMMARY: AddressSanitizer: global-buffer-overflow /scratch/wuda/E3SM/components/mpas-framework/src/tools/registry/fortprintf.c:118 in fortprintf

To reproduce this issue on any other E3SM machines, we can add a debug printf and then check e3sm.bldlog:

...
#ifdef FORTPRINTF_TESTING
#define MAX_LINE_LEN 20
#else
#define MAX_LINE_LEN 132
#endif

char printbuf[MAX_LINE_LEN+2];
...
		/* Else if we found a place to break the line */
		else if (sp >= 0) {
			snprintf(printbuf, sp+2, "%s", fbuffer);
			i = sp+1;
			if (sp_inquotes && (sp > q)) printbuf[i++] = '\'';
			printbuf[i++] = '&';
			printbuf[i++] = '\n';
			if (i >= (MAX_LINE_LEN+2)) printf("sp = %d, i = %d\n", sp, i); /* Add a debug printf for testing */
			printbuf[i++] = '\0';
			fprintf(fd, "%s", printbuf);
...

The size of printbuf array is 134 so the index to access it should be less than or equal to 133. When building ne4 F case, sp can be 130 and i can be 134. The content of printbuf is: call mpas_add_att(i1Ptr % attLists(1) % attList, 'long_name', 'Number of edges that surround each of the cells that straddle '&

A possible fix is to increase the size of printbuf array by one: char printbuf[MAX_LINE_LEN+3];

dqwu • May 23 '22 22:05
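The arithmetic behind the report, as an added example that is not part of the issue or of the MPAS registry tool: a bounds-checked model of the quoted line-break branch of fortprintf() that returns how many bytes the original, unchecked branch writes for a given break index sp. The constants are the ones quoted above (MAX_LINE_LEN 132, printbuf of MAX_LINE_LEN+2 = 134 bytes, the proposed MAX_LINE_LEN+3 = 135). The input line is constructed filler, the function names are this example's own, and sp = 130 is taken from the issue; the largest sp the real tool can produce depends on code not quoted here.

```c
#include <stdio.h>
#include <string.h>

/* Same constants as the non-testing build quoted in the issue. */
#define MAX_LINE_LEN   132
#define PRINTBUF_ORIG  (MAX_LINE_LEN + 2)   /* 134 bytes: size in the reported build */
#define PRINTBUF_FIXED (MAX_LINE_LEN + 3)   /* 135 bytes: the size proposed in the issue */

/* Store one byte only if it fits; the caller still counts it as "needed". */
static void put_checked(char *out, size_t outsz, size_t idx, char c)
{
    if (idx < outsz)
        out[idx] = c;
}

/*
 * Model (this example's own, not the project's code) of the "found a place
 * to break the line" branch of fortprintf(): copy fbuffer[0..sp] (snprintf
 * with size sp+2), optionally re-open the quote, then append the Fortran
 * continuation marker '&', '\n' and '\0'.
 * Every store is bounds-checked against outsz, and the return value is the
 * number of bytes the original, unchecked branch would have written, i.e.
 * the highest index touched plus one. A result larger than outsz means the
 * original code runs past the end of printbuf.
 */
static size_t emit_broken_line(const char *fbuffer, int sp, int sp_inquotes, int q,
                               char *out, size_t outsz)
{
    size_t i;
    size_t n = strlen(fbuffer);

    /* snprintf(printbuf, sp+2, "%s", fbuffer): up to sp+1 chars plus a NUL */
    for (i = 0; i < (size_t)sp + 1 && i < n; i++)
        put_checked(out, outsz, i, fbuffer[i]);
    put_checked(out, outsz, i, '\0');

    i = (size_t)sp + 1;                          /* i = sp+1 in the original */
    if (sp_inquotes && sp > q)
        put_checked(out, outsz, i++, '\'');      /* re-open the string literal */
    put_checked(out, outsz, i++, '&');           /* continuation marker */
    put_checked(out, outsz, i++, '\n');
    put_checked(out, outsz, i++, '\0');
    return i;
}

/* Bytes the branch writes for a break at index sp, with or without the quote. */
size_t bytes_needed(int sp, int with_quote)
{
    char line[MAX_LINE_LEN + 16];
    char out[MAX_LINE_LEN + 16];
    /* Constructed input: filler long enough that a break at sp is possible. */
    memset(line, 'x', sizeof line - 1);
    line[sizeof line - 1] = '\0';
    /* q is the index of the opening quote; 0 places the break inside the literal. */
    return emit_broken_line(line, sp, with_quote, 0, out, sizeof out);
}

/* 1 if a printbuf of bufsize bytes is overrun for this sp/quote combination. */
int printbuf_overflows(size_t bufsize, int sp, int with_quote)
{
    return bytes_needed(sp, with_quote) > bufsize;
}

int main(void)
{
    int sp = 130;   /* the break index reported for the ne4 F case */
    printf("sp=%d, quote reopened: %zu bytes needed, printbuf[%d] %s, printbuf[%d] %s\n",
           sp, bytes_needed(sp, 1),
           PRINTBUF_ORIG, printbuf_overflows(PRINTBUF_ORIG, sp, 1) ? "OVERFLOWS" : "ok",
           PRINTBUF_FIXED, printbuf_overflows(PRINTBUF_FIXED, sp, 1) ? "OVERFLOWS" : "ok");
    printf("sp=%d, no quote:        %zu bytes needed, printbuf[%d] %s\n",
           sp, bytes_needed(sp, 0),
           PRINTBUF_ORIG, printbuf_overflows(PRINTBUF_ORIG, sp, 0) ? "OVERFLOWS" : "ok");
    return 0;
}
```

With sp = 130 the copy occupies indices 0..130, the re-opened quote lands at 131, '&' at 132, '\n' at 133 and the terminator at 134, which is exactly one past a 134-byte printbuf; without the re-opened quote the same break needs 134 bytes and fits. That is why the overflow only shows up on a line that breaks inside a quoted string, and why a single extra byte is enough for this branch. The bounds-checked stores are what a hardened fortprintf would do in addition to resizing, so that a future change to the worst case fails loudly instead of writing past the array.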