Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

gccgo: heap-buffer-overflow in Lex::skip_cpp_comment #11577

Closed
dvyukov opened this issue Jul 3, 2015 · 2 comments
Closed

gccgo: heap-buffer-overflow in Lex::skip_cpp_comment #11577

dvyukov opened this issue Jul 3, 2015 · 2 comments
Labels
FrozenDueToAge Thinking
Milestone
Gccgo

Comments

@dvyukov
Copy link
Member

dvyukov commented Jul 3, 2015

gccgo built with asan crashes on the following input (quoted form):

    "package\rG\n//line \u205f" +
    "\u205f\u205f\u205f\u205f\u205f\u205f\xe2\x81" +
    "\x9f\u205f\u205f\u205f\u205f\u205f\u205f\xe2" +
    "\x81\x9f\u205f\u205f\u205f\u205f\u205f\u205f" +
    "\u205f\u205f\u205f\u205f\u205f\u205f\xe2\x81" +
    "\x9f\u205f\u205f\u205f\u205f\u205f:1"

==100579==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c00000bab8 at pc 0x000000681676 bp 0x7fff65a42dc0 sp 0x7fff65a42570
READ of size 14 at 0x60c00000bab8 thread T0
    #0 0x681675 in __interceptor_memcmp ../../../../libsanitizer/asan/asan_interceptors.cc:332
    #1 0x7e489e in Lex::skip_cpp_comment() ../../gcc/go/gofrontend/lex.cc:1731
    #2 0x7e6dda in Lex::next_token() ../../gcc/go/gofrontend/lex.cc:593
    #3 0x7e80a4 in Parse::advance_token() ../../gcc/go/gofrontend/parse.cc:80
    #4 0x8141d2 in Parse::program() ../../gcc/go/gofrontend/parse.cc:5648
    #5 0x78966f in go_parse_input_files(char const**, unsigned int, bool, bool) ../../gcc/go/gofrontend/go.cc:73
    #6 0x77c961 in go_langhook_parse_file ../../gcc/go/go-lang.c:304
    #7 0x14ae7f2 in compile_file ../../gcc/toplev.c:551
    #8 0x61fe29 in do_compile ../../gcc/toplev.c:2061
    #9 0x61fe29 in toplev::main(int, char**) ../../gcc/toplev.c:2162
    #10 0x629457 in main ../../gcc/main.c:39
    #11 0x7f00dcfd4ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #12 0x62a292  (/usr/local/google/home/dvyukov/src/gcc/build_asan/gcc/go1+0x62a292)

0x60c00000bab8 is located 0 bytes to the right of 120-byte region [0x60c00000ba40,0x60c00000bab8)
allocated by thread T0 here:
    #0 0x6a1eca in operator new[](unsigned long) ../../../../libsanitizer/asan/asan_new_delete.cc:62
    #1 0x7df932 in Lex::Lex(char const*, _IO_FILE*, Linemap*) ../../gcc/go/gofrontend/lex.cc:448

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../libsanitizer/asan/asan_interceptors.cc:332 __interceptor_memcmp
Shadow bytes around the buggy address:
  0x0c187fff9700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9740: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c187fff9750: 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa
  0x0c187fff9760: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c187fff9770: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c187fff9780: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
  0x0c187fff9790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff97a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe

gcc version 6.0.0 2015070 (experimental) (GCC)
@dvyukov
Copy link
Member Author

dvyukov commented Jul 3, 2015

@paranoiacblack

@ianlancetaylor ianlancetaylor added this to the Gccgo milestone Jul 10, 2015
@gopherbot
Copy link
Contributor

CL https://golang.org/cl/14182 mentions this issue.

pbeeler pushed a commit to SaberMod/GCC_SaberMod that referenced this issue Sep 12, 2015
compiler: Avoid unsafe memcmp for nointerface comments.
2564602 
    
    Fixes golang/go#11577.
    
    Reviewed-on: https://go-review.googlesource.com/14182


git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@227699 138bc75d-0d04-0410-961f-82ee72b054a4
@golang golang locked and limited conversation to collaborators Sep 22, 2016
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge Thinking
Projects
None yet
Milestone
Gccgo
Development

No branches or pull requests
4 participants
@paranoiacblack @dvyukov @ianlancetaylor @gopherbot