global-buffer-overflow in ADFI_string_2_C_string

Description

The address sanitizer of gcc 8.3.0 detected two global-buffer-overflows in ADFI_string_2_C_string when our application processes a CGNS file. CGNS 3.4.0 was compiled with CMAKE_C_FLAGS_DEBUG="-ggdb -fno-common -O0 -fsanitize=address -fsanitize-recover=address".

Here is the sanitizer output:

==16462==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fc7b400ca3f at pc 0x7fc7b3fe7008 bp 0x7ffd84638a70 sp 0x7ffd84638a68
READ of size 1 at 0x7fc7b400ca3f thread T0
#0 0x7fc7b3fe7007 in ADFI_string_2_C_string /home/geis_go/tmp/CGNS/src/adf/ADF_internals.c:7411
#1 0x7fc7b3fcdb60 in ADFI_evaluate_datatype /home/geis_go/tmp/CGNS/src/adf/ADF_internals.c:3165
#2 0x7fc7b3fab4c0 in ADF_Put_Dimension_Information /home/geis_go/tmp/CGNS/src/adf/ADF_interface.c:2369
#3 0x7fc7b3fa2863 in ADF_Delete /home/geis_go/tmp/CGNS/src/adf/ADF_interface.c:1218
#4 0x7fc7b3f0c208 in cgio_delete_node /home/geis_go/tmp/CGNS/src/cgns_io.c:1167
#5 0x7fc7b3eaa53b in cgi_delete_node /home/geis_go/tmp/CGNS/src/cgns_internals.c:7924
#6 0x7fc7b3ed0b51 in cgi_descr_address /home/geis_go/tmp/CGNS/src/cgns_internals.c:11335
#7 0x7fc7b3f61567 in cg_descriptor_write /home/geis_go/tmp/CGNS/src/cgnslib.c:10396
#8 0xe4403f in writeVolumeSourcesToCGNS IO/writeVolumeSourceToBlockContainer.c:246
#9 0xe4440a in writeVolumeSourceToBlockContainerFamily IO/writeVolumeSourceToBlockContainer.c:318
#10 0x40f0c6 in main MAIN/prepMain.c:600
#11 0x7fc7b173eb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#12 0x40eb38 (/home/geis_go/work/trace_suite_clean/prep/PREPdebug+0x40eb38)

0x7fc7b400ca3f is located 28 bytes to the right of global variable '*.LC93' defined in '/home/geis_go/tmp/CGNS/src/adf/ADF_interface.c' (0x7fc7b400ca20) of size 3
'*.LC93' is ascii string 'MT'
SUMMARY: AddressSanitizer: global-buffer-overflow /home/geis_go/tmp/CGNS/src/adf/ADF_internals.c:7411 in ADFI_string_2_C_string
Shadow bytes around the buggy address:
0x0ff9767f98f0: 00 07 f9 f9 f9 f9 f9 f9 00 00 06 f9 f9 f9 f9 f9
0x0ff9767f9900: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 00 00 05 f9
0x0ff9767f9910: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff9767f9920: 00 00 00 00 00 00 00 00 02 f9 f9 f9 f9 f9 f9 f9
0x0ff9767f9930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff9767f9940: 00 00 00 00 03 f9 f9[f9]f9 f9 f9 f9 00 00 00 00
0x0ff9767f9950: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 03 f9 f9 f9
0x0ff9767f9960: f9 f9 f9 f9 00 03 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0ff9767f9970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff9767f9980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff9767f9990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
=================================================================
==16462==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fc7b400ca23 at pc 0x7fc7b3fe7077 bp 0x7ffd84638a70 sp 0x7ffd84638a68
READ of size 1 at 0x7fc7b400ca23 thread T0
#0 0x7fc7b3fe7076 in ADFI_string_2_C_string /home/geis_go/tmp/CGNS/src/adf/ADF_internals.c:7418
#1 0x7fc7b3fcdb60 in ADFI_evaluate_datatype /home/geis_go/tmp/CGNS/src/adf/ADF_internals.c:3165
#2 0x7fc7b3fab4c0 in ADF_Put_Dimension_Information /home/geis_go/tmp/CGNS/src/adf/ADF_interface.c:2369
#3 0x7fc7b3fa2863 in ADF_Delete /home/geis_go/tmp/CGNS/src/adf/ADF_interface.c:1218
#4 0x7fc7b3f0c208 in cgio_delete_node /home/geis_go/tmp/CGNS/src/cgns_io.c:1167
#5 0x7fc7b3eaa53b in cgi_delete_node /home/geis_go/tmp/CGNS/src/cgns_internals.c:7924
#6 0x7fc7b3ed0b51 in cgi_descr_address /home/geis_go/tmp/CGNS/src/cgns_internals.c:11335
#7 0x7fc7b3f61567 in cg_descriptor_write /home/geis_go/tmp/CGNS/src/cgnslib.c:10396
#8 0xe4403f in writeVolumeSourcesToCGNS IO/writeVolumeSourceToBlockContainer.c:246
#9 0xe4440a in writeVolumeSourceToBlockContainerFamily IO/writeVolumeSourceToBlockContainer.c:318
#10 0x40f0c6 in main MAIN/prepMain.c:600
#11 0x7fc7b173eb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#12 0x40eb38 (/home/geis_go/work/trace_suite_clean/prep/PREPdebug+0x40eb38)

0x7fc7b400ca23 is located 0 bytes to the right of global variable '*.LC93' defined in '/home/geis_go/tmp/CGNS/src/adf/ADF_interface.c' (0x7fc7b400ca20) of size 3
'*.LC93' is ascii string 'MT'
SUMMARY: AddressSanitizer: global-buffer-overflow /home/geis_go/tmp/CGNS/src/adf/ADF_internals.c:7418 in ADFI_string_2_C_string
Shadow bytes around the buggy address:
0x0ff9767f98f0: 00 07 f9 f9 f9 f9 f9 f9 00 00 06 f9 f9 f9 f9 f9
0x0ff9767f9900: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 00 00 05 f9
0x0ff9767f9910: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff9767f9920: 00 00 00 00 00 00 00 00 02 f9 f9 f9 f9 f9 f9 f9
0x0ff9767f9930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff9767f9940: 00 00 00 00[03]f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0ff9767f9950: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 03 f9 f9 f9
0x0ff9767f9960: f9 f9 f9 f9 00 03 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0ff9767f9970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff9767f9980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff9767f9990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
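
As an added illustration (not CGNS code and not the fix for this issue), here is the pattern that produces a report of this kind: ADF stores data-type names as fixed-width, blank-padded fields, and a converter that trusts the declared width over-reads when handed a short NUL-terminated literal such as "MT". The field width of 32, the shape of the converter and all function names are assumptions inferred from the two reported offsets (31 and 3 bytes from the start of the 3-byte literal); the bounded variant is one possible mitigation, not the project's.

```c
/* Added example (not CGNS code): the fixed-width ADF string convention and a
 * converter that trusts its declared width, beside a bounded variant.  The
 * width of 32 and the converter's shape are assumptions; names are hypothetical. */
#include <string.h>

#define ADF_DATA_TYPE_LENGTH 32   /* assumed width of a blank-padded data-type field */

/* Assumed shape of the unbounded converter: walks the whole declared width
 * backwards past trailing blanks.  With the 3-byte literal "MT" its first read
 * is adf[31], 28 bytes past the object, matching the first report above. */
size_t adf_string_to_c_string_unbounded(const char *adf, size_t string_length, char *out)
{
    size_t n = string_length;
    while (n > 0 && (adf[n - 1] == ' ' || adf[n - 1] == '\0'))
        n--;
    memcpy(out, adf, n);
    out[n] = '\0';
    return n;
}

/* Bounded variant: the scan window is the smaller of the declared width and the
 * distance to the first NUL, so a short literal is trimmed without touching
 * memory past it, while a full 32-byte unterminated field converts as before. */
size_t adf_string_to_c_string_bounded(const char *adf, size_t string_length, char *out)
{
    size_t n = 0;
    while (n < string_length && adf[n] != '\0')
        n++;
    while (n > 0 && adf[n - 1] == ' ')
        n--;
    memcpy(out, adf, n);
    out[n] = '\0';
    return n;
}

static char scratch[ADF_DATA_TYPE_LENGTH + 1];

/* Returns 1 when both converters agree on a constructed, properly padded field
 * ("R8" plus 30 blanks, no terminator) and the bounded one handles the short
 * literal.  The unbounded one is never called on "MT": that is the over-read. */
int check_converters(void)
{
    char field[ADF_DATA_TYPE_LENGTH];
    memset(field, ' ', sizeof field);
    field[0] = 'R'; field[1] = '8';
    if (adf_string_to_c_string_unbounded(field, sizeof field, scratch) != 2 || strcmp(scratch, "R8")) return 0;
    if (adf_string_to_c_string_bounded(field, sizeof field, scratch) != 2 || strcmp(scratch, "R8")) return 0;
    return adf_string_to_c_string_bounded("MT", ADF_DATA_TYPE_LENGTH, scratch) == 2 && strcmp(scratch, "MT") == 0;
}
```

Building the unbounded variant with -fsanitize=address and calling it on "MT" reproduces the "global-buffer-overflow ... N bytes to the right of global variable" shape seen above; the bounded variant stays within the literal.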

Environment

None

Assignee

Georg Geiser

Reporter

Anonymous

Labels

None

Affects versions

3.4.0

Priority

Critical