Opened 6 years ago

Closed 6 years ago

#831 closed bug (fixed)

stack-buffer-overflow when starting Singular built with sanitize flags

Reported by: Lars Kastner <lars.kastner@…> Owned by: somebody
Priority: dontKnow Milestone: 4-2-0 and higher
Component: dontKnow Version: 4-1-0
Keywords: Cc:

Description

We configured Singular with

CXXFLAGS="-std=c++14 -stdlib=libc++ -O1 -g -fno-omit-frame-pointer -L${ASAN_PATH}/installed/mpfr/lib64 -fsanitize=address -fsanitize-address-use-after-scope -fno-sanitize=enum,vptr" LDFLAGS="-stdlib=libc++ -Wl,-rpath,${ASAN_PATH}/installed/ntl/lib -Wl,-rpath,${ASAN_PATH}/installed/mpfr/lib64" CFLAGS="-O1 -g -fno-omit-frame-pointer -fsanitize=address -fsanitize-address-use-after-scope -fno-sanitize=enum,vptr"

i.e. with sanitize flags. Then after building we get the following error at startup:

kastner@marvin:~/local/asan/installed/singular_broken/bin> ./Singular 
=================================================================
==25997==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd31dc16ca at pc 0x00000052b44b bp 0x7ffd31dc1550 sp 0x7ffd31dc0d00
WRITE of size 11 at 0x7ffd31dc16ca thread T0
    #0 0x52b44a in scanf_common(void*, int, bool, char const*, __va_list_tag*) /homes/combi/kastner/local/asan/llvm-6.0.0-src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors_format.inc:343
    #1 0x52c0f5 in vsscanf /homes/combi/kastner/local/asan/llvm-6.0.0-src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1408
    #2 0x52c1e2 in sscanf /homes/combi/kastner/local/asan/llvm-6.0.0-src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1432
    #3 0x662618 in make_version(char*, int) /homes/combi/kastner/local/asan/singular-sources/Singular/libparse.l
    #4 0x65f1bc in yylplex(char const*, char const*, lib_style_types*, idrec*, int, lp_modes) /homes/combi/kastner/local/asan/singular-sources/Singular/libparse.l:264:16
    #5 0x62a079 in iiLoadLIB(_IO_FILE*, char const*, char const*, idrec*, int, int) /homes/combi/kastner/local/asan/singular-sources/Singular/iplib.cc:931:3
    #6 0x6287a7 in iiLibCmd(char*, int, int, int) /homes/combi/kastner/local/asan/singular-sources/Singular/iplib.cc:861:16
    #7 0x67052e in siInit(char*) /homes/combi/kastner/local/asan/singular-sources/Singular/misc_ip.cc:1465:5
    #8 0x5b74f4 in main /homes/combi/kastner/local/asan/singular-sources/Singular/tesths.cc:70:3
    #9 0x1479befb7724 in __libc_start_main (/lib64/libc.so.6+0x20724)
    #10 0x4b7428 in _start /home/abuild/rpmbuild/BUILD/glibc-2.22/csu/../sysdeps/x86_64/start.S:118

Address 0x7ffd31dc16ca is located in stack of thread T0 at offset 42 in frame
    #0 0x6624af in make_version(char*, int) /homes/combi/kastner/local/asan/singular-sources/Singular/libparse.l:847

  This frame has 2 object(s):
    [32, 42) 'ver' (line 848) <== Memory access at offset 42 overflows this variable
    [64, 80) 'date' (line 849)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /homes/combi/kastner/local/asan/llvm-6.0.0-src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors_format.inc:343 in scanf_common(void*, int, bool, char const*, __va_list_tag*)
Shadow bytes around the buggy address:
  0x1000263b0280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000263b0290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000263b02a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000263b02b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000263b02c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000263b02d0: 00 00 00 00 f1 f1 f1 f1 00[02]f2 f2 00 00 f3 f3
  0x1000263b02e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000263b02f0: f1 f1 f1 f1 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x1000263b0300: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x1000263b0310: f8 f8 f8 f8 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00
  0x1000263b0320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==25997==ABORTING

Benjamin Lorenz suggests the following fix

diff --git a/Singular/libparse.cc b/Singular/libparse.cc
index ee5876d88..738405e38 100644
--- a/Singular/libparse.cc
+++ b/Singular/libparse.cc
@@ -3383,8 +3383,8 @@ void reinit_yylp()
 
 void make_version(char *p,int what)
 {
-  char ver[10];
-  char date[16];
+  char ver[11];
+  char date[17];
   ver[0]='?'; ver[1]='.'; ver[2]='?'; ver[3]='\0';
   date[0]='?'; date[1]='\0';
   if(what) sscanf(p,"%*[^=]= %*s %*s %10s %16s",ver,date);
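Review bot: the new sizes are correct (a `%10s` conversion stores up to 10 characters plus the terminating NUL, so `ver` needs 11 bytes and `date` 17), but nothing in the declarations ties `ver[11]` to `%10s` or `date[17]` to `%16s`; a comment on the two declarations, or one constant used both for the array size and for the width in the format string, would keep the next edit to the format from reintroducing the off-by-one ASan reported (the "WRITE of size 11" into a 10-byte `ver`). Worth noting as well that the return value of `sscanf` is not checked; that is tolerable here only because both arrays are preset to `"?.?"` and `"?"` right before the call, so a partial match leaves defined contents.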
diff --git a/Singular/libparse.ll b/Singular/libparse.ll
index 101eece80..600f09869 100644
--- a/Singular/libparse.ll
+++ b/Singular/libparse.ll
@@ -845,8 +845,8 @@ void reinit_yylp()
 
 void make_version(char *p,int what)
 {
-  char ver[10];
-  char date[16];
+  char ver[11];
+  char date[17];
   ver[0]='?'; ver[1]='.'; ver[2]='?'; ver[3]='\0';
   date[0]='?'; date[1]='\0';
   if(what) sscanf(p,"%*[^=]= %*s %*s %10s %16s",ver,date);
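Review bot: this hunk is the one that matters, since libparse.cc is the flex-generated output of libparse.ll and the previous hunk only keeps the checked-in generated file in sync; the two must land together, otherwise a regeneration from the .ll would silently undo the fix. The hunk range (lines 845 onwards) is consistent with the ASan frame report, which places `ver` at line 848 and `date` at line 849 of the lexer source, so this is the overflow the trace points at.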

If I understand correctly, then this is due to the following part of man sscanf:

s      Matches a sequence of non-white-space characters; the next pointer must be a
       pointer to character array that is long enough to hold the input sequence and
       the terminating null byte ('\0'), which is added automatically. The input
       string stops at white space or at the maximum field width, whichever occurs
       first.
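The man page excerpt is the whole bug: a `%10s` conversion may store 10 characters and then always appends a NUL, so the destination needs 11 bytes, not 10. The following is an added example, not code from the ticket or from Singular, that keeps the patched sizes (`ver[11]`, `date[17]`) but generates the format string from those sizes so the width and the array length cannot drift apart again; `parse_version`, `version_matches`, `version_length` and the sample version lines are all constructed for illustration and are not Singular's own API or file format.

```c
#include <stdio.h>
#include <string.h>

/* Buffer sizes chosen so that the scanf field widths (size - 1) leave room
   for the terminating NUL that a %s conversion always appends. These are
   the sizes the patch uses: ver[11] for %10s, date[17] for %16s. */
#define VER_LEN  11
#define DATE_LEN 17

/* Hardened variant of make_version() (hypothetical name, not Singular's):
   same parsing as the ticket's function, but the format string is built
   from the buffer sizes, so the width can never exceed the array again.
   Both outputs are preset to the "?" defaults the original uses, so a
   partial match leaves the untouched field well-defined.
   Returns how many of the two fields were filled (0, 1 or 2). */
int parse_version(const char *p, char ver[VER_LEN], char date[DATE_LEN])
{
    char fmt[64];
    int n;

    strcpy(ver, "?.?");
    strcpy(date, "?");
    /* Expands to "%*[^=]= %*s %*s %10s %16s" */
    snprintf(fmt, sizeof fmt, "%%*[^=]= %%*s %%*s %%%ds %%%ds",
             VER_LEN - 1, DATE_LEN - 1);
    n = sscanf(p, fmt, ver, date);
    return n < 0 ? 0 : n;   /* sscanf returns EOF (-1) when nothing matched */
}

/* Returns 1 when both fields of the line parse to the expected strings. */
int version_matches(const char *p, const char *want_ver, const char *want_date)
{
    char ver[VER_LEN], date[DATE_LEN];
    parse_version(p, ver, date);
    return strcmp(ver, want_ver) == 0 && strcmp(date, want_date) == 0;
}

/* Length of the parsed version token; never exceeds VER_LEN - 1. */
int version_length(const char *p)
{
    char ver[VER_LEN], date[DATE_LEN];
    parse_version(p, ver, date);
    return (int)strlen(ver);
}

int main(void)
{
    /* Constructed sample lines in the shape the format string expects;
       they are not taken from a real Singular library file. */
    const char *ok   = "version=\"version foo.lib 4.1.0.0 Jan_2017 \";";
    const char *edge = "version=\"version foo.lib 4.1.0.0-rc Jan_2017 \";";
    const char *bad  = "no equals sign here";
    char ver[VER_LEN], date[DATE_LEN];

    parse_version(ok, ver, date);
    printf("%s %s\n", ver, date);
    /* A 10-character token is exactly the case that wrote 11 bytes into
       the old ver[10]; with ver[11] it fits including the NUL. */
    parse_version(edge, ver, date);
    printf("%s (%zu chars + NUL)\n", ver, strlen(ver));
    printf("%d fields matched\n", parse_version(bad, ver, date));
    return 0;
}
```

One thing the width does not do is skip the rest of an over-long token: if the version string is longer than 10 characters, `%10s` stops after 10 and the following `%16s` picks up the remainder as the "date", so a caller that cares about that case has to validate the result rather than rely on truncation alone.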

Change History (1)

comment:1 Changed 6 years ago by hannes

Resolution: fixed
Status: new → closed

Thanks for the report and the fix. (55b29ffa7e5ceaaf5e8681e442c601fdf88fd855)
