Using released ngspice-43, make check causes a segfault like:
Making check in regression
make[1]: Entering directory '/builddir/build/BUILD/ngspice-43/tests/regression'
Making check in lib-processing
make[2]: Entering directory '/builddir/build/BUILD/ngspice-43/tests/regression/lib-processing'
make check-TESTS
make[3]: Entering directory '/builddir/build/BUILD/ngspice-43/tests/regression/lib-processing'
=================================================================
==1869==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x506000002ee0 at pc 0x7fc7f92f5676 bp 0x7fffaacd2240 sp 0x7fffaacd1a00
READ of size 65 at 0x506000002ee0 thread T0
#0 0x7fc7f92f5675 in memcpy (/lib64/libasan.so.8+0xf5675) (BuildId: c1431025b5d8af781c22c9ceea71f065c547d32d)
#1 0x5569d92b8a73 in memcpy /usr/include/bits/string_fortified.h:29
#2 0x5569d92b8a73 in dup_string /builddir/build/BUILD/ngspice-43/src/misc/string.c:81
#3 0x5569d8bfa4cd in copy_substring ../../../src/include/ngspice/stringutil.h:97
#4 0x5569d8bfa4cd in cp_lexer /builddir/build/BUILD/ngspice-43/src/frontend/parser/lexical.c:247
#5 0x5569d5c7c27e in add_to_sourcepath /builddir/build/BUILD/ngspice-43/src/frontend/inpcom.c:9529
#6 0x5569d5c7f83e in inp_read /builddir/build/BUILD/ngspice-43/src/frontend/inpcom.c:1288
#7 0x5569d5c8c95f in read_a_lib /builddir/build/BUILD/ngspice-43/src/frontend/inpcom.c:590
#8 0x5569d5c8c95f in expand_section_ref /builddir/build/BUILD/ngspice-43/src/frontend/inpcom.c:3751
#9 0x5569d5c81eb9 in expand_section_references /builddir/build/BUILD/ngspice-43/src/frontend/inpcom.c:3835
#10 0x5569d5c81eb9 in inp_read /builddir/build/BUILD/ngspice-43/src/frontend/inpcom.c:1755
#11 0x5569d5c84281 in inp_readall /builddir/build/BUILD/ngspice-43/src/frontend/inpcom.c:1050
#12 0x5569d5c23c1e in inp_spsource /builddir/build/BUILD/ngspice-43/src/frontend/inp.c:536
#13 0x5569d5b693d3 in main /builddir/build/BUILD/ngspice-43/src/main.c:1463
#14 0x7fc7f8439087 in __libc_start_call_main (/lib64/libc.so.6+0x2a087) (BuildId: 8f53abaad945a669f2bdcd25f471d80e077568ef)
#15 0x7fc7f843914a in __libc_start_main_alias_2 (/lib64/libc.so.6+0x2a14a) (BuildId: 8f53abaad945a669f2bdcd25f471d80e077568ef)
#16 0x5569d5b7a9c4 in _start (/builddir/build/BUILD/ngspice-43/src/ngspice+0x1a29c4) (BuildId: 6d8c1a187dd22e624358fe9b23e0eb9f64e53d05)
0x506000002ee0 is located 0 bytes after 64-byte region [0x506000002ea0,0x506000002ee0)
allocated by thread T0 here:
#0 0x7fc7f92f7350 in calloc (/lib64/libasan.so.8+0xf7350) (BuildId: c1431025b5d8af781c22c9ceea71f065c547d32d)
#1 0x5569d92aaebc in tmalloc /builddir/build/BUILD/ngspice-43/src/misc/alloc.c:70
#2 0x5569d92aaebc in trealloc /builddir/build/BUILD/ngspice-43/src/misc/alloc.c:106
#3 0x5569d8bfb203 in push /builddir/build/BUILD/ngspice-43/src/frontend/parser/lexical.c:104
#4 0x5569d8bfb203 in cp_lexer /builddir/build/BUILD/ngspice-43/src/frontend/parser/lexical.c:424
#5 0x5569d5c7c27e in add_to_sourcepath /builddir/build/BUILD/ngspice-43/src/frontend/inpcom.c:9529
#6 0x5569d5c7f83e in inp_read /builddir/build/BUILD/ngspice-43/src/frontend/inpcom.c:1288
#7 0x5569d5c8c95f in read_a_lib /builddir/build/BUILD/ngspice-43/src/frontend/inpcom.c:590
#8 0x5569d5c8c95f in expand_section_ref /builddir/build/BUILD/ngspice-43/src/frontend/inpcom.c:3751
#9 0x5569d5c81eb9 in expand_section_references /builddir/build/BUILD/ngspice-43/src/frontend/inpcom.c:3835
#10 0x5569d5c81eb9 in inp_read /builddir/build/BUILD/ngspice-43/src/frontend/inpcom.c:1755
#11 0x5569d5c84281 in inp_readall /builddir/build/BUILD/ngspice-43/src/frontend/inpcom.c:1050
#12 0x5569d5c23c1e in inp_spsource /builddir/build/BUILD/ngspice-43/src/frontend/inp.c:536
#13 0x5569d5b693d3 in main /builddir/build/BUILD/ngspice-43/src/main.c:1463
#14 0x7fc7f8439087 in __libc_start_call_main (/lib64/libc.so.6+0x2a087) (BuildId: 8f53abaad945a669f2bdcd25f471d80e077568ef)
#15 0x7fc7f843914a in __libc_start_main_alias_2 (/lib64/libc.so.6+0x2a14a) (BuildId: 8f53abaad945a669f2bdcd25f471d80e077568ef)
#16 0x5569d5b7a9c4 in _start (/builddir/build/BUILD/ngspice-43/src/ngspice+0x1a29c4) (BuildId: 6d8c1a187dd22e624358fe9b23e0eb9f64e53d05)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib64/libasan.so.8+0xf5675) (BuildId: c1431025b5d8af781c22c9ceea71f065c547d32d) in memcpy
Shadow bytes around the buggy address:
0x506000002c00: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
0x506000002c80: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
0x506000002d00: fa fa fa fa 00 00 00 00 00 00 04 fa fa fa fa fa
0x506000002d80: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
0x506000002e00: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
=>0x506000002e80: fa fa fa fa 00 00 00 00 00 00 00 00[fa]fa fa fa
0x506000002f00: 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa fa
0x506000002f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x506000003000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x506000003080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x506000003100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1869==ABORTING
egrep: warning: egrep is obsolescent; using grep -E
egrep: warning: egrep is obsolescent; using grep -E
--- ex1a.out_tmp 2024-07-15 22:31:16.177521436 +0900
+++ ex1a.test_tmp 2024-07-15 22:31:16.168521327 +0900
@@ -1,5 +0,0 @@
-
-
-
-
-INFO: ok
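Review bot: all five expected lines, including "INFO: ok", are removed from ex1a.test_tmp with nothing added in their place, which is the signature of the simulator aborting before it wrote any output rather than of a changed simulation result; this FAIL is downstream of the AddressSanitizer abort above, so fixing the over-read should clear it without any change to the test's expected file.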
FAIL: ex1a.cir
and so on.
Looking at https://sourceforge.net/p/ngspice/ngspice/ci/2af390f0b12ec460f29464d7325cf3ab5b02d98b/tree/src/misc/string.c#l81
the source buffer str must be accessed up to n_char, not n_char + 1
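The off-by-one described above, as an added example rather than ngspice's own code: the two dup_string variants are a hypothetical reconstruction of the shape before and after the fix, copy_substring is the half-open caller seen in the trace, and counted_memcpy is instrumentation added here so the extra source byte is visible in a plain build, without AddressSanitizer. All names are chosen for this example and the netlist line is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Counts how many source bytes each copy requests, so the off-by-one is
 * visible in a plain build without AddressSanitizer (instrumentation added
 * for this example, not part of any project code). */
static size_t g_src_bytes_requested;

static void *counted_memcpy(void *dst, const void *src, size_t n)
{
    g_src_bytes_requested += n;
    return memcpy(dst, src, n);
}

/* Hypothetical reconstruction of the pre-fix shape: the caller vouches for
 * n_char bytes at str, but the copy asks for n_char + 1 and so reads
 * str[n_char], one byte past the caller's range. Not ngspice's code. */
char *dup_string_before(const char *str, size_t n_char)
{
    char *p = calloc(n_char + 1, 1);
    if (p == NULL)
        return NULL;
    counted_memcpy(p, str, n_char + 1);   /* over-read by one byte */
    p[n_char] = '\0';
    return p;
}

/* Fixed shape: copy exactly n_char bytes and write the terminator ourselves. */
char *dup_string_fixed(const char *str, size_t n_char)
{
    char *p = calloc(n_char + 1, 1);
    if (p == NULL)
        return NULL;
    counted_memcpy(p, str, n_char);
    p[n_char] = '\0';
    return p;
}

/* Half-open [begin, end) substring copy, the caller seen in the trace. */
char *copy_substring(const char *begin, const char *end)
{
    return dup_string_fixed(begin, (size_t)(end - begin));
}

/* Run one dup variant on an n_char-byte token buffer with no trailing NUL
 * (the situation when the lexer's buffer is exactly full) and return how
 * many bytes past n_char the copy requested; 0 is correct. One spare byte
 * is allocated so the "before" variant stays defined behaviour here; the
 * counter, not the spare byte, is what gets checked. */
size_t over_read_bytes(char *(*fn)(const char *, size_t), size_t n_char)
{
    char *buf = malloc(n_char + 1);
    if (buf == NULL)
        return (size_t)-1;
    memset(buf, 'a', n_char + 1);

    g_src_bytes_requested = 0;
    char *copy = fn(buf, n_char);
    size_t requested = g_src_bytes_requested;

    free(copy);
    free(buf);
    return requested > n_char ? requested - n_char : 0;
}

/* Sanity check that the fixed copy still yields the right substring. */
int copy_substring_roundtrip(void)
{
    const char line[] = ".lib models.lib nmos";   /* constructed sample line */
    char *tok = copy_substring(line + 5, line + 15);  /* "models.lib" */
    int ok = tok != NULL && strcmp(tok, "models.lib") == 0 && strlen(tok) == 10;
    free(tok);
    return ok;
}

int main(void)
{
    /* 64 matches the 64-byte region and the READ of size 65 in the report. */
    printf("before: %zu byte(s) past the buffer\n", over_read_bytes(dup_string_before, 64));
    printf("fixed:  %zu byte(s) past the buffer\n", over_read_bytes(dup_string_fixed, 64));
    printf("copy_substring roundtrip: %s\n", copy_substring_roundtrip() ? "ok" : "FAIL");
    return 0;
}
```

To see the same report as the ticket, build this with gcc -fsanitize=address -g, change the harness to malloc(n_char) so the buffer is exactly 64 bytes, and call the "before" variant: AddressSanitizer then reports a heap-buffer-overflow READ of size 65 located 0 bytes after a 64-byte region. Without ASan the over-read is silent on most runs, which is why a plain build can pass make check while the instrumented one aborts.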
Thanks for the report.
I have to check why my 'make check' didn't catch this bug.
Patch is merged to pre-master-44, will go to master immediately.
Note that I have enabled asan (i.e. compiled with
gcc -fsanitize=address). "Normal" compilation (i.e. without asan) may not reveal this segfault.