Bug 1652633

Summary: There is a heap-buffer-overflow at src/generator_spgemm_csc_reader.c:178 (function libxsmm_sparse_csc_reader) on a buffer that was allocated at src/generator_spgemm_csc_reader.c:125 in libxsmm.
Product: Fedora
Reporter: shuitao gan <ganshuitao>
Component: libxsmm
Assignee: Dave Love <dave.love>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: unspecified
Version: rawhide
CC: dave.love, dominik, ganshuitao
Hardware: All
OS: All
Last Closed: 2018-11-23 16:29:46 UTC
Type: Bug

Description shuitao gan 2018-11-22 13:43:41 UTC
Created attachment 1507969
$./libxsmm_gemm_generator sparse b a 10 10 10 1 1 1 1 1 1 0 wsm nopf SP POC1

version: libxsmm release-1.10
summary:

There is a heap-buffer-overflow at src/generator_spgemm_csc_reader.c:178 (function libxsmm_sparse_csc_reader) on a buffer that was allocated at src/generator_spgemm_csc_reader.c:125 in libxsmm.

Description:

The ASan debug output is as follows:

$./libxsmm_gemm_generator sparse b a 10 10 10 1 1 1 1 1 1 0 wsm nopf SP POC1

=================================================================
==51913==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efc0 at pc 0x000000444861 bp 0x7ffe55179a10 sp 0x7ffe55179a00
WRITE of size 4 at 0x60200000efc0 thread T0
    #0 0x444860 in libxsmm_sparse_csc_reader src/generator_spgemm_csc_reader.c:178
    #1 0x405751 in libxsmm_generator_spgemm src/generator_spgemm.c:279
    #2 0x40225a in main src/libxsmm_generator_gemm_driver.c:318
    #3 0x7f1775752a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #4 0x402ea8 in _start (/home/company/real_sanitize/poc_check/libxsmm/libxsmm_gemm_generator_asan+0x402ea8)

0x60200000efc0 is located 15 bytes to the right of 1-byte region [0x60200000efb0,0x60200000efb1)
allocated by thread T0 here:
    #0 0x7f1775db29aa in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989aa)
    #1 0x444017 in libxsmm_sparse_csc_reader src/generator_spgemm_csc_reader.c:125
    #2 0x7ffe55179e0f  (<unknown module>)
    #3 0x439  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow src/generator_spgemm_csc_reader.c:178 libxsmm_sparse_csc_reader
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa 01 fa[fa]fa 04 fa fa fa 00 00
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
==51913==ABORTING

Comment 1 Dave Love 2018-11-22 15:30:18 UTC
You'll need to explain this (and please don't spam us with more of the same in the meantime).
What version are you complaining about? It doesn't appear to correspond to libxsmm in Fedora rawhide, and there is no version 1.10.

Comment 2 Dave Love 2018-11-23 16:29:46 UTC
This doesn't seem to be a Fedora bug.

Comment 3 Red Hat Bugzilla 2023-09-14 04:42:43 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days