Bug 1652633 - There is a heap-buffer-overflow at src/generator_spgemm_csc_reader.c:178 (function libxsmm_sparse_csc_reader) in a buffer allocated at src/generator_spgemm_csc_reader.c:125 in libxsmm. [NEEDINFO]
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: libxsmm
Version: rawhide
Hardware: All
OS: All
Priority: unspecified
Severity: low
Target Milestone: ---
Assignee: Dave Love
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
 
Reported: 2018-11-22 13:43 UTC by shuitao gan
Modified: 2018-11-23 16:29 UTC
CC List: 3 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-11-23 16:29:46 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
dave.love: needinfo? (ganshuitao)


Attachments
$./libxsmm_gemm_generator sparse b a 10 10 10 1 1 1 1 1 1 0 wsm nopf SP POC1 (24 bytes, text/plain)
2018-11-22 13:43 UTC, shuitao gan

Description shuitao gan 2018-11-22 13:43:41 UTC
Created attachment 1507969
$./libxsmm_gemm_generator sparse b a 10 10 10 1 1 1 1 1 1 0 wsm nopf SP POC1

version: libxsmm release-1.10
summary: 

There is a heap-buffer-overflow at src/generator_spgemm_csc_reader.c:178 (function libxsmm_sparse_csc_reader) in a buffer allocated at src/generator_spgemm_csc_reader.c:125 in libxsmm.

Description:

The ASan debug output is as follows:

$./libxsmm_gemm_generator sparse b a 10 10 10 1 1 1 1 1 1 0 wsm nopf SP POC1

=================================================================
==51913==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efc0 at pc 0x000000444861 bp 0x7ffe55179a10 sp 0x7ffe55179a00
WRITE of size 4 at 0x60200000efc0 thread T0
    #0 0x444860 in libxsmm_sparse_csc_reader src/generator_spgemm_csc_reader.c:178
    #1 0x405751 in libxsmm_generator_spgemm src/generator_spgemm.c:279
    #2 0x40225a in main src/libxsmm_generator_gemm_driver.c:318
    #3 0x7f1775752a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #4 0x402ea8 in _start (/home/company/real_sanitize/poc_check/libxsmm/libxsmm_gemm_generator_asan+0x402ea8)

0x60200000efc0 is located 15 bytes to the right of 1-byte region [0x60200000efb0,0x60200000efb1)
allocated by thread T0 here:
    #0 0x7f1775db29aa in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989aa)
    #1 0x444017 in libxsmm_sparse_csc_reader src/generator_spgemm_csc_reader.c:125
    #2 0x7ffe55179e0f  (<unknown module>)
    #3 0x439  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow src/generator_spgemm_csc_reader.c:178 libxsmm_sparse_csc_reader
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa 01 fa[fa]fa 04 fa fa fa 00 00
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==51913==ABORTING
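
The trace above gives the crash site (a 4-byte write 15 bytes to the right of a 1-byte heap block, both inside libxsmm_sparse_csc_reader) but neither the reader's source nor the contents of POC1, so the root cause is not established on this page. The shape of the report is the classic one for a file parser that sizes its buffers from counts in the file's header and then stores entries without checking them against those counts. The block below is an added example, not libxsmm's code and not a reconstruction of its reader: a constructed Matrix Market coordinate reader that builds CSC arrays and checks every entry against the header's rows, cols and nnz before writing it, exercised on constructed inputs (a well-formed matrix, a body with more entries than its header claims, and an out-of-range column index). That the libxsmm bug has this cause is an assumption the example does not settle.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example (not libxsmm code): a Matrix Market "coordinate" reader
 * that builds CSC arrays and bounds-checks every write against the header. */
typedef struct {
    unsigned int rows, cols, nnz;
    unsigned int *colptr;   /* cols + 1 entries: start of each column in rowidx/values */
    unsigned int *rowidx;   /* nnz entries: 0-based row index of each stored value   */
    double       *values;   /* nnz entries */
} csc_t;

enum { CSC_OK = 0, CSC_EFORMAT, CSC_ECOUNT, CSC_EBOUNDS, CSC_ENOMEM };

void csc_free(csc_t *m)
{
    free(m->colptr); free(m->rowidx); free(m->values);
    memset(m, 0, sizeof *m);
}

/* Copy the next '\n'-terminated line into line[] (truncating if longer than
 * cap - 1) and advance *cur past it. Returns 0 at end of text. */
static int read_line(const char **cur, char *line, size_t cap)
{
    const char *p = *cur, *nl;
    size_t len, n;
    if (*p == '\0') return 0;
    nl = strchr(p, '\n');
    len = nl ? (size_t)(nl - p) : strlen(p);
    n = len < cap - 1 ? len : cap - 1;
    memcpy(line, p, n);
    line[n] = '\0';
    *cur = nl ? nl + 1 : p + len;
    return 1;
}

int csc_read(const char *text, csc_t *m)
{
    char line[256];
    const char *cur = text;
    unsigned int *tmp_row = NULL, *tmp_col = NULL, *fill = NULL;
    double *tmp_val = NULL;
    unsigned int seen = 0, j, k, dst;
    size_t ncap;
    int rc = CSC_EFORMAT;

    memset(m, 0, sizeof *m);
    /* Header: first non-comment line is "rows cols nnz". These file-controlled
     * numbers are the ONLY thing that sizes the buffers below. */
    for (;;) {
        if (!read_line(&cur, line, sizeof line)) return CSC_EFORMAT;
        if (line[0] == '%' || line[0] == '\0') continue;
        if (sscanf(line, "%u %u %u", &m->rows, &m->cols, &m->nnz) != 3) return CSC_EFORMAT;
        break;
    }
    if (m->rows == 0 || m->cols == 0) return CSC_EFORMAT;

    ncap = m->nnz ? m->nnz : 1;                                     /* avoid calloc(0, ...) */
    m->colptr = calloc((size_t)m->cols + 1, sizeof *m->colptr);     /* calloc checks the multiply */
    tmp_row = calloc(ncap, sizeof *tmp_row);
    tmp_col = calloc(ncap, sizeof *tmp_col);
    tmp_val = calloc(ncap, sizeof *tmp_val);
    if (!m->colptr || !tmp_row || !tmp_col || !tmp_val) { rc = CSC_ENOMEM; goto out; }

    /* Entries: "row col value", 1-based. Each entry is checked against nnz,
     * rows and cols BEFORE it is stored; without the two checks, a body that
     * disagrees with its header writes past the arrays sized from the header. */
    while (read_line(&cur, line, sizeof line)) {
        unsigned int r, c;
        double v;
        if (line[0] == '%' || line[0] == '\0') continue;
        if (sscanf(line, "%u %u %lf", &r, &c, &v) != 3) { rc = CSC_EFORMAT; goto out; }
        if (seen >= m->nnz) { rc = CSC_ECOUNT; goto out; }          /* more entries than promised */
        if (r < 1 || r > m->rows || c < 1 || c > m->cols) { rc = CSC_EBOUNDS; goto out; }
        tmp_row[seen] = r - 1; tmp_col[seen] = c - 1; tmp_val[seen] = v;
        m->colptr[c]++;          /* per-column count parked one slot right; c <= cols is in range */
        seen++;
    }
    if (seen != m->nnz) { rc = CSC_ECOUNT; goto out; }              /* fewer entries than promised */
    for (j = 0; j < m->cols; j++) m->colptr[j + 1] += m->colptr[j]; /* prefix sum: colptr[cols] == nnz */

    m->rowidx = calloc(ncap, sizeof *m->rowidx);
    m->values = calloc(ncap, sizeof *m->values);
    fill = calloc(m->cols, sizeof *fill);
    if (!m->rowidx || !m->values || !fill) { rc = CSC_ENOMEM; goto out; }
    for (k = 0; k < m->nnz; k++) {          /* dst < colptr[j+1] <= nnz by construction */
        j = tmp_col[k];
        dst = m->colptr[j] + fill[j]++;
        m->rowidx[dst] = tmp_row[k];
        m->values[dst] = tmp_val[k];
    }
    rc = CSC_OK;
out:
    free(tmp_row); free(tmp_col); free(tmp_val); free(fill);
    if (rc != CSC_OK) csc_free(m);
    return rc;
}

/* Constructed inputs; POC1 is not shown on the page, so these do not reproduce it. */
const char GOOD_MM[] = "%%MatrixMarket matrix coordinate real general\n"
                       "3 3 4\n1 1 1.0\n3 1 2.0\n2 2 3.0\n1 3 4.0\n";
const char OVERLONG_MM[]  = "3 3 1\n1 1 1.0\n2 2 2.0\n3 3 3.0\n";   /* header says 1 entry, body has 3 */
const char BAD_INDEX_MM[] = "3 3 1\n1 9 1.0\n";                     /* column 9 in a 3-column matrix */

int csc_read_rc(const char *text)           /* parse, discard, return the status code */
{
    csc_t m;
    int rc = csc_read(text, &m);
    csc_free(&m);
    return rc;
}

int demo_good(void)   /* expected layout for GOOD_MM: colptr {0,2,3,4}, rowidx {0,2,1,0} */
{
    csc_t m;
    int ok = csc_read(GOOD_MM, &m) == CSC_OK
          && m.colptr[0] == 0 && m.colptr[1] == 2 && m.colptr[2] == 3 && m.colptr[3] == 4
          && m.rowidx[1] == 2 && m.values[3] == 4.0;
    csc_free(&m);
    return ok;
}

int main(void)
{
    printf("good matrix parsed correctly: %d\n", demo_good());
    printf("overlong body: rc=%d (CSC_ECOUNT=%d)\n", csc_read_rc(OVERLONG_MM), CSC_ECOUNT);
    printf("bad column index: rc=%d (CSC_EBOUNDS=%d)\n", csc_read_rc(BAD_INDEX_MM), CSC_EBOUNDS);
    return 0;
}
```

The two checks in the entry loop are the whole point: the header's nnz decides how much memory exists, so the number of entries actually read and every index in them must be compared with the header before the store, not after. Running the unchecked variant under AddressSanitizer on the overlong input produces a report of the same form as the one above (a write just past a heap block allocated earlier in the same function).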

Comment 1 Dave Love 2018-11-22 15:30:18 UTC
You'll need to explain this (and please don't spam us with more of the same in the meantime).
What version are you complaining about?  It doesn't appear to correspond to libxsmm in Fedora rawhide, and there is no version 1.10.

Comment 2 Dave Love 2018-11-23 16:29:46 UTC
This doesn't seem to be a Fedora bug.

