From: Harald Anlauf
To: fortran, gcc-patches
Subject: [PATCH] PR fortran/95091 - Buffer overflows with submodules and long symbols
Date: Sat, 6 Jun 2020 23:11:39 +0200
X-Patchwork-Id: 1304618

There's another case of buffer overflows when F2008
submodules are used. Buffer sizes are further increased, and checks for overflow are put into place.

OK for master?

I intend to backport to 10 and 9, since I believe the patch is safe.

Thanks,
Harald

PR fortran/95091 - Buffer overflows with submodules and long symbols

With submodules, name mangling results in long internal symbols. This requires adjustment of the sizes of temporaries to avoid buffer overflows.

2020-06-06 Harald Anlauf

gcc/fortran/
PR fortran/95091
* class.c (get_unique_type_string, gfc_hash_value): Enlarge buffers, and check whether the strings returned by get_unique_type_string() fit.

diff --git a/gcc/fortran/class.c b/gcc/fortran/class.c index b1764073ab4..8bb73502f5d 100644 --- a/gcc/fortran/class.c +++ b/gcc/fortran/class.c @@ -509,9 +509,11 @@ get_unique_type_string (char *string, gfc_symbol *derived) static void get_unique_hashed_string (char *string, gfc_symbol *derived) { - /* Provide sufficient space to hold "symbol_Pdtsymbol". */ - char tmp[2*GFC_MAX_SYMBOL_LEN+5]; + /* Provide sufficient space to hold "symbol.symbol_symbol". */ + char tmp[3*GFC_MAX_SYMBOL_LEN+3]; get_unique_type_string (&tmp[0], derived); + size_t len = strnlen (tmp, sizeof (tmp)); + gcc_assert (len < sizeof (tmp)); /* If string is too long, use hash value in hex representation (allow for extra decoration, cf. gfc_build_class_symbol & gfc_find_derived_vtab). We need space to for 15 characters "__class_" + symbol name + "_%d_%da", @@ -532,12 +534,13 @@ unsigned int gfc_hash_value (gfc_symbol *sym) { unsigned int hash = 0; - /* Provide sufficient space to hold "symbol_Pdtsymbol". */ - char c[2*GFC_MAX_SYMBOL_LEN+5]; + /* Provide sufficient space to hold "symbol.symbol_symbol". */ + char c[3*GFC_MAX_SYMBOL_LEN+3]; int i, len; get_unique_type_string (&c[0], sym); - len = strlen (c); + len = strnlen (c, sizeof (c)); + gcc_assert (len < sizeof (c)); for (i = 0; i < len; i++) hash = (hash << 6) + (hash << 16) - hash + c[i];
diff --git a/gcc/testsuite/gfortran.dg/pr95091.f90 b/gcc/testsuite/gfortran.dg/pr95091.f90 new file mode 100644 index 00000000000..1c48dca2f4a --- /dev/null +++ b/gcc/testsuite/gfortran.dg/pr95091.f90 @@ -0,0 +1,19 @@ +! { dg-do compile } +! { dg-options "-fsecond-underscore" } +! PR fortran/95091 - ICE in gfc_hash_value + +module m2345678901234567890123456789012345678901234567890123456789_123 + type t2345678901234567890123456789012345678901234567890123456789_123 + end type t2345678901234567890123456789012345678901234567890123456789_123 + interface + module subroutine s2345678901234567890123456789012345678901234567890123456789_123 & + (x2345678901234567890123456789012345678901234567890123456789_123) + end + end interface +end +submodule(m2345678901234567890123456789012345678901234567890123456789_123) & + n2345678901234567890123456789012345678901234567890123456789_123 + type, extends(t2345678901234567890123456789012345678901234567890123456789_123) :: & + u2345678901234567890123456789012345678901234567890123456789_123 + end type +end
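
Review bot: In get_unique_hashed_string the new gcc_assert (len < sizeof (tmp)) runs only after get_unique_type_string (&tmp[0], derived) has already filled tmp, and that call still receives no size, so an over-long string has been written past the array before the check fires. Consider passing sizeof (tmp) into get_unique_type_string and bounding the write there, keeping the assert as a second line of defence.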
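
Review bot: In gfc_hash_value, len stays declared as int (int i, len;) while it now receives the size_t result of strnlen and is compared against sizeof (c), a signed/unsigned comparison; the first hunk declares its len as size_t. Suggest declaring i and len as size_t here as well. The size 3*GFC_MAX_SYMBOL_LEN+3 and its comment are also repeated in both functions, so a shared macro would keep the two from drifting apart.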
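
Review bot: In pr95091.f90 nothing records why the identifiers look the way they do: each name is exactly 63 characters long, and -fsecond-underscore is passed without explanation. A one-line comment stating that the names sit at the maximum identifier length and why the option is needed would stop a later cleanup from shortening them and silently losing coverage. The test also exercises only the submodule case; a companion case for the symbol_Pdtsymbol form named in the removed comment would confirm that the resized buffers still cover it.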
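
An added example (not GCC's code and not part of the patch): a bounded formatter for the "symbol.symbol_symbol" shape quoted in the patch comment, run with three maximum-length symbols against the old and new buffer sizes. MAX_SYMBOL_LEN = 63 and all helper names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SYMBOL_LEN 63                  /* assumed: Fortran 2008 identifier limit */
#define OLD_SIZE (2 * MAX_SYMBOL_LEN + 5)  /* "symbol_Pdtsymbol" + NUL */
#define NEW_SIZE (3 * MAX_SYMBOL_LEN + 3)  /* "symbol.symbol_symbol" + NUL */

/* Hypothetical bounded builder: writes "s1.s2_s3" into dst.
   Returns the length written, or -1 if dst (dst_size bytes) is too small.
   Unlike an unbounded sprintf, it never writes past dst_size bytes.  */
static int
build_type_string (char *dst, size_t dst_size, const char *s1,
                   const char *s2, const char *s3)
{
  int n = snprintf (dst, dst_size, "%s.%s_%s", s1, s2, s3);
  if (n < 0 || (size_t) n >= dst_size)
    return -1;                             /* truncated: caller must not use dst */
  return n;
}

/* Fill name with a constructed identifier of exactly MAX_SYMBOL_LEN chars.  */
static void
max_len_name (char *name, char first)
{
  memset (name, 'x', MAX_SYMBOL_LEN);
  name[0] = first;
  name[MAX_SYMBOL_LEN] = '\0';
}

/* Format the worst case into a buffer treated as buf_size bytes long
   (buf_size must not exceed NEW_SIZE + 8, the real size of buf).  */
static int
worst_case_fits (size_t buf_size)
{
  char m[MAX_SYMBOL_LEN + 1], n[MAX_SYMBOL_LEN + 1], u[MAX_SYMBOL_LEN + 1];
  char buf[NEW_SIZE + 8];
  max_len_name (m, 'm'); max_len_name (n, 'n'); max_len_name (u, 'u');
  return build_type_string (buf, buf_size, m, n, u);
}

int
main (void)
{
  printf ("old buffer (%d bytes): %d\n", OLD_SIZE, worst_case_fits (OLD_SIZE));
  printf ("new buffer (%d bytes): %d\n", NEW_SIZE, worst_case_fits (NEW_SIZE));
  return 0;
}
```

A result of -1 means the string did not fit and was rejected before any out-of-bounds write; the new size holds the worst case with exactly one byte left for the terminator.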