You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When LAMMPS is built indirectly by automated build systems, its source might end up at arbitrarily long paths. This leads to stack buffer overflows when LAMMPSExceptions are constructed.
Steps to reproduce
In a unix environment:
LONGDIR=$HOME/really-really-really-really-really-really-really-really-really-really-long-dir
mkdir $LONGDIRcd$LONGDIR
git clone https://github.com/lammps/lammps
cd lammps
mkdir build-s
cd build-s
# Note: Here I build a binary with exceptions just for easy reproduction of the bug.# Obviously, my actual use case involves building a library.
cmake ../cmake -DLAMMPS_EXCEPTIONS=yes \
-DCMAKE_INSTALL_PREFIX=./install \
-DCMAKE_BUILD_TYPE=Debug
make install
cd ..
echo argle bargle | build-s/install/bin/lammps
You get:
LAMMPS (5 Sep 2018)
using 4 OpenMP thread(s) per MPI task
ERROR: Unknown command: argle bargle (src/input.cpp:246)
Last command: argle bargle
[arch-t430s:18491] *** Process received signal ***
[arch-t430s:18491] Signal: Segmentation fault (11)
[arch-t430s:18491] Signal code: (128)
[arch-t430s:18491] Failing at address: (nil)
Segmentation fault (core dumped)
The backtrace for this in gdb is quite a sight:
Backtrace
(remember, this is without optimizations!)
#0 uw_frame_state_for (context=context@entry=0x7fffffffd4f0, fs=fs@entry=0x7fffffffd5e0) at /build/gcc/src/gcc/libgcc/unwind-dw2.c:1265
#1 0x00007ffff745f22b in _Unwind_RaiseException (exc=exc@entry=0x555555cbae30) at /build/gcc/src/gcc/libgcc/unwind.inc:104
#2 0x00007ffff76af09d in __cxxabiv1::__cxa_throw (obj=<optimized out>, tinfo=0x555555b4fc10 <typeinfo for LAMMPS_NS::LAMMPSException>,
dest=0x5555557d886a <LAMMPS_NS::LAMMPSException::~LAMMPSException()>) at /build/gcc/src/gcc/libstdc++-v3/libsupc++/eh_throw.cc:90
#3 0x00005555557d8093 in LAMMPS_NS::Error::all (this=0x555555ca67d0,
file=0x555555ab7db8 "/home/lampam/really-really-really-really-really-really-really-really-really-really-long-dir/lammps/src/input.cpp", line=246,
str=0x555555c3c4a0 "Unknown command: argle bargle")
at /home/lampam/really-really-really-really-really-really-really-really-really-really-long-dir/lammps/src/error.cpp:160
#4 0x706e692f6372732f in ?? ()
#5 0x323a7070632e7475 in ?? ()
#6 0x000055000a293634 in ?? ()
#7 0x00007fffffffd940 in ?? ()
#8 0x0000000b0000000d in ?? ()
#9 0x0000555555c3c4a0 in ?? ()
#10 0x1ec6b3e017a15100 in ?? ()
#11 0x00007fffffffd940 in ?? ()
#12 0x00005555556895e9 in main (argc=<error reading variable: Cannot access memory at address 0x73706d6d616c2f2e>,
argv=<error reading variable: Cannot access memory at address 0x73706d6d616c2f22>)
at /home/lampam/really-really-really-really-really-really-really-really-really-really-long-dir/lammps/src/main.cpp:54
Backtrace stopped: Cannot access memory at address 0x73706d6d616c2f7a
Basically, what I gather from this is that something was written beyond the stack frame of a function somewhere, corrupting data needed for unwinding or backtraces.
cd$LONGDIR/lammps
# change all four instances of sprintf into snprintf
sed -ie 's_sprintf(msg,_snprintf(msg, 100,_' src/error.cpp
mkdir build-n
cd build-n
cmake ../cmake -DLAMMPS_EXCEPTIONS=yes \
-DCMAKE_INSTALL_PREFIX=./install \
-DCMAKE_BUILD_TYPE=Debug
make install
cd ..
echo argle bargle | build-n/install/bin/lammps
The fixed binary does not crash.
LAMMPS (5 Sep 2018)
using 4 OpenMP thread(s) per MPI task
ERROR: Unknown command: argle bargle (src/input.cpp:246)
Last command: argle bargle
The text was updated successfully, but these errors were encountered:
Summary
When LAMMPS is built indirectly by automated build systems, its source might end up at arbitrarily long paths. This leads to stack buffer overflows when LAMMPSExceptions are constructed.
Steps to reproduce
In a unix environment:
You get:
The backtrace for this in gdb is quite a sight:
Backtrace
(remember, this is without optimizations!)
Basically, what I gather from this is that something was written beyond the stack frame of a function somewhere, corrupting data needed for unwinding or backtraces.
Possible fix
Looking at
error.cpp
, it's not hard to see what the problem is. As a quick test, we can try fixing that:The fixed binary does not crash.
The text was updated successfully, but these errors were encountered: