Exceptions create segfaults when lammps is built at a long filepath

[ExpHP]

Summary

When LAMMPS is built indirectly by automated build systems, its source might end up at arbitrarily long paths. This leads to stack buffer overflows when LAMMPSExceptions are constructed.

Steps to reproduce

In a unix environment:

LONGDIR=$HOME/really-really-really-really-really-really-really-really-really-really-long-dir
mkdir $LONGDIR
cd $LONGDIR
git clone https://github.com/lammps/lammps
cd lammps

mkdir build-s
cd build-s
# Note: Here I build a binary with exceptions just for easy reproduction of the bug.
#       Obviously, my actual use case involves building a library.
cmake ../cmake -DLAMMPS_EXCEPTIONS=yes \
               -DCMAKE_INSTALL_PREFIX=./install \
               -DCMAKE_BUILD_TYPE=Debug
make install
cd ..

echo argle bargle | build-s/install/bin/lammps

You get:

LAMMPS (5 Sep 2018)
  using 4 OpenMP thread(s) per MPI task
ERROR: Unknown command: argle bargle (src/input.cpp:246)
Last command: argle bargle
[arch-t430s:18491] *** Process received signal ***
[arch-t430s:18491] Signal: Segmentation fault (11)
[arch-t430s:18491] Signal code:  (128)
[arch-t430s:18491] Failing at address: (nil)
Segmentation fault (core dumped)

The backtrace for this in gdb is quite a sight:

---

Backtrace

(remember, this is without optimizations!)

#0  uw_frame_state_for (context=context@entry=0x7fffffffd4f0, fs=fs@entry=0x7fffffffd5e0) at /build/gcc/src/gcc/libgcc/unwind-dw2.c:1265
#1  0x00007ffff745f22b in _Unwind_RaiseException (exc=exc@entry=0x555555cbae30) at /build/gcc/src/gcc/libgcc/unwind.inc:104
#2  0x00007ffff76af09d in __cxxabiv1::__cxa_throw (obj=<optimized out>, tinfo=0x555555b4fc10 <typeinfo for LAMMPS_NS::LAMMPSException>, 
    dest=0x5555557d886a <LAMMPS_NS::LAMMPSException::~LAMMPSException()>) at /build/gcc/src/gcc/libstdc++-v3/libsupc++/eh_throw.cc:90
#3  0x00005555557d8093 in LAMMPS_NS::Error::all (this=0x555555ca67d0, 
    file=0x555555ab7db8 "/home/lampam/really-really-really-really-really-really-really-really-really-really-long-dir/lammps/src/input.cpp", line=246, 
    str=0x555555c3c4a0 "Unknown command: argle bargle")
    at /home/lampam/really-really-really-really-really-really-really-really-really-really-long-dir/lammps/src/error.cpp:160
#4  0x706e692f6372732f in ?? ()
#5  0x323a7070632e7475 in ?? ()
#6  0x000055000a293634 in ?? ()
#7  0x00007fffffffd940 in ?? ()
#8  0x0000000b0000000d in ?? ()
#9  0x0000555555c3c4a0 in ?? ()
#10 0x1ec6b3e017a15100 in ?? ()
#11 0x00007fffffffd940 in ?? ()
#12 0x00005555556895e9 in main (argc=<error reading variable: Cannot access memory at address 0x73706d6d616c2f2e>, 
    argv=<error reading variable: Cannot access memory at address 0x73706d6d616c2f22>)
    at /home/lampam/really-really-really-really-really-really-really-really-really-really-long-dir/lammps/src/main.cpp:54
Backtrace stopped: Cannot access memory at address 0x73706d6d616c2f7a

---

Basically, what I gather from this is that something was written beyond the stack frame of a function somewhere, corrupting data needed for unwinding or backtraces.

Possible fix

Looking at error.cpp, it's not hard to see what the problem is. As a quick test, we can try fixing that:

cd $LONGDIR/lammps
# change all four instances of sprintf into snprintf
sed -ie 's_sprintf(msg,_snprintf(msg, 100,_' src/error.cpp

mkdir build-n
cd build-n
cmake ../cmake -DLAMMPS_EXCEPTIONS=yes \
               -DCMAKE_INSTALL_PREFIX=./install \
               -DCMAKE_BUILD_TYPE=Debug
make install
cd ..

echo argle bargle | build-n/install/bin/lammps

The fixed binary does not crash.

LAMMPS (5 Sep 2018)
  using 4 OpenMP thread(s) per MPI task
ERROR: Unknown command: argle bargle (src/input.cpp:246)
Last command: argle bargle

[rbberger]

@ExpHP thanks again for the detailed report! should be fixed with PR #1105

[akohlmey]

fixed in #1105