
overflow with snpbin.c #370

Closed
zkamvar opened this issue Feb 6, 2025 · 1 comment · Fixed by #369

Comments


zkamvar commented Feb 6, 2025

From the R-package-devel thread: https://stat.ethz.ch/pipermail/r-package-devel/2025q1/011448.html

This was partially fixed with #364 and additionally with 9787efb, with help from Ivan.

I also wanted to add the failure logs so that I could reference them later:

clang ASAN

* using log directory ‘/data/gannet/ripley/R/packages/tests-clang-ASAN/dartR.base.Rcheck’
* using R Under development (unstable) (2025-01-31 r87670)
* using platform: x86_64-pc-linux-gnu
* R was compiled by
    clang version 19.1.7
    flang-new version 19.1.7
* running under: Fedora Linux 36 (Workstation Edition)
* using session charset: UTF-8
* using option ‘--no-stop-on-test-error’
* checking for file ‘dartR.base/DESCRIPTION’ ... OK
* checking extension type ... Package
* this is package ‘dartR.base’ version ‘0.98’
* package encoding: UTF-8
* checking package dependencies ... OK
* checking if this is a source package ... OK
* checking if there is a namespace ... OK
* checking for hidden files and directories ... OK
* checking for portable file names ... OK
* checking whether package ‘dartR.base’ can be installed ... [234s/475s] OK
* checking package directory ... OK
* checking whether the package can be loaded ... [23s/28s] OK
* checking whether the package can be loaded with stated dependencies ... [22s/26s] OK
* checking whether the package can be unloaded cleanly ... [22s/25s] OK
* checking whether the namespace can be loaded with stated dependencies ... [19s/20s] OK
* checking whether the namespace can be unloaded cleanly ... [23s/24s] OK
* checking loading without being on the library search path ... [22s/22s] OK
* checking examples ... [81s/88s] ERROR
Running examples in ‘dartR.base-Ex.R’ failed
The error most likely occurred in:

> ### Name: gl.filter.factorloadings
> ### Title: Filters loci based on factor loadings for a PCA or PCoA
> ### Aliases: gl.filter.factorloadings
> 
> ### ** Examples
> 
> pca <- gl.pcoa(testset.gl)
Starting gl.pcoa 
  Processing genlight object with SNP data
  Warning: Number of loci is less than the number of individuals to be represented
  Performing a PCA, individuals as entities, loci as attributes, SNP genotype as state
=================================================================
==2742437==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x518000697ff0 at pc 0x7f2e873ccfe0 bp 0x7ffdac8d25d0 sp 0x7ffdac8d25c8
READ of size 16 at 0x518000697ff0 thread T0
    #0 0x7f2e873ccfdf in bytesToDouble /tmp/RtmpNNPUz9/R.INSTALL3cef1f2b1bd39c/adegenet/src/snpbin.c:225:19
    #1 0x7f2e873ceca5 in snpbin2freq /tmp/RtmpNNPUz9/R.INSTALL3cef1f2b1bd39c/adegenet/src/snpbin.c:332:5
    #2 0x7f2e873ceca5 in snpbin_dotprod_freq /tmp/RtmpNNPUz9/R.INSTALL3cef1f2b1bd39c/adegenet/src/snpbin.c:447:5
    #3 0x7f2e873bba42 in GLdotProd /tmp/RtmpNNPUz9/R.INSTALL3cef1f2b1bd39c/adegenet/src/GLfunctions.c:42:14
    #4 0x5653c6191567 in do_dotCode /data/gannet/ripley/R/svn/R-devel/src/main/dotcode.c
    #5 0x5653c6232f7f in bcEval_loop /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:8122:14
    #6 0x5653c6225384 in bcEval /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:7505:16
    #7 0x5653c622389a in Rf_eval /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:1167:8
    #8 0x5653c626d36c in R_execClosure /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:2393:22
    #9 0x5653c626c531 in applyClosure_core /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:2306:16
    #10 0x5653c62242e9 in Rf_applyClosure /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:2328:16
    #11 0x5653c62242e9 in Rf_eval /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:1280:12
    #12 0x5653c627ee00 in do_set /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:3571:8
    #13 0x5653c6223de3 in Rf_eval /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:1232:12
    #14 0x5653c62faa9a in Rf_ReplIteration /data/gannet/ripley/R/svn/R-devel/src/main/main.c:265:2
    #15 0x5653c62fd1d0 in R_ReplConsole /data/gannet/ripley/R/svn/R-devel/src/main/main.c:317:11
    #16 0x5653c62fd1d0 in run_Rmainloop /data/gannet/ripley/R/svn/R-devel/src/main/main.c:1219:5
    #17 0x5653c62fd262 in Rf_mainloop /data/gannet/ripley/R/svn/R-devel/src/main/main.c:1226:5
    #18 0x5653c600720c in main /data/gannet/ripley/R/svn/R-devel/src/main/Rmain.c:29:5
    #19 0x7f2e9fc2950f in __libc_start_call_main (/lib64/libc.so.6+0x2950f) (BuildId: 8257ee907646e9b057197533d1e4ac8ede7a9c5c)
    #20 0x7f2e9fc295c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x295c8) (BuildId: 8257ee907646e9b057197533d1e4ac8ede7a9c5c)
    #21 0x5653c5f274e4 in _start (/data/gannet/ripley/R/clang-ASAN/bin/exec/R+0x1574e4)

0x518000697ff8 is located 0 bytes after 888-byte region [0x518000697c80,0x518000697ff8)
allocated by thread T0 here:
    #0 0x5653c5fc44b9 in calloc /data/gannet/ripley/Sources2/LLVM/19/latest/compiler-rt/lib/asan/asan_malloc_linux.cpp:75:3
    #1 0x7f2e873cebca in snpbin_dotprod_freq /tmp/RtmpNNPUz9/R.INSTALL3cef1f2b1bd39c/adegenet/src/snpbin.c:443:23
    #2 0x7f2e873bba42 in GLdotProd /tmp/RtmpNNPUz9/R.INSTALL3cef1f2b1bd39c/adegenet/src/GLfunctions.c:42:14
    #3 0x5653c6191567 in do_dotCode /data/gannet/ripley/R/svn/R-devel/src/main/dotcode.c
    #4 0x5653c6232f7f in bcEval_loop /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:8122:14
    #5 0x5653c6225384 in bcEval /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:7505:16
    #6 0x5653c622389a in Rf_eval /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:1167:8
    #7 0x5653c626d36c in R_execClosure /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:2393:22
    #8 0x5653c626c531 in applyClosure_core /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:2306:16
    #9 0x5653c62242e9 in Rf_applyClosure /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:2328:16
    #10 0x5653c62242e9 in Rf_eval /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:1280:12
    #11 0x5653c627ee00 in do_set /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:3571:8
    #12 0x5653c6223de3 in Rf_eval /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:1232:12
    #13 0x5653c62faa9a in Rf_ReplIteration /data/gannet/ripley/R/svn/R-devel/src/main/main.c:265:2
    #14 0x5653c62fd1d0 in R_ReplConsole /data/gannet/ripley/R/svn/R-devel/src/main/main.c:317:11
    #15 0x5653c62fd1d0 in run_Rmainloop /data/gannet/ripley/R/svn/R-devel/src/main/main.c:1219:5
    #16 0x5653c62fd262 in Rf_mainloop /data/gannet/ripley/R/svn/R-devel/src/main/main.c:1226:5
    #17 0x5653c600720c in main /data/gannet/ripley/R/svn/R-devel/src/main/Rmain.c:29:5
    #18 0x7f2e9fc2950f in __libc_start_call_main (/lib64/libc.so.6+0x2950f) (BuildId: 8257ee907646e9b057197533d1e4ac8ede7a9c5c)

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/RtmpNNPUz9/R.INSTALL3cef1f2b1bd39c/adegenet/src/snpbin.c:225:19 in bytesToDouble
Shadow bytes around the buggy address:
  0x518000697d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x518000697d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x518000697e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x518000697e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x518000697f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x518000697f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[00]fa
  0x518000698000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x518000698080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x518000698100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x518000698180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x518000698200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2742437==ABORTING
* DONE
Status: 1 ERROR

GCC ASAN

* using log directory ‘/data/gannet/ripley/R/packages/tests-gcc-SAN/dartR.base.Rcheck’
* using R Under development (unstable) (2025-01-31 r87670)
* using platform: x86_64-pc-linux-gnu
* R was compiled by
    gcc-14 (GCC) 14.2.0
    GNU Fortran (GCC) 14.2.0
* running under: Fedora Linux 36 (Workstation Edition)
* using session charset: UTF-8
* using option ‘--no-stop-on-test-error’
* checking for file ‘dartR.base/DESCRIPTION’ ... OK
* checking extension type ... Package
* this is package ‘dartR.base’ version ‘0.98’
* package encoding: UTF-8
* checking package dependencies ... OK
* checking if this is a source package ... OK
* checking if there is a namespace ... OK
* checking for hidden files and directories ... OK
* checking for portable file names ... OK
* checking whether package ‘dartR.base’ can be installed ... [314s/319s] OK
* checking package directory ... OK
* checking whether the package can be loaded ... [33s/33s] OK
* checking whether the package can be loaded with stated dependencies ... [34s/35s] OK
* checking whether the package can be unloaded cleanly ... [33s/33s] OK
* checking whether the namespace can be loaded with stated dependencies ... [27s/28s] OK
* checking whether the namespace can be unloaded cleanly ... [32s/33s] OK
* checking loading without being on the library search path ... [33s/33s] OK
* checking examples ... [115s/116s] ERROR
Running examples in ‘dartR.base-Ex.R’ failed
The error most likely occurred in:

> ### Name: gl.filter.factorloadings
> ### Title: Filters loci based on factor loadings for a PCA or PCoA
> ### Aliases: gl.filter.factorloadings
> 
> ### ** Examples
> 
> pca <- gl.pcoa(testset.gl)
Starting gl.pcoa 
  Processing genlight object with SNP data
  Warning: Number of loci is less than the number of individuals to be represented
  Performing a PCA, individuals as entities, loci as attributes, SNP genotype as state
=================================================================
==1727716==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5180007443f8 at pc 0x7f6837300c01 bp 0x7ffca8bfa3e0 sp 0x7ffca8bfa3d8
READ of size 8 at 0x5180007443f8 thread T0
    #0 0x7f6837300c00 in bytesToDouble /tmp/RtmpE7Sc7I/R.INSTALL2f8bfe36d3831a/adegenet/src/snpbin.c:225
    #1 0x7f6837301c96 in snpbin2freq /tmp/RtmpE7Sc7I/R.INSTALL2f8bfe36d3831a/adegenet/src/snpbin.c:332
    #2 0x7f6837302e96 in snpbin_dotprod_freq /tmp/RtmpE7Sc7I/R.INSTALL2f8bfe36d3831a/adegenet/src/snpbin.c:447
    #3 0x7f683730430a in GLdotProd /tmp/RtmpE7Sc7I/R.INSTALL2f8bfe36d3831a/adegenet/src/GLfunctions.c:42
    #4 0x756f82 in do_dotCode /data/gannet/ripley/R/svn/R-devel/src/main/dotcode.c:2003
    #5 0x8a7953 in bcEval_loop /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:8122
    #6 0x878b1f in bcEval /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:7505
    #7 0x83f862 in Rf_eval /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:1167
    #8 0x84a832 in R_execClosure /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:2393
    #9 0x83e1da in applyClosure_core /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:2306
    #10 0x83fee6 in Rf_applyClosure /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:2328
    #11 0x83fee6 in Rf_eval /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:1280
    #12 0x8639d6 in do_set /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:3571
    #13 0x840316 in Rf_eval /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:1232
    #14 0x9c9d99 in Rf_ReplIteration /data/gannet/ripley/R/svn/R-devel/src/main/main.c:265
    #15 0x9c9d99 in R_ReplConsole /data/gannet/ripley/R/svn/R-devel/src/main/main.c:317
    #16 0x9cb29b in run_Rmainloop /data/gannet/ripley/R/svn/R-devel/src/main/main.c:1219
    #17 0x9d5812 in Rf_mainloop /data/gannet/ripley/R/svn/R-devel/src/main/main.c:1226
    #18 0x4293ff in main /data/gannet/ripley/R/svn/R-devel/src/main/Rmain.c:29
    #19 0x7f685442950f in __libc_start_call_main (/lib64/libc.so.6+0x2950f) (BuildId: 8257ee907646e9b057197533d1e4ac8ede7a9c5c)
    #20 0x7f68544295c8 in __libc_start_main_alias_2 (/lib64/libc.so.6+0x295c8) (BuildId: 8257ee907646e9b057197533d1e4ac8ede7a9c5c)
    #21 0x429de4 in _start (/data/gannet/ripley/R/gcc-SAN3/bin/exec/R+0x429de4) (BuildId: a84d18346db10b9f6a24beeffd63f6e34190cf95)

0x5180007443f8 is located 0 bytes after 888-byte region [0x518000744080,0x5180007443f8)
allocated by thread T0 here:
    #0 0x7f6855cf7350 in calloc ../../../../latest/libsanitizer/asan/asan_malloc_linux.cpp:77
    #1 0x7f6837302e70 in snpbin_dotprod_freq /tmp/RtmpE7Sc7I/R.INSTALL2f8bfe36d3831a/adegenet/src/snpbin.c:443
    #2 0x7f683730430a in GLdotProd /tmp/RtmpE7Sc7I/R.INSTALL2f8bfe36d3831a/adegenet/src/GLfunctions.c:42
    #3 0x756f82 in do_dotCode /data/gannet/ripley/R/svn/R-devel/src/main/dotcode.c:2003
    #4 0x8a7953 in bcEval_loop /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:8122
    #5 0x878b1f in bcEval /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:7505
    #6 0x83f862 in Rf_eval /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:1167
    #7 0x84a832 in R_execClosure /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:2393
    #8 0x83e1da in applyClosure_core /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:2306
    #9 0x83fee6 in Rf_applyClosure /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:2328
    #10 0x83fee6 in Rf_eval /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:1280
    #11 0x8639d6 in do_set /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:3571
    #12 0x840316 in Rf_eval /data/gannet/ripley/R/svn/R-devel/src/main/eval.c:1232
    #13 0x9c9d99 in Rf_ReplIteration /data/gannet/ripley/R/svn/R-devel/src/main/main.c:265
    #14 0x9c9d99 in R_ReplConsole /data/gannet/ripley/R/svn/R-devel/src/main/main.c:317
    #15 0x9cb29b in run_Rmainloop /data/gannet/ripley/R/svn/R-devel/src/main/main.c:1219
    #16 0x9d5812 in Rf_mainloop /data/gannet/ripley/R/svn/R-devel/src/main/main.c:1226
    #17 0x4293ff in main /data/gannet/ripley/R/svn/R-devel/src/main/Rmain.c:29
    #18 0x7f685442950f in __libc_start_call_main (/lib64/libc.so.6+0x2950f) (BuildId: 8257ee907646e9b057197533d1e4ac8ede7a9c5c)

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/RtmpE7Sc7I/R.INSTALL2f8bfe36d3831a/adegenet/src/snpbin.c:225 in bytesToDouble
Shadow bytes around the buggy address:
  0x518000744100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x518000744180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x518000744200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x518000744280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x518000744300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x518000744380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
  0x518000744400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x518000744480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x518000744500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x518000744580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x518000744600: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1727716==ABORTING
* DONE
Status: 1 ERROR
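
The sanitizer report above localizes the read to the first slot past an 888-byte calloc region, which is 111 doubles. As an added illustration that is not adegenet's code, and that assumes a constructed storage model (genotype values packed 8 bits per byte, unpacked into a buffer of exactly n doubles), the following C shows the bounded unpacker a fix of this class needs and the n % 8 != 0 edge case that makes a whole-byte walk overrun by exactly one slot at n = 111.

```c
#include <stddef.h>

/* Constructed illustration, not adegenet's code.  Assumed storage model:
 * n genotype values packed 8 per byte, least-significant bit first, and
 * unpacked into a caller-supplied buffer of exactly n doubles.  A walker
 * that advances a whole byte (8 values) at a time touches slot n whenever
 * n % 8 != 0; the bounded version below stops at n instead. */

/* Bit i of the packed vector, or -1 when i lies outside the packed bytes. */
static int packed_bit(const unsigned char *bytes, size_t nbytes, size_t i)
{
    if (i / 8 >= nbytes)
        return -1;
    return (bytes[i / 8] >> (i % 8)) & 1;
}

/* Hardened unpacker: the loop bound is n (the output size), never nbytes*8.
 * Returns the number of values written, or 0 if the packed input is too
 * short for n values or a buffer is NULL, so the caller can refuse to go on. */
size_t unpack_bits_bounded(const unsigned char *bytes, size_t nbytes,
                           double *out, size_t n)
{
    if (bytes == NULL || out == NULL || nbytes < (n + 7) / 8)
        return 0;
    for (size_t i = 0; i < n; i++) {
        int b = packed_bit(bytes, nbytes, i);
        if (b < 0)
            return 0;                 /* cannot happen after the size check */
        out[i] = (double)b;
    }
    return n;
}

/* Slots a whole-byte walk would touch beyond an n-slot buffer: the size of
 * the overrun a sanitizer would flag (1 slot for n = 111, as in the report). */
size_t whole_byte_overrun(size_t n)
{
    return ((n + 7) / 8) * 8 - n;
}

/* Constructed 111-value sample: 14 bytes with bits 0, 2 and 110 set.
 * Returns 1 when the bounded unpacker reproduces exactly those positions. */
int demo_111_loci(void)
{
    unsigned char packed[14] = { 0x05 };  /* values 0 and 2 set, value 1 clear */
    double out[111];
    packed[13] = 0x40;                    /* bit 6 of byte 13 is value 110 */
    if (unpack_bits_bounded(packed, 14, out, 111) != 111)
        return 0;
    return out[0] == 1.0 && out[1] == 0.0 && out[2] == 1.0 && out[110] == 1.0;
}
```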

zkamvar linked a pull request Feb 6, 2025 that will close this issue

zkamvar commented Feb 6, 2025

I attempted to test this with docker, but I was not able to reproduce the overflow. That being said, with the fixes I've made, I'm confident that the overflow would not happen again.

I used https://dirk.eddelbuettel.com/code/sanitizers.html to figure out how to build adegenet with address sanitizers and how to trigger the failure.

This was the Dockerfile I used.

FROM rocker/r-devel-san

MAINTAINER Thibaut Jombart <[email protected]>

RUN apt-get update && apt-get upgrade -y
RUN apt-get install -y libcurl4-openssl-dev libssl-dev libfontconfig1-dev libxml2-dev libharfbuzz-dev libfribidi-dev libfreetype6-dev libpng-dev libtiff5-dev libjpeg-dev gdal-bin proj-bin libgdal-dev libproj-dev libgmp3-dev jags libfftw3-dev

## add guest user

RUN adduser --disabled-password --gecos "" guest
RUN usermod -a -G users guest && usermod -a -G staff guest
RUN chmod a+rw /usr/local/lib/R/site-library -R



## install CRAN packages

# RUN echo 'options(download.file.method = "libcurl", repos = c(CRAN = "https://cran.ma.imperial.ac.uk"))' > ~/.Rprofile

RUN r -e "install.packages('devtools')" \
 && r -e "install.packages('adegenet', dependencies = TRUE)"

RUN r -e 'install.packages("BiocManager")' \
 && r -e 'BiocManager::install("SNPRelate")' \
 && r -e 'install.packages("dartR.base")'


## clone repos to get sources
RUN apt-get install -y git

## switch the build user (a plain `RUN su guest` only starts a shell that exits
## immediately and leaves later steps running as root)
USER guest
RUN mkdir -p /home/guest/dev
WORKDIR /home/guest/dev

COPY . .

WORKDIR /home/guest/
CMD Rscript -e 'library(dartR.base); gl.pcoa(testset.gl)'
