Bug 2336479

Summary: cryptlib failed to build with GCC 15 in check (cryptlib-test: "*** buffer overflow detected ***: terminated")
Product: [Fedora] Fedora Reporter: Dave Malcolm <dmalcolm>
Component: cryptlibAssignee: Ralf Senderek <innovation>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: rawhideCC: innovation, sipoyare
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2025-01-24 10:36:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2333037    

Description Dave Malcolm 2025-01-08 23:42:42 UTC 
I'm experimentally rebuilding rawhide with the not-yet-released GCC 15 to see if anything breaks, and to help write the porting guide.  See https://fedoraproject.org/wiki/User:Dmalcolm/gcc-15

My test build with GCC 15 failed:
https://copr.fedorainfracloud.org/coprs/dmalcolm/gcc-15-smoketest-3.failed/build/8476227/

whereas my test build with GCC 14 succeeded:
https://copr.fedorainfracloud.org/coprs/dmalcolm/gcc-15-smoketest-3.failed.checker/build/8478142/

Looking at the failure logs e.g.
https://download.copr.fedorainfracloud.org/results/dmalcolm/gcc-15-smoketest-3.failed/fedora-rawhide-x86_64/08476227-cryptlib/builder-live.log.gz

I see in %check:

+ echo 'Running tests on the cryptlib library. This will take a few minutes.'
+ cp /builddir/build/BUILD/cryptlib-3.4.8-build/BUILDROOT/usr/lib64/cryptlib/c/cryptlib-test.c .
+ sed -i '41s/<cryptlib\/cryptlib.h>/\".\/cryptlib.h\"/' cryptlib-test.c
+ gcc -o cryptlib-test cryptlib-test.c -L. libcl.so.3.4.8
+ ./cryptlib-test
*** buffer overflow detected ***: terminated
/var/tmp/rpm-tmp.JJ6y3m: line 54:  6710 Aborted                 (core dumped) ./cryptlib-test

RPM build errors:
error: Bad exit status from /var/tmp/rpm-tmp.JJ6y3m (%check)
    Bad exit status from /var/tmp/rpm-tmp.JJ6y3m (%check)



Reproducible: Didn't try
Comment 1 Ralf Senderek 2025-01-09 16:56:41 UTC 
Hi Dave,

I have updated the program cryptlib-test.c which is part of the source file cryptlib-tests.tar.gz.

The new file cryptlib-tests.tar.gz is in DISTGIT now.

Please re-run the smoketest using the new sources:

SHA512 (cryptlib-tests.tar.gz) = a07929c6cf25626ddc42baa743d0810bac1e5d05bc01f10cce718fbccfc36f280f512f5c67a69c820a352218b522f07f90bd5de34e9cacae740f69322ed57383
SHA512 (cryptlib-tools.tar.gz) = 8dd14b2a86e4c6e37d8c4c4a1467a52d234021d593d69959a4d4cdab1388aa4a65d4ee8157dfa11cbff55cd337c059145c63f4587ff1a079c2ccb573f9eeef85
SHA512 (cl348_fedora.zip) = 703bb673359a66144b3e202a8304e29b10221ca5f17d0747e05edea7d607389532740e168d101b43e7218c3b39555ac0914fdb7d80394457498b13c0aee392fc
SHA512 (cl348_fedora.zip.sig) = ab61212606575b1d409cbb52d2f01c9f53a0fdebc130228f7654a7944e44f2bc15da1f52b813f94e1c07adf8453990bf1c95674791cb4a3745521b9a823d7a00
SHA512 (cryptlib-perlfiles.tar.gz) = b975d34acfd1d99a224bbd5536483e5489feac8801a567740ec668bcef9a1eff67fddbdad53f61b2ff48bd43396e92f070ebf4de622f3edeb70428f4aaae2ff6

I have checked that the copr-rpmbuild succeeds with the new cryptlib-test.c .

Ralf
Comment 2 Siddhesh Poyarekar 2025-01-16 15:15:51 UTC 
Still failing with gcc15:

https://koji.fedoraproject.org/koji/taskinfo?taskID=127940424
Comment 3 Siddhesh Poyarekar 2025-01-23 12:31:56 UTC 
Looks like this is where it's actually failing:

```
gcc -c -D__UNIX__ -DNDEBUG -I. -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Wno-complain-wrong-lang -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -mtls-dialect=gnu2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -DDATA_LITTLEENDIAN -DFIXED_SEED=0xb99c1874a2269659 -fPIC -DHAS_RECURSIVE_MUTEX -DHAS_ROBUST_MUTEX -m64 -Wno-pointer-sign -Wno-strict-aliasing -fwrapv -fno-delete-null-pointer-checks -fhardened -DOSVERSION=6 -O3 -fomit-frame-pointer -D_REENTRANT test/utils.c
cc1: warning: ‘_FORTIFY_SOURCE’ is not enabled by ‘-fhardened’ because it was specified in ‘-D’ or ‘-U’ [-Whardened]
cc1: warning: ‘_GLIBCXX_ASSERTIONS’ is not enabled by ‘-fhardened’ because it was specified in ‘-D’ or ‘-U’ [-Whardened]
In function ‘memcpy’,
    inlined from ‘insertDNstring’ at cert/dn.c:790:2:
/usr/include/bits/string_fortified.h:29:10: warning: ‘__builtin___memcpy_chk’ writing between 1 and 16383 bytes into a region of size 0 overflows the destination [-Wstringop-overflow=]
   29 |   return __builtin___memcpy_chk (__dest, __src, __len,
      |          ^
In function ‘memcpy’,
    inlined from ‘addAttributeFieldString’ at cert/ext_add.c:941:5:
/usr/include/bits/string_fortified.h:29:10: warning: ‘__builtin___memcpy_chk’ writing between 1 and 1024 bytes into a region of size 0 overflows the destination [-Wstringop-overflow=]
   29 |   return __builtin___memcpy_chk (__dest, __src, __len,
      |          ^
In function ‘memcpy’,
    inlined from ‘addAttributeFieldString’ at cert/ext_add.c:976:4:
/usr/include/bits/string_fortified.h:29:10: warning: ‘__builtin___memcpy_chk’ writing between 1 and 1024 bytes into a region of size 0 overflows the destination [-Wstringop-overflow=]
   29 |   return __builtin___memcpy_chk (__dest, __src, __len,
      |          ^
In function ‘memcpy’,
    inlined from ‘addInfo’ at session/sess_iattr.c:686:3,
    inlined from ‘addSessionInfoS’ at session/sess_iattr.c:729:10:
/usr/include/bits/string_fortified.h:29:10: warning: ‘__builtin___memcpy_chk’ writing between 1 and 16383 bytes into a region of size 0 overflows the destination [-Wstringop-overflow=]
   29 |   return __builtin___memcpy_chk (__dest, __src, __len,
      |          ^
In function ‘memcpy’,
    inlined from ‘addRevocationEntry’ at cert/certrev.c:296:2:
/usr/include/bits/string_fortified.h:29:10: warning: ‘__builtin___memcpy_chk’ writing between 1 and 16383 bytes into a region of size 0 overflows the destination [-Wstringop-overflow=]
   29 |   return __builtin___memcpy_chk (__dest, __src, __len,
      |          ^
```

The -fhardened interaction warning is unrelated, but interesting, probably something to address in redhat-rpm-config.  The "region of size 0" could be tree-object-size failing, let me confirm.
Comment 4 Siddhesh Poyarekar 2025-01-23 15:53:36 UTC 
OK, so the problem here is __counted_by__, which requires that the size field identified by __counted_by__ be initialized before the pointer it describes is referenced.  The fix below is what is needed to initialize the size of the flex array early enough.  I've done a quick build to verify that this works:

--- a/misc/int_api.h	2025-01-23 10:39:34.467910628 -0500
+++ b/misc/int_api.h	2025-01-23 10:39:30.532598818 -0500
@@ -1191,8 +1191,8 @@
 
 #define initVarStruct( structure, structureType, size, valueName ) \
 		memset( structure, 0, sizeof( structureType ) ); \
-		structure->valueName = structure->storage; \
-		structure->storageSize = size
+		structure->storageSize = size; \
+		structure->valueName = structure->storage
 
 #define copyVarStruct( destStructure, srcStructure, structureType, valueName ) \
 		memcpy( destStructure, srcStructure, \
Comment 5 Ralf Senderek 2025-01-24 10:36:19 UTC 
cryptlib-3.4.8-4.fc42 builds correctly with gcc15patch applied and all cryptlib tests in /lib64/cryptlib finish successfully.

Thank you Siddhesh for your help, I appreciate it very much.