Bug 487702
Summary: correct code aborts with buffer overflow on ppc
Product: Fedora
Component: gcc
Version: rawhide
Hardware: ppc
OS: Linux
Reporter: Dan Horák <dan>
Assignee: Jakub Jelinek <jakub>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: jakub
Status: CLOSED UPSTREAM
Severity: medium
Priority: low
Doc Type: Bug Fix
Last Closed: 2009-03-02 16:01:02 UTC
Attachments: test.c, test.h

Description Dan Horák 2009-02-27 15:05:18 UTC
The code in the attachments fails with a buffer overflow abort when compiled and run on ppc (64-bit kernel, 32-bit userspace), but runs cleanly on x86_64.


Version-Release number of selected component (if applicable):
gcc-4.4.0-0.21.ppc


Steps to Reproduce:
1. gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -D_GNU_SOURCE -D_REENTRANT test.c

2. ./a.out

Actual results:
*** buffer overflow detected ***: ./a.out terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x6c)[0xff5c26c]
/lib/libc.so.6[0xff59718]
/lib/libc.so.6(__strncpy_chk+0x1b4)[0xff586f4]
./a.out[0x10000500]
/lib/libc.so.6[0xfe5ac64]
/lib/libc.so.6[0xfe5ae20]
Neúspěšně ukončen (SIGABRT)

This is a test case for buffer overflow aborts that can be seen at
ppc = https://koji.fedoraproject.org/koji/getfile?taskID=1177236&name=build.log
ppc64 = https://koji.fedoraproject.org/koji/getfile?taskID=1190281&name=build.log
(scratch builds)

Comment 1 Dan Horák 2009-02-27 15:05:43 UTC
Created attachment 333491
test.c

Comment 2 Dan Horák 2009-02-27 15:06:25 UTC
Created attachment 333492
test.h

Comment 3 Dan Horák 2009-02-27 15:08:46 UTC
Removing any (? but I have tried to remove a lot of them, one at a time) of the struct members makes the code run without an abort.
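
The attachments are not reproduced on this page, so the following is an added example of my own, not the reporter's test.c: it shows where the bound that __strncpy_chk compares against comes from under -D_FORTIFY_SOURCE=2 (the compiler's __builtin_object_size of the destination member) and how to check that bound against the type when an abort on apparently correct code looks like a compiler problem. The struct layout is constructed; only the bound-vs-type comparison is the point.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout (not the attachment from the report): the
 * checked member sits between other members, as in the reporter's struct. */
struct record {
    int  id;
    char name[16];
    char tag[8];
    long flags;
};

static struct record g;   /* global, so both bounds fold to compile-time constants */

/* With -D_FORTIFY_SOURCE=2 and optimisation on, strncpy(g.name, src, n) becomes
 * __strncpy_chk(g.name, src, n, __builtin_object_size(g.name, 1)); the callee
 * aborts when n exceeds that fourth argument. Mode 1 is the size of the
 * innermost member, mode 0 the remainder of the whole enclosing object
 * (what _FORTIFY_SOURCE=1 would use). */
size_t fortify_member_bound(void) { return __builtin_object_size(g.name, 1); }
size_t fortify_object_bound(void) { return __builtin_object_size(g.name, 0); }

/* The same bounds derived from the type alone. If these disagree with the
 * builtin's answers, the compiler's size computation, not the copy, is wrong. */
size_t expected_member_bound(void) { return sizeof g.name; }
size_t expected_object_bound(void) { return sizeof g - offsetof(struct record, name); }

int bounds_consistent(void)
{
    return fortify_member_bound() == expected_member_bound()
        && fortify_object_bound() == expected_object_bound();
}

/* Mirror of the decision __strncpy_chk makes: reject iff n > bound.
 * A bound of (size_t)-1 means "unknown" and never triggers the abort. */
int fortify_would_abort(size_t n, size_t bound)
{
    return bound != (size_t)-1 && n > bound;
}

int main(void)
{
    printf("member bound: builtin=%zu expected=%zu\n", fortify_member_bound(), expected_member_bound());
    printf("object bound: builtin=%zu expected=%zu\n", fortify_object_bound(), expected_object_bound());
    printf("strncpy of 16 bytes into name: %s\n", fortify_would_abort(16, fortify_member_bound()) ? "ABORT" : "ok");
    printf("strncpy of 17 bytes into name: %s\n", fortify_would_abort(17, fortify_member_bound()) ? "ABORT" : "ok");
    return bounds_consistent() ? 0 : 1;
}
```

Compiling the real test case with -O2 and printing the two builtin values for the member that strncpy writes is the quickest way to tell a miscomputed bound (the report's case) from an actual overflow.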

Comment 4 Jakub Jelinek 2009-03-02 16:01:02 UTC
Tracking this upstream.

Comment 5 Jakub Jelinek 2009-03-04 20:14:00 UTC
Should be fixed in gcc-4.4.0-0.22.

Comment 6 Dan Horák 2009-03-04 20:46:52 UTC
(In reply to comment #5)
> Should be fixed in gcc-4.4.0-0.22.

confirmed