Bug 895527
Field | Value
---|---
Summary | potential buffer overflow uncovered by compiling with -O3 and FORTIFY_SOURCE
Product | [Fedora] Fedora
Reporter | Gary Benson <gbenson>
Component | gdb
Assignee | Jan Kratochvil <jan.kratochvil>
Status | CLOSED CURRENTRELEASE
QA Contact | Fedora Extras Quality Assurance <extras-qa>
Severity | unspecified
Docs Contact |
Priority | unspecified
Version | rawhide
CC | gbenson, jan.kratochvil, matt, palves, pmuldoon, sergiodj, tromey
Target Milestone | ---
Target Release | ---
Hardware | Unspecified
OS | Unspecified
Whiteboard |
Fixed In Version | gdb-7.5.1-34.fc18
Doc Type | Bug Fix
Doc Text |
Story Points | ---
Clone Of |
Environment |
Last Closed | 2013-01-15 14:39:57 UTC
Type | Bug
Regression | ---
Mount Type | ---
Documentation | ---
CRM |
Verified Versions |
Category | ---
oVirt Team | ---
RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | ---
Target Upstream Version |
Embargoed |
Description
Gary Benson
2013-01-15 13:19:13 UTC
Oddly, my GIT does not have the fixed second strncat:
http://sourceware.org/git/?p=archer.git;a=blob;f=gdb/solib-svr4.c;h=5ec27a87bc0e791e28b6486a9724cb1dbb6d0d26;hb=archer-gbenson-stap-rtld-mainline#l2054

I have pushed this fix to archer-gbenson-stap-rtld-mainline:
http://sourceware.org/git/?p=archer.git;a=blobdiff;f=gdb/solib-svr4.c;h=12d3c0fd8bd3ad0b2185c85db7683bcd4f514425;hp=5ec27a87bc0e791e28b6486a9724cb1dbb6d0d26;hb=38ec501fb86983933886b54989cf6b59d62b7271;hpb=a3b1d8553ec1a6fb0e6445b01253a67669fea944

Jan, is this ok?

It appears already fixed to me: gdb-dlopen-stap-probe-6of7.patch

```c
char name[32] = { '\0' };
if (with_prefix)
  strncat (name, "rtld_", sizeof (name));
strncat (name, probe_info[i].name, sizeof (name) - sizeof ("rtld_"));
```

I tried to rebuild gdb-7.5.1-35.fc18 with -O3 on F-18 and it is OK. IIRC I have sent you a notice it failed with -O2 but it was a long time ago.

Does F-18 have -DFORTIFY_SOURCE? I do remember a previous failure but I don't recall what.

Both those strncat calls need a "- 1" to allow space for the trailing NULL, so the patch I've pushed is more correct. Either way, it's not an exploitable problem as I understand it, since all the input arguments (all probe_info[i].name) come from within GDB, and the 32 byte buffer is big enough for all of them.

(In reply to comment #4)
> Does F-18 have -DFORTIFY_SOURCE?

Yes, by rpmbuild, I was testing the O3 variant as:

```
gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -O3 -I. -I../../gdb -I../../gdb/common -I../../gdb/config -DLOCALEDIR="\"/usr/share/locale\"" -DHAVE_CONFIG_H -I../../gdb/../include/opcode -I../../gdb/../opcodes/.. -I../bfd -I../../gdb/../bfd -I../../gdb/../include -I../libdecnumber -I../../gdb/../libdecnumber -I../../gdb/gnulib/import -Ibuild-gnulib/import -DTUI=1 -I/usr/include/python2.7 -I/usr/include/python2.7 -Wall -Wdeclaration-after-statement -Wpointer-arith -Wformat-nonliteral -Wno-pointer-sign -Wno-unused -Wunused-value -Wunused-function -Wno-switch -Wno-char-subscripts -Wmissing-prototypes -Wdeclaration-after-statement -Wno-unused -Werror -c -o solib-svr4.o -MT solib-svr4.o -MMD -MP -MF .deps/solib-svr4.Tpo ../../gdb/solib-svr4.c
```

> Both those strncat calls need a "- 1" to allow space for the trailing NULL,

There is sizeof(string) instead of strlen(string) to count for that trailing '\0' (that is not NULL).

> since all the input arguments (all probe_info[i].name) come from within GDB,
> and the 32 byte buffer is big enough for all of them.

Yes, I agree keeping the compiler quiet is the only purpose of this topic.

Oh, I see, you used sizeof ("rtld_") in the second call. I agree now that what you have is correct. I'm going to keep what I have in GIT though for when I submit the patches, as I think it's clearer what is going on.
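The disagreement in the thread comes down to how the third argument of strncat is counted: it bounds the number of source bytes appended, and strncat always writes a terminating '\0' after them, so a call can occupy up to strlen(dst) + n + 1 bytes. That is the figure FORTIFY_SOURCE compares against the known size of the destination. The following added example (not code from the bug report or from gdb) works that arithmetic through for the bounds discussed above, and builds the prefixed name with a bound derived from the space actually remaining. The names RTLD_PREFIX, strncat_worst_case, strncat_safe_bound and build_probe_name are assumptions of this example, and the probe names fed to it are constructed, not gdb's real probe table.

```c
#include <stdio.h>
#include <string.h>

/* Prefix that gdb's solib-svr4.c prepends to rtld probe names.
   The macro name is this example's own, not gdb's. */
#define RTLD_PREFIX "rtld_"

/*
 * strncat(dst, src, n) appends at most n bytes of src and then ALWAYS
 * stores a terminating '\0', so the most it can occupy in dst is
 * strlen(dst) + n + 1 bytes.  This is what FORTIFY_SOURCE checks against
 * the size of the destination object when that size is known.
 */
static size_t strncat_worst_case(size_t dst_len, size_t n)
{
    return dst_len + n + 1;
}

/* Largest n that keeps strncat inside a buffer of 'size' bytes when
   dst already holds dst_len characters (caller ensures dst_len < size). */
static size_t strncat_safe_bound(size_t size, size_t dst_len)
{
    return size - dst_len - 1;
}

/*
 * Build "<prefix><probe>" into name[size] the way the gdb snippet does,
 * but with every bound computed from the space left at that point.
 * Returns 0 if the whole name fitted, -1 if it had to be truncated; the
 * result is '\0'-terminated either way.
 */
static int build_probe_name(char *name, size_t size, const char *probe,
                            int with_prefix)
{
    int truncated = 0;

    if (size == 0)
        return -1;
    name[0] = '\0';
    if (with_prefix)
        strncat(name, RTLD_PREFIX, strncat_safe_bound(size, strlen(name)));
    if (strlen(probe) > strncat_safe_bound(size, strlen(name)))
        truncated = 1;
    strncat(name, probe, strncat_safe_bound(size, strlen(name)));
    return truncated ? -1 : 0;
}

/* Helper for checking results: length of the name produced for 'probe'
   in a 32-byte buffer, matching the char name[32] in the bug. */
static size_t probe_name_len(const char *probe, int with_prefix)
{
    char name[32];

    build_probe_name(name, sizeof name, probe, with_prefix);
    return strlen(name);
}

int main(void)
{
    char name[32];
    /* The three bounds discussed in the bug, for a 32-byte buffer. */
    size_t bound_orig_first = sizeof name;                          /* flagged */
    size_t bound_fixed_second = sizeof name - sizeof RTLD_PREFIX;   /* 26 */
    size_t bound_minus_one = sizeof name - 1;                       /* 31 */

    printf("original first call: up to %zu of %zu bytes\n",
           strncat_worst_case(0, bound_orig_first), sizeof name);
    printf("fixed second call:   up to %zu of %zu bytes\n",
           strncat_worst_case(strlen(RTLD_PREFIX), bound_fixed_second),
           sizeof name);
    printf("\"- 1\" first call:    up to %zu of %zu bytes\n",
           strncat_worst_case(0, bound_minus_one), sizeof name);

    /* Constructed probe names, not gdb's real probe table. */
    build_probe_name(name, sizeof name, "init_start", 1);
    printf("%s\n", name);
    if (build_probe_name(name, sizeof name,
                         "a_deliberately_very_long_probe_name_xxxx", 1) < 0)
        printf("truncated to %s (%zu chars)\n", name, strlen(name));
    return 0;
}
```

The first call as originally written admits 33 bytes in a 32-byte buffer, which is the pattern the fortified build rejects even though "rtld_" itself never comes close. The second call with sizeof ("rtld_") as the subtrahend admits exactly 32, because sizeof already counts the '\0' that strlen would not; that is why it is correct without an extra "- 1", and also why it is only correct because the prefix length is a compile-time constant. Deriving the bound from strlen(name) at run time, as build_probe_name does, gives the same guarantee without that coupling.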