ccache-4.8.2-2.fc39.x86_64

(gdb) bt
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1 0x00001555553288a3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2 0x00001555552d68ee in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3 0x00001555552be8ff in __GI_abort () at abort.c:79
#4 0x00001555552bf7d0 in __libc_message ( fmt=fmt@entry=0x15555543c309 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:150
#5 0x00001555553bbd19 in __GI___fortify_fail ( msg=msg@entry=0x15555543c2f0 "buffer overflow detected") at fortify_fail.c:24
#6 0x00001555553bb6d4 in __GI___chk_fail () at chk_fail.c:28
#7 0x00001555553bd0d5 in __strcpy_chk ( dest=dest@entry=0x5555555d2438 "", src=src@entry=0x5555555d2390 "gcc", destlen=destlen@entry=2)
--Type <RET> for more, q to quit, c to continue without paging--c
at strcpy_chk.c:30
#8 0x000055555555a9d4 in strcat (__src=0x5555555d2390 "gcc", __dest=0x5555555d2420 "x86_64-redhat-linux-gnu-") at /usr/include/bits/string_fortified.h:130
#9 dcc_gcc_rewrite_fqn (argv=0x5555555d2350) at src/compile.c:601
#10 dcc_build_somewhere (status=0x7fffffffd578, sg_level=0, argv=0x5555555d2350) at src/compile.c:715
#11 dcc_build_somewhere_timed (status=0x7fffffffd578, sg_level=0, argv=<optimized out>) at src/compile.c:1004
#12 main (argc=<optimized out>, argv=<optimized out>) at src/distcc.c:352

The guilty party appears to be some strcat()s into a malloc'd newcmd.

#9 dcc_gcc_rewrite_fqn (argv=0x5555555d2350) at src/compile.c:601
601 strcat(newcmd, argv[0]);
(gdb) l
596 } else
597 strcpy(newcmd, target_with_vendor);
598
599
600 strcat(newcmd, "-");
601 strcat(newcmd, argv[0]);
602
603 /* TODO, is this the right PATH? */
604 path = getenv("PATH");
605 do {

valgrind distcc also finds the same problem.
Reproducible: Always

Steps to Reproduce:
cp /dev/null null.c
ccache null.c
+++ killed by SIGABRT (core dumped) +++
zsh: IOT instruction (core dumped) strace distcc null.c
in src/compile.c:

587 newcmd_len = strlen(target_with_vendor) + 1 + strlen(argv[0] + 1);

this is wrong: it should be

587 newcmd_len = strlen(target_with_vendor) + 1 + strlen(argv[0]) + 1;

The former is too short (counts only the trailing chars of argv[0] and leaves no \0 space).
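The arithmetic behind this diagnosis, as an added example (not distcc code and not part of the original comment): it compares the two length expressions for the target and command seen in the backtrace and shows that the short allocation leaves exactly the `destlen=2` that `__strcpy_chk` reported. The function names are hypothetical, and the `snprintf` builder is an assumed alternative to the `strcpy`/`strcat` sequence, not the fix that was shipped.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length as computed before the fix: argv0 + 1 skips the first character,
 * so strlen() sees "cc" for "gcc" and no byte is reserved for the NUL. */
size_t len_before_fix(const char *target, const char *argv0)
{
    return strlen(target) + 1 + strlen(argv0 + 1);
}

/* Corrected length: target, '-', the whole of argv0, terminating NUL. */
size_t len_after_fix(const char *target, const char *argv0)
{
    return strlen(target) + 1 + strlen(argv0) + 1;
}

/* Bytes left in a buffer of buf_len once "<target>-" has been written.
 * This is the object size the fortified strcat passes as destlen. */
size_t room_after_prefix(size_t buf_len, const char *target)
{
    return buf_len - (strlen(target) + 1);
}

/* Hypothetical bounded builder: one snprintf keeps the size and the write
 * together and rejects a result that would not fit. Caller frees. */
char *join_target_and_cmd(const char *target, const char *argv0)
{
    size_t len = len_after_fix(target, argv0);
    char *out = malloc(len);
    if (!out)
        return NULL;
    int n = snprintf(out, len, "%s-%s", target, argv0);
    if (n < 0 || (size_t)n >= len) {
        free(out);
        return NULL;
    }
    return out;
}

int main(void)
{
    const char *target = "x86_64-redhat-linux-gnu"; /* from the backtrace */
    const char *cmd = "gcc";                        /* from the backtrace */
    size_t before = len_before_fix(target, cmd);
    size_t after = len_after_fix(target, cmd);
    printf("before fix: %zu bytes, room for argv[0]: %zu (need %zu)\n",
           before, room_after_prefix(before, target), strlen(cmd) + 1);
    printf("after fix:  %zu bytes, room for argv[0]: %zu\n",
           after, room_after_prefix(after, target));
    return 0;
}
```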
distcc-3.3.5-15.fc39.x86_64 (sorry about the irrelevant ccache version earlier)
I put some local builds of 3.4 here: https://fedorapeople.org/~limb/distcc/ Let me know if they fix the issue. They should.
Thanks for your quick response. It still fails, but somewhere nearby rather than at the original point:

**714426** *** strcpy_chk: buffer overflow detected ***: program terminated
==714426== at 0x484B17C: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6815)
==714426== by 0x484FD09: __strcpy_chk (vg_replace_strmem.c:1615)
==714426== by 0x10E9D3: ??? (in /usr/bin/distcc)
==714426== by 0x491C149: (below main) (libc_start_call_main.h:58)
==714426==

#4 0x00001555552bf7d0 in __libc_message ( fmt=fmt@entry=0x15555543c309 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:150
#5 0x00001555553bbd19 in __GI___fortify_fail ( msg=msg@entry=0x15555543c2f0 "buffer overflow detected")
--Type <RET> for more, q to quit, c to continue without paging--
at fortify_fail.c:24
#6 0x00001555553bb6d4 in __GI___chk_fail () at chk_fail.c:28
#7 0x00001555553bd0d5 in __strcpy_chk ( dest=0x5555555d2438 "", src=0x5555555d2390 "gcc", destlen=2) at strcpy_chk.c:30
#8 0x000055555555a9d4 in main ()

Your RPMs don't include debuginfo so it was not possible to narrow it down to the line. It's trying to strcpy "gcc".
Interesting. I've uploaded the corresponding debuginfo RPMs.
OK, examining the src.rpm and confirming with the debuginfo* bits, this version of the build does not contain the fix I suggested back in comment #1. With that patch actually applied, the code appears to work. --- src/compile.c 2021-05-11 13:26:29.000000000 -0400 +++ src/compile.c 2024-01-15 16:45:00.558851171 -0500 @@ -584,7 +584,7 @@ return -ENOENT; - newcmd_len = strlen(target_with_vendor) + 1 + strlen(argv[0] + 1); + newcmd_len = strlen(target_with_vendor) + 1 + strlen(argv[0]) + 1; newcmd = malloc(newcmd_len); if (!newcmd) return -ENOMEM;
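Review bot: The corrected `newcmd_len` line still carries two bare `+ 1` terms with nothing saying which one covers the "-" separator and which the terminating NUL, and that ambiguity sits right next to the misplaced parenthesis this hunk fixes. A short comment above the assignment naming each term (target, separator, argv[0], NUL) would make a future slip visible in review, since the `strcat(newcmd, "-")` and `strcat(newcmd, argv[0])` calls at lines 600-601 write into exactly this many bytes with no bound of their own.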
FEDORA-2024-0af08b6c2c has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2024-0af08b6c2c
FEDORA-2024-0af08b6c2c has been pushed to the Fedora 39 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-0af08b6c2c` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-0af08b6c2c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-0af08b6c2c has been pushed to the Fedora 39 stable repository. If the problem still persists, please make note of it in this bug report.