Bug 487702 - correct code aborts with buffer overflow on ppc
Summary: correct code aborts with buffer overflow on ppc
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: gcc
Version: rawhide
Hardware: ppc
OS: Linux
low
medium
Target Milestone: ---
Assignee: Jakub Jelinek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2009-02-27 15:05 UTC by Dan Horák
Modified: 2009-03-04 20:46 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-03-02 16:01:02 UTC
Type: ---
Embargoed:


Attachments
test.c (144 bytes, text/x-csrc)
2009-02-27 15:05 UTC, Dan Horák
test.h (324 bytes, text/x-chdr)
2009-02-27 15:06 UTC, Dan Horák


External tracker: GNU Compiler Collection bug 39343

Description Dan Horák 2009-02-27 15:05:18 UTC
The code in the attachments fails with a buffer overflow when compiled and run on ppc (64-bit kernel, 32-bit userspace), but runs cleanly on x86_64


Version-Release number of selected component (if applicable):
gcc-4.4.0-0.21.ppc


Steps to Reproduce:
1. gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -D_GNU_SOURCE -D_REENTRANT test.c

2. ./a.out

Actual results:
*** buffer overflow detected ***: ./a.out terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x6c)[0xff5c26c]
/lib/libc.so.6[0xff59718]
/lib/libc.so.6(__strncpy_chk+0x1b4)[0xff586f4]
./a.out[0x10000500]
/lib/libc.so.6[0xfe5ac64]
/lib/libc.so.6[0xfe5ae20]
======= Memory map: ========
00100000-00103000 r-xp 00100000 00:00 0                                  [vdso]
0fe3c000-0ffd5000 r-xp 00000000 fd:00 3212337                            /lib/libc-2.9.90.so
0ffd5000-0ffe8000 ---p 00199000 fd:00 3212337                            /lib/libc-2.9.90.so
0ffe8000-0ffec000 r--p 0019c000 fd:00 3212337                            /lib/libc-2.9.90.so
0ffec000-0ffed000 rw-p 001a0000 fd:00 3212337                            /lib/libc-2.9.90.so
0ffed000-0fff0000 rw-p 0ffed000 00:00 0 
10000000-10001000 r-xp 00000000 fd:00 294938                             /root/dhorak/test/a.out
10010000-10011000 rw-p 00000000 fd:00 294938                             /root/dhorak/test/a.out
f7fbc000-f7fbe000 rw-p f7fbc000 00:00 0 
f7fbe000-f7fe2000 r-xp 00000000 fd:00 3212322                            /lib/ld-2.9.90.so
f7ffd000-f7ffe000 r--p 0002f000 fd:00 3212322                            /lib/ld-2.9.90.so
f7ffe000-f7fff000 rw-p 00030000 fd:00 3212322                            /lib/ld-2.9.90.so
ffd43000-ffd58000 rw-p ffffffeb000 00:00 0                               [stack]
Neúspěšně ukončen (SIGABRT)

This is a test case for buffer overflow aborts that can be seen at
ppc = https://koji.fedoraproject.org/koji/getfile?taskID=1177236&name=build.log
ppc64 = https://koji.fedoraproject.org/koji/getfile?taskID=1190281&name=build.log
(scratch builds)
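The backtrace above ends in `__strncpy_chk` and `__fortify_fail`, i.e. the abort comes from the `_FORTIFY_SOURCE=2` wrapper that glibc substitutes for `strncpy`, not from a crash in the program's own code. To tell a genuine overflow from a miscomputed check, it helps to see exactly what that wrapper compares. The following is an added example, not code from the report or its attachments (`test.c` and `test.h` are not on this page); `struct record` is a constructed stand-in. It models the decision `__strncpy_chk` makes, with the destination size computed by hand so the result does not depend on the optimisation level, and shows why `_FORTIFY_SOURCE=2` (member-level object size) is stricter than `=1` (enclosing-object size).

```c
/* Added example, not code from the bug report or its attachments.  It models
 * the length check glibc's __strncpy_chk performs under -D_FORTIFY_SOURCE:
 * the compiler passes the destination's object size and the wrapper calls
 * __fortify_fail if the copy length exceeds it.  With _FORTIFY_SOURCE=1 that
 * size is __builtin_object_size(dst, 0), the bytes left in the whole
 * enclosing object; with =2 it is __builtin_object_size(dst, 1), the bytes
 * left in the addressed struct member only.  Sizes are computed here with
 * sizeof/offsetof so the program behaves identically at every -O level. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed record for illustration; it is not the reporter's test.h. */
struct record {
    char name[8];   /* offset 0  */
    char tag[4];    /* offset 8  */
    int  id;        /* offset 12, struct is 16 bytes in total */
};

enum check_result { COPY_OK = 0, COPY_WOULD_OVERFLOW = 1 };

/* Zeroed scratch record so callers (and tests) need no local setup. */
static struct record g_rec;

/* Same decision __strncpy_chk makes, but returning a code instead of
 * aborting so the outcome can be inspected. */
static enum check_result checked_strncpy(char *dst, size_t dst_objsize,
                                         const char *src, size_t n)
{
    if (n > dst_objsize)
        return COPY_WOULD_OVERFLOW;
    strncpy(dst, src, n);
    return COPY_OK;
}

/* Object size as _FORTIFY_SOURCE=1 sees r->tag: from the member's start to
 * the end of the struct (16 - 8 = 8 bytes). */
static size_t tag_size_level1(void)
{
    return sizeof(struct record) - offsetof(struct record, tag);
}

/* Object size as _FORTIFY_SOURCE=2 sees r->tag: the member alone (4 bytes). */
static size_t tag_size_level2(void)
{
    return sizeof(((struct record *)0)->tag);
}

/* Copy n bytes into r->tag under the given fortify level (1 or 2). */
static enum check_result copy_into_tag(struct record *r, const char *src,
                                       size_t n, int fortify_level)
{
    size_t objsize = fortify_level > 1 ? tag_size_level2() : tag_size_level1();
    return checked_strncpy(r->tag, objsize, src, n);
}

/* What the compiler itself would pass for r->tag at level 2.  At -O2 GCC and
 * Clang fold this to 4; without optimisation it may stay (size_t)-1
 * ("unknown"), which the wrapper treats as "no limit".  A value smaller than
 * sizeof r->tag here is what a miscomputed check looks like. */
static size_t compiler_view_of_tag(struct record *r)
{
#if defined(__GNUC__) || defined(__clang__)
    return __builtin_object_size(r->tag, 1);
#else
    (void)r;
    return (size_t)-1;
#endif
}

int main(void)
{
    memset(&g_rec, 0, sizeof g_rec);

    printf("level 1 object size for tag: %zu\n", tag_size_level1());
    printf("level 2 object size for tag: %zu\n", tag_size_level2());
    printf("compiler's level 2 view:     %zu\n", compiler_view_of_tag(&g_rec));

    /* 4 bytes fit the member at either level. */
    printf("copy 4 @2: %d\n", copy_into_tag(&g_rec, "abcd", 4, 2));
    /* 5 bytes spill into g_rec.id: only level 2 catches it. */
    printf("copy 5 @1: %d\n", copy_into_tag(&g_rec, "abcde", 5, 1));
    printf("copy 5 @2: %d\n", copy_into_tag(&g_rec, "abcde", 5, 2));
    /* 9 bytes leave the struct entirely: caught at both levels. */
    printf("copy 9 @1: %d\n", copy_into_tag(&g_rec, "abcdefghi", 9, 1));
    return 0;
}
```

When diagnosing an abort like the one in this report, build once with `-D_FORTIFY_SOURCE=1` and once with `=2`: a copy that only the stricter level rejects is either an intra-struct overrun in the program or, as turned out here, a member size the compiler got wrong. Comparing `compiler_view_of_tag` with `sizeof` at `-O2` shows directly which of the two it is.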

Comment 1 Dan Horák 2009-02-27 15:05:43 UTC
Created attachment 333491 [details]
test.c

Comment 2 Dan Horák 2009-02-27 15:06:25 UTC
Created attachment 333492 [details]
test.h

Comment 3 Dan Horák 2009-02-27 15:08:46 UTC
removing any (?, but I have tried to remove a lot of them, one at a time) of the struct members makes the code run without an abort

Comment 4 Jakub Jelinek 2009-03-02 16:01:02 UTC
Tracking this upstream.

Comment 5 Jakub Jelinek 2009-03-04 20:14:00 UTC
Should be fixed in gcc-4.4.0-0.22.

Comment 6 Dan Horák 2009-03-04 20:46:52 UTC
(In reply to comment #5)
> Should be fixed in gcc-4.4.0-0.22.

confirmed

