507829 – disallowed constructs with gcc -D_FORTIFY_SOURCE=2

Bug 507829 - disallowed constructs with gcc -D_FORTIFY_SOURCE=2

Summary: disallowed constructs with gcc -D_FORTIFY_SOURCE=2

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	hunspell
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Caolan McNamara
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	532481
TreeView+	depends on / blocked

Reported:	2009-06-24 13:05 UTC by Yanko Kaneti
Modified:	2009-11-02 15:13 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	532481 (view as bug list)
Environment:
Last Closed:	2009-11-02 15:13:45 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Yanko Kaneti 2009-06-24 13:05:55 UTC

+++ This bug was initially created as a clone of Bug #506952 +++

There is a problem with the hunspell code that gets flagged (with aborting) by the new fortify checks that gcc in rawhide does. Here are the last two comments from the xulrunner bug. The comments and the crash are for xulrunners private hunspell copy but they should apply to hunspell proper as well as there are no significant modifications from hunspell-1.2.8.

Note that the last hunspell build in rawhide is not done with the stricter gcc, but any potential rebuild would need this addressed.



fixed the startup crash for me but I get reproducible fortify fail opening this particular bugreport. (Logged in , hence with the comments box present and that hunspell stuff you can see below)
......

#3  0x0000003ccf6f7537 in *__GI___fortify_fail (
    msg=0x3ccf73436f "buffer overflow detected") at fortify_fail.c:32
#4  0x0000003ccf6f5590 in *__GI___chk_fail () at chk_fail.c:29
#5  0x00007ffff1537c12 in strcpy (__src=<value optimized out>, 
    __dest=<value optimized out>) at /usr/include/bits/string3.h:106
#6  HashMgr::add_word (__src=<value optimized out>, __dest=<value optimized out>)
    at hashmgr.cpp:191
#7  0x00007ffff1538313 in HashMgr::load_tables (this=0x324a430, 
    tpath=<value optimized out>, key=<value optimized out>) at hashmgr.cpp:527
#8  0x00007ffff1538473 in HashMgr::HashMgr (this=0x324a430, 
    tpath=0x7fffffff9360 "/usr/lib64/xulrunner-1.9.1/dictionaries/en_ZW.dic", 
    apath=<value optimized out>, key=0x0) at hashmgr.cpp:105
#9  0x00007ffff153cae5 in Hunspell::Hunspell (this=0x324a340, 
    affpath=0x3912d38 "/usr/lib64/xulrunner-1.9.1/dictionaries/en_ZW.aff", 
    dpath=0x7fffffff9360 "/usr/lib64/xulrunner-1.9.1/dictionaries/en_ZW.dic", key=0x0)
    at hunspell.cpp:87
#10 0x00007ffff1527ef2 in mozHunspell::SetDictionary (this=0x39d11d0, 
    aDictionary=<value optimized out>) at mozHunspell.cpp:157
#11 0x00007ffff151e737 in mozSpellChecker::SetCurrentDictionary (this=0x324a2b0, 
    aDictionary=@0x7fffffff9470) at mozSpellChecker.cpp:373
#12 0x00007ffff140afef in nsEditorSpellCheck::SetCurrentDictionary (
    this=<value optimized out>, aDictionary=<value optimized out>)
    at nsEditorSpellCheck.cpp:455
#13 0x00007ffff140c0e0 in nsEditorSpellCheck::InitSpellChecker (this=0x39d0e20, 
    aEditor=0x7ffff0dbeb3c, aEnableSelectionChecking=0) at nsEditorSpellCheck.cpp:212
#14 0x00007ffff1522fba in mozInlineSpellChecker::SetEnableRealTimeSpell (this=0x39cd190, 
    aEnabled=<value optimized out>) at mozInlineSpellChecker.cpp:726
#15 0x00007ffff116072e in nsEditor::SyncRealTimeSpell (this=0x2dcc390)
    at nsEditor.cpp:1341
#16 0x00007ffff115976b in nsEditor::PostCreate (this=0x228e) at nsEditor.cpp:246
.....

--- Additional comment from jakub on 2009-06-24 08:18:40 EDT ---

struct hentry
{
  unsigned char blen; // word length in bytes
  unsigned char clen; // word length in characters (different for UTF-8 enc.)
  short    alen;      // length of affix flag vector
  unsigned short * astr;  // affix flag vector
  struct   hentry * next; // next word with same hash code
  struct   hentry * next_homonym; // next homonym word (with same hash code)
  char     var;       // variable fields (only for special pronounciation yet)
  char     word;      // variable-length word (8-bit or UTF-8 encoding)
};
...
    // variable-length hash record with word and optional fields
    struct hentry* hp = 
        (struct hentry *) malloc (sizeof(struct hentry) + wbl + descl);
    if (!hp) return 1;
    char * hpw = &(hp->word);
    strcpy(hpw, word);

That's intentionally not allowed with -D_FORTIFY_SOURCE=2, which doesn't allow crossing field boundaries for str*/stp* etc. functions (and still allows that for mem* etc.).  Change that to char word[1];, or char word[];, or char word[0].
In the latter two cases (flexible array member and zero length) you obviously need to check all the allocations, because sizeof(struct hentry) will decrease by 1, in the first case not.  Only arrays as last fields are flexible array members or handled as poor alternatives to flexible array members by gcc.

Comment 1 Caolan McNamara 2009-06-24 13:35:56 UTC

indeed

Comment 2 Caolan McNamara 2009-06-24 15:16:45 UTC

hunspell-1.2.8-6.fc12 should do the trick, in theory at least, hard to be certain given the busted state of my local rawhide setup

Comment 3 Yanko Kaneti 2009-06-24 16:09:03 UTC

Adapted to the mozilla copy it certainly helps firefox not crash. Thanks.

Comment 4 Deji Akingunola 2009-11-02 14:37:36 UTC

I'm re-opening this bug because similar problem is preventing texmaker from starting. Here is what I get when I tried to run texmaker in gdb;
... 
(gdb) bt
#0  0x00000031da433575 in raise (sig=<value optimized out>)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00000031da434d55 in abort () at abort.c:92
#2  0x00000031da470393 in __libc_message (do_abort=<value optimized out>, 
    fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:186
#3  0x00000031da4faae7 in __fortify_fail (msg=
    0x31da540fb5 "buffer overflow detected") at fortify_fail.c:32
#4  0x00000031da4f8a50 in __chk_fail () at chk_fail.c:29
#5  0x00000000004ff3fb in strcpy (__src=<value optimized out>, 
    __dest=<value optimized out>) at /usr/include/bits/string3.h:106
#6  HashMgr::add_word (__src=<value optimized out>, 
    __dest=<value optimized out>) at hunspell/hashmgr.cxx:138
#7  0x00000000004ffc5e in HashMgr::load_tables (this=0xb76dc0, 
    tpath=<value optimized out>, key=<value optimized out>)
    at hunspell/hashmgr.cxx:474
#8  0x00000000004ffe32 in HashMgr::HashMgr (this=0xb76dc0, tpath=
    0xbaabd8 "/usr/share/myspell/en_US.dic", apath=<value optimized out>, key=
    0x0) at hunspell/hashmgr.cxx:52
#9  0x000000000050535a in Hunspell::Hunspell (this=0xb8a2b0, affpath=
    0xb74e58 "/usr/share/myspell/en_US.aff", dpath=
    0xbaabd8 "/usr/share/myspell/en_US.dic", key=0x0)
    at hunspell/hunspell.cxx:35
#10 0x0000000000470e1e in Texmaker::Texmaker (this=0xb82810,

Comment 5 Caolan McNamara 2009-11-02 15:13:45 UTC

texmaker has a copy of hunspell inside it, its that copy which is crashing, not the system version

Note You need to log in before you can comment on or make changes to this bug.