Bug 12490 - buffer overflow in scan-decls.c
buffer overflow in scan-decls.c
Status: RESOLVED FIXED
Product: gcc
Classification: Unclassified
Component: bootstrap
3.3.1
: P2 critical
: 3.3.2
Assigned To: Eric Botcazou
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2003-10-02 08:54 UTC by Timo Kokkonen
Modified: 2005-07-23 22:49 UTC (History)
2 users (show)

See Also:
Host: sparc-sun-solaris2.9
Target: sparc-sun-solaris2.9
Build:
Known to work:
Known to fail:
Last reconfirmed:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Timo Kokkonen 2003-10-02 08:54:46 UTC
Apparently recent patches from Sun make some changes to system
headers in Solaris 9, causing fix-header to segfault when doing
"make bootstrap".


How to reproduce (on Solaris 9 with latest recommended patches installed,
using gcc-3.3 as bootstrap compiler):

# mkdir objdir; cd objdir
# ../configure --prefix=/opt/gcc-3.3.1 --enable-languages=c,c++ --disable-nls 
--disable-shared
# make bootstrap
...
if [ -f fixhdr.ready ] ; then \
        true; \
else \
        echo timestamp > fixhdr.ready; \
fi
if [ -f include/fixed ] ; then true; \
else \
  : This line works around a 'make' bug in BSDI 1.1.; \
  FIXPROTO_DEFINES=""; export FIXPROTO_DEFINES; \
  mkinstalldirs="/bin/sh ../../gcc/mkinstalldirs"; \
    export mkinstalldirs; \
  if [ -d /usr/include ] ; then \
    /bin/sh ../../gcc/fixproto include include /usr/include; \
    if [ $? -eq 0 ] ; then true ; else exit 1 ; fi ; \
  else true; fi; \
  echo timestamp > include/fixed; \
fi
fixproto: populating `include'
fix-header: fixing curses.h
Segmentation Fault - core dumped
make[2]: *** [stmp-fixproto] Error 1
make[2]: Leaving directory `/opt/src/gcc/gcc-3.3.1/objdir/gcc'
make[1]: *** [stage1_build] Error 2
make[1]: Leaving directory `/opt/src/gcc/gcc-3.3.1/objdir/gcc'
make: *** [bootstrap] Error 2


After investigating this with gdb, it seems global variable
symbol_table (from fix-header.c) gets overwritten when
extern_C_braces (from scan-decls.c) overflows, if there are
too many nested braces in header files.


Following seems to fix the problem, but this is just a hack
not a real fix, since this might still happen if there are
really many nested braces in some weird header file :)

--- gcc-3.3.1/gcc/scan-decls.c.orig     Thu Oct  2 11:49:15 2003
+++ gcc-3.3.1/gcc/scan-decls.c  Thu Oct  2 11:50:16 2003
@@ -32,7 +32,7 @@
    indicate the (brace nesting levels of) left braces that were
    prefixed by extern "C".  */
 int extern_C_braces_length = 0;
-char extern_C_braces[20];
+char extern_C_braces[200];
 #define in_extern_C_brace (extern_C_braces_length>0)
 
 /* True if the function declaration currently being scanned is
Comment 1 Eric Botcazou 2003-10-03 03:59:05 UTC
That's really annoying and we should fix it for GCC 3.3.2.

I think your solution is good enough because fixproto will be obsoleted in GCC
3.4 (in particular on Solaris machines). Any chance that you could estimate the
maximum nesting level? I'd like to both have a security margin and put a comment.

Thanks in advance.
Comment 2 Eric Botcazou 2003-10-03 03:59:56 UTC
I'll take care of it.
Comment 3 Mark Mitchell 2003-10-05 18:29:39 UTC
Subject: Re:  buffer overflow in scan-decls.c
	(bootstrap fails)

On Fri, 2003-10-03 at 23:18, ebotcazou at gcc dot gnu dot org wrote:
> PLEASE REPLY TO gcc-bugzilla@gcc.gnu.org ONLY, *NOT* gcc-bugs@gcc.gnu.org.
> 
> http://gcc.gnu.org/bugzilla/show_bug.cgi?id=12490

This patch is OK.  For extra brownie points, add an error message in the
case that extern_C_braces_length overflows the array bounds, but that's
not necessary if you don't have time.

Thanks,

Comment 4 CVS Commits 2003-10-08 12:29:36 UTC
Subject: Bug 12490

CVSROOT:	/cvs/gcc
Module name:	gcc
Changes by:	ebotcazou@gcc.gnu.org	2003-10-08 12:29:28

Modified files:
	gcc            : ChangeLog scan-decls.c 

Log message:
	PR bootstrap/12490
	* scan-decls.c (MAX_EXTERN_C_BRACES): New preprocessor constant
	to define the size of the extern_C_braces array.  Set it to 200.
	(scan_decls): Abort when extern_C_braces_length is out-of-bounds.

Patches:
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/gcc/ChangeLog.diff?cvsroot=gcc&r1=2.1336&r2=2.1337
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/gcc/scan-decls.c.diff?cvsroot=gcc&r1=1.32&r2=1.33

Comment 5 CVS Commits 2003-10-08 12:33:52 UTC
Subject: Bug 12490

CVSROOT:	/cvs/gcc
Module name:	gcc
Branch: 	gcc-3_3-branch
Changes by:	ebotcazou@gcc.gnu.org	2003-10-08 12:33:49

Modified files:
	gcc            : ChangeLog scan-decls.c 

Log message:
	PR bootstrap/12490
	* scan-decls.c (MAX_EXTERN_C_BRACES): New preprocessor constant
	to define the size of the extern_C_braces array.  Set it to 200.
	(scan_decls): Abort when extern_C_braces_length is out-of-bounds.

Patches:
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/gcc/ChangeLog.diff?cvsroot=gcc&only_with_tag=gcc-3_3-branch&r1=1.16114.2.773&r2=1.16114.2.774
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/gcc/scan-decls.c.diff?cvsroot=gcc&only_with_tag=gcc-3_3-branch&r1=1.30&r2=1.30.20.1

Comment 6 Eric Botcazou 2003-10-08 12:37:58 UTC
Patch applied with Mark's amelioration.