Bug 110579 - O2, O1 optimizations cause a buffer overflow panic during a strcpy
Summary: O2, O1 optimizations cause a buffer overflow panic during a strcpy
Status: RESOLVED INVALID
Alias: None
Product: gcc
Classification: Unclassified
Component: tree-optimization
Version: 11.3.0
Importance: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords: diagnostic, wrong-code
Depends on:
Blocks: Wstringop-overflow
Reported: 2023-07-06 20:14 UTC by Gabriel
Modified: 2023-07-07 21:16 UTC

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed:


Attachments
Output of compiling the source code. (1.38 KB, text/plain)
2023-07-06 20:14 UTC, Gabriel
Processed *.i files (683.41 KB, application/x-gzip)
2023-07-06 20:14 UTC, Gabriel

Description Gabriel 2023-07-06 20:14:26 UTC
Created attachment 55493 [details]
Output of compiling the source code.

O2, O1 optimizations of the attached .i file trigger a buffer overflow panic during a strcpy.
The project being compiled is tar 1.14.
The unoptimized version does not panic and performs the expected behavior, creating an archive.

* the exact version of GCC;
  - 11.3.0, 12.1.0, 9.5.0
* the system type;
  - Ubuntu 22.04.1
* the options given when GCC was configured/built;
  - 11.3.0: Configured with: ../src/configure -v --with-pkgversion='Ubuntu 11.3.0-1ubuntu1~22.04.1' --with-bugurl=file:///usr/share/doc/gcc-11/README.Bugs --enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++,m2 --prefix=/usr --with-gcc-major-version-only --program-suffix=-11 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --enable-bootstrap --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-plugin --enable-default-pie --with-system-zlib --enable-libphobos-checking=release --with-target-system-zlib=auto --enable-objc-gc=auto --enable-multiarch --disable-werror --enable-cet --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-offload-targets=nvptx-none=/build/gcc-11-aYxV0E/gcc-11-11.3.0/debian/tmp-nvptx/usr,amdgcn-amdhsa=/build/gcc-11-aYxV0E/gcc-11-11.3.0/debian/tmp-gcn/usr --without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu --with-build-config=bootstrap-lto-lean --enable-link-serialization=2
  - 9.5.0: Configured with: ../src/configure -v --with-pkgversion='Ubuntu 9.5.0-1ubuntu1~22.04' --with-bugurl=file:///usr/share/doc/gcc-9/README.Bugs --enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++,gm2 --prefix=/usr --with-gcc-major-version-only --program-suffix=-9 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --enable-bootstrap --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-plugin --enable-default-pie --with-system-zlib --with-target-system-zlib=auto --enable-objc-gc=auto --enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-offload-targets=nvptx-none=/build/gcc-9-5Q4PKF/gcc-9-9.5.0/debian/tmp-nvptx/usr,hsa --without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu --with-build-config=bootstrap-lto-lean --enable-link-mutex
  - 12.1.0: Configured with: ../src/configure -v --with-pkgversion='Ubuntu 12.1.0-2ubuntu1~22.04' --with-bugurl=file:///usr/share/doc/gcc-12/README.Bugs --enable-languages=c,ada,c++,go,d,fortran,objc,obj-c++,m2 --prefix=/usr --with-gcc-major-version-only --program-suffix=-12 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-plugin --enable-default-pie --with-system-zlib --enable-libphobos-checking=release --with-target-system-zlib=auto --enable-objc-gc=auto --enable-multiarch --disable-werror --enable-cet --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-offload-targets=nvptx-none=/build/gcc-12-sZcx2y/gcc-12-12.1.0/debian/tmp-nvptx/usr,amdgcn-amdhsa=/build/gcc-12-sZcx2y/gcc-12-12.1.0/debian/tmp-gcn/usr --enable-offload-defaulted --without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
* the complete command line that triggers the bug;
  - ./tar cf foo.tar bar
* the compiler output (error messages, warnings, etc.); and
  - See make_output file
* the preprocessed file (*.i*) that triggers the bug
Comment 1 Gabriel 2023-07-06 20:14:59 UTC
Created attachment 55494 [details]
Processed *.i files
Comment 2 Sam James 2023-07-06 20:35:58 UTC
Could you give us a backtrace with -ggdb3 when it aborts at runtime?
Comment 3 Andrew Pinski 2023-07-06 20:41:00 UTC
The warning:
In function ‘strcpy’,
    inlined from ‘start_header’ at create.c:695:7:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:79:10: warning: ‘__builtin___strcpy_chk’ writing 8 bytes into a region of size 6 [-Wstringop-overflow=]
   79 |   return __builtin___strcpy_chk (__dest, __src, __glibc_objsize (__dest));
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Which comes from:

      strcpy (header->header.magic, "ustar  "); //8


The code is not _FORTIFY_SOURCE=2 safe which requires strcpy to only write exactly the amount to those fields and not combine character fields as different.


  char magic[6];
  char version[2];
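The failure comment 3 describes is a fortified strcpy check, not a miscompilation: with _FORTIFY_SOURCE=2 the destination size is that of the enclosing sub-object (magic[6]), and the 8-byte copy of "ustar  " plus its terminator only ever worked because the last two bytes spilled into the adjacent version[2]. The following C program is an added illustration, not code from the bug report or from tar: the struct is a constructed fragment with the magic/version fields at the sizes quoted above and assumed neighbouring fields, strcpy_fits_field mirrors the sub-object size rule the fortified strcpy applies, and set_magic_version shows one fortify-clean way to produce the same bytes (a per-field memcpy, not claimed to be the upstream tar fix).

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the part of tar's posix_header that matters here:
   a 6-byte magic field immediately followed by a 2-byte version field,
   as quoted in comment 3.  The neighbouring fields are assumed. */
struct posix_header_fragment {
    char name[8];
    char magic[6];
    char version[2];
    char uname[8];
};

/* Old-GNU values: magic is "ustar " (6 bytes, no terminator),
   version is " " followed by NUL (2 bytes). */
#define MAGIC_OLDGNU   "ustar "
#define VERSION_OLDGNU " "

/* Mirrors what _FORTIFY_SOURCE=2 asks of strcpy: the copy (strlen + NUL)
   must fit in the size of the enclosing sub-object, not the whole struct.
   Returns 1 when the copy fits, 0 when the fortified strcpy would abort. */
static int strcpy_fits_field(size_t field_size, const char *src)
{
    return strlen(src) + 1 <= field_size;
}

/* The tar 1.14 pattern from comment 3 (deliberately not executed here):
 *
 *     strcpy (header->header.magic, "ustar  ");   // 8 bytes into magic[6]
 *
 * It only works because the last two bytes spill into version[2]. */

/* Fortify-clean equivalent: each field gets its own exact-length memcpy,
   so no write crosses a sub-object boundary. */
static void set_magic_version(struct posix_header_fragment *h)
{
    memcpy(h->magic, MAGIC_OLDGNU, sizeof h->magic);       /* 6 bytes */
    memcpy(h->version, VERSION_OLDGNU, sizeof h->version); /* ' ' and '\0' */
}

/* Returns 1 when the two fields hold exactly the bytes the original
   overlapping strcpy produced and the following field is untouched. */
static int check_layout(void)
{
    struct posix_header_fragment h;
    memset(&h, 0xAA, sizeof h);          /* sentinel to detect any spill */
    set_magic_version(&h);
    return memcmp(h.magic, "ustar ", 6) == 0
        && h.version[0] == ' ' && h.version[1] == '\0'
        && (unsigned char)h.uname[0] == 0xAAu;
}

int main(void)
{
    printf("strcpy of \"ustar  \" into magic[6] fits: %d\n",
           strcpy_fits_field(6, "ustar  "));
    printf("split memcpy produces the expected bytes: %d\n", check_layout());
    return check_layout() ? 0 : 1;
}
```

The same rule explains why an unoptimized build does not abort: __builtin_object_size only resolves the sub-object size once the access is visible to the optimizer, so at -O0 the fortified call falls back to an unchecked copy and the spill goes unnoticed.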
Comment 4 Andrew Pinski 2023-07-06 20:45:08 UTC
All of these FORTIFY issues have been fixed for a long time now (over 10 years).

Why are you trying to use an old version of gnu tar?

e.g. https://lists.gnu.org/archive/html/bug-tar/2010-02/msg00010.html
Comment 5 Gabriel 2023-07-06 20:54:33 UTC
I see. That makes sense.

Our research project has a dataset with tar 1.14. Our plan is to compare our work with existing work in the dataset and to be consistent, use tar 1.14. We noticed our binary compiled with gcc would abort when creating an archive while using clang was fine.