realpath() built with >=gcc-4.3 (where FORTIFY is enabled by default) and -Ox where x>0 causes the application to abort. Test case: the following code built with gcc -O2:

==========================================================================
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main (int argc, char *argv[])
{
    int ret;
    /* 1024 bytes is smaller than PATH_MAX, which is what the fortified
     * realpath() checks against at run time */
    char device_file_or_mount_point[1024];

    if (argc < 2 || strlen (argv[1]) == 0) {
        fprintf (stderr, "%s: pass relative path.\n", argv[0]);
        return 1;
    }
    realpath(argv[1], device_file_or_mount_point);
    return 0;
}
==========================================================================

produces:

$ ./a.out /boot/
*** buffer overflow detected ***: ./a.out terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7f1adb1c33a7]
/lib/libc.so.6[0x7f1adb1c03d0]
/lib/libc.so.6[0x7f1adb1c0a9b]
./a.out(main+0x55)[0x7f1adb6518c5]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7f1adb1015c6]
./a.out[0x7f1adb651789]
======= Memory map: ========
[snip]

I found this bug with the umount.hal helper, which started to fail here after this commit:
http://cgit.freedesktop.org/hal/commit/?id=6d8eed9015a6ca648fe1dad575621b6ea959a748

But probably other applications are affected too. At least I found a similar issue with python reported here:
https://bugs.launchpad.net/ubuntu/+source/gcc-defaults/+bug/286334

Also I found that scilab has commit 6a5321bddceaf0e4761f29a507bfad6e1f3a7b33 (googleable) that basically modifies the realpath(r,a) call to a=realpath(r,NULL).

Reproduced with gcc-4.4.2 (glibc-2.11) and gcc-4.3.4 (glibc-2.9_p20081201-r2)

$ LC_ALL=C gcc --version
gcc (Gentoo 4.4.2 p1.0) 4.4.2

$ uname -a
Linux tablet 2.6.32-gentoo #2 SMP PREEMPT Sat Dec 19 23:36:55 MSK 2009 x86_64 Intel(R) Core(TM)2 Duo CPU L7500 @ 1.60GHz GenuineIntel GNU/Linux
The buffer should be at least PATH_MAX bytes. If PATH_MAX > 1024, then 1024 bytes need not be enough. But anyway, realpath() comes from glibc, so even if this is a bug, you're reporting it to the wrong folks.
You also need to attach preprocessed source as it will be very glibc specific.
The testcase is indeed invalid, if the second argument to realpath is not NULL, it must be a buffer at least PATH_MAX bytes long.
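The two valid ways to call realpath() that the replies above point to, as an added example that is not part of the bug report or of any of the projects it mentions: a caller-owned buffer sized PATH_MAX, which satisfies the FORTIFY check that aborted the 1024-byte test case, and the allocating form realpath(r, NULL) that the scilab commit switched to. The helper names and the sample inputs are constructed for this example.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Caller-owned buffer variant. The destination must hold PATH_MAX bytes;
 * with FORTIFY_SOURCE the compiler passes the buffer's known size to the
 * fortified realpath(), which aborts when that size is below PATH_MAX. */
static int resolve_into_buffer(const char *path, char out[PATH_MAX])
{
    return realpath(path, out) != NULL ? 0 : -1;
}

/* Allocating variant (POSIX.1-2008). glibc sizes the result itself, so
 * there is no fixed-size buffer to overflow. The caller must free() it. */
static char *resolve_alloc(const char *path)
{
    return realpath(path, NULL);
}

/* Returns 1 when both variants succeed and yield `expected`, else 0.
 * A nonexistent path makes realpath() fail with NULL, which yields 0. */
static int check_resolution(const char *path, const char *expected)
{
    char buf[PATH_MAX];
    char *heap = resolve_alloc(path);
    int ok = heap != NULL
          && resolve_into_buffer(path, buf) == 0
          && strcmp(heap, expected) == 0
          && strcmp(buf, expected) == 0;
    free(heap);
    return ok;
}

int main(void)
{
    /* Constructed inputs: each canonicalises to the root directory. */
    const char *inputs[] = { "/", "/.", "/..", "//", "/./../." };
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++)
        printf("%-10s -> %s\n", inputs[i],
               check_resolution(inputs[i], "/") ? "/" : "mismatch");
    return 0;
}
```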