#621 Fix buffer overflow w/ GCC 4.5 and -D_FORTIFY_SOURCE=2

closed-fixed
46. Traces (1)
5
2010-08-19
2010-08-19
No

Many distros are enabling -D_FORTIFY_SOURCE=2 by default these days. When tcl is built with GCC 4.5 this exposes a buffer overflow:

$ wish
*** buffer overflow detected ***: wish terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x3cc86e77a7]
/lib/libc.so.6[0x3cc86e55c0]
/usr/lib64/libtcl8.5.so[0x3cc9acc692]
/usr/lib64/libtcl8.5.so[0x3cc9acbf68]
/usr/lib64/libtcl8.5.so[0x3cc9a34258]
/usr/lib64/libtcl8.5.so[0x3cc9a77880]
/usr/lib64/libtcl8.5.so[0x3cc9a7fc49]
/usr/lib64/libtcl8.5.so(TclEvalObjEx+0x85)[0x3cc9a36535]
/usr/lib64/libtcl8.5.so[0x3cc9a49a26]
/usr/lib64/libtcl8.5.so[0x3cc9a34258]
/usr/lib64/libtcl8.5.so[0x3cc9a35d40]
/usr/lib64/libtcl8.5.so(Tcl_EvalEx+0x16)[0x3cc9a36466]
/usr/lib64/libtcl8.5.so(Tcl_FSEvalFileEx+0x241)[0x3cc9a9d2d1]
/usr/lib64/libtcl8.5.so[0x3cc9a483ab]
/usr/lib64/libtcl8.5.so[0x3cc9a34258]
/usr/lib64/libtcl8.5.so(Tcl_EvalObjv+0x48)[0x3cc9a347e8]
/usr/lib64/libtcl8.5.so(TclEvalObjEx+0x368)[0x3cc9a36818]
/usr/lib64/libtcl8.5.so[0x3cc9abb0df]
/usr/lib64/libtcl8.5.so[0x3cc9a34258]
/usr/lib64/libtcl8.5.so[0x3cc9a77880]
/usr/lib64/libtcl8.5.so(TclObjInterpProcCore+0x10c)[0x3cc9abb67c]
/usr/lib64/libtcl8.5.so[0x3cc9a34258]
/usr/lib64/libtcl8.5.so(Tcl_EvalObjv+0x48)[0x3cc9a347e8]
/usr/lib64/libtcl8.5.so(TclEvalObjEx+0x368)[0x3cc9a36818]
/usr/lib64/libtcl8.5.so[0x3cc9abb0df]
/usr/lib64/libtcl8.5.so[0x3cc9a34258]
/usr/lib64/libtcl8.5.so[0x3cc9a77880]
/usr/lib64/libtcl8.5.so(TclObjInterpProcCore+0x10c)[0x3cc9abb67c]
/usr/lib64/libtcl8.5.so[0x3cc9a34258]
/usr/lib64/libtcl8.5.so[0x3cc9a34551]
/usr/lib64/libtcl8.5.so[0x3cc9a77880]
/usr/lib64/libtcl8.5.so(TclObjInterpProcCore+0x10c)[0x3cc9abb67c]
/usr/lib64/libtcl8.5.so[0x3cc9a34258]
/usr/lib64/libtcl8.5.so[0x3cc9a35d40]
/usr/lib64/libtcl8.5.so(Tcl_EvalEx+0x16)[0x3cc9a36466]
/usr/lib64/libtcl8.5.so(Tcl_Eval+0x1d)[0x3cc9a3648d]
/usr/lib64/libtk8.5.so[0x3ccae609bd]
wish(Tcl_AppInit+0x28)[0x4009b8]
/usr/lib64/libtk8.5.so(Tk_MainEx+0x270)[0x3ccae50fe0]
wish(main+0x2c)[0x400a3c]
/lib/libc.so.6(__libc_start_main+0xfd)[0x3cc861ecdd]
wish[0x4008c9]
======= Memory map: ========
00400000-00401000 r-xp 00000000 fe:00 48106 /usr/bin/wish8.5
00600000-00601000 r--p 00000000 fe:00 48106 /usr/bin/wish8.5
00601000-00602000 rw-p 00001000 fe:00 48106 /usr/bin/wish8.5
00d8d000-00f27000 rw-p 00000000 00:00 0 [heap]
3cc8200000-3cc821e000 r-xp 00000000 08:03 30552 /lib64/ld-2.12.1.so
3cc841e000-3cc841f000 r--p 0001e000 08:03 30552 /lib64/ld-2.12.1.so
3cc841f000-3cc8420000 rw-p 0001f000 08:03 30552 /lib64/ld-2.12.1.so
3cc8420000-3cc8421000 rw-p 00000000 00:00 0
3cc8600000-3cc8762000 r-xp 00000000 08:03 30553 /lib64/libc-2.12.1.so
3cc8762000-3cc8962000 ---p 00162000 08:03 30553 /lib64/libc-2.12.1.so
3cc8962000-3cc8966000 r--p 00162000 08:03 30553 /lib64/libc-2.12.1.so
3cc8966000-3cc8967000 rw-p 00166000 08:03 30553 /lib64/libc-2.12.1.so
3cc8967000-3cc896c000 rw-p 00000000 00:00 0
3cc8a00000-3cc8a81000 r-xp 00000000 08:03 30556 /lib64/libm-2.12.1.so
3cc8a81000-3cc8c80000 ---p 00081000 08:03 30556 /lib64/libm-2.12.1.so
3cc8c80000-3cc8c81000 r--p 00080000 08:03 30556 /lib64/libm-2.12.1.so
3cc8c81000-3cc8c82000 rw-p 00081000 08:03 30556 /lib64/libm-2.12.1.so
3cc8e00000-3cc8e02000 r-xp 00000000 08:03 30555 /lib64/libdl-2.12.1.so
3cc8e02000-3cc9002000 ---p 00002000 08:03 30555 /lib64/libdl-2.12.1.so
3cc9002000-3cc9003000 r--p 00002000 08:03 30555 /lib64/libdl-2.12.1.so
3cc9003000-3cc9004000 rw-p 00003000 08:03 30555 /lib64/libdl-2.12.1.so
3cc9200000-3cc9218000 r-xp 00000000 08:03 30559 /lib64/libpthread-2.12.1.so
3cc9218000-3cc9417000 ---p 00018000 08:03 30559 /lib64/libpthread-2.12.1.so
3cc9417000-3cc9418000 r--p 00017000 08:03 30559 /lib64/libpthread-2.12.1.so
3cc9418000-3cc9419000 rw-p 00018000 08:03 30559 /lib64/libpthread-2.12.1.so
3cc9419000-3cc941d000 rw-p 00000000 00:00 0
3cc9600000-3cc9616000 r-xp 00000000 08:03 30554 /lib64/libz.so.1.2.5
3cc9616000-3cc9816000 ---p 00016000 08:03 30554 /lib64/libz.so.1.2.5
3cc9816000-3cc9817000 r--p 00016000 08:03 30554 /lib64/libz.so.1.2.5
3cc9817000-3cc9818000 rw-p 00017000 08:03 30554 /lib64/libz.so.1.2.5
3cc9a00000-3cc9b14000 r-xp 00000000 fe:00 11893 /usr/lib64/libtcl8.5.so
3cc9b14000-3cc9d13000 ---p 00114000 fe:00 11893 /usr/lib64/libtcl8.5.so
3cc9d13000-3cc9d17000 r--p 00113000 fe:00 11893 /usr/lib64/libtcl8.5.so
3cc9d17000-3cc9d1f000 rw-p 00117000 fe:00 11893 /usr/lib64/libtcl8.5.so
3cc9d1f000-3cc9d20000 rw-p 00000000 00:00 0
3cc9e00000-3cc9f3a000 r-xp 00000000 fe:00 57425 /usr/lib64/libX11.so.6.3.0
3cc9f3a000-3cca13a000 ---p 0013a000 fe:00 57425 /usr/lib64/libX11.so.6.3.0
3cca13a000-3cca13b000 r--p 0013a000 fe:00 57425 /usr/lib64/libX11.so.6.3.0
3cca13b000-3cca140000 rw-p 0013b000 fe:00 57425 /usr/lib64/libX11.so.6.3.0
3cca200000-3cca202000 r-xp 00000000 fe:00 57409 /usr/lib64/libXau.so.6.0.0
3cca202000-3cca401000 ---p 00002000 fe:00 57409 /usr/lib64/libXau.so.6.0.0
3cca401000-3cca402000 r--p 00001000 fe:00 57409 /usr/lib64/libXau.so.6.0.0
3cca402000-3cca403000 rw-p 00002000 fe:00 57409 /usr/lib64/libXau.so.6.0.0
3cca600000-3cca61c000 r-xp 00000000 fe:00 57419 /usr/lib64/libxcb.so.1.1.0
3cca61c000-3cca81b000 ---p 0001c000 fe:00 57419 /usr/lib64/libxcb.so.1.1.0
3cca81b000-3cca81c000 r--p 0001b000 fe:00 57419 /usr/lib64/libxcb.so.1.1.0
3cca81c000-3cca81d000 rw-p 0001c000 fe:00 57419 /usr/lib64/libxcb.so.1.1.0
3ccaa00000-3ccaa05000 r-xp 00000000 fe:00 57414 /usr/lib64/libXdmcp.so.6.0.0
3ccaa05000-3ccac04000 ---p 00005000 fe:00 57414 /usr/lib64/libXdmcp.so.6.0.0
3ccac04000-3ccac05000 r--p 00004000 fe:00 57414 /usr/lib64/libXdmcp.so.6.0.0
3ccac05000-3ccac06000 rw-p 00005000 fe:00 57414 /usr/lib64/libXdmcp.so.6.0.0
3ccae00000-3ccaf28000 r-xp 00000000 fe:00 61802 /usr/lib64/libtk8.5.so
3ccaf28000-3ccb128000 ---p 00128000 fe:00 61802 /usr/lib64/libtk8.5.so
3ccb128000-3ccb131000 r--p 00128000 fe:00 61802 /usr/lib64/libtk8.5.so
3ccb131000-3ccb146000 rw-p 00131000 fe:00 61802 /usr/lib64/libtk8.5.so
3ccb200000-3ccb215000 r-xp 00000000 08:03 30558 /lib64/libgcc_s.so.1
3ccb215000-3ccb414000 ---p 00015000 08:03 30558 /lib64/libgcc_s.so.1
3ccb414000-3ccb415000 r--p 00014000 08:03 30558 /lib64/libgcc_s.so.1
3ccb415000-3ccb416000 rw-p 00015000 08:03 30558 /lib64/libgcc_s.so.1
3ccc200000-3ccc296000 r-xp 00000000 fe:00 58257 /usr/lib64/libfreetype.so.6.6.0
3ccc296000-3ccc496000 ---p 00096000 fe:00 58257 /usr/lib64/libfreetype.so.6.6.0
3ccc496000-3ccc49b000 r--p 00096000 fe:00 58257 /usr/lib64/libfreetype.so.6.6.0
3ccc49b000-3ccc49c000 rw-p 0009b000 fe:00 58257 /usr/lib64/libfreetype.so.6.6.0
3ccca00000-3ccca27000 r-xp 00000000 fe:00 57180 /usr/lib64/libexpat.so.1.5.2
3ccca27000-3cccc27000 ---p 00027000 fe:00 57180 /usr/lib64/libexpat.so.1.5.2
Aborted

The attached patch is being used by Fedora and Suse and fixes the problem for me.

https://bugs.gentoo.org/317727

Discussion

  • dirtyepic @ gentoo

    tcl-8.5.8-fortify.patch

  • Donal K. Fellows

    Patch looks reasonable, but I'm concerned about the issue reported in the original Gentoo bug. We shouldn't be under-allocating buffers. Still, if the patch fixes it then it's fine with me. (I prefer memcpy to strcpy anyway.)

    I just hate doing things without being able to verify the fix in the test suite. (I also updated two other places in the same source file which were using the same pattern.)
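The two points raised in this comment, that buffers must not be under-allocated and that a length-checked memcpy is preferable to strcpy, are shown below in a small C example added here; it is not Tcl's code or the attached patch, and the function names (`bytes_needed`, `bounded_copy`, `dup_with_terminator`, `copy_fits_in`) are hypothetical. It also shows, behind an opt-in macro, the kind of fixed-size strcpy that the glibc `__strcpy_chk` wrapper aborts with the same "buffer overflow detected" message when the code is built with `-D_FORTIFY_SOURCE=2` at `-O1` or higher.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Bytes a C string needs in a destination, terminator included.
   Allocating strlen(src) instead of this is the under-allocation
   the thread describes: strcpy() then writes the NUL one byte
   past the end, which __strcpy_chk (enabled by -D_FORTIFY_SOURCE=2
   at -O1 or higher) reports as "buffer overflow detected". */
size_t bytes_needed(const char *src) {
    return strlen(src) + 1;
}

/* Copy src into dst of capacity dst_size with an explicit length,
   never writing past dst_size. Returns the number of characters
   copied (terminator excluded) or -1 if src does not fit; on
   failure nothing is written. Hypothetical helper, not Tcl's. */
long bounded_copy(char *dst, size_t dst_size, const char *src) {
    size_t need = bytes_needed(src);
    if (need > dst_size) {
        return -1;
    }
    memcpy(dst, src, need);   /* memcpy with a checked length, not strcpy */
    return (long)(need - 1);
}

/* Allocate exactly bytes_needed(src) and copy; caller frees. */
char *dup_with_terminator(const char *src) {
    size_t need = bytes_needed(src);
    char *buf = malloc(need);           /* the "+1" lives in bytes_needed */
    if (buf == NULL) {
        return NULL;
    }
    memcpy(buf, src, need);
    return buf;
}

/* Would src fit in a heap buffer of `cap` bytes? Returns bounded_copy's
   result so the outcome can be checked without the caller managing
   a buffer. */
long copy_fits_in(size_t cap, const char *src) {
    char *buf = malloc(cap ? cap : 1);
    if (buf == NULL) {
        return -1;
    }
    long r = bounded_copy(buf, cap, src);
    free(buf);
    return r;
}

#ifdef SHOW_THE_BUG
/* Build with: gcc -O2 -D_FORTIFY_SOURCE=2 -DSHOW_THE_BUG demo.c
   The fixed-size destination lets GCC know the object size, so the
   strcpy below becomes __strcpy_chk and aborts with the same
   "*** buffer overflow detected ***" message seen in the report. */
static void under_allocated(void) {
    char dst[8];
    strcpy(dst, "needs more than eight");
}
#endif

int main(void) {
    char stack_buf[8];
    printf("%ld\n", bounded_copy(stack_buf, sizeof stack_buf, "abc"));           /* 3 */
    printf("%ld\n", bounded_copy(stack_buf, sizeof stack_buf, "eight+1 chars")); /* -1 */
    char *heap = dup_with_terminator("hello");
    if (heap != NULL) {
        printf("%s\n", heap);   /* hello */
        free(heap);
    }
#ifdef SHOW_THE_BUG
    under_allocated();
#endif
    return 0;
}
```

The fortified build only catches a copy when the compiler can see the destination's size (a fixed array, or a constant-size allocation); a buffer sized at run time gets no check, which is why a test that exercises the code path, as asked for above, remains the reliable way to verify a fix.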

  • Donal K. Fellows

    • labels: --> 46. Traces
    • assigned_to: nobody --> dkf
    • status: open --> closed-accepted
  • Donal K. Fellows

    • status: closed-accepted --> closed-fixed
  • Donal K. Fellows

    Fixed on HEAD and 8.5 branch
