realpath() built with >=gcc-4.3 (where FORTIFY is enabled by default) and -Ox
where x>0 causes the application to abort.

Test case: the following code built with gcc -O2:
==========================================================================
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int
main (int argc, char *argv[])
{
    int ret;
    /* Destination buffer is 1024 bytes; on Linux PATH_MAX is 4096, which is
       the size the fortified realpath() wrapper expects. */
    char device_file_or_mount_point[1024];

    if (argc < 2 || strlen (argv[1]) == 0) {
        fprintf (stderr, "%s: pass relative path.\n", argv[0]);
        return 1;
    }

    /* With FORTIFY enabled this becomes a __realpath_chk() call that sees
       the 1024-byte object size and aborts before resolving anything. */
    realpath(argv[1], device_file_or_mount_point);

    return 0;
}
==========================================================================

produces:

 $ ./a.out /boot/
*** buffer overflow detected ***: ./a.out terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7f1adb1c33a7]
/lib/libc.so.6[0x7f1adb1c03d0]
/lib/libc.so.6[0x7f1adb1c0a9b]
./a.out(main+0x55)[0x7f1adb6518c5]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7f1adb1015c6]
./a.out[0x7f1adb651789]
======= Memory map: ========
[snip]


I found this bug with the umount.hal helper, which started to fail here after this
commit:
http://cgit.freedesktop.org/hal/commit/?id=6d8eed9015a6ca648fe1dad575621b6ea959a748

But probably other applications are affected too. At least I found a similar
issue with python reported here:
https://bugs.launchpad.net/ubuntu/+source/gcc-defaults/+bug/286334

Also I found that scilab has commit 6a5321bddceaf0e4761f29a507bfad6e1f3a7b33
(googleable) that basically modifies the realpath(r,a) call to a=realpath(r,NULL).


Reproduced with gcc-4.4.2 (glibc-2.11) and gcc-4.3.4 (glibc-2.9_p20081201-r2)
 $ LC_ALL=C gcc --version
gcc (Gentoo 4.4.2 p1.0) 4.4.2
 $ uname -a
Linux tablet 2.6.32-gentoo #2 SMP PREEMPT Sat Dec 19 23:36:55 MSK 2009 x86_64
Intel(R) Core(TM)2 Duo CPU L7500 @ 1.60GHz GenuineIntel GNU/Linux


-- 
           Summary: fortify with optimisation above -O0 cause abort in
                    realpath()
           Product: gcc
           Version: 4.4.2
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: pva at gentoo dot org


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=42582
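The abort in the report comes from glibc's fortified wrapper, __realpath_chk(), which refuses any destination whose compile-time object size is below PATH_MAX, so a local 1024-byte array like the one in the test case always trips it regardless of the input. The following is an added example, not code from the bug report, hal, or scilab; it shows the two calling conventions that pass the check: letting realpath() allocate the result (the a=realpath(r,NULL) change the report mentions) and passing a buffer that really is PATH_MAX bytes. The function names canonicalize_alloc, canonicalize_into and conventions_agree are this example's own.

```c
/* Added example (not from the bug report): realpath() calling conventions
   that do not trip the FORTIFY object-size check. Build with e.g.
   gcc -O2 -D_FORTIFY_SOURCE=2 realpath_ok.c */
#define _XOPEN_SOURCE 700   /* declares realpath() in <stdlib.h> */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Preferred form: realpath() allocates a buffer of the right size. There is
   no destination size to get wrong, and the result is not capped at
   PATH_MAX on filesystems that allow longer paths. Caller must free(). */
char *canonicalize_alloc(const char *path)
{
    char *resolved = realpath(path, NULL);
    if (resolved == NULL)
        return NULL;    /* errno set by realpath(): ENOENT, EACCES, ENAMETOOLONG, ... */
    return resolved;
}

/* Fixed-buffer form: the destination must be at least PATH_MAX bytes, which
   is exactly what __realpath_chk() requires when it knows the object size.
   Returns 0 on success, -1 on error with errno set. */
int canonicalize_into(const char *path, char out[PATH_MAX])
{
    if (realpath(path, out) == NULL)
        return -1;
    return 0;
}

/* Resolve the same input both ways; returns 1 if both succeed and agree. */
int conventions_agree(const char *path)
{
    char fixed[PATH_MAX];   /* PATH_MAX-sized local: passes the fortify check */
    char *heap = canonicalize_alloc(path);
    if (heap == NULL)
        return 0;
    if (canonicalize_into(path, fixed) != 0) {
        free(heap);
        return 0;
    }
    int same = strcmp(heap, fixed) == 0;
    free(heap);
    return same;
}

int main(int argc, char *argv[])
{
    const char *path = argc > 1 ? argv[1] : "/";
    char *resolved = canonicalize_alloc(path);
    if (resolved == NULL) {
        fprintf(stderr, "realpath(%s): %s\n", path, strerror(errno));
        return 1;
    }
    printf("%s -> %s\n", path, resolved);
    free(resolved);
    return 0;
}
```

The check only fires where the compiler can see the destination's size (a local or static array passed directly), which is why the report's test case aborts at -O2 but not at -O0, and why passing the same undersized array through a pointer parameter silently reverts to the unchecked call. Sizing the buffer with PATH_MAX is the minimum fix; realpath(path, NULL) removes the class of bug entirely.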
