problem with i686-w64-mingw32-gcc -fstack-protector-all

problem with i686-w64-mingw32-gcc -fstack-protector-all

[Lee]

Maybe I'm just Doing It Wrong, but
  gcc -fstack-protector-all
seems to be working correctly &
  i686-w64-mingw32-gcc -fstack-protector-all
seems to be broken - eg:

$./ssp testtestx
Illegal instruction

printf's that happen before the stack over-write don't show up & no
"*** stack smashing detected ***" msg is printed before the "Illegal
instruction"

STC:

$cat doit
#!/bin/sh
LIB="-lssp"
set -x

cat main-ssp.c
cat func-ssp.c

i686-w64-mingw32-gcc -c -fstack-protector-all   func-ssp.c -o func-ssp.o
i686-w64-mingw32-gcc -c -fstack-protector-all   main-ssp.c -o main-ssp.o
i686-w64-mingw32-gcc -static -o ssp.exe func-ssp.o main-ssp.o $LIB
./ssp.exe testtestx

echo -e '\n\n'

gcc -c -fstack-protector-all   func-ssp.c -o cyg-func-ssp.o
gcc -c -fstack-protector-all   main-ssp.c -o cyg-main-ssp.o
gcc -static -o cyg-ssp.exe cyg-func-ssp.o cyg-main-ssp.o $LIB
./cyg-ssp.exe testtestx


$./doit
+ cat main-ssp.c
/* stack smashing protection
  i686-w64-mingw32-gcc -c -fstack-protector-all -o func-ssp.o func-ssp.c
  i686-w64-mingw32-gcc -c -fstack-protector-all -o main-ssp.o main-ssp.c
  i686-w64-mingw32-gcc -o ssp.exe  main-ssp.o func-ssp.o
  ./ssp testtestx
    *** should die ***
 */

#include <stdio.h>
#include <string.h>

extern int doit(char *s );

int main(int argc, char *argv[])
{
 int status=0;
 printf("main: argv[1]=%s\n", argv[1] );
 status = doit(argv[1]);
 if ( status != 1 ) printf("OhNoes!! doit returned %d\n", status );
 printf("main: exit\n" );
 return 0;
}

+ cat func-ssp.c
/* stack smashing protection test */

#include <stdio.h>
#include <string.h>

extern
int doit(char *s ) {
  char buf[]="12345678";
  int i=0;
  if ( *s != '\0' ) i = 1;  /* return true */
  printf("doit: s=\"%s\"   buf=\"%s\"  i=%d\n", s, buf, i );
  strcpy(buf, s);
    /* buffer overflow into return status(int i) if strlen(s) > 8 */
  printf("doit: s=\"%s\"   buf=\"%s\"  i=%d\n", s, buf, i );
  return i;
}

+ i686-w64-mingw32-gcc -c -fstack-protector-all func-ssp.c -o func-ssp.o
+ i686-w64-mingw32-gcc -c -fstack-protector-all main-ssp.c -o main-ssp.o
+ i686-w64-mingw32-gcc -static -o ssp.exe func-ssp.o main-ssp.o -lssp
+ ./ssp.exe testtestx
./doit: line 11:  9128 Illegal instruction     ./ssp.exe testtestx
+ echo -e '\n\n'



+ gcc -c -fstack-protector-all func-ssp.c -o cyg-func-ssp.o
+ gcc -c -fstack-protector-all main-ssp.c -o cyg-main-ssp.o
+ gcc -static -o cyg-ssp.exe cyg-func-ssp.o cyg-main-ssp.o -lssp
+ ./cyg-ssp.exe testtestx
main: argv[1]=testtestx
doit: s="testtestx"   buf="12345678"  i=1
doit: s="testtestx"   buf="testtestx"  i=1
*** stack smashing detected ***:  terminated
./doit: line 18:  2336 Illegal instruction     (core dumped)
./cyg-ssp.exe testtestx

$

$ gcc --version
gcc (GCC) 6.4.0
Copyright (C) 2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

$ i686-w64-mingw32-gcc --version
i686-w64-mingw32-gcc (GCC) 6.3.0
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.


Thanks,
Lee

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: problem with i686-w64-mingw32-gcc -fstack-protector-all

[Christian Franke]

Lee wrote:
> Maybe I'm just Doing It Wrong, but
>    gcc -fstack-protector-all
> seems to be working correctly &
>    i686-w64-mingw32-gcc -fstack-protector-all
> seems to be broken - eg:
>
> $./ssp testtestx
> Illegal instruction
>
> printf's that happen before the stack over-write don't show up & no
> "*** stack smashing detected ***" msg is printed before the "Illegal
> instruction"
> ...
>
> extern
> int doit(char *s ) {
>    char buf[]="12345678";
>    int i=0;
>    if ( *s != '\0' ) i = 1;  /* return true */
>    printf("doit: s=\"%s\"   buf=\"%s\"  i=%d\n", s, buf, i );
>    strcpy(buf, s);
>      /* buffer overflow into return status(int i) if strlen(s) > 8 */
>    printf("doit: s=\"%s\"   buf=\"%s\"  i=%d\n", s, buf, i );
>    return i;
> }
>
> + i686-w64-mingw32-gcc -c -fstack-protector-all func-ssp.c -o func-ssp.o
> + i686-w64-mingw32-gcc -c -fstack-protector-all main-ssp.c -o main-ssp.o
> + i686-w64-mingw32-gcc -static -o ssp.exe func-ssp.o main-ssp.o -lssp

BTW: There is no need to link with -lssp if the related code generation 
option -fstack-protector* is also used during link.


> + ./ssp.exe testtestx
> ./doit: line 11:  9128 Illegal instruction     ./ssp.exe testtestx
> + echo -e '\n\n'
>

The *** stack smashing detected *** message from MinGW runtime is only 
visible if stdio is attached to a Windows console.

Works for me if one more overflow char is added:

Cygwin mintty:

$ ./ssp testtestx
main: argv[1]=testtestx
doit: s="testtestx"   buf="12345678"  i=1
doit: s="testtestx"   buf="testtestx"  i=1
main: exit

$ ./ssp testtestxx
Illegal instruction


Cygwin in Windows console (cygwin.bat):

$ ./ssp testtestxx
main: argv[1]=testtestxx
doit: s="testtestxx"   buf="12345678"  i=1
doit: s="testtestxx"   buf="testtestxx"  i=1
*** stack smashing detected ***:  terminated
Illegal instruction


cmd.exe in Windows console:

C:\cygwin\tmp>.\ssp.exe testtestxx
main: argv[1]=testtestxx
doit: s="testtestxx"   buf="12345678"  i=1
doit: s="testtestxx"   buf="testtestxx"  i=1
*** stack smashing detected ***:  terminated
[Windows Message Box: Debug/Abort Program ?]


Christian


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: problem with i686-w64-mingw32-gcc -fstack-protector-all

[Lee]

On 10/4/17, Christian Franke   wrote:
> Lee wrote:
>> Maybe I'm just Doing It Wrong, but
>>    gcc -fstack-protector-all
>> seems to be working correctly &
>>    i686-w64-mingw32-gcc -fstack-protector-all
>> seems to be broken - eg:
>>
>> $./ssp testtestx
>> Illegal instruction
>>
>> printf's that happen before the stack over-write don't show up & no
>> "*** stack smashing detected ***" msg is printed before the "Illegal
>> instruction"
>> ...
>>
>> extern
>> int doit(char *s ) {
>>    char buf[]="12345678";
>>    int i=0;
>>    if ( *s != '\0' ) i = 1;  /* return true */
>>    printf("doit: s=\"%s\"   buf=\"%s\"  i=%d\n", s, buf, i );
>>    strcpy(buf, s);
>>      /* buffer overflow into return status(int i) if strlen(s) > 8 */
>>    printf("doit: s=\"%s\"   buf=\"%s\"  i=%d\n", s, buf, i );
>>    return i;
>> }
>>
>> + i686-w64-mingw32-gcc -c -fstack-protector-all func-ssp.c -o func-ssp.o
>> + i686-w64-mingw32-gcc -c -fstack-protector-all main-ssp.c -o main-ssp.o
>> + i686-w64-mingw32-gcc -static -o ssp.exe func-ssp.o main-ssp.o -lssp
>
> BTW: There is no need to link with -lssp if the related code generation
> option -fstack-protector* is also used during link.

Thanks for that!
I would have never guessed that a compile-time switch would have an
effect if all you're doing is linking.


>> + ./ssp.exe testtestx
>> ./doit: line 11:  9128 Illegal instruction     ./ssp.exe testtestx
>> + echo -e '\n\n'
>>
>
> The *** stack smashing detected *** message from MinGW runtime is only
> visible if stdio is attached to a Windows console.

Yes!
But even after re-reading https://github.com/mintty/mintty/wiki/Tips &
https://github.com/mintty/mintty/issues/56  I'm still missing why _no_
output is displayed before the 'Illegal instruction' output line.
Without a stack overflow I see:
$ ./ssp test
main: argv[1]=test
doit: s="test"   buf="12345678"  i=1
doit: s="test"   buf="test"  i=1
main: exit

so it seems like I should have gotten at least the first two lines of output.

> Works for me if one more overflow char is added:
>
> Cygwin mintty:
>
> $ ./ssp testtestx
> main: argv[1]=testtestx
> doit: s="testtestx"   buf="12345678"  i=1
> doit: s="testtestx"   buf="testtestx"  i=1
> main: exit

Interesting.  I have Windows 10 & i686-w64-mingw32-gcc (GCC) 6.3.0   you?


> $ ./ssp testtestxx
> Illegal instruction
>
>
> Cygwin in Windows console (cygwin.bat):
>
> $ ./ssp testtestxx
> main: argv[1]=testtestxx
> doit: s="testtestxx"   buf="12345678"  i=1
> doit: s="testtestxx"   buf="testtestxx"  i=1
> *** stack smashing detected ***:  terminated
> Illegal instruction
>
>
> cmd.exe in Windows console:
>
> C:\cygwin\tmp>.\ssp.exe testtestxx
> main: argv[1]=testtestxx
> doit: s="testtestxx"   buf="12345678"  i=1
> doit: s="testtestxx"   buf="testtestxx"  i=1
> *** stack smashing detected ***:  terminated
> [Windows Message Box: Debug/Abort Program ?]

I get the same with the cygwin.bat console window; a straight dos
(cmd.exe) console window has a 10 second delay after
*** stack smashing detected ***:  terminated
is displayed before I get the
   ------------------------
ssp.exe has stopped working

A problem caused the program to stop working
correctly. Please close the program.

 -> Close the program
   ------------------------
pop-up window

Anyway.. Thank you!!  It's been driving me nuts trying to figure out
why all I get is 'Illegal instruction'

Lee

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: problem with i686-w64-mingw32-gcc -fstack-protector-all

[Christian Franke]

Lee wrote:
>
>>> + ./ssp.exe testtestx
>>> ./doit: line 11:  9128 Illegal instruction     ./ssp.exe testtestx
>>> + echo -e '\n\n'
>>>
>> The *** stack smashing detected *** message from MinGW runtime is only
>> visible if stdio is attached to a Windows console.
> Yes!
> But even after re-reading https://github.com/mintty/mintty/wiki/Tips &
> https://github.com/mintty/mintty/issues/56  I'm still missing why _no_
> output is displayed before the 'Illegal instruction' output line.

Stdio streams are usually full buffered if not attached to a 
tty/console. Buffers are flushed on regular exit(), but not on abnormal 
termination. Add fflush() calls to fix.


>> Works for me if one more overflow char is added:
>>
>> Cygwin mintty:
>>
>> $ ./ssp testtestx
>> main: argv[1]=testtestx
>> doit: s="testtestx"   buf="12345678"  i=1
>> doit: s="testtestx"   buf="testtestx"  i=1
>> main: exit
> Interesting.  I have Windows 10 & i686-w64-mingw32-gcc (GCC) 6.3.0   you?

Same (Win10.0.15063 x64 German).


> ...
>
> Anyway.. Thank you!!  It's been driving me nuts trying to figure out
> why all I get is 'Illegal instruction'

The 'Illegal instruction' is printed by the Cygwin shell because the 
program fails with STATUS_ILLEGAL_INSTRUCTION which is mapped to SIGILL.

The libspp code[1] shows that the program is terminated with 
__builtin_trap(). GCC then generates the x86 instruction UD2 ("defined" 
as "undefined instruction" :-)
In the MinGW case, stack error messages are written to CONOUT$ or are 
not written if no console is attached (Cygwin and others: /dev/tty or 
syslog()).

Christian

[1]
https://gcc.gnu.org/viewcvs/gcc/trunk/libssp/ssp.c?revision=233253&view=markup


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple