From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <mark@klomp.org>
Received: from gnu.wildebeest.org (gnu.wildebeest.org [45.83.234.184])
 by sourceware.org (Postfix) with ESMTPS id AD4AA3857414
 for <elfutils-devel@sourceware.org>; Fri, 29 Jul 2022 18:34:34 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org AD4AA3857414
Authentication-Results: sourceware.org;
 dmarc=none (p=none dis=none) header.from=klomp.org
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=klomp.org
Received: from tarox.wildebeest.org (83-87-18-245.cable.dynamic.v4.ziggo.nl
 [83.87.18.245])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by gnu.wildebeest.org (Postfix) with ESMTPSA id 38B58300066F;
 Fri, 29 Jul 2022 20:34:28 +0200 (CEST)
Received: by tarox.wildebeest.org (Postfix, from userid 1000)
 id 6B1B8413CBBB; Fri, 29 Jul 2022 20:34:28 +0200 (CEST)
Message-ID: <dfbbbbd00dc70d07950ce12de7fd20e9171f5325.camel@klomp.org>
Subject: Re: [PATCH] libdwfl: Rewrite reading of ar_size in elf_begin_rand
From: Mark Wielaard <mark@klomp.org>
To: elfutils-devel@sourceware.org
Cc: Siddhesh Poyarekar <siddhesh@gotplt.org>
Date: Fri, 29 Jul 2022 20:34:28 +0200
In-Reply-To: <20220728134844.8618-1-mark@klomp.org>
References: <20220728134844.8618-1-mark@klomp.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Evolution 3.28.5 (3.28.5-10.el7) 
Mime-Version: 1.0
X-Spam-Status: No, score=-5.5 required=5.0 tests=BAYES_00, JMQ_SPF_NEUTRAL,
 KAM_DMARC_STATUS, SPF_HELO_NONE, SPF_PASS,
 TXREP autolearn=no autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
 server2.sourceware.org
X-BeenThere: elfutils-devel@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Elfutils-devel mailing list <elfutils-devel.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/elfutils-devel>,
 <mailto:elfutils-devel-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/elfutils-devel/>
List-Help: <mailto:elfutils-devel-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/elfutils-devel>,
 <mailto:elfutils-devel-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jul 2022 18:34:36 -0000

Hi,

On Thu, 2022-07-28 at 15:48 +0200, Mark Wielaard wrote:
> With GCC 12.1.1, glibc 2.3a, -fsanitize=3Dundefined and
> -D_FORTIFY_SOURCE=3D3 we get the following error message:
>=20
> In file included from /usr/include/ar.h:22,
>                  from ../libelf/libelfP.h:33,
>                  from core-file.c:31:
> In function =E2=80=98pread=E2=80=99,
>     inlined from =E2=80=98pread_retry=E2=80=99 at ../lib/system.h:188:21,
>     inlined from =E2=80=98elf_begin_rand=E2=80=99 at core-file.c:86:16,
>     inlined from =E2=80=98core_file_read_eagerly=E2=80=99 at core-file.c:=
205:15:
> /usr/include/bits/unistd.h:74:10: error: =E2=80=98__pread_alias=E2=80=99 =
writing 58
> or more bytes into a region of size 10 overflows the destination [-
> Werror=3Dstringop-overflow=3D]
>    74 |   return __glibc_fortify (pread, __nbytes, sizeof (char),
>       |          ^~~~~~~~~~~~~~~
> /usr/include/ar.h: In function =E2=80=98core_file_read_eagerly=E2=80=99:
> /usr/include/ar.h:41:10: note: destination object =E2=80=98ar_size=E2=80=
=99 of size
> 10
>    41 |     char ar_size[10];           /* File size, in ASCII
> decimal.  */
>       |          ^~~~~~~
> /usr/include/bits/unistd.h:50:16: note: in a call to function
> =E2=80=98__pread_alias=E2=80=99 declared with attribute =E2=80=98access (=
write_only, 2, 3)=E2=80=99
>    50 | extern ssize_t __REDIRECT (__pread_alias,
>       |                ^~~~~~~~~~
> cc1: all warnings being treated as errors
>=20
> The warning disappears when dropping either -fsanitize=3Dundefined
> or when using -D_FORTIFY_SOURCE=3D2. It looks like a false positive.
> But I haven't figured out how/why it happens.
>=20
> The code is a little tricky to proof correct though. The ar_size
> field is a not-zero terminated string ASCII decimal, right-paddedr
> with spaces. Which is then converted with strtoll. Relying on the
> fact that the struct ar_hdr is zero initialized, so there will be
> a zero byte after the ar_size field.
>=20
> Rewrite the code to just use a zero byte terminated char array.
> Which is much easier to reason about. As a bonus the error
> disappears.

The try build turned out green (ppc64le and s390x were red before)
except for the centos7 builder where the native-biarch-core failed
(this is a flaky test apparently because of a kernel issue dumping
biarch cores?) An explicit rebuild made all tests PASS.

So I have pushed this to get all our builders green again.

Cheers,

Mark