From: "siddhesh at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug middle-end/105709] FORTIFY_SOURCE=3 (*** buffer overflow detected ***: terminated) on Qt
Date: Tue, 24 May 2022 01:53:42 +0000
X-Bugzilla-Product: gcc
X-Bugzilla-Component: middle-end
X-Bugzilla-Version: 12.1.1
X-Bugzilla-Keywords: wrong-code
X-Bugzilla-Severity: normal
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105709

--- Comment #9 from Siddhesh Poyarekar ---

From a quick check of non-reduced-qt.cxx, clang appears to fail to fortify the readlink function, which may explain why you see the failure with gcc but not clang. Also the reduced reproducer in comment 1 looks wrong; it passes a 0 object size to __readlink_chk, which is guaranteed to fail.
The correct reproducer in that context is:

```
extern "C" void __readlink_chk(char *, char *, long, long);
// readlink___buf is a single char: the destination is a 1-byte object
char readlink___path, readlink___buf;
namespace Qt {
enum Initialization {} Uninitialized;
}
struct QArrayData {
  int size;
};
struct QByteArray {
  // declared but never defined in the reduced case, so d.size stays uninitialized
  QByteArray(int, Qt::Initialization);
  ~QByteArray();
  int size() const;
  QArrayData d;
};
QByteArray::~QByteArray() {}
int QByteArray::size() const { return d.size; }
int main() {
  QByteArray buf(6, Qt::Uninitialized);
  int __trans_tmp_1 = buf.size();
  __readlink_chk(&readlink___path, &readlink___buf, __trans_tmp_1,
                 __builtin_dynamic_object_size(&readlink___buf, 0));
}
```

which again is invalid code, because the readlink is passed a 1-byte buffer and reads an uninitialized number of bytes, which again fails correctly. Fun fact: this code will likely *pass* if -ftrivial-auto-var-init is passed! I guess one can't win everything...

Now looking at the original code, it seems similar to the issue in bug 105078, which is basically an attempt to use an implicit flex array (by overallocating memory to the object), which is not guaranteed to work all the time. Clang simply bails out at some point, because of which it doesn't fortify the readlink call and everything is good.
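The implicit-flex-array pattern discussed in the comment above, as an added example that is not part of this bug report, of Qt, or of GCC: it emulates the bound a fortified call such as __readlink_chk enforces (the requested length against the object size derived for the destination) and contrasts the over-allocated one-byte trailing array with a C99 flexible array member. The struct names, checked_copy, legacy_read, fam_read and SAMPLE_TARGET are assumptions made for illustration, SAMPLE_TARGET is a constructed stand-in for a link target, and the overflow is reported by return value rather than by aborting so that it can be unit-tested.

```c
/* Added example, not code from the bug report, Qt or GCC. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Legacy pattern: a one-byte trailing array that is over-allocated at
 * runtime. The type says data holds 1 byte; the allocation holds more. */
struct legacy_buf {
    int  size;
    char data[1];
};

/* C99 flexible array member: the type carries no declared size for data,
 * so the only bound is the allocation the program itself tracks. */
struct fam_buf {
    int  size;
    char data[];
};

/* Emulates the contract of a fortified _chk call: the caller-supplied
 * length must not exceed the object size derived for the destination.
 * Returns -1 for "buffer overflow detected" instead of aborting, so it
 * can be tested; otherwise returns the number of bytes copied. */
static long checked_copy(char *dst, size_t len, size_t dst_objsz,
                         const char *src)
{
    if (len > dst_objsz)
        return -1;                 /* *** buffer overflow detected *** */
    size_t n = strlen(src);
    if (n > len)
        n = len;
    memcpy(dst, src, n);
    return (long)n;
}

/* Allocate `capacity` payload bytes behind each header. */
static struct legacy_buf *legacy_alloc(size_t capacity)
{
    struct legacy_buf *p = malloc(offsetof(struct legacy_buf, data) + capacity);
    if (p)
        p->size = (int)capacity;
    return p;
}

static struct fam_buf *fam_alloc(size_t capacity)
{
    struct fam_buf *p = malloc(offsetof(struct fam_buf, data) + capacity);
    if (p)
        p->size = (int)capacity;
    return p;
}

/* Constructed sample link target (hypothetical path, 20 characters). */
static const char SAMPLE_TARGET[] = "/usr/lib/libfoo.so.1";

/* Legacy struct: the bound the type offers for the trailing member is
 * its declared size, sizeof(p->data) == 1, regardless of the allocation. */
long legacy_read(size_t capacity)
{
    struct legacy_buf *p = legacy_alloc(capacity);
    if (!p)
        return -2;
    long r = checked_copy(p->data, (size_t)p->size,
                          sizeof(p->data), SAMPLE_TARGET);
    free(p);
    return r;
}

/* Flexible array member: the bound is the allocation minus the offset of
 * data, which is exactly the capacity the program recorded in size. */
long fam_read(size_t capacity)
{
    struct fam_buf *p = fam_alloc(capacity);
    if (!p)
        return -2;
    size_t alloc = offsetof(struct fam_buf, data) + capacity;
    size_t objsz = alloc - offsetof(struct fam_buf, data);
    long r = checked_copy(p->data, (size_t)p->size, objsz, SAMPLE_TARGET);
    free(p);
    return r;
}
```

With the legacy struct, any capacity larger than the declared one-byte member trips the emulated check even though the memory really is there; with the flexible array member the bound comes from the allocation, so the same request succeeds. In the real reproducer the requested length is additionally uninitialized, which is why the comment above notes that the failure is correct either way.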