* [Bug c++/105709] FORTIFY_SOURCE=3 (*** buffer overflow detected ***: terminated) on Qt
2022-05-24 0:07 [Bug c++/105709] New: FORTIFY_SOURCE=3 (*** buffer overflow detected ***: terminated) on Qt sam at gentoo dot org
@ 2022-05-24 0:09 ` sam at gentoo dot org
2022-05-24 0:09 ` [Bug middle-end/105709] " sam at gentoo dot org
` (9 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: sam at gentoo dot org @ 2022-05-24 0:09 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105709
--- Comment #1 from Sam James <sam at gentoo dot org> ---
Minimised reproducer works with Clang but fails with GCC 12 w/ F_S=3:
qt.cxx:
```
extern "C" void __readlink_chk(char *, char *, long, long);
char readlink___path, readlink___buf;
namespace Qt {
enum Initialization {} Uninitialized;
}
struct QArrayData {
int size;
};
struct QByteArray {
QByteArray(int, Qt::Initialization);
~QByteArray();
int size() const;
QArrayData d;
};
QByteArray::~QByteArray() {}
int QByteArray::size() const { return d.size; }
main() {
QByteArray buf(6, Qt::Uninitialized);
int __trans_tmp_1 = buf.size();
__readlink_chk(&readlink___path, &readlink___buf, __trans_tmp_1, 0);
}
```
```
$ c++ -O2 -D_FORTIFY_SOURCE=3 -l Qt5Core qt.cxx -o qt
qt.cxx:17:1: warning: ISO C++ forbids declaration of ‘main’ with no type
[-Wreturn-type]
17 | main() {
| ^~~~
$ ./qt
*** buffer overflow detected ***: terminated
Aborted (core dumped)
```
^ permalink raw reply [flat|nested] 12+ messages in thread
* [Bug middle-end/105709] FORTIFY_SOURCE=3 (*** buffer overflow detected ***: terminated) on Qt
From: sam at gentoo dot org @ 2022-05-24 0:09 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105709
--- Comment #2 from Sam James <sam at gentoo dot org> ---
```
$ gcc --version
gcc (Gentoo Hardened 12.1.1_p20220521 p5) 12.1.1 20220521
Copyright (C) 2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
```
* [Bug middle-end/105709] FORTIFY_SOURCE=3 (*** buffer overflow detected ***: terminated) on Qt
From: sam at gentoo dot org @ 2022-05-24 0:13 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105709
--- Comment #3 from Sam James <sam at gentoo dot org> ---
Created attachment 53023
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=53023&action=edit
non-reduced-qt.cxx
(I've attached `non-reduced-qt.cxx` in case it's more illustrative. I didn't do
much to it, just yanked the qt_readlink function out of Qt, shoved
"/etc/timezone" into it (see the original backtrace), and it failed.)
Needs to be compiled with:
```
$ g++ -O2 -D_FORTIFY_SOURCE=3 -o qt -fPIC -I/usr/include/qt5/QtCore
-I/usr/include/qt5 -I/usr/lib64/qt5/mkspecs/linux-g++
-I/usr/include/qt5/QtCore/5.15.4/QtCore/private/
-I/usr/include/qt5/QtCore/5.15.4/QtCore -I/usr/include/qt5/QtCore/5.15.4 qt.ii
-lQt5Core
```
* [Bug middle-end/105709] FORTIFY_SOURCE=3 (*** buffer overflow detected ***: terminated) on Qt
From: sam at gentoo dot org @ 2022-05-24 0:14 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105709
--- Comment #4 from Sam James <sam at gentoo dot org> ---
Created attachment 53024
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=53024&action=edit
non-reduced-qt.ii
* [Bug middle-end/105709] FORTIFY_SOURCE=3 (*** buffer overflow detected ***: terminated) on Qt
From: sam at gentoo dot org @ 2022-05-24 0:14 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105709
--- Comment #5 from Sam James <sam at gentoo dot org> ---
Created attachment 53025
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=53025&action=edit
reduced-qt.cxx
* [Bug middle-end/105709] FORTIFY_SOURCE=3 (*** buffer overflow detected ***: terminated) on Qt
From: pinskia at gcc dot gnu.org @ 2022-05-24 0:20 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105709
--- Comment #6 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
The reduced testcase fails for me with clang.
* [Bug middle-end/105709] FORTIFY_SOURCE=3 (*** buffer overflow detected ***: terminated) on Qt
From: pinskia at gcc dot gnu.org @ 2022-05-24 0:28 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105709
--- Comment #7 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
Even this reduced testcase works:
```
#include <sys/syscall.h>
#include <pthread.h>
#include <unistd.h>
#include <cstring>
#include <cstdlib>
namespace Qt {
enum Initialization {} Uninitialized;
}
struct QArrayData {
int size;
char *d;
};
struct QByteArray {
[[gnu::noipa]]
QByteArray(int a, Qt::Initialization) {d.size = a; d.d =
(char*)__builtin_malloc(a); memset(d.d, 0, a);}
~QByteArray();
int size() const;
QArrayData d;
[[gnu::noipa]]
char *data() {return d.d;}
};
QByteArray::~QByteArray() {}
[[gnu::noipa]]
int QByteArray::size() const { return d.size; }
int
main() {
char *path = (char*)malloc(1024);
QByteArray buf(256, Qt::Uninitialized);
ssize_t len = ::readlink(path, buf.data(), buf.size());
return 0;
}
```
* [Bug middle-end/105709] FORTIFY_SOURCE=3 (*** buffer overflow detected ***: terminated) on Qt
From: sam at gentoo dot org @ 2022-05-24 0:45 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105709
--- Comment #8 from Sam James <sam at gentoo dot org> ---
Let me try to hack something together to reduce it, but test with Clang where
possible. It's hard because the mkspecs stuff which leaks into the preprocessed
original source doesn't build with Clang.
In the meantime, could you tell me if non-reduced-qt.cxx and
non-reduced-qt.ii.xz work for you?
* [Bug middle-end/105709] FORTIFY_SOURCE=3 (*** buffer overflow detected ***: terminated) on Qt
From: siddhesh at gcc dot gnu.org @ 2022-05-24 1:53 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105709
--- Comment #9 from Siddhesh Poyarekar <siddhesh at gcc dot gnu.org> ---
From a quick check of non-reduced-qt.cxx, clang appears to fail to fortify the
readlink function, which may explain why you see the failure with gcc but not
clang. Also the reduced reproducer in comment 1 looks wrong; it passes a 0
object size to __readlink_chk, which is guaranteed to fail. The correct
reproducer in that context is:
```
extern "C" void __readlink_chk(char *, char *, long, long);
char readlink___path, readlink___buf;
namespace Qt {
enum Initialization {} Uninitialized;
}
struct QArrayData {
int size;
};
struct QByteArray {
QByteArray(int, Qt::Initialization);
~QByteArray();
int size() const;
QArrayData d;
};
QByteArray::~QByteArray() {}
int QByteArray::size() const { return d.size; }
main() {
QByteArray buf(6, Qt::Uninitialized);
int __trans_tmp_1 = buf.size();
__readlink_chk(&readlink___path, &readlink___buf, __trans_tmp_1,
__builtin_dynamic_object_size (&readlink___buf, 0));
}
```
which again, is invalid code because the readlink is passed a 1 byte buffer and
read an uninitialized number of bytes, which again fails correctly. Fun fact:
this code will likely *pass* if -ftrivial-auto-var-init is passed! I guess one
can't win everything...
Now looking at the original code, it seems similar to the issue in bug 105078,
which is basically an attempt to use an implicit flex array (by overallocating
memory to the object) which is not guaranteed to work all the time. Clang
simply bails out at some point, because of which it doesn't fortify the
readlink call and everything is good.
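Added example (mine, not code from the thread, GCC or glibc) modelling the decision Siddhesh describes: the `*_chk` wrapper compares the requested length against an object size computed at the call site with `__builtin_dynamic_object_size`, exactly as the last argument in the reproducer above does. The struct, function and macro names are assumed; the block covers the one-byte-buffer and zero-size cases from the comment, plus a header-plus-overallocated-bytes layout whose size the compiler can only derive when it sees the allocation (without optimisation the size comes back unknown and the call goes unchecked).

```c
#include <stdlib.h>
#include <stddef.h>
/* Use the builtin _FORTIFY_SOURCE=3 relies on; fall back to the static variant
 * on compilers that predate it (only older toolchains hit the fallback). */
#ifdef __has_builtin
#if __has_builtin(__builtin_dynamic_object_size)
#define DYN_OBJSZ(p) __builtin_dynamic_object_size((p), 0)
#endif
#endif
#ifndef DYN_OBJSZ
#define DYN_OBJSZ(p) __builtin_object_size((p), 0)
#endif
#define SIZE_UNKNOWN ((size_t)-1) /* the builtin's answer when it cannot tell */

enum verdict { FITS = 0, OVERFLOW_DETECTED = 1, UNCHECKED = 2 };

/* The decision a *_chk wrapper makes from the size handed to it: a request
 * larger than a known object aborts; an unknown size is let through. */
static inline enum verdict fortify_verdict(size_t objsz, size_t len)
{
    if (objsz == SIZE_UNKNOWN)
        return UNCHECKED;
    return len > objsz ? OVERFLOW_DETECTED : FITS;
}
/* The size is computed where the buffer is visible, at the call site. */
#define FORTIFY_VERDICT(buf, len) fortify_verdict(DYN_OBJSZ(buf), (len))

struct array_hdr { int size; }; /* header with no trailing array member */

/* Six bytes requested into a one-byte object: the "correct reproducer" case. */
enum verdict one_byte_buffer(void) { char buf; return FORTIFY_VERDICT(&buf, 6); }

enum verdict stack_fits(void) { char buf[256]; return FORTIFY_VERDICT(buf, 256); }

/* Header followed by n over-allocated bytes, used through a pointer past it. */
enum verdict implicit_array(int n, size_t len)
{
    struct array_hdr *hdr = malloc(sizeof *hdr + (size_t)n);
    if (!hdr)
        return UNCHECKED;
    hdr->size = n;
    char *data = (char *)(hdr + 1);
    enum verdict v = FORTIFY_VERDICT(data, len);
    free(hdr);
    return v;
}

/* Comment 1's reproducer passed 0 as the object size, so nothing can fit. */
enum verdict zero_object_size(void) { return fortify_verdict(0, 6); }
```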
* [Bug middle-end/105709] FORTIFY_SOURCE=3 (*** buffer overflow detected ***: terminated) on Qt
From: sam at gentoo dot org @ 2022-05-24 2:40 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105709
--- Comment #10 from Sam James <sam at gentoo dot org> ---
Thanks Siddhesh. I was suspicious of how contorted the minimised version was
but I went with it given it still crashed.
And I think I get what the issue is with the original code now too. Cheers for
explaining.
I've reported this to Qt at https://bugreports.qt.io/browse/QTBUG-103782.
* [Bug middle-end/105709] FORTIFY_SOURCE=3 (*** buffer overflow detected ***: terminated) on Qt
From: pinskia at gcc dot gnu.org @ 2022-05-24 2:46 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105709
Andrew Pinski <pinskia at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |RESOLVED
Resolution|--- |DUPLICATE
--- Comment #11 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
Actually it is an exact dup of bug 105078 really as it was reduced from the
same source. Closing as a dup.
*** This bug has been marked as a duplicate of bug 105078 ***