[Bug c++/105709] New: FORTIFY_SOURCE=3 (*** buffer overflow detected ***: terminated) on Qt

[Bug c++/105709] New: FORTIFY_SOURCE=3 (*** buffer overflow detected ***: terminated) on Qt

[sam at gentoo dot org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105709

            Bug ID: 105709
           Summary: FORTIFY_SOURCE=3 (*** buffer overflow detected ***:
                    terminated) on Qt
           Product: gcc
           Version: 10.3.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: sam at gentoo dot org
                CC: siddhesh at gcc dot gnu.org
  Target Milestone: ---

Originally reported downstream in Gentoo at https://bugs.gentoo.org/847145.

Noticed when building net-libs/accounts-qml (https://accounts-sso.gitlab.io/).
It crashed on calling qmake (part of qtcore) which was calling
/usr/lib64/qt5/bin/qmlplugindump (part of qtdeclarative):
```
make[1]: Entering directory
'/var/tmp/portage/net-libs/accounts-qml-0.7-r1/work/accounts-qml-module-VERSION_0.7/src'
export LD_PRELOAD=Ubuntu/OnlineAccounts/libAccounts.so;
/usr/lib64/qt5/bin/qmlplugindump -notrelocatable Ubuntu.OnlineAccounts 0.1 . >
Ubuntu/OnlineAccounts/plugin.qmltypes
/usr/lib64/qt5/bin/qmake -install qinstall
/var/tmp/portage/net-libs/accounts-qml-0.7-r1/work/accounts-qml-module-VERSION_0.7/src/Ubuntu/OnlineAccounts/qmldir
/var/tmp/portage/net-libs/accounts-qml-0.7-r1/image/usr/lib64/qt5/qml/Ubuntu/OnlineAccounts/qmldir
/usr/lib64/qt5/bin/qmake -install qinstall -exe
Ubuntu/OnlineAccounts/libAccounts.so
/var/tmp/portage/net-libs/accounts-qml-0.7-r1/image/usr/lib64/qt5/qml/Ubuntu/OnlineAccounts/libAccounts.so
*** buffer overflow detected ***: terminated
make[1]: *** [Makefile:818: Ubuntu/OnlineAccounts/plugin.qmltypes] Aborted
(core dumped)
make[1]: *** Deleting file 'Ubuntu/OnlineAccounts/plugin.qmltypes'
make[1]: Leaving directory
'/var/tmp/portage/net-libs/accounts-qml-0.7-r1/work/accounts-qml-module-VERSION_0.7/src'
make: *** [Makefile:71: sub-src-install_subtargets-ordered] Error 2
 * ERROR: net-libs/accounts-qml-0.7-r1::gentoo failed (install phase):
 *   emake failed
```

Backtrace of the original failure:
```
Using host libthread_db library "/usr/lib64/libthread_db.so.1".
Core was generated by `/usr/lib64/qt5/bin/qmlplugindump -notrelocatable
Ubuntu.OnlineAccounts 0.1 .'.
Program terminated with signal SIGABRT, Aborted.
#0  0x00007f06afee44ec in ?? () from /usr/lib64/libc.so.6
[Current thread is 1 (Thread 0x7f06ac1c31c0 (LWP 37))]
gef➤  bt
#0  0x00007f06afee44ec in  () at /usr/lib64/libc.so.6
#1  0x00007f06afe935e2 in raise () at /usr/lib64/libc.so.6
#2  0x00007f06afe7d46c in abort () at /usr/lib64/libc.so.6
#3  0x00007f06afed8126 in  () at /usr/lib64/libc.so.6
#4  0x00007f06aff77ce2 in __fortify_fail () at /usr/lib64/libc.so.6
#5  0x00007f06aff766c2 in  () at /usr/lib64/libc.so.6
#6  0x00007f06aff76ba0 in __readlinkat_chk () at /usr/lib64/libc.so.6
#7  0x00007f06b05607ce in readlink (__len=0x100, __buf=<optimized out>,
__path=0x55955442aab8 "/etc/localtime") at /usr/include/bits/unistd.h:119
#8  qt_readlink(char const*) (path=0x55955442aab8 "/etc/localtime") at
/usr/src/debug/dev-qt/qtcore-5.15.4/qtbase-everywhere-src-5.15.4/src/corelib/kernel/qcore_unix.cpp:68
#9  0x00007f06b04b8c2a in QFileSystemEngine::getLinkTarget(QFileSystemEntry
const&, QFileSystemMetaData&) (link=..., data=...) at
/usr/src/debug/dev-qt/qtcore-5.15.4/qtbase-everywhere-src-5.15.4/src/corelib/io/qfilesystemengine_unix.cpp:628
#10 0x00007f06b045ce50 in
QFileInfoPrivate::getFileName(QAbstractFileEngine::FileName) const
(this=0x559554417310, name=QAbstractFileEngine::LinkName) at
/usr/src/debug/dev-qt/qtcore-5.15.4/qtbase-everywhere-src-5.15.4/src/corelib/io/qfileinfo.cpp:71
#11 0x00007f06b045edca in QFileInfo::symLinkTarget() const
(this=this@entry=0x7fff00632520) at
/usr/src/debug/dev-qt/qtcore-5.15.4/qtbase-everywhere-src-5.15.4/src/corelib/io/qfileinfo.cpp:1237
#12 0x00007f06b045884f in QFile::symLinkTarget(QString const&) (fileName=...)
at
/usr/src/debug/dev-qt/qtcore-5.15.4/qtbase-everywhere-src-5.15.4/src/corelib/io/qfile.cpp:492
#13 0x00007f06b0438140 in (anonymous namespace)::ZoneNameReader::etcLocalTime
() at
/usr/src/debug/dev-qt/qtcore-5.15.4/qtbase-everywhere-src-5.15.4/src/corelib/time/qtimezoneprivate_tz.cpp:1255
#14 (anonymous namespace)::ZoneNameReader::name (this=<optimized out>) at
/usr/src/debug/dev-qt/qtcore-5.15.4/qtbase-everywhere-src-5.15.4/src/corelib/time/qtimezoneprivate_tz.cpp:1205
#15 QTzTimeZonePrivate::systemTimeZoneId() const (this=<optimized out>) at
/usr/src/debug/dev-qt/qtcore-5.15.4/qtbase-everywhere-src-5.15.4/src/corelib/time/qtimezoneprivate_tz.cpp:1314
#16 0x00007f06b04387ce in QTzTimeZonePrivate::QTzTimeZonePrivate()
(this=this@entry=0x55955442aa20) at
/usr/src/debug/dev-qt/qtcore-5.15.4/qtbase-everywhere-src-5.15.4/src/corelib/time/qtimezoneprivate_tz.cpp:663
#17 0x00007f06b042a50c in newBackendTimeZone () at
/usr/src/debug/dev-qt/qtcore-5.15.4/qtbase-everywhere-src-5.15.4/src/corelib/time/qtimezone.cpp:68
#18 QTimeZoneSingleton::QTimeZoneSingleton() (this=0x7f06b07eb6a8 <(anonymous
namespace)::Q_QGS_global_tz::innerFunction()::holder>) at
/usr/src/debug/dev-qt/qtcore-5.15.4/qtbase-everywhere-src-5.15.4/src/corelib/time/qtimezone.cpp:109
#19 Holder::Holder (this=0x7f06b07eb6a8 <(anonymous
namespace)::Q_QGS_global_tz::innerFunction()::holder>) at
/usr/src/debug/dev-qt/qtcore-5.15.4/qtbase-everywhere-src-5.15.4/src/corelib/time/qtimezone.cpp:118
#20 (anonymous namespace)::Q_QGS_global_tz::innerFunction () at
/usr/src/debug/dev-qt/qtcore-5.15.4/qtbase-everywhere-src-5.15.4/src/corelib/time/qtimezone.cpp:118
#21 QGlobalStatic<QTimeZoneSingleton, (anonymous
namespace)::Q_QGS_global_tz::innerFunction, (anonymous
namespace)::Q_QGS_global_tz::guard>::operator-> (this=<optimized out>) at
/usr/src/debug/dev-qt/qtcore-5.15.4/qtbase-everywhere-src-5.15.4/include/QtCore/../../src/corelib/global/qglobalstatic.h:140
#22 QTimeZone::systemTimeZone() () at
/usr/src/debug/dev-qt/qtcore-5.15.4/qtbase-everywhere-src-5.15.4/src/corelib/time/qtimezone.cpp:819
#23 0x00007f06b15ee3b3 in getLocalTZA () at
/usr/src/debug/dev-qt/qtdeclarative-5.15.4/qtdeclarative-everywhere-src-5.15.4/src/qml/jsruntime/qv4dateobject.cpp:723
#24 QV4::DatePrototype::init(QV4::ExecutionEngine*, QV4::Object*)
(this=0x7f06ab16d068, engine=engine@entry=0x559554421360, ctor=0x7f06ab16d198)
at
/usr/src/debug/dev-qt/qtdeclarative-5.15.4/qtdeclarative-everywhere-src-5.15.4/src/qml/jsruntime/qv4dateobject.cpp:848
#25 0x00007f06b15b777d in QV4::ExecutionEngine::ExecutionEngine(QJSEngine*)
(this=this@entry=0x559554421360, jsEngine=jsEngine@entry=0x7fff00632a50) at
/usr/src/debug/dev-qt/qtdeclarative-5.15.4/qtdeclarative-everywhere-src-5.15.4/src/qml/jsruntime/qv4engine.cpp:630
#26 0x00007f06b15abdd4 in QJSEngine::QJSEngine(QJSEnginePrivate&, QObject*)
(this=this@entry=0x7fff00632a50, dd=..., parent=parent@entry=0x0) at
/usr/src/debug/dev-qt/qtdeclarative-5.15.4/qtdeclarative-everywhere-src-5.15.4/src/qml/jsapi/qjsengine.cpp:355
#27 0x00007f06b1713be0 in QQmlEngine::QQmlEngine(QObject*)
(this=0x7fff00632a50, parent=0x0) at
/usr/src/debug/dev-qt/qtdeclarative-5.15.4/qtdeclarative-everywhere-src-5.15.4/src/qml/qml/qqmlengine.cpp:982
#28 0x0000559552a57598 in main(int, char**) (argc=<optimized out>,
argv=<optimized out>) at
/usr/src/debug/dev-qt/qtdeclarative-5.15.4/qtdeclarative-everywhere-src-5.15.4/tools/qmlplugindump/main.cpp:1185
```

[Bug c++/105709] FORTIFY_SOURCE=3 (*** buffer overflow detected ***: terminated) on Qt

[sam at gentoo dot org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105709

--- Comment #1 from Sam James <sam at gentoo dot org> ---
Minimised reproducer works with Clang but fails with GCC 12 w/ F_S=3:

qt.cxx:
```
extern "C" void __readlink_chk(char *, char *, long, long);
char readlink___path, readlink___buf;
namespace Qt {
enum Initialization {} Uninitialized;
}
struct QArrayData {
  int size;
};
struct QByteArray {
  QByteArray(int, Qt::Initialization);
  ~QByteArray();
  int size() const;
  QArrayData d;
};
QByteArray::~QByteArray() {}
int QByteArray::size() const { return d.size; }
main() {
  QByteArray buf(6, Qt::Uninitialized);
  int __trans_tmp_1 = buf.size();
  __readlink_chk(&readlink___path, &readlink___buf, __trans_tmp_1, 0);
}
```

```
$ c++ -O2 -D_FORTIFY_SOURCE=3 -l Qt5Core qt.cxx -o qt
qt.cxx:17:1: warning: ISO C++ forbids declaration of ‘main’ with no type
[-Wreturn-type]
   17 | main() {
      | ^~~~
$ ./qt
*** buffer overflow detected ***: terminated
Aborted (core dumped)
```

[Bug middle-end/105709] FORTIFY_SOURCE=3 (*** buffer overflow detected ***: terminated) on Qt

[sam at gentoo dot org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105709

--- Comment #2 from Sam James <sam at gentoo dot org> ---
```
$ gcc --version
gcc (Gentoo Hardened 12.1.1_p20220521 p5) 12.1.1 20220521
Copyright (C) 2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
```

[Bug middle-end/105709] FORTIFY_SOURCE=3 (*** buffer overflow detected ***: terminated) on Qt

[sam at gentoo dot org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105709

--- Comment #3 from Sam James <sam at gentoo dot org> ---
Created attachment 53023
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=53023&action=edit
non-reduced-qt.cxx

(I've attached `non-reduced-qt.cxx` in case it's more illustrative. I didn't do
much to it, just yanked the qt_readlink function out of Qt, shoved
"/etc/timezone" into it (see the original backtrace), and it failed.

Needs to be compiled with:
```
$ g++ -O2 -D_FORTIFY_SOURCE=3 -o qt -fPIC -I/usr/include/qt5/QtCore
-I/usr/include/qt5 -I/usr/lib64/qt5/mkspecs/linux-g++
-I/usr/include/qt5/QtCore/5.15.4/QtCore/private/
-I/usr/include/qt5/QtCore/5.15.4/QtCore -I/usr/include/qt5/QtCore/5.15.4 qt.ii
-lQt5Core
```)

[Bug middle-end/105709] FORTIFY_SOURCE=3 (*** buffer overflow detected ***: terminated) on Qt

[sam at gentoo dot org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105709

--- Comment #4 from Sam James <sam at gentoo dot org> ---
Created attachment 53024
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=53024&action=edit
non-reduced-qt.ii

[Bug middle-end/105709] FORTIFY_SOURCE=3 (*** buffer overflow detected ***: terminated) on Qt

[sam at gentoo dot org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105709

--- Comment #5 from Sam James <sam at gentoo dot org> ---
Created attachment 53025
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=53025&action=edit
reduced-qt.cxx

[Bug middle-end/105709] FORTIFY_SOURCE=3 (*** buffer overflow detected ***: terminated) on Qt

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105709

--- Comment #6 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
the reduced testcase fails for me with clang.

[Bug middle-end/105709] FORTIFY_SOURCE=3 (*** buffer overflow detected ***: terminated) on Qt

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105709

--- Comment #7 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
Even this reduced testcase works:

#  include <sys/syscall.h>
#  include <pthread.h>
#  include <unistd.h>
#include <cstring>
#include <cstdlib>

namespace Qt {
enum Initialization {} Uninitialized;
}
struct QArrayData {
  int size;
  char *d;
};
struct QByteArray {
    [[gnu::noipa]]
  QByteArray(int a, Qt::Initialization)  {d.size = a; d.d =
(char*)__builtin_malloc(a); memset(d.d, 0, a);}
  ~QByteArray();
  int size() const;
  QArrayData d;
    [[gnu::noipa]]
  char *data() {return d.d;}
};
QByteArray::~QByteArray() {}
    [[gnu::noipa]]
int QByteArray::size() const { return d.size; }
int
main() {
    char *path = (char*)malloc(1024);
  QByteArray buf(256, Qt::Uninitialized); 
     ssize_t len = ::readlink(path, buf.data(), buf.size());

  return 0;
}

[Bug middle-end/105709] FORTIFY_SOURCE=3 (*** buffer overflow detected ***: terminated) on Qt

[sam at gentoo dot org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105709

--- Comment #8 from Sam James <sam at gentoo dot org> ---
Let me try hack something to reduce but test with Clang where possible. It's
hard because the mkspecs stuff which leaks into the preprocessed original
source doesn't build with Clang.

In the meantime, could you tell me if non-reduced-qt.cxx and
non-reduced-qt.ii.xz work for you?

[Bug middle-end/105709] FORTIFY_SOURCE=3 (*** buffer overflow detected ***: terminated) on Qt

[siddhesh at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105709

--- Comment #9 from Siddhesh Poyarekar <siddhesh at gcc dot gnu.org> ---
>From a quick check of non-reduced-qt.cxx, clang appears to fail to fortify the
readlink function, which may explain why you see the failure with gcc but not
clang.  Also the reduced reproducer in comment 1 looks wrong; it passes a 0
object size to __readlink_chk, which is guaranteed to fail.  The correct
reproducer in that context is:

```
extern "C" void __readlink_chk(char *, char *, long, long);
char readlink___path, readlink___buf;
namespace Qt {
enum Initialization {} Uninitialized;
}
struct QArrayData {
  int size;
};
struct QByteArray {
  QByteArray(int, Qt::Initialization);
  ~QByteArray();
  int size() const;
  QArrayData d;
};
QByteArray::~QByteArray() {}
int QByteArray::size() const { return d.size; }
main() {
  QByteArray buf(6, Qt::Uninitialized);
  int __trans_tmp_1 = buf.size();
  __readlink_chk(&readlink___path, &readlink___buf, __trans_tmp_1,
__builtin_dynamic_object_size (&readlink___buf, 0));
}
```

which again, is invalid code because the readlink is passed a 1 byte buffer and
read an uninitialized number of bytes, which again fails correctly.  Fun fact:
this code will likely *pass* if -ftrivial-auto-var-init is passed!  I guess one
can't win everything...

Now looking at the original code, it seems similar to the issue in bug 105078,
which is basically an attempt to use an implicit flex array (by overallocating
memory to the object) which is not guaranteed to work all the time.  Clang
simply bails out at some point, because of which it doesn't fortify the
readlink call and everything is good.

[Bug middle-end/105709] FORTIFY_SOURCE=3 (*** buffer overflow detected ***: terminated) on Qt

[sam at gentoo dot org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105709

--- Comment #10 from Sam James <sam at gentoo dot org> ---
Thanks Siddhesh. I was suspicious of how contorted the minimised version was
but I went with it given it still crashed.

And I think I get what the issue is with the original code now too. Cheers for
explaining.

I've reported this to Qt at https://bugreports.qt.io/browse/QTBUG-103782.

[Bug middle-end/105709] FORTIFY_SOURCE=3 (*** buffer overflow detected ***: terminated) on Qt

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105709

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |DUPLICATE

--- Comment #11 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
Actually it is an exact dup of bug 105078 really as it was reduced from the
same source.  Closing as a dup.

*** This bug has been marked as a duplicate of bug 105078 ***