public inbox for gcc-bugs@sourceware.org
* [Bug c/110579] New: O2, O1 opmtimizations cause a buffer overflow panic during a strcpy
@ 2023-07-06 20:14 gabriel.torres at ll dot mit.edu
  2023-07-06 20:14 ` [Bug c/110579] " gabriel.torres at ll dot mit.edu
                   ` (4 more replies)
  0 siblings, 5 replies; 6+ messages in thread
From: gabriel.torres at ll dot mit.edu @ 2023-07-06 20:14 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110579

            Bug ID: 110579
           Summary: O2, O1 opmtimizations cause a buffer overflow panic
                    during a strcpy
           Product: gcc
           Version: 11.3.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: gabriel.torres at ll dot mit.edu
  Target Milestone: ---

Created attachment 55493
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=55493&action=edit
Output of compiling the source code.

O2, O1 optimizations of the attached .i file trigger a buffer overflow panic
during a strcpy.
The project being compiled is tar 1.14.
The unoptimized version does not panic and performs the expected behavior,
creating an archive.

* the exact version of GCC;
  - 11.3.0, 12.1.0, 9.5.0
* the system type;
  - Ubuntu 22.04.1
* the options given when GCC was configured/built;
  - 11.3.0: Configured with: ../src/configure -v --with-pkgversion='Ubuntu
11.3.0-1ubuntu1~22.04.1' --with-bugurl=file:///usr/share/doc/gcc-11/README.Bugs
--enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++,m2 --prefix=/usr
--with-gcc-major-version-only --program-suffix=-11
--program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id
--libexecdir=/usr/lib --without-included-gettext --enable-threads=posix
--libdir=/usr/lib --enable-nls --enable-bootstrap --enable-clocale=gnu
--enable-libstdcxx-debug --enable-libstdcxx-time=yes
--with-default-libstdcxx-abi=new --enable-gnu-unique-object
--disable-vtable-verify --enable-plugin --enable-default-pie --with-system-zlib
--enable-libphobos-checking=release --with-target-system-zlib=auto
--enable-objc-gc=auto --enable-multiarch --disable-werror --enable-cet
--with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32
--enable-multilib --with-tune=generic
--enable-offload-targets=nvptx-none=/build/gcc-11-aYxV0E/gcc-11-11.3.0/debian/tmp-nvptx/usr,amdgcn-amdhsa=/build/gcc-11-aYxV0E/gcc-11-11.3.0/debian/tmp-gcn/usr
--without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu
--host=x86_64-linux-gnu --target=x86_64-linux-gnu
--with-build-config=bootstrap-lto-lean --enable-link-serialization=2
  - 9.5.0: Configured with: ../src/configure -v --with-pkgversion='Ubuntu
9.5.0-1ubuntu1~22.04' --with-bugurl=file:///usr/share/doc/gcc-9/README.Bugs
--enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++,gm2 --prefix=/usr
--with-gcc-major-version-only --program-suffix=-9
--program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id
--libexecdir=/usr/lib --without-included-gettext --enable-threads=posix
--libdir=/usr/lib --enable-nls --enable-bootstrap --enable-clocale=gnu
--enable-libstdcxx-debug --enable-libstdcxx-time=yes
--with-default-libstdcxx-abi=new --enable-gnu-unique-object
--disable-vtable-verify --enable-plugin --enable-default-pie --with-system-zlib
--with-target-system-zlib=auto --enable-objc-gc=auto --enable-multiarch
--disable-werror --with-arch-32=i686 --with-abi=m64
--with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic
--enable-offload-targets=nvptx-none=/build/gcc-9-5Q4PKF/gcc-9-9.5.0/debian/tmp-nvptx/usr,hsa
--without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu
--host=x86_64-linux-gnu --target=x86_64-linux-gnu
--with-build-config=bootstrap-lto-lean --enable-link-mutex
  - 12.1.0: Configured with: ../src/configure -v --with-pkgversion='Ubuntu
12.1.0-2ubuntu1~22.04' --with-bugurl=file:///usr/share/doc/gcc-12/README.Bugs
--enable-languages=c,ada,c++,go,d,fortran,objc,obj-c++,m2 --prefix=/usr
--with-gcc-major-version-only --program-suffix=-12
--program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id
--libexecdir=/usr/lib --without-included-gettext --enable-threads=posix
--libdir=/usr/lib --enable-nls --enable-clocale=gnu --enable-libstdcxx-debug
--enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new
--enable-gnu-unique-object --disable-vtable-verify --enable-plugin
--enable-default-pie --with-system-zlib --enable-libphobos-checking=release
--with-target-system-zlib=auto --enable-objc-gc=auto --enable-multiarch
--disable-werror --enable-cet --with-arch-32=i686 --with-abi=m64
--with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic
--enable-offload-targets=nvptx-none=/build/gcc-12-sZcx2y/gcc-12-12.1.0/debian/tmp-nvptx/usr,amdgcn-amdhsa=/build/gcc-12-sZcx2y/gcc-12-12.1.0/debian/tmp-gcn/usr
--enable-offload-defaulted --without-cuda-driver --enable-checking=release
--build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
* the complete command line that triggers the bug;
  - ./tar cf foo.tar bar
* the compiler output (error messages, warnings, etc.); and
  - See make_output file
* the preprocessed file (*.i*) that triggers the bug


* [Bug c/110579] O2, O1 opmtimizations cause a buffer overflow panic during a strcpy
  2023-07-06 20:14 [Bug c/110579] New: O2, O1 opmtimizations cause a buffer overflow panic during a strcpy gabriel.torres at ll dot mit.edu
@ 2023-07-06 20:14 ` gabriel.torres at ll dot mit.edu
  2023-07-06 20:35 ` [Bug tree-optimization/110579] " sjames at gcc dot gnu.org
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: gabriel.torres at ll dot mit.edu @ 2023-07-06 20:14 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110579

--- Comment #1 from Gabriel <gabriel.torres at ll dot mit.edu> ---
Created attachment 55494
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=55494&action=edit
Processed *.i files


* [Bug tree-optimization/110579] O2, O1 opmtimizations cause a buffer overflow panic during a strcpy
  2023-07-06 20:14 [Bug c/110579] New: O2, O1 opmtimizations cause a buffer overflow panic during a strcpy gabriel.torres at ll dot mit.edu
  2023-07-06 20:14 ` [Bug c/110579] " gabriel.torres at ll dot mit.edu
@ 2023-07-06 20:35 ` sjames at gcc dot gnu.org
  2023-07-06 20:41 ` pinskia at gcc dot gnu.org
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: sjames at gcc dot gnu.org @ 2023-07-06 20:35 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110579

--- Comment #2 from Sam James <sjames at gcc dot gnu.org> ---
Could you give us a backtrace with -ggdb3 when it aborts at runtime?


* [Bug tree-optimization/110579] O2, O1 opmtimizations cause a buffer overflow panic during a strcpy
  2023-07-06 20:14 [Bug c/110579] New: O2, O1 opmtimizations cause a buffer overflow panic during a strcpy gabriel.torres at ll dot mit.edu
  2023-07-06 20:14 ` [Bug c/110579] " gabriel.torres at ll dot mit.edu
  2023-07-06 20:35 ` [Bug tree-optimization/110579] " sjames at gcc dot gnu.org
@ 2023-07-06 20:41 ` pinskia at gcc dot gnu.org
  2023-07-06 20:45 ` pinskia at gcc dot gnu.org
  2023-07-06 20:54 ` gabriel.torres at ll dot mit.edu
  4 siblings, 0 replies; 6+ messages in thread
From: pinskia at gcc dot gnu.org @ 2023-07-06 20:41 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110579

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #3 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
The warning:
In function ‘strcpy’,
    inlined from ‘start_header’ at create.c:695:7:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:79:10: warning:
‘__builtin___strcpy_chk’ writing 8 bytes into a region of size 6
[-Wstringop-overflow=]
   79 |   return __builtin___strcpy_chk (__dest, __src, __glibc_objsize (__dest));
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Which comes from:

      strcpy (header->header.magic, "ustar  "); //8


The code is not _FORTIFY_SOURCE=2 safe which requires strcpy to only write
exactly the amount to those fields and not combine character fields as
different.


  char magic[6];
  char version[2];
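Added example for the situation Comment #3 describes; this is editor-written code, not from GNU tar, glibc or GCC. It reduces tar's header to the two fields quoted above (plus a constructed trailing byte), shows the legacy strcpy pattern next to an exact-size writer that produces the same bytes, and prints the limit a fortified strcpy into `magic` is checked against. The struct name, the `pad` member and all helper names are constructed for illustration. Two facts it relies on: glibc's `_FORTIFY_SOURCE` wrappers are only enabled when `__OPTIMIZE__ > 0`, which is why the unoptimized build in the report did not abort, and the `_FORTIFY_SOURCE=2` check uses `__builtin_object_size(dst, 1)`, the size of the enclosing member rather than of the whole struct, which is why spilling from `magic[6]` into `version[2]` is rejected even though the bytes stay inside the header.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the tail of tar's struct posix_header: only the two
 * fields quoted in the thread, plus a trailing byte so we can prove that the
 * exact-size writes stop where they should. */
struct posix_header_tail {
    char magic[6];    /* "ustar " */
    char version[2];  /* " \0" in old GNU tar */
    char pad[1];      /* constructed: whatever follows the two fields */
};

/* 7 characters plus the terminating NUL: sizeof OLDGNU_MAGIC == 8, which is
 * the "writing 8 bytes" in the warning. */
#define OLDGNU_MAGIC "ustar  "

/* The pattern from the report.  strcpy writes all 8 bytes starting at
 * magic[0], so the last two land in version[].  The old code relied on that
 * layout.  With _FORTIFY_SOURCE=2 glibc routes this through __strcpy_chk with
 * a limit of __builtin_object_size(h->magic, 1) == 6 (the member, not the
 * struct), so the 8-byte write is rejected at runtime.  Not called by main(). */
void fill_magic_legacy(struct posix_header_tail *h)
{
    strcpy(h->magic, OLDGNU_MAGIC);
}

/* Hardened form: each field receives exactly its own size.  The bytes end up
 * identical to the legacy result, so the on-disk format is unchanged. */
void fill_magic_exact(struct posix_header_tail *h)
{
    memcpy(h->magic,   OLDGNU_MAGIC,     sizeof h->magic);    /* "ustar " */
    memcpy(h->version, OLDGNU_MAGIC + 6, sizeof h->version);  /* " \0"    */
}

/* Is the 8-byte span covering magic+version equal to "ustar  " plus NUL?
 * Compared through the struct base so the read is not an out-of-bounds
 * access on magic[] itself. */
int magic_is_oldgnu(const struct posix_header_tail *h)
{
    const char *base = (const char *)h;
    return memcmp(base + offsetof(struct posix_header_tail, magic),
                  OLDGNU_MAGIC, sizeof OLDGNU_MAGIC) == 0;
}

/* Fill a poisoned header with the exact-size writer and verify that both
 * fields are correct and that the byte after them was not touched.
 * Returns 1 on success, 0 otherwise. */
int demo_fill_and_check(void)
{
    struct posix_header_tail h;
    memset(&h, 'X', sizeof h);
    fill_magic_exact(&h);
    if (!magic_is_oldgnu(&h))                return 0;
    if (memcmp(h.magic, "ustar ", 6) != 0)   return 0;
    if (h.version[0] != ' ' || h.version[1]) return 0;
    if (h.pad[0] != 'X')                     return 0;
    return 1;
}

int main(void)
{
    struct posix_header_tail h;
    memset(&h, 0, sizeof h);
    fill_magic_exact(&h);
    printf("magic=\"%.6s\" version=\"%.2s\" check=%d\n",
           h.magic, h.version, demo_fill_and_check());
    /* The limit a fortified strcpy into h.magic is checked against.  GCC
     * resolves it to 6 when optimizing; at -O0 it may report (size_t)-1
     * ("unknown"), and glibc's fortify wrappers are only active when
     * __OPTIMIZE__ > 0 anyway, so the unoptimized build never hits the check. */
    printf("__builtin_object_size(h.magic, 1) = %zu\n",
           (size_t)__builtin_object_size(h.magic, 1));
    return 0;
}
```

Building with `-O2 -D_FORTIFY_SOURCE=2` and calling `fill_magic_legacy` reproduces the abort; `fill_magic_exact` writes the same eight bytes without any single write exceeding its destination member, which is the property the fortified `strcpy` enforces.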


* [Bug tree-optimization/110579] O2, O1 opmtimizations cause a buffer overflow panic during a strcpy
  2023-07-06 20:14 [Bug c/110579] New: O2, O1 opmtimizations cause a buffer overflow panic during a strcpy gabriel.torres at ll dot mit.edu
                   ` (2 preceding siblings ...)
  2023-07-06 20:41 ` pinskia at gcc dot gnu.org
@ 2023-07-06 20:45 ` pinskia at gcc dot gnu.org
  2023-07-06 20:54 ` gabriel.torres at ll dot mit.edu
  4 siblings, 0 replies; 6+ messages in thread
From: pinskia at gcc dot gnu.org @ 2023-07-06 20:45 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110579

--- Comment #4 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
All of these FORTIFY issues have been fixed for a long time now (over 10
years).

Why are you trying to use an old version of gnu tar?

e.g. https://lists.gnu.org/archive/html/bug-tar/2010-02/msg00010.html


* [Bug tree-optimization/110579] O2, O1 opmtimizations cause a buffer overflow panic during a strcpy
  2023-07-06 20:14 [Bug c/110579] New: O2, O1 opmtimizations cause a buffer overflow panic during a strcpy gabriel.torres at ll dot mit.edu
                   ` (3 preceding siblings ...)
  2023-07-06 20:45 ` pinskia at gcc dot gnu.org
@ 2023-07-06 20:54 ` gabriel.torres at ll dot mit.edu
  4 siblings, 0 replies; 6+ messages in thread
From: gabriel.torres at ll dot mit.edu @ 2023-07-06 20:54 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110579

--- Comment #5 from Gabriel <gabriel.torres at ll dot mit.edu> ---
I see. That makes sense.

Our research project has a dataset with tar 1.14. Our plan is to compare our
work with existing work in the dataset and to be consistent, use tar 1.14. We
noticed our binary compiled with gcc would abort when creating an archive while
using clang was fine.

