[Bug 601030] Re: broken configuration test with fortify source
Bug Watch Updater
601030 at bugs.launchpad.net
Thu May 26 01:54:33 UTC 2011
Launchpad has imported 4 comments from the remote bug at
http://sourceware.org/bugzilla/show_bug.cgi?id=11968.
If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.
------------------------------------------------------------------------
On 2010-09-02T18:15:45+00:00 Kees Cook wrote:
In 2.11 and later, it seems that longjmp will fail on x86_64 when
_FORTIFY_SOURCE is enabled.
It works on x86_32, and on 2.10 and earlier.
https://launchpad.net/bugs/601030
Reply at: https://bugs.launchpad.net/gcc-linaro/+bug/601030/comments/17
------------------------------------------------------------------------
On 2010-09-02T18:22:00+00:00 Kees Cook wrote:
Created attachment 4962
reproducer
Here is the reproducer. This dies on alarm on Ubuntu x86_64 (eglibc 2.11 and
2.12) and Fedora x86_64 (2.12) when using more recent glibc:
$ gcc -O2 -fno-stack-protector -D_FORTIFY_SOURCE=2 -Wall minimal.c -o minimal
/tmp
$ ./minimal
Alarm Clock
It doesn't always fail, and I tried to mitigate this by disabling ASLR.
Michael Hope noticed:
"The fault occurs as the 'pass' value given to longjmp() gets corrupted before
use by setjmp(), causing the 'setjmp() < 2' test to fail and the system to loop
forever. The only assembler level fortify/non-fortify difference is a call to
longjmp_chk instead of longjmp.
Note that shifting 'mystack' off the stack and into static memory also works
around the problem.
glibc-2.11.1/sysdeps/unix/sysv/linux/x86_64/____longjmp_chk.S is broken. It
saves the value of 'pass' in ecx for later use but ecx is trashed by a syscall.
The syscall is used to bring in the signal stack so that the fortify code can
print an error message if needed. The problem goes away with -U_FORTIFY_SOURCE
as no such syscall is used."
Reply at: https://bugs.launchpad.net/gcc-linaro/+bug/601030/comments/18
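The attached reproducer (attachment 4962) is not reproduced on this page. The following is an added regression check, not the attachment and not glibc code, that exercises the pattern Michael Hope describes: a value is handed to longjmp() and must arrive unchanged at setjmp(), and a bounded counting loop stands in for the configure test's 'setjmp() < 2' loop so that a corrupted value shows up as a mismatch or an iteration cap rather than a hang. The function names longjmp_roundtrip and count_passes are assumptions for this example. Build it the way the report does, with -O2 -D_FORTIFY_SOURCE=2, so the fortified __longjmp_chk path is the one being tested; a libc with the fix returns 7 and 2, and the alarm bounds a hung run the same way the reproducer's does.

```c
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Added regression check (hypothetical, not attachment 4962): verify that the
 * value handed to longjmp() arrives unchanged at setjmp(). The names
 * longjmp_roundtrip and count_passes are assumptions for this example. */

static jmp_buf env;

/* Jump back once with 'pass' and return what setjmp() delivered.
 * Per C99, longjmp(env, 0) is delivered as 1. */
int longjmp_roundtrip(int pass)
{
    int got = setjmp(env);
    if (got == 0)
        longjmp(env, pass);    /* does not return */
    return got;
}

/* Mirror the counting loop the report describes: every pass jumps back with
 * the next counter value until setjmp() reports 2. Returns the final value
 * delivered (2 on a correct libc), -1 if a delivered value does not match
 * what was sent (the corruption described in the report), or -2 if the loop
 * exceeds max_passes (the hang the bug produces). 'pass' and 'iterations'
 * are volatile so their values survive the longjmp. */
int count_passes(int max_passes)
{
    volatile int pass = 0;
    volatile int iterations = 0;
    int got = setjmp(env);

    iterations++;
    if (got != pass)
        return -1;             /* value was altered in transit */
    if (iterations > max_passes)
        return -2;             /* loop guard: would otherwise spin forever */
    if (got < 2) {
        pass = got + 1;
        longjmp(env, pass);
    }
    return got;
}

int main(void)
{
    /* Bound the run like the reproducer: a hung loop dies with "Alarm Clock". */
    alarm(5);

    int r = longjmp_roundtrip(7);
    int n = count_passes(100);
    printf("roundtrip: sent 7, received %d\n", r);
    printf("count_passes: %d\n", n);
    return (r == 7 && n == 2) ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

Compile with `gcc -O2 -D_FORTIFY_SOURCE=2 -Wall check.c -o check` (the same flags as the report minus -fno-stack-protector, which is not needed for the check) and compare against a build with -U_FORTIFY_SOURCE; the two should agree on a fixed libc.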
------------------------------------------------------------------------
On 2010-09-08T22:52:49+00:00 Drepper-fsp wrote:
Fixed in git.
Reply at: https://bugs.launchpad.net/gcc-linaro/+bug/601030/comments/19
------------------------------------------------------------------------
On 2010-09-08T23:04:54+00:00 Kees Cook wrote:
Thanks!
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=c044aa75354b48d4b7aaffe465706282192e54c2
Reply at: https://bugs.launchpad.net/gcc-linaro/+bug/601030/comments/20
** Changed in: glibc
Status: Confirmed => Fix Released
** Changed in: glibc
Importance: Unknown => Medium
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to eglibc in Ubuntu.
https://bugs.launchpad.net/bugs/601030
Title:
broken configuration test with fortify source
Status in Linaro GCC:
Invalid
Status in The GNU C Library:
Fix Released
Status in Linaro Toolchain Miscellanies:
Confirmed
Status in “eglibc” package in Ubuntu:
Fix Released
Status in “gawk” package in Ubuntu:
Fix Released
Status in “eglibc” source package in Lucid:
Confirmed
Status in “gawk” source package in Lucid:
Invalid
Status in “eglibc” source package in Maverick:
Fix Released
Status in “gawk” source package in Maverick:
Fix Released
Bug description:
Binary package hint: gcc-4.4
gcc-4.4 -g -O2 -U_FORTIFY_SOURCE -Wall conftest.c && ./a.out
works
while
gcc-4.4 -g -O2 -Wall conftest.c && ./a.out
does not (hangs). 4.3 and 4.5 do work, -O1 as well.