lifelongchaser / toolwhip

Automatically exported from code.google.com/p/toolwhip

Buffer Overflow Detected in gcc 4.2-5574 build #10

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
1. Got SDKs and headers from a Mac running XCode 3, 10.5
2. Following READMES, compiled cctools and ld64 on Gentoo host
3. Followed readme for gcc, getting source from Apple's open source page
4. During 'make' of gcc for i386, got a warning about a buffer overflow being 
detected and build fails.

Seems to fail while archiving libgcov.a.

Using Revision 177.

```
rm -f ./libgcov.a
i686-apple-darwin9-ar  rc ./libgcov.a libgcc/./_gcov.o libgcc/./_gcov_merge_add.o libgcc/./_gcov_merge_single.o libgcc/./_gcov_merge_delta.o libgcc/./_gcov_fork.o libgcc/./_gcov_execl.o libgcc/./_gcov_execlp.o libgcc/./_gcov_execle.o libgcc/./_gcov_execv.o libgcc/./_gcov_execvp.o libgcc/./_gcov_execve.o libgcc/./_gcov_interval_profiler.o libgcc/./_gcov_pow2_profiler.o libgcc/./_gcov_one_value_profiler.o
*** buffer overflow detected ***: /Developer/usr/bin/ranlib terminated
======= Backtrace: =========
/lib32/libc.so.6(__fortify_fail+0x48)[0x55667418]
/lib32/libc.so.6[0x55665460]
/lib32/libc.so.6[0x55664ae8]
/lib32/libc.so.6(_IO_default_xsputn+0xa0)[0x555e91e0]
/lib32/libc.so.6(_IO_padn+0xd0)[0x555dc680]
/lib32/libc.so.6(_IO_vfprintf+0x1213)[0x555bc943]
/lib32/libc.so.6(__vsprintf_chk+0xa7)[0x55664b97]
/lib32/libc.so.6(__sprintf_chk+0x2d)[0x55664add]
/Developer/usr/bin/ranlib[0x804b752]
/Developer/usr/bin/ranlib[0x804cd3e]
/Developer/usr/bin/ranlib[0x804d57d]
/lib32/libc.so.6(__libc_start_main+0xe5)[0x55594a65]
/Developer/usr/bin/ranlib[0x8048eb1]
======= Memory map: ========
08048000-0806f000 r-xp 00000000 08:03 48960      /Developer/usr/bin/libtool
0806f000-08070000 r--p 00026000 08:03 48960      /Developer/usr/bin/libtool
08070000-08071000 rw-p 00027000 08:03 48960      /Developer/usr/bin/libtool
0948b000-094ac000 rw-p 00000000 00:00 0          [heap]
55555000-55571000 r-xp 00000000 08:03 538130     /lib32/ld-2.10.1.so
55571000-55572000 r--p 0001c000 08:03 538130     /lib32/ld-2.10.1.so
55572000-55573000 rw-p 0001d000 08:03 538130     /lib32/ld-2.10.1.so
55573000-55574000 r-xp 00000000 00:00 0          [vdso]
55574000-55575000 rw-p 00000000 00:00 0
5557e000-556c0000 r-xp 00000000 08:03 538117     /lib32/libc-2.10.1.so
556c0000-556c2000 r--p 00142000 08:03 538117     /lib32/libc-2.10.1.so
556c2000-556c3000 rw-p 00144000 08:03 538117     /lib32/libc-2.10.1.so
556c3000-556c7000 rw-p 00000000 00:00 0
556c7000-556db000 rw-p 00000000 08:03 425952     /path/to/toolwhip-read-only/gcc.i386.obj/gcc/libgcov.a (deleted)
556db000-556e7000 r-xp 00000000 08:03 547143     /lib32/libgcc_s.so.1
556e7000-556e8000 r--p 0000b000 08:03 547143     /lib32/libgcc_s.so.1
556e8000-556e9000 rw-p 0000c000 08:03 547143     /lib32/libgcc_s.so.1
ffc6c000-ffc83000 rw-p 00000000 00:00 0          [stack]
i686-apple-darwin9-ar: fatal error in /Developer/usr/bin/ranlib
make[3]: *** [libgcov.a] Error 1
make[3]: Leaving directory `/path/to/toolwhip-read-only/gcc.i386.obj/gcc'
make[2]: *** [stmp-multilib] Error 2
make[2]: Leaving directory `/path/to/toolwhip-read-only/gcc.i386.obj/gcc'
make[1]: *** [all-gcc] Error 2
make[1]: Leaving directory `/path/to/toolwhip-read-only/gcc.i386.obj'
make: *** [all] Error 2
```

Searching for similar errors elsewhere, it seems that there is some flag that 
might get set on ar to catch these things, and this seems to be somewhat common when 
building toolchains, but I found no solutions.

Original issue reported on code.google.com by jdiw...@gmail.com on 8 Jul 2010 at 2:43

GoogleCodeExporter commented 9 years ago
I seem to have gotten around this issue by building libtool with gcc 4.1.

Original comment by adamvleg...@gmail.com on 13 Dec 2010 at 4:33

GoogleCodeExporter commented 9 years ago
Tried compiling everything with GCC 4.1.2 and still get this same error:

```
i686-apple-darwin9-ar  rc ./libgcov.a libgcc/./_gcov.o libgcc/./_gcov_merge_add.o libgcc/./_gcov_merge_single.o libgcc/./_gcov_merge_delta.o libgcc/./_gcov_fork.o libgcc/./_gcov_execl.o libgcc/./_gcov_execlp.o libgcc/./_gcov_execle.o libgcc/./_gcov_execv.o libgcc/./_gcov_execvp.o libgcc/./_gcov_execve.o libgcc/./_gcov_interval_profiler.o libgcc/./_gcov_pow2_profiler.o libgcc/./_gcov_one_value_profiler.o
*** buffer overflow detected ***: /home/tatsh/usr/apple-darwin9/usr/bin/ranlib terminated
======= Backtrace: =========
/lib32/libc.so.6(__fortify_fail+0x50)[0xf76666b0]
/lib32/libc.so.6(+0xe753a)[0xf766453a]
/lib32/libc.so.6(+0xe6c08)[0xf7663c08]
/lib32/libc.so.6(_IO_default_xsputn+0xa4)[0xf75e8744]
/lib32/libc.so.6(_IO_padn+0xd7)[0xf75dba97]
/lib32/libc.so.6(_IO_vfprintf+0xfd0)[0xf75bbcf0]
/lib32/libc.so.6(__vsprintf_chk+0x9f)[0xf7663cbf]
/lib32/libc.so.6(__sprintf_chk+0x2d)[0xf7663bed]
/home/tatsh/usr/apple-darwin9/usr/bin/ranlib[0x804ad9c]
/home/tatsh/usr/apple-darwin9/usr/bin/ranlib[0x804cbb2]
/home/tatsh/usr/apple-darwin9/usr/bin/ranlib[0x804d3bf]
/lib32/libc.so.6(__libc_start_main+0xe6)[0xf7593ce6]
/home/tatsh/usr/apple-darwin9/usr/bin/ranlib[0x8048ec1]
======= Memory map: ========
08048000-08067000 r-xp 00000000 08:21 116858913  /home/tatsh/usr/apple-darwin9/usr/bin/libtool
08067000-08068000 r--p 0001e000 08:21 116858913  /home/tatsh/usr/apple-darwin9/usr/bin/libtool
08068000-08069000 rw-p 0001f000 08:21 116858913  /home/tatsh/usr/apple-darwin9/usr/bin/libtool
09d9b000-09dbc000 rw-p 00000000 00:00 0          [heap]
f757c000-f757d000 rw-p 00000000 00:00 0
f757d000-f76d5000 r-xp 00000000 08:01 3886863    /lib32/libc-2.12.2.so
f76d5000-f76d7000 r--p 00158000 08:01 3886863    /lib32/libc-2.12.2.so
f76d7000-f76d8000 rw-p 0015a000 08:01 3886863    /lib32/libc-2.12.2.so
f76d8000-f76db000 rw-p 00000000 00:00 0
f76fb000-f7705000 r-xp 00000000 08:01 1044847    /lib32/libgcc_s.so.1
f7705000-f7706000 r--p 00009000 08:01 1044847    /lib32/libgcc_s.so.1
f7706000-f7707000 rw-p 0000a000 08:01 1044847    /lib32/libgcc_s.so.1
f7707000-f771b000 rw-p 00000000 08:21 92864568   /home/tatsh/usr/src/toolwhip2/gcc.i386.obj/gcc/libgcov.a
f771b000-f771c000 rw-p 00000000 00:00 0
f771c000-f7739000 r-xp 00000000 08:01 3886861    /lib32/ld-2.12.2.so
f7739000-f773a000 r--p 0001c000 08:01 3886861    /lib32/ld-2.12.2.so
f773a000-f773b000 rw-p 0001d000 08:01 3886861    /lib32/ld-2.12.2.so
ffabe000-ffae2000 rw-p 00000000 00:00 0          [stack]
ffffe000-fffff000 r-xp 00000000 00:00 0          [vdso]
i686-apple-darwin9-ar: fatal error in /home/tatsh/usr/apple-darwin9/usr/bin/ranlib
make[3]: *** [libgcov.a] Error 1
make[3]: Leaving directory `/home/tatsh/usr/src/toolwhip2/gcc.i386.obj/gcc'
make[2]: *** [stmp-multilib] Error 2
make[2]: Leaving directory `/home/tatsh/usr/src/toolwhip2/gcc.i386.obj/gcc'
make[1]: *** [all-gcc] Error 2
make[1]: Leaving directory `/home/tatsh/usr/src/toolwhip2/gcc.i386.obj'
make: *** [all] Error 2
```

Think it would be better to figure out the line where the buffer overflow 
occurs.

Original comment by audvare on 22 Aug 2011 at 2:33

GoogleCodeExporter commented 9 years ago
The related lines are in the add_member() function in libtool.c, lines ~1949-1966:

```c
        else{
            /*
             * Since we can use long names force this to use extended
             * format #1. And round the name size to 8 plus the size of
             * struct ar_hdr rounded to 8 bytes.
             */
            member->member_name_size = size_ar_name(&member->ar_hdr);
            ar_name_size = round(ofile->member_name_size, 8) +
                   (round(sizeof(struct ar_hdr), 8) -
                    sizeof(struct ar_hdr));
            member->output_long_name = TRUE; // buffer overflow: wants "#1/20"
            sprintf(ar_name_buf, "%s%-*lu",
                    AR_EFMT1, // %s
                    (int)(sizeof(member->ar_hdr.ar_name) - (sizeof(AR_EFMT1) - 1)), // %-* left justify by this width
                    ar_name_size); // lu
            memcpy(member->ar_hdr.ar_name, ar_name_buf,
              sizeof(member->ar_hdr.ar_name));
        }
```

It seems to want to write "#1/20" into the buffer and the buffer size here is 
17. sizeof(member->ar_hdr.ar_name) = 20 and 
(int)(sizeof(member->ar_hdr.ar_name) - (sizeof(AR_EFMT1) - 1)) = 13.

A simple lookalike does not reproduce this error (values taken from GDB):

```c
#include <stdio.h>

#define AFT1 "#1/"

int main(void) {
  /* same size as the ar_name_buf discussed above */
  char p[17];
  /* sizeof("_gcov_execve.o  ") is 17, so the field width is 15: "#1/" plus a
     15-wide left-justified number is 18 characters followed by a NUL */
  sprintf(p, "%s%-*lu", 
    AFT1,
    (int)(sizeof("_gcov_execve.o  ") - (sizeof(AFT1) - 1)),
    20UL);   /* %lu expects an unsigned long */
  printf("%s\n", p);
  return 0;
}
```

I'm kind of ruling out libtool.c as the problem because Apple's logs mention a 
few overflow issues but none about this particular section and the only 
difference now in the latest version is that round() is now called rnd(). 
Otherwise everything else is the same.

Original comment by audvare on 22 Aug 2011 at 1:55
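A bounds-checked way to produce the same "#1/<size>" member name that add_member() builds with an unbounded sprintf(), as an added example that is not cctools code and not from anyone in this thread: AR_NAME_LEN and AR_HDR_LEN are assumptions taken from the struct ar_hdr layout in <ar.h>, the function names are made up, and snprintf()'s return value is used to report an oversized result instead of writing past the buffer, which is the condition __sprintf_chk aborts on in the backtraces above.

```c
#include <stdio.h>
#include <string.h>

#define AR_EFMT1 "#1/"   /* BSD extended-format-#1 prefix, as in libtool.c */
#define AR_NAME_LEN 16   /* sizeof(ar_hdr.ar_name) in <ar.h> (assumption) */
#define AR_HDR_LEN  60   /* sizeof(struct ar_hdr) in <ar.h> (assumption) */

/* Round up to a multiple of 8, as libtool.c's round() does. */
static unsigned long round_up8(unsigned long v)
{
    return (v + 7UL) & ~7UL;
}

/* Size that follows "#1/": the member name rounded up to 8, plus the
 * padding that brings the 60-byte header to a multiple of 8 (4 bytes).
 * "_gcov_execve.o" is 14 bytes: 16 + 4 = 20, the "#1/20" in the report. */
unsigned long long_name_size(size_t name_len)
{
    return round_up8(name_len) + (round_up8(AR_HDR_LEN) - AR_HDR_LEN);
}

/* Build "#1/<size>", left-justified and space-padded to the full 16-byte
 * ar_name field, as a NUL-terminated string in dst. Returns 0 on success,
 * -1 if dst is too small or the size has more digits than the field holds.
 * snprintf() never writes past dstlen; its return value is the length the
 * unbounded sprintf() in add_member() would have produced. */
int format_efmt1_name(char *dst, size_t dstlen, unsigned long size)
{
    int width = (int)(AR_NAME_LEN - (sizeof(AR_EFMT1) - 1));    /* 13 */
    int n;
    if (dstlen < AR_NAME_LEN + 1)
        return -1;                     /* no room for 16 chars plus NUL */
    n = snprintf(dst, dstlen, "%s%-*lu", AR_EFMT1, width, size);
    if (n < 0 || n != AR_NAME_LEN)
        return -1;                     /* truncated: more than 13 digits */
    return 0;
}

int main(void)
{
    char name[AR_NAME_LEN + 1];
    unsigned long size = long_name_size(strlen("_gcov_execve.o"));

    if (format_efmt1_name(name, sizeof(name), size) != 0)
        return 1;
    printf("[%s]\n", name);            /* "#1/20" space-padded to 16 chars */
    return 0;
}
```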