maandree / sha3sum

[Feature complete] SHA-3 and Keccak checksum utility
https://codeberg.org/maandree/sha3sum
ISC License

*** buffer overflow detected ***: terminated with GCC 12 and -D_FORTIFY_SOURCE=3 #34

Closed marxin closed 2 years ago

marxin commented 2 years ago

Can be seen with:

$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/home/marxin/bin/gcc/libexec/gcc/x86_64-pc-linux-gnu/12.0.1/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /home/marxin/Programming/gcc/configure --enable-languages=c,c++,fortran,jit --prefix=/home/marxin/bin/gcc --disable-multilib --enable-host-shared --disable-libsanitizer --enable-valgrind-annotations --disable-bootstrap
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 12.0.1 20220325 (experimental) (GCC) 
$ gcc  common.c -std=c99 -Wall -Wextra -pedantic -Wdouble-promotion -Wformat=2 -Winit-self -Wmissing-include-dirs -Wtrampolines -Wfloat-equal -Wshadow -Wmissing-prototypes -Wmissing-declarations -Wredundant-decls -Wnested-externs -Winline -Wno-variadic-macros -Wswitch-default -Wpadded -Wsync-nand -Wunsafe-loop-optimizations -Wcast-align -Wstrict-overflow -Wdeclaration-after-statement -Wundef -Wbad-function-cast -Wcast-qual -Wlogical-op -Wstrict-prototypes -Wold-style-definition -Wpacked -Wvector-operation-performance -Wunsuffixed-float-constants -Wsuggest-attribute=const -Wsuggest-attribute=noreturn -Wsuggest-attribute=pure -Wsuggest-attribute=format -Wnormalized=nfkc -O2 -D_FORTIFY_SOURCE=3 -g  sha3-224sum.c -lkeccak
$ ./a.out -c .testdir/sums-1
blksize=4096, size=4096, ptr=0
blksize=4096, size=4096, ptr=276
*** buffer overflow detected ***: terminated
Aborted (core dumped)

One can see it with the following debugging patch:

diff --git a/common.c b/common.c
index dda8683..2b1143d 100644
--- a/common.c
+++ b/common.c
@@ -320,6 +320,7 @@ check_checksums(const char *restrict filename, const struct libkeccak_spec *rest
        if (ptr + blksize < size)
            buf = erealloc(buf, size <<= 1);

+    fprintf (stderr, "blksize=%ld, size=%ld, ptr=%ld\n", blksize, size, ptr);
        got = read(fd, buf + ptr, blksize);
        if (got < 0)
            eperror();

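Review bot: the unchanged condition two lines above the added fprintf, `if (ptr + blksize < size)`, looks inverted: it doubles `buf` only while there is still room and never once `ptr + blksize` reaches `size`, which is exactly what the printed values show (`size=4096, ptr=276` leads straight into a 4096-byte read at `buf + 276`). A check of the form `if (ptr + blksize > size)` (or a `while` loop, since one doubling may not be enough) would grow the buffer before the read. For the debugging line itself, `%ld` only matches if `blksize`, `size` and `ptr` are `long`; if they are `size_t`/`ssize_t`, `%zu`/`%zd` is the right conversion, and the `-Wformat=2` in the compile command above will warn on the mismatch.
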
So read is called with blksize == 4096, for which buf + ptr does not have enough space.
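
As an added example (not the sha3sum project's code), a minimal C model of the read loop in the hunk above: the report's grow condition beside a corrected check, a stand-in for read(2) that returns short reads, and a doubling reader built on it. The names reported_check_grows, need_room, fake_read, fill_from and check_roundtrip are hypothetical, and the hunk's ptr, blksize and size are reused as plain size_t.

```c
#include <stdlib.h>
#include <string.h>

/* The report's condition: grows only while room remains, never once ptr + blksize >= size. */
int reported_check_grows(size_t ptr, size_t blksize, size_t size) { return ptr + blksize < size; }
/* Correct check: grow when blksize bytes at offset ptr no longer fit (cannot wrap while ptr <= size). */
int need_room(size_t ptr, size_t blksize, size_t size)
{
    return blksize > size - ptr;
}
/* Stand-in for read(2) on a pipe delivering at most `chunk` bytes per call (constructed, not a syscall). */
static size_t fake_read(const unsigned char *src, size_t srclen, size_t *off,
                        unsigned char *dst, size_t n, size_t chunk)
{
    if (n > chunk) n = chunk;
    if (n > srclen - *off) n = srclen - *off;
    memcpy(dst, src + *off, n);
    *off += n;
    return n;
}
/* Read the whole source into a doubling heap buffer; returns bytes read or (size_t)-1 on allocation failure. */
static size_t fill_from(const unsigned char *src, size_t srclen, size_t chunk,
                        size_t blksize, unsigned char **out)
{
    size_t size = blksize, ptr = 0, off = 0, got;
    unsigned char *buf = malloc(size), *nb;
    if (!buf) return (size_t)-1;
    for (;;) {
        while (need_room(ptr, blksize, size)) {   /* loop: one doubling may not suffice */
            if (!(nb = realloc(buf, size * 2))) { free(buf); return (size_t)-1; }
            buf = nb; size *= 2;
        }
        if ((got = fake_read(src, srclen, &off, buf + ptr, blksize, chunk)) == 0) break;
        ptr += got;   /* invariant after the while: ptr + blksize <= size, so this read fits */
    }
    *out = buf;
    return ptr;
}
/* Constructed self-check: a srclen-byte pattern delivered chunk bytes at a time must come back intact. */
int check_roundtrip(size_t srclen, size_t chunk, size_t blksize)
{
    unsigned char *src = malloc(srclen + 1), *out = NULL;
    size_t i, n; int ok;
    if (!src) return 0;
    for (i = 0; i < srclen; i++) src[i] = (unsigned char)(i * 31 + 7);
    n = fill_from(src, srclen, chunk, blksize, &out);
    ok = n == srclen && out && memcmp(src, out, srclen) == 0;
    free(src); free(out);
    return ok;
}
```

With the report's values (blksize 4096, a 276-byte first read), reported_check_grows returns 0 and the next 4096-byte read would land at buf + 276 in a 4096-byte buffer, while need_room grows the buffer first.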

marxin commented 2 years ago

@siddhesh

maandree commented 2 years ago

Thank you for reporting this. This should now be fixed, and I made a new release: 1.2.2.

marxin commented 2 years ago

Thanks for the quick fix. Glad that it caught a real issue in the code.