rakshasa / rtorrent

rTorrent BitTorrent client
https://github.com/rakshasa/rtorrent/wiki
GNU General Public License v2.0

utils: lockfile: avoid stack overflow for lockfile buffer #1169

Closed cyphar closed 1 year ago

cyphar commented 2 years ago

There appears to have been some change on openSUSE (likely some new hardening flags for builds, or some glibc hardening) such that incorrect buffer handling results in a segfault even if the buffer is never overflowed.

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

cyphar commented 2 years ago

Here's the key info from the coredump:

Core was generated by `rtorrent'.
Program terminated with signal SIGABRT, Aborted.
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
44            return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;
[Current thread is 1 (Thread 0x7f78c8364d00 (LWP 2112))]
Missing separate debuginfos, use: zypper install libsasl2-3-debuginfo-2.1.28-1.5.x86_64
(gdb) bt
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1  0x00007f78c90fa743 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2  0x00007f78c90a76f6 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007f78c9090814 in __GI_abort () at abort.c:79
#4  0x00007f78c90ed79e in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7f78c9233524 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
#5  0x00007f78c919287a in __GI___fortify_fail (msg=msg@entry=0x7f78c92334ca "buffer overflow detected") at fortify_fail.c:26
#6  0x00007f78c9190e36 in __GI___chk_fail () at chk_fail.c:28
#7  0x00007f78c91909f5 in ___snprintf_chk (s=<optimized out>, maxlen=maxlen@entry=255, flag=flag@entry=2, slen=<optimized out>, format=format@entry=0x55e8f96e815d ":+%i\n")
    at snprintf_chk.c:29
#8  0x000055e8f9673192 in snprintf (__fmt=0x55e8f96e815d ":+%i\n", __n=255, __s=<optimized out>) at /usr/include/bits/stdio2.h:71
#9  utils::Lockfile::try_lock (this=0x55e8faa6f090) at utils/lockfile.cc:101
#10 core::DownloadStore::enable (lock=<optimized out>, this=0x55e8faa6f070) at core/download_store.cc:74
#11 Control::initialize (this=0x55e8faa6a780) at /usr/src/debug/rtorrent-0.9.8-5.5.x86_64/src/control.cc:115
#12 0x000055e8f963f43b in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/rtorrent-0.9.8-5.5.x86_64/src/main.cc:469

I suspect this is caused by FORTIFY_SOURCE=2.

thesamesam commented 1 year ago

Note that this is actually with _FORTIFY_SOURCE=3 (not 2).
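The following is an added illustration of the bug pattern the backtrace points at; it is not rtorrent's code and not code posted by either commenter. The abort comes from glibc's `__snprintf_chk` being told the destination is 255 bytes (`maxlen=255` in frame #7) while the actual object is smaller: with `_FORTIFY_SOURCE=3` the check uses the object size the compiler can determine at run time, so the mismatch is reported as "buffer overflow detected" even though the `:+%i\n` text itself would have fit. The only detail taken from the page is the `:+%i\n` format; the `LOCK_BUF_SIZE` value, the hostname prefix and the function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed size: the real lockfile buffer size is not shown on the page. */
#define LOCK_BUF_SIZE 64

/* Buggy pattern, mirroring what the backtrace shows: the caller tells snprintf
 * the destination holds 255 bytes although the object is LOCK_BUF_SIZE bytes.
 * Under _FORTIFY_SOURCE=3 (dynamic object size tracking) glibc's __snprintf_chk
 * compares the claimed length against the real object size and aborts with
 * "buffer overflow detected" before anything is written, regardless of how
 * short the formatted text is.  Kept here for comparison only; never called. */
static int write_lock_entry_unsafe(char *buf, const char *host, int pid) {
    return snprintf(buf, 255, "%s:+%i\n", host, pid);
}

/* Hardened form: the size passed to snprintf is the real size of the object,
 * supplied by the caller as sizeof(buf), and the return value is checked so a
 * truncated lock entry is refused instead of written.  Returns the number of
 * bytes written, or -1 on truncation or formatting error. */
static int write_lock_entry(char *buf, size_t bufsize, const char *host, int pid) {
    if (buf == NULL || bufsize == 0)
        return -1;
    int n = snprintf(buf, bufsize, "%s:+%i\n", host, pid);
    if (n < 0 || (size_t)n >= bufsize) {
        buf[0] = '\0';   /* do not leave a half-written entry behind */
        return -1;
    }
    return n;
}

/* Convenience wrapper showing the sizeof idiom at the call site. */
static int write_lock_entry_fixed(char (*buf)[LOCK_BUF_SIZE], const char *host, int pid) {
    return write_lock_entry(*buf, sizeof *buf, host, pid);
}

int main(void) {
    char buf[LOCK_BUF_SIZE];
    int n = write_lock_entry_fixed(&buf, "host", 2112);
    if (n < 0) {
        fprintf(stderr, "lock entry did not fit in %zu bytes\n", sizeof buf);
        return 1;
    }
    fputs(buf, stdout);   /* prints "host:+2112" followed by a newline */
    return 0;
}
```

The fix is the same one the PR title describes in spirit: the length handed to `snprintf` must be the size of the buffer actually allocated, never a larger constant, and the return value must be checked because `snprintf` truncates silently rather than overflowing.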