From: Stephen Hemminger <shemminger@vyatta.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Bin Li <libin.charles@gmail.com>, netdev@vger.kernel.org
Subject: Re: [PATCH] iproute2: Conforming to -D_FORTIFY_SOURCE=2 restrictions
Date: Wed, 19 Oct 2011 09:50:52 -0700
Message-ID: <20111019095052.4e3001da@nehalam.linuxnetplumber.net>
In-Reply-To: <1319023851.3103.17.camel@edumazet-laptop>
On Wed, 19 Oct 2011 13:30:51 +0200
Eric Dumazet <eric.dumazet@gmail.com> wrote:
> On Wednesday 19 October 2011 at 17:15 +0800, Bin Li wrote:
> > Stephen,
> >
> > You can reproduce this issue in 2.6.37 like below. And the previous
> > gdb log is from after installing the debuginfo package in SUSE.
> >
> > # ip -6 xfrm state add src 3ffe:501:ffff:ff03:21a:64ff:fe12:e4c1 dst
> > 3ffe:501:ffff:ff05:200:ff:fe00:c1c1 proto ah spi 0x1000 mode transport
> > auth md5 "TAHITEST89ABCDEF"
> >
> > *** buffer overflow detected ***: ip terminated
> > ======= Backtrace: =========
> > /lib/libc.so.6(__fortify_fail+0x40)[0xb76d0070]
> > /lib/libc.so.6(+0xe8e27)[0xb76cde27]
> > /lib/libc.so.6(+0xe8317)[0xb76cd317]
> > ip[0x806d6c4]
> > ip(do_xfrm_state+0x120)[0x806dc70]
> > ip(do_xfrm+0x81)[0x806ad51]
> > ip[0x804c355]
> > ip(main+0x476)[0x804caa6]
> > /lib/libc.so.6(__libc_start_main+0xfe)[0xb75fbc2e]
> > ip[0x804c261]
> > ======= Memory map: ========
> > 08048000-08087000 r-xp 00000000 08:01 4465 /sbin/ip
> > 08087000-08088000 r--p 0003e000 08:01 4465 /sbin/ip
> > 08088000-0808a000 rw-p 0003f000 08:01 4465 /sbin/ip
> > 0808a000-080ad000 rw-p 00000000 00:00 0 [heap]
> > b75c6000-b75e2000 r-xp 00000000 08:01 131084 /lib/libgcc_s.so.1
> > b75e2000-b75e3000 r--p 0001b000 08:01 131084 /lib/libgcc_s.so.1
> > b75e3000-b75e4000 rw-p 0001c000 08:01 131084 /lib/libgcc_s.so.1
> > b75e4000-b75e5000 rw-p 00000000 00:00 0
> > b75e5000-b774b000 r-xp 00000000 08:01 131375 /lib/libc-2.11.3.so
> > b774b000-b774c000 ---p 00166000 08:01 131375 /lib/libc-2.11.3.so
> > b774c000-b774e000 r--p 00166000 08:01 131375 /lib/libc-2.11.3.so
> > b774e000-b774f000 rw-p 00168000 08:01 131375 /lib/libc-2.11.3.so
> > b774f000-b7752000 rw-p 00000000 00:00 0
> > b7752000-b7755000 r-xp 00000000 08:01 131428 /lib/libdl-2.11.3.so
> > b7755000-b7756000 r--p 00002000 08:01 131428 /lib/libdl-2.11.3.so
> > b7756000-b7757000 rw-p 00003000 08:01 131428 /lib/libdl-2.11.3.so
> > b7774000-b7775000 rw-p 00000000 00:00 0
> > b7775000-b7794000 r-xp 00000000 08:01 154467 /lib/ld-2.11.3.so
> > b7794000-b7795000 r--p 0001e000 08:01 154467 /lib/ld-2.11.3.so
> > b7795000-b7796000 rw-p 0001f000 08:01 154467 /lib/ld-2.11.3.so
> > bfa02000-bfa23000 rw-p 00000000 00:00 0 [stack]
> > ffffe000-fffff000 r-xp 00000000 00:00 0 [vdso]
> > Aborted
> >
> > And without -D_FORTIFY_SOURCE=2 in gcc it works fine, so it's a
> > bug in iproute2, which is not conforming to -D_FORTIFY_SOURCE=2
> > restrictions.
> >
>
> FORTIFY assumes we can't copy a string into alg.u.alg.alg_key!
>
> This completely precludes 0-sized arrays.
>
> struct xfrm_algo {
> 	char alg_name[64];
> 	unsigned int alg_key_len; /* in bits */
> 	char alg_key[0];
> };
>
> struct {
> 	union {
> 		struct xfrm_algo alg;
> 		struct xfrm_algo_aead aead;
> 		struct xfrm_algo_auth auth;
> 	} u;
> 	char buf[XFRM_ALGO_KEY_BUF_SIZE];
> } alg = {};
>
> I would say it's a FORTIFY bug. This kind of construct is perfectly
> valid.
Maybe it will handle flexible style arrays.
See also:
http://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html
At this time, I won't accept the patch that uses alloca() just to deal
with this FORTIFY bug.
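The construct under discussion, and one way to fill it without giving FORTIFY_SOURCE=2 a zero-sized destination, as an added example that is not code from this thread or from iproute2. It mirrors the quoted struct xfrm_algo and the union-plus-trailing-buffer idiom, but assumes a value for XFRM_ALGO_KEY_BUF_SIZE, leaves out the aead and auth union members, and assumes the key argument is either "0x..." hex or a literal byte string as in the reporter's command line. The key bytes are copied through a pointer derived from the whole object (alg_key_bytes), so the bound that is checked, ALG_KEY_MAX, is the storage that really exists, instead of through the zero-length alg_key member whose declared size is 0:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layouts modelled on the structs quoted in the thread. XFRM_ALGO_KEY_BUF_SIZE
 * is an assumed value for this example; iproute2 defines its own. */
#define XFRM_ALGO_KEY_BUF_SIZE 512

struct xfrm_algo {
    char alg_name[64];
    unsigned int alg_key_len;   /* in bits */
    char alg_key[0];            /* zero-length array: key bytes live past the struct */
};

/* The union-plus-trailing-buffer idiom from the thread; the aead and auth
 * members are left out because only alg_key's overlap with buf matters here. */
struct alg_storage {
    union {
        struct xfrm_algo alg;
    } u;
    char buf[XFRM_ALGO_KEY_BUF_SIZE];
};

/* Where the key bytes start inside the whole object, and how many fit there. */
#define ALG_KEY_OFF (offsetof(struct alg_storage, u) + offsetof(struct xfrm_algo, alg_key))
#define ALG_KEY_MAX (sizeof(struct alg_storage) - ALG_KEY_OFF)

/* Address of the key storage derived from the whole object rather than from
 * the zero-length member, so the size being checked is the bytes that exist. */
static unsigned char *alg_key_bytes(struct alg_storage *s)
{
    return (unsigned char *)s + ALG_KEY_OFF;
}

static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse a key argument as the thread's command line gives it: "0x..." hex or
 * a literal byte string (assumed convention). Returns the byte count, -1 for
 * malformed hex, -2 if the key would not fit in cap bytes. */
static int parse_key(const char *arg, unsigned char *out, size_t cap)
{
    size_t n;
    if (arg[0] == '0' && (arg[1] == 'x' || arg[1] == 'X')) {
        const char *p = arg + 2;
        n = strlen(p);
        if (n == 0 || n % 2 != 0) return -1;
        if (n / 2 > cap) return -2;
        for (size_t i = 0; i < n; i += 2) {
            int hi = hex_nibble(p[i]), lo = hex_nibble(p[i + 1]);
            if (hi < 0 || lo < 0) return -1;
            out[i / 2] = (unsigned char)((hi << 4) | lo);
        }
        return (int)(n / 2);
    }
    n = strlen(arg);
    if (n > cap) return -2;
    memcpy(out, arg, n);
    return (int)n;
}

/* Fill s with the algorithm name and key. Returns the key length in bytes or
 * a negative parse_key code. Each copy targets storage whose size the type
 * itself states, which is what a FORTIFY_SOURCE=2 check can reason about. */
static int alg_set(struct alg_storage *s, const char *name, const char *key_arg)
{
    unsigned char tmp[sizeof(struct alg_storage)];
    int n = parse_key(key_arg, tmp, ALG_KEY_MAX);
    if (n < 0) return n;
    if (strlen(name) >= sizeof(s->u.alg.alg_name)) return -2;
    memset(s, 0, sizeof(*s));
    memcpy(s->u.alg.alg_name, name, strlen(name)); /* NUL already from memset */
    s->u.alg.alg_key_len = (unsigned int)n * 8;
    memcpy(alg_key_bytes(s), tmp, (size_t)n);
    return n;
}

static struct alg_storage g_alg;   /* scratch object for the demonstration */

/* Returns 1 if a key one byte longer than the storage is refused. */
static int demo_oversize_rejected(void)
{
    char big[sizeof(struct alg_storage) + 2];
    memset(big, 'A', ALG_KEY_MAX + 1);
    big[ALG_KEY_MAX + 1] = '\0';
    return alg_set(&g_alg, "md5", big) == -2;
}

int main(void)
{
    int n = alg_set(&g_alg, "md5", "TAHITEST89ABCDEF");
    printf("stored %d key bytes (%u bits), storage holds up to %zu\n",
           n, g_alg.u.alg.alg_key_len, ALG_KEY_MAX);
    /* The destination size a FORTIFY_SOURCE=2 check would use for each pointer;
     * (size_t)-1 means "unknown", i.e. no check. Results depend on compiler
     * version and optimisation level. */
    printf("bos(alg_key)=%zu bos(key via object)=%zu\n",
           __builtin_object_size(g_alg.u.alg.alg_key, 1),
           __builtin_object_size(alg_key_bytes(&g_alg), 1));
    return n == 16 ? 0 : 1;
}
```

Build it with and without -O2 -D_FORTIFY_SOURCE=2 and compare the two __builtin_object_size values: the first is what the fortified strcpy in the thread's backtrace was comparing against, the second is the bound this version checks itself. Whether a compiler treats a zero-length array nested inside a union as a flexible member is exactly the question the thread leaves open, which is why the copy here does not depend on the answer.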