Re: [PATCH] iproute2: Conforming to -D_FORTIFY_SOURCE=2 restrictions

Netdev List
 help / color / mirror / Atom feed

From: Stephen Hemminger <shemminger@vyatta.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Bin Li <libin.charles@gmail.com>, netdev@vger.kernel.org
Subject: Re: [PATCH] iproute2: Conforming to -D_FORTIFY_SOURCE=2 restrictions
Date: Wed, 19 Oct 2011 09:50:52 -0700	[thread overview]
Message-ID: <20111019095052.4e3001da@nehalam.linuxnetplumber.net> (raw)
In-Reply-To: <1319023851.3103.17.camel@edumazet-laptop>

On Wed, 19 Oct 2011 13:30:51 +0200
Eric Dumazet <eric.dumazet@gmail.com> wrote:

> Le mercredi 19 octobre 2011 à 17:15 +0800, Bin Li a écrit :
> > Stephen,
> > 
> >  You can reproduce this issue in 2.6.37 like below. And the previous
> > gdb log is after the install the debuginfo package in SUSE.
> > 
> > # ip -6 xfrm state add src 3ffe:501:ffff:ff03:21a:64ff:fe12:e4c1 dst
> > 3ffe:501:ffff:ff05:200:ff:fe00:c1c1 proto ah spi 0x1000 mode transport
> > auth md5 "TAHITEST89ABCDEF"
> > 
> > *** buffer overflow detected ***: ip terminated
> > ======= Backtrace: =========
> > /lib/libc.so.6(__fortify_fail+0x40)[0xb76d0070]
> > /lib/libc.so.6(+0xe8e27)[0xb76cde27]
> > /lib/libc.so.6(+0xe8317)[0xb76cd317]
> > ip[0x806d6c4]
> > ip(do_xfrm_state+0x120)[0x806dc70]
> > ip(do_xfrm+0x81)[0x806ad51]
> > ip[0x804c355]
> > ip(main+0x476)[0x804caa6]
> > /lib/libc.so.6(__libc_start_main+0xfe)[0xb75fbc2e]
> > ip[0x804c261]
> > ======= Memory map: ========
> > 08048000-08087000 r-xp 00000000 08:01 4465       /sbin/ip
> > 08087000-08088000 r--p 0003e000 08:01 4465       /sbin/ip
> > 08088000-0808a000 rw-p 0003f000 08:01 4465       /sbin/ip
> > 0808a000-080ad000 rw-p 00000000 00:00 0          [heap]
> > b75c6000-b75e2000 r-xp 00000000 08:01 131084     /lib/libgcc_s.so.1
> > b75e2000-b75e3000 r--p 0001b000 08:01 131084     /lib/libgcc_s.so.1
> > b75e3000-b75e4000 rw-p 0001c000 08:01 131084     /lib/libgcc_s.so.1
> > b75e4000-b75e5000 rw-p 00000000 00:00 0
> > b75e5000-b774b000 r-xp 00000000 08:01 131375     /lib/libc-2.11.3.so
> > b774b000-b774c000 ---p 00166000 08:01 131375     /lib/libc-2.11.3.so
> > b774c000-b774e000 r--p 00166000 08:01 131375     /lib/libc-2.11.3.so
> > b774e000-b774f000 rw-p 00168000 08:01 131375     /lib/libc-2.11.3.so
> > b774f000-b7752000 rw-p 00000000 00:00 0
> > b7752000-b7755000 r-xp 00000000 08:01 131428     /lib/libdl-2.11.3.so
> > b7755000-b7756000 r--p 00002000 08:01 131428     /lib/libdl-2.11.3.so
> > b7756000-b7757000 rw-p 00003000 08:01 131428     /lib/libdl-2.11.3.so
> > b7774000-b7775000 rw-p 00000000 00:00 0
> > b7775000-b7794000 r-xp 00000000 08:01 154467     /lib/ld-2.11.3.so
> > b7794000-b7795000 r--p 0001e000 08:01 154467     /lib/ld-2.11.3.so
> > b7795000-b7796000 rw-p 0001f000 08:01 154467     /lib/ld-2.11.3.so
> > bfa02000-bfa23000 rw-p 00000000 00:00 0          [stack]
> > ffffe000-fffff000 r-xp 00000000 00:00 0          [vdso]
> > Aborted
> > 
> > And If without -D_FORTIFY_SOURCE=2 in gcc, it works fine, so It's a
> > bug in iproute2 which is not conforming to -D_FORTIFY_SOURCE=2
> > restrictions.
> > 
> 
> FORTIFY assumes we cant copy a string on alg.u.alg.alg_key !
> 
> This completely precludes 0-sized arrays
> 
> struct xfrm_algo {
>         char            alg_name[64];
>         unsigned int    alg_key_len;    /* in bits */
>         char            alg_key[0];
> };
> 
> struct {
>       union {
>           struct xfrm_algo alg;
>           struct xfrm_algo_aead aead;
>           struct xfrm_algo_auth auth;
>       } u;
>       char buf[XFRM_ALGO_KEY_BUF_SIZE];
> } alg = {};
> 
> I would say its a FORTIFY bug. This kind of construct is perfectly
> valid.

Maybe it will handle flexible style arrays.
See also:
   http://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html

At this time, I won't accept the patch that uses alloca() just to deal
with this FORTIFY bug.

     prev parent reply	other threads:[~2011-10-19 16:50 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-10-17  7:35 [PATCH] iproute2: Conforming to -D_FORTIFY_SOURCE=2 restrictions Bin Li
2011-10-17 15:23 ` Stephen Hemminger
2011-10-19  9:15   ` Bin Li
2011-10-19 11:30     ` Eric Dumazet
2011-10-19 16:50       ` Stephen Hemminger [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20111019095052.4e3001da@nehalam.linuxnetplumber.net \
    --to=shemminger@vyatta.com \
    --cc=eric.dumazet@gmail.com \
    --cc=libin.charles@gmail.com \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox