Debian Bug report logs - #624743
gcc-4.6 -D_FORTIFY_SOURCE=2 miscompiles exim4
Reported by: Andreas Metzler <ametzler@downhill.at.eu.org>
Date: Sun, 1 May 2011 07:30:02 UTC
Severity: important
Tags: pending
Merged with 619963, 624696
Found in version eglibc/2.11.2-10
Fixed in version eglibc/2.13-1
Done: Aurelien Jarno <aurelien@aurel32.net>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian GCC Maintainers <debian-gcc@lists.debian.org>: Bug#624743; Package gcc-4.6. (Sun, 01 May 2011 07:30:05 GMT)
Acknowledgement sent to Andreas Metzler <ametzler@downhill.at.eu.org>: New Bug report received and forwarded. Copy sent to Debian GCC Maintainers <debian-gcc@lists.debian.org>. (Sun, 01 May 2011 07:30:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: gcc-4.6
Version: 4.6.0-6
Severity: important
Blocks: 624696
The upgrade to gcc-4.6 broke exim4:
------------------------------------------
(SID)ametzler@argenau:/tmp/EXIM4/exim-4.75$ fakeroot debian/rules clean; \
debian/rules extradaemonpackages='' build ; echo XXXXXXXXXXXXXXXXXXXX ; \
./build-tree/build-exim4-daemon-light/exim -C /dev/null -be '${if bool{0}{yes}{no}} X ${if !bool{0}{yes}{no}}'
[...]
touch build-indep-stamp
XXXXXXXXXXXXXXXXXXXX
Segmentation fault
------------------------------------------
Exim is using hardening-wrapper. I have played with the different
DEB_BUILD_HARDENING_* options, the part that breaks is
-D_FORTIFY_SOURCE=2. With
export DEB_BUILD_HARDENING_FORTIFY=0
I (seem to) get a working exim binary.
The C file that actually breaks is drtables.c:
gdb exim
GNU gdb (GDB) 7.2-debian
[...]
Reading symbols from /tmp/EXIM4/exim-4.75/build-tree/build-exim4-daemon-light/exim...done.
(gdb) run -C /dev/null -be '${if bool{0}{yes}{no}}'
Starting program: /tmp/EXIM4/exim-4.75/build-tree/build-exim4-daemon-light/exim -C /dev/null -be '${if bool{0}{yes}{no}}'
[Thread debugging using libthread_db enabled]
Program received signal SIGSEGV, Segmentation fault.
0xf7f5a838 in add_lookup_to_list () at drtables.c:381
381 && (Ustrcmp(lookup_list[pos]->name, info->name) <= 0)) {
(gdb) bt
#0 0xf7f5a838 in add_lookup_to_list () at drtables.c:381
#1 init_lookup_list () at drtables.c:615
#2 0xf7f3fdd3 in main (argc=5, cargv=0xffffd744) at exim.c:3588
(gdb)
If I recompile drtables.c without -D_FORTIFY_SOURCE=2 and relink exim
the segfault goes away.
cu andreas
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Versions of packages gcc-4.6 depends on:
ii binutils 2.21.51.20110421-2 The GNU assembler, linker and bina
ii cpp-4.6 4.6.0-6 The GNU C preprocessor
ii gcc-4.6-base 4.6.0-6 The GNU Compiler Collection (base
[buildlog.hardening-just-FORTIFY (text/plain, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GCC Maintainers <debian-gcc@lists.debian.org>: Bug#624743; Package gcc-4.6. (Thu, 05 May 2011 13:06:03 GMT)
Acknowledgement sent to Kees Cook <kees@debian.org>: Extra info received and forwarded to list. Copy sent to Debian GCC Maintainers <debian-gcc@lists.debian.org>. (Thu, 05 May 2011 13:06:03 GMT)
Message #10 received at 624743@bugs.debian.org:
Hi! Thanks for this report. I can't reproduce this segfault. I tried the
builds both amd64 and i386, and both build fine with 4.6.0-6 for me. Do you
have any minimal reproducers that might show this more specifically?
Thanks!
-Kees
--
Kees Cook @debian.org
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GCC Maintainers <debian-gcc@lists.debian.org>: Bug#624743; Package gcc-4.6. (Fri, 06 May 2011 18:21:03 GMT)
Acknowledgement sent to Andreas Metzler <ametzler@downhill.at.eu.org>: Extra info received and forwarded to list. Copy sent to Debian GCC Maintainers <debian-gcc@lists.debian.org>. (Fri, 06 May 2011 18:21:03 GMT)
Message #15 received at 624743@bugs.debian.org:
On 2011-05-05 Kees Cook <kees@debian.org> wrote:
> Hi! Thanks for this report. I can't reproduce this segfault. I tried the
> builds both amd64 and i386, and both build fine with 4.6.0-6 for me. Do you
> have any minimal reproducers that might show this more specifically?
Sadly I cannot reproduce this anymore either. Some of the since
upgraded build-deps must have changed.
cu andreas
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GCC Maintainers <debian-gcc@lists.debian.org>: Bug#624743; Package gcc-4.6. (Mon, 23 May 2011 22:03:03 GMT)
Acknowledgement sent to Samuel Thibault <sthibault@debian.org>: Extra info received and forwarded to list. Copy sent to Debian GCC Maintainers <debian-gcc@lists.debian.org>. (Mon, 23 May 2011 22:03:03 GMT)
Message #20 received at 624743@bugs.debian.org:
found 624743 4.6.0-8
thanks
Hello,
hurd-i386 is also hit by the bug.
Andreas Metzler, on Fri 06 May 2011 20:16:49 +0200, wrote:
> On 2011-05-05 Kees Cook <kees@debian.org> wrote:
> > Hi! Thanks for this report. I can't reproduce this segfault. I tried the
> > builds both amd64 and i386, and both build fine with 4.6.0-6 for me. Do you
> > have any minimal reproducers that might show this more specifically?
>
> Sadly I cannot reproduce this anymore either. Some of the since
> upgraded build-deps must have changed.
I can reproduce it with gcc-4.6 4.6.0-8, but only by using valgrind: in
debian/minimaltest, prepend valgrind to the line
$2 -C "$top/exim4.conf" -bV
valgrind will then warn:
==29180== Source and destination overlap in memcpy(0x6fad4e8, 0x6fad4e0, 88)
==29180== at 0x4C25F6A: memcpy (mc_replace_strmem.c:497)
==29180== by 0x13B5D9: init_lookup_list (string3.h:59)
==29180== by 0x11FF6E: main (exim.c:3615)
which is the same backtrace reported here. Disassembling
init_lookup_list shows this:
0x00000000000335cb <+459>: cltq
0x00000000000335cd <+461>: lea 0x0(,%rax,8),%rdx
0x00000000000335d5 <+469>: callq 0x153a8 <memcpy@plt>
0x00000000000335da <+474>: mov %rbx,%rcx
0x00000000000335dd <+477>: add 0x2b6fac(%rip),%rcx # 0x2ea590 <lookup_list>
0x00000000000335e4 <+484>: mov 0x18(%rsp),%rdx
i.e. a memcpy call. l *0x00000000000335d5 points at
59 return __builtin___memmove_chk (__dest, __src, __len, __bos0 (__dest));
which is actually a memmove call, not a memcpy call! The memmove call
comes from the add_lookup_to_list() inline. By replacing it with
__builtin_memmove() to avoid the _chk version, I don't get any valgrind
issue any more.
It looks like gcc-4.6 is here erroneously optimizing
__builtin___memmove_chk into a memcpy call!
Samuel
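The overlap that valgrind flags above comes from shifting the tail of a sorted pointer array one slot to the right, which is inherently an overlapping copy. As an added example (not exim's code and not from anyone in this thread), the C program below shows that insert pattern done correctly with memmove(), together with a small overlap check of the kind valgrind's memcheck applies, run over the two addresses from the report (0x6fad4e8, 0x6fad4e0, 88 bytes). The name_list type, MAX_ENTRIES and the sample lookup names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not exim's code: a sorted insert in the style of
 * add_lookup_to_list(), which shifts the tail of a pointer array one slot
 * to the right before storing the new entry.  Source and destination of
 * that shift overlap, so it must be memmove(); memcpy() on overlapping
 * ranges is undefined behaviour, which is what the miscompiled fortified
 * header turned the call into.  MAX_ENTRIES and the names are constructed. */

#define MAX_ENTRIES 16

typedef struct {
    const char *names[MAX_ENTRIES];
    size_t count;
} name_list;

/* Overlap test on raw addresses: the interval check of the kind valgrind's
 * memcheck performs before reporting "Source and destination overlap". */
int ranges_overlap_addr(uintptr_t dst, uintptr_t src, size_t len)
{
    if (len == 0)
        return 0;
    return dst < src + len && src < dst + len;
}

/* Pointer-taking wrapper for use on real buffers. */
int ranges_overlap(const void *dst, const void *src, size_t len)
{
    return ranges_overlap_addr((uintptr_t)dst, (uintptr_t)src, len);
}

/* Insert name keeping ascending strcmp() order (an equal name goes after
 * the existing one, as the "<= 0" test at drtables.c:381 does).
 * Returns the new count, or -1 if the list is full. */
int name_list_insert(name_list *list, const char *name)
{
    size_t pos = 0, tail;

    if (list->count >= MAX_ENTRIES)
        return -1;
    while (pos < list->count && strcmp(list->names[pos], name) <= 0)
        pos++;
    tail = list->count - pos;
    if (tail > 0) {
        /* Shift names[pos .. count-1] up by one slot.  For tail > 1 the two
         * ranges overlap, so only memmove() is correct here. */
        memmove(&list->names[pos + 1], &list->names[pos],
                tail * sizeof list->names[0]);
    }
    list->names[pos] = name;
    list->count++;
    return (int)list->count;
}

/* 1 if the list is in non-decreasing strcmp() order, else 0. */
int name_list_is_sorted(const name_list *list)
{
    size_t i;
    for (i = 1; i < list->count; i++)
        if (strcmp(list->names[i - 1], list->names[i]) > 0)
            return 0;
    return 1;
}

/* Build a list from constructed sample lookup names and report whether the
 * result is sorted: the property that an overlapping memcpy() would break. */
int demo_build_sorted(name_list *list)
{
    static const char *const sample[] = {
        "lsearch", "dbm", "cdb", "dnsdb", "passwd", "dsearch"
    };
    size_t i;

    list->count = 0;
    for (i = 0; i < sizeof sample / sizeof sample[0]; i++)
        if (name_list_insert(list, sample[i]) < 0)
            return 0;
    return name_list_is_sorted(list);
}

int main(void)
{
    name_list list;
    size_t i;

    if (!demo_build_sorted(&list))
        return 1;
    for (i = 0; i < list.count; i++)
        printf("%zu: %s\n", i, list.names[i]);
    /* The addresses from the valgrind report: 8 bytes apart, 88 bytes long. */
    printf("valgrind ranges overlap: %d\n",
           ranges_overlap_addr(0x6fad4e8u, 0x6fad4e0u, 88));
    return 0;
}
```

The overlap check is the useful defensive habit here: a fortified build is supposed to add such checks for you, but as this thread shows, a header bug can silently swap the routine that tolerates overlap for one that does not, and only a tool like valgrind (or an explicit check in a unit test) makes that visible.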
Bug Marked as found in versions gcc-4.6/4.6.0-8. Request was from Samuel Thibault <sthibault@debian.org> to control@bugs.debian.org. (Mon, 23 May 2011 22:03:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GCC Maintainers <debian-gcc@lists.debian.org>: Bug#624743; Package gcc-4.6. (Tue, 24 May 2011 09:36:03 GMT)
Acknowledgement sent to Thomas Schwinge <thomas@schwinge.name>: Extra info received and forwarded to list. Copy sent to Debian GCC Maintainers <debian-gcc@lists.debian.org>. (Tue, 24 May 2011 09:36:04 GMT)
Message #27 received at 624743@bugs.debian.org:
Hello!
On Mon, 23 May 2011 23:59:27 +0200, Samuel Thibault <sthibault@debian.org> wrote:
> [exim4 SEGFAULT with fortifying options]
> It looks like gcc-4.6 is here erroneously optimizing
> __builtin___memmove_chk into a memcpy call!
This is not a GCC bug (<http://gcc.gnu.org/PR46863>), but it is a glibc
header bug (<http://bugs.debian.org/619963>).
After fixing the bits/string3.h header of my 2.11.2-13 glibc package
according to
<http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=42acbb92c861e97a6e1293ea853db88342a1bf53>,
the error is gone. This fix should already be in the Debian 2.13
packages.
We need to tell <control@bugs.debian.org> about these findings; is this
correct?
reassign 619963 eglibc
reassign 624743 eglibc
forcemerge 619963 624743
Regards,
Thomas
Bug reassigned from package 'gcc-4.6' to 'eglibc'. Request was from Thomas Schwinge <thomas@schwinge.name> to control@bugs.debian.org. (Tue, 24 May 2011 09:54:29 GMT)
Bug No longer marked as found in versions gcc-4.6/4.6.0-8 and gcc-4.6/4.6.0-6. Request was from Thomas Schwinge <thomas@schwinge.name> to control@bugs.debian.org. (Tue, 24 May 2011 09:54:30 GMT)
Forcibly Merged 619963 624696 624743. Request was from Thomas Schwinge <thomas@schwinge.name> to control@bugs.debian.org. (Tue, 24 May 2011 09:54:32 GMT)
Added indication that 624743 affects vlc and exim4. Request was from Thomas Schwinge <thomas@schwinge.name> to control@bugs.debian.org. (Tue, 24 May 2011 09:54:34 GMT)
Bug reassigned from package 'eglibc' to 'libc6-dev'. Request was from Jonathan Nieder <jrnieder@gmail.com> to control@bugs.debian.org. (Tue, 24 May 2011 17:57:07 GMT)
Bug No longer marked as fixed in versions 2.13-1. Request was from Jonathan Nieder <jrnieder@gmail.com> to control@bugs.debian.org. (Tue, 24 May 2011 17:57:09 GMT)
Bug Marked as found in versions eglibc/2.11.2-10. Request was from Jonathan Nieder <jrnieder@gmail.com> to control@bugs.debian.org. (Tue, 24 May 2011 17:57:11 GMT)
Bug Marked as fixed in versions eglibc/2.13-1. Request was from Jonathan Nieder <jrnieder@gmail.com> to control@bugs.debian.org. (Tue, 24 May 2011 18:03:07 GMT)
Added tag(s) pending. Request was from Jonathan Nieder <jrnieder@gmail.com> to control@bugs.debian.org. (Tue, 24 May 2011 18:03:09 GMT)
Added indication that 624743 affects gcc-4.6. Request was from Jonathan Nieder <jrnieder@gmail.com> to control@bugs.debian.org. (Tue, 24 May 2011 18:09:07 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 22 Jun 2011 07:35:43 GMT)
Bug unarchived. Request was from Aurelien Jarno <aurel32@debian.org> to control@bugs.debian.org. (Fri, 12 Aug 2011 18:33:04 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 10 Sep 2011 07:37:27 GMT)
Last modified: Wed Dec 6 15:09:06 2023