
Bug#680603: marked as done (gcc-4.7: -fstack-protector(-all) seem to be not working as they were.)



Your message dated Mon, 9 Jul 2012 21:00:48 +0900
with message-id <20120709120048.GA2993@goofy.localdomain>
and subject line Re: Bug#680603: Acknowledgement (gcc-4.7: -fstack-protector(-all) seem to be not working as they were.)
has caused the Debian Bug report #680603,
regarding gcc-4.7: -fstack-protector(-all) seem to be not working as they were.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
680603: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=680603
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: gcc-4.7
Version: 4.7.1-3
Severity: normal

I was playing with -fstack-protector flag to learn this hardening thing.
There may be some regression.

Here is my toy example C code with buffer overflow.

=========================================================
#include <stdio.h>
#include <string.h>

int main(int argc, char** argv) {
        char * data = "qwertyuiopasdfghjklzxcvbnm12345678901234567890";
        char dest[5]; /* too small */
        printf("'%s'\n", "Next line overflows!!!");
        strcpy(dest,data);
        printf("'%s'\n", "No no no ...");
        return 0;
}
=========================================================

I compiled with:
=========================================================
$ gcc -g -fno-stack-protector -o bof-unsafe bof.c
$ gcc -g -fstack-protector -o bof-safe bof.c
$ gcc -g -fstack-protector-all -o bof-safest bof.c
=========================================================

I get this as the result now.

=========================================================
$ ./bof-unsafe || echo \"Error\"
'Next line overflows!!!'
'No no no ...'
Segmentation fault
"Error"
$ ./bof-safe || echo \"Error\"
'Next line overflows!!!'
'No no no ...'
Segmentation fault
"Error"
$ ./bof-safest || echo \"Error\"
'Next line overflows!!!'
'No no no ...'
*** stack smashing detected ***: ./bof-safest terminated
Segmentation fault
"Error"
=========================================================

Before upgrading to the current version (a few days ago), ./bof-safe
compiled with -fstack-protector stopped nicely with good long back trace
information right after execution of strcpy(dest,data) as expected.  Now
it does not and I see 'No no no ...'.

I may be missing some utility here etc. since I am new to this
-fstack-protector thing.  But what I used to see is more desirable.

Osamu

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (10, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.4-trunk-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gcc-4.7 depends on:
ii  binutils      2.22-7
ii  cpp-4.7       4.7.1-3
ii  gcc-4.7-base  4.7.1-3
ii  libc6         2.13-34
ii  libgcc1       1:4.7.1-3
ii  libgmp10      2:5.0.5+dfsg-2
ii  libgomp1      4.7.1-3
ii  libitm1       4.7.1-3
ii  libmpc2       0.9-4
ii  libmpfr4      3.1.0-5
ii  libquadmath0  4.7.1-3
ii  zlib1g        1:1.2.7.dfsg-13

Versions of packages gcc-4.7 recommends:
ii  libc6-dev  2.13-34

Versions of packages gcc-4.7 suggests:
ii  binutils-gold        2.22-7
pn  gcc-4.7-doc          <none>
ii  gcc-4.7-locales      4.7.1-3
pn  gcc-4.7-multilib     <none>
ii  libgcc1-dbg          1:4.7.1-3
ii  libgomp1-dbg         4.7.1-3
ii  libitm1-dbg          4.7.1-3
ii  libmudflap0-4.7-dev  4.7.1-3
ii  libmudflap0-dbg      4.7.1-3
ii  libquadmath0-dbg     4.7.1-3

-- no debconf information



--- End Message ---
--- Begin Message ---
Hi,

> 680603: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=680603

I see this was not related to -fstack-protector.

I guess there was some change somewhere in default - -D_FORTIFY_SOURCE
value change.  This may be an intended choice.  So closing this bug.

Osamu



--- End Message ---
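
Added example, not part of the original thread or of GCC/glibc: a small C model of where each mechanism named above can notice the overflow in the report's toy program. A stack guard is only compared when the function returns, and plain -fstack-protector skips functions whose char arrays are smaller than GCC's default ssp-buffer-size of 8, while a fortified strcpy refuses the copy up front. The names run_model, GUARD and the mode constants are hypothetical, and the frame is simulated as a byte array so nothing is actually smashed.

```c
#include <stdio.h>
#include <string.h>

/* Added model, not the reporter's code: main()'s frame simulated as plain bytes. */
enum mode   { NO_SSP, SSP, SSP_ALL, FORTIFY };
enum result { UNDETECTED, CAUGHT_AT_RETURN, CAUGHT_AT_STRCPY };

#define SSP_BUFFER_SIZE 8   /* GCC's default --param ssp-buffer-size */
static const unsigned char GUARD[8] = {0, 'g', 'u', 'a', 'r', 'd', '!', '!'}; /* constructed */

/* One call of a function that holds `char dest[buf_len]` and does strcpy(dest, src). */
enum result run_model(enum mode m, size_t buf_len, const char *src)
{
    unsigned char frame[128] = {0};      /* dest at offset 0, guard directly above it */
    size_t need = strlen(src) + 1;       /* bytes strcpy() would write */
    size_t n = need < sizeof frame ? need : sizeof frame;  /* keep the model in bounds */
    int guarded;

    if (buf_len > sizeof frame - sizeof GUARD)
        buf_len = sizeof frame - sizeof GUARD;
    /* -fstack-protector instruments only functions with a char array of at least
       SSP_BUFFER_SIZE bytes; -fstack-protector-all instruments every function. */
    guarded = (m == SSP_ALL) || (m == SSP && buf_len >= SSP_BUFFER_SIZE);

    /* A fortified strcpy knows sizeof(dest) and stops before writing anything. */
    if (m == FORTIFY && need > buf_len)
        return CAUGHT_AT_STRCPY;

    if (guarded)
        memcpy(frame + buf_len, GUARD, sizeof GUARD);   /* prologue stores the guard */
    memcpy(frame, src, n);                              /* the unchecked copy */
    /* ...the rest of the body, such as the second printf(), still runs here... */
    if (guarded && memcmp(frame + buf_len, GUARD, sizeof GUARD) != 0)
        return CAUGHT_AT_RETURN;                        /* epilogue compares the guard */
    return UNDETECTED;
}

int main(void)
{
    const char *data = "qwertyuiopasdfghjklzxcvbnm12345678901234567890"; /* from the report */
    static const char *names[] = {"undetected", "caught at return", "caught at strcpy"};
    enum mode m;
    for (m = NO_SSP; m <= FORTIFY; m++)
        printf("mode %d, dest[5]: %s\n", (int)m, names[run_model(m, 5, data)]);
    return 0;
}
```

On a real build, `nm` on the binary shows which checks were compiled in: `__stack_chk_fail` for the stack protector and `__strcpy_chk` for the fortified copy.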