
Bug#946792: gcc-9: Buffer overflow bug introduced by gcc-search-prefixed-as-ld.diff

Source: gcc-9
Severity: important

Hello!

Recently, we have observed strange crashes of gcc-9 while building src:linux
on sh4 [1].

Michael Karcher has debugged the problem and found that this is a buffer
overflow introduced by the patch gcc-search-prefixed-as-ld.diff.

The backtrace is:

Core was generated by `gcc -v -pipe -m4 -m4-nofpu hello.c'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x296993e6 in memcpy () from /lib/sh4-linux-gnu/libc.so.6
(gdb) bt
#0  0x296993e6 in memcpy () from /lib/sh4-linux-gnu/libc.so.6
#1  0x00405ade in file_at_path (path=0x29892fb0 "/usr/lib/gcc/sh4-linux-gnu/9/../../../../sh4-linux-gnu/bin/sh4-linux-gnu/9/sh4-l", data=0x7b901400) at ../../src/gcc/gcc.c:2943
#2  0x00405b80 in file_at_path (path=0x29892fb0 "/usr/lib/gcc/sh4-linux-gnu/9/../../../../sh4-linux-gnu/bin/sh4-linux-gnu/9/sh4-l", data=0x7b9014a0) at ../../src/gcc/gcc.c:2936
#3  0x00404d0e in for_each_path (paths=0x4e8520 <exec_prefixes>, do_multi=<optimized out>, extra_space=2, callback=0x405a88 <file_at_path(char*, void*)>, callback_info=0x7b9014a0)
    at ../../src/gcc/gcc.c:2724
#4  0x0040680c in find_a_file (pprefix=<optimized out>, name=0x29828240 "as", mode=1, do_multi=<optimized out>) at ../../src/gcc/gcc.c:2999
#5  0x00409e86 in execute () at ../../src/gcc/gcc.c:3200
#6  0x0040ff14 in driver::do_spec_on_infiles (this=0x7b9015f8) at ../../src/gcc/gcc.c:8377
#7  0x00403b60 in driver::main (this=0x7b9015f8, argc=<optimized out>, argv=<optimized out>) at ../../src/gcc/gcc.c:7601
#8  0x00403dd4 in main (argc=6, argv=0x7b901694) at ../../src/gcc/gcc-main.c:47
(gdb)

See also [2].

The issue is fixed by replacing line 9 in [3] with:

+         len += strlen (DEFAULT_REAL_TARGET_MACHINE) + 2; /* triplet prefix for as, ld.  */
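Review bot: the `+ 2` on this line is a bare constant; the comment says what the extra length is for (the `<triplet>-` prefix put in front of `as`/`ld`) but not which two bytes it covers, so a reader cannot check it against the concatenation it is meant to protect. Name the two bytes in the comment, or better, compute the size from the same pieces that are later copied into the buffer, so the length calculation and the copy cannot drift apart again, which is exactly how this overflow arose.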

I assume it's just pure luck the issue doesn't show on other architectures.

Thanks,
Adrian

> [1] https://buildd.debian.org/status/fetch.php?pkg=linux&arch=sh4&ver=5.3.15-1&stamp=1575738446&raw=0
> [2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=92946
> [3] https://sources.debian.org/src/gcc-9/9.2.1-21/debian/patches/gcc-search-prefixed-as-ld.diff/

--
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaubitz@debian.org
`. `'   Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913
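The bug above is a length computation that omitted one of the pieces later copied into a fixed buffer. The following is an added illustration, not gcc's or Debian's code: `tool_path_len` shows the undersized and the corrected sizing side by side for an assumed `<dir><triplet>-<tool>` layout (the report does not show gcc's exact layout), and `build_tool_path` replaces the blind `memcpy` with a capacity-checked concatenation. The directory string is constructed; the triplet is the one from the backtrace.

```c
#include <stdio.h>
#include <string.h>
/* Bytes needed for "<dir><triplet>-<tool>" plus the terminating NUL.
 * with_triplet == 0 reproduces the undersized computation (the triplet
 * prefix is copied later but never counted); != 0 counts it.  */
size_t tool_path_len(const char *dir, const char *triplet,
                     const char *tool, int with_triplet)
{
  size_t len = strlen(dir) + strlen(tool) + 1;      /* +1 for the NUL */
  if (with_triplet)
    len += strlen(triplet) + 1;                     /* "<triplet>" and '-' */
  return len;
}

/* Bounds-checked concatenation: each append is checked against the
 * remaining capacity instead of trusting a length computed elsewhere.
 * Returns 0 on success, -1 if cap is too small; never writes past cap
 * and always leaves out NUL-terminated when cap > 0.  */
int build_tool_path(char *out, size_t cap, const char *dir,
                    const char *triplet, const char *tool)
{
  const char *parts[] = { dir, triplet, "-", tool };
  size_t used = 0;
  if (cap == 0) return -1;
  for (size_t i = 0; i < sizeof parts / sizeof parts[0]; i++) {
    size_t n = strlen(parts[i]);
    if (n >= cap - used) {          /* would leave no room for the NUL */
      out[used] = '\0';
      return -1;
    }
    memcpy(out + used, parts[i], n);
    used += n;
  }
  out[used] = '\0';
  return 0;
}

int main(void)
{
  /* Constructed sample directory; the triplet is the one from the report. */
  const char *dir = "/usr/sh4-linux-gnu/bin/", *triplet = "sh4-linux-gnu";
  char buf[128];
  size_t bad = tool_path_len(dir, triplet, "as", 0);
  size_t good = tool_path_len(dir, triplet, "as", 1);
  printf("undersized=%zu correct=%zu\n", bad, good);
  printf("undersized cap -> %d\n", build_tool_path(buf, bad, dir, triplet, "as"));
  printf("correct cap    -> %d %s\n", build_tool_path(buf, good, dir, triplet, "as"), buf);
  return 0;
}
```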
