[Bug 2053134] Re: FTBFS: arm64, riscv64: ‘read’ writing 1 byte into a region of size 0 overflows the destination
Bug Watch Updater
2053134 at bugs.launchpad.net
Wed Feb 14 21:37:19 UTC 2024
Launchpad has imported 1 comments from the remote bug at
https://sourceware.org/bugzilla/show_bug.cgi?id=31383.
If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.
------------------------------------------------------------------------
On 2024-02-14T21:06:25+00:00 Pinskia wrote:
__fortified_attr_access seems to be defined incorrectly for _FORTIFY_SOURCE==3.
The documentation for the size-index of access attribute (https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-access-function-attribute) has the following:
```
When no size-index argument is specified, the pointer argument must be either null or point to a space that is suitably aligned and large for __at least one object__ of the referenced type (this implies that a past-the-end pointer is not a valid argument).
```
Notice the __at least__ part here. That means the definition of
__fortified_attr_access is wrong when _FORTIFY_SOURCE==3, when passing
around 0 size structs.
An example is:
```
#include <stdio.h>
#include <unistd.h>

int main(void) {
	struct test_st {};                /* GCC extension: a zero-size struct */
	int fd = 0;
	int count = 0;
	struct test_st test_info[16];     /* sizeof(test_info) == 0 */

	/* Requests 0 bytes into a 0-byte object, yet with _FORTIFY_SOURCE=3
	   GCC reports "writing 1 byte into a region of size 0". */
	count = read(fd, test_info, sizeof(test_info));
	(void)count;
	return 0;
}
```
With _FORTIFY_SOURCE==3 we get:
```
__attribute__ ((__access__ (__write_only__, 2)))
```
This means the size has to be at least 1, but test_info has a size of 0, and we are passing a size of 0 to read even.
This is moved from GCC bug:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113922 .
Reply at:
https://bugs.launchpad.net/ubuntu/+source/tgt/+bug/2053134/comments/4
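To make the attribute semantics behind this report concrete, here is an added C example; it is not glibc's code, not the GCC documentation's, and not the reproducer above. It declares a hypothetical read-like sink (`fill_nosize`, `fill_sized`, both constructed for this example) once with `access (write_only, 2)` and once with the size-index form `access (write_only, 2, 3)`, then issues the same 0-byte request into a 16-element array of a zero-size struct. The size-index form compiles cleanly because the requested length (0) is taken from the third argument; the no-size-index form, compiled with `gcc -O2 -DSHOW_DIAGNOSTIC`, is expected to produce a `-Wstringop-overflow` diagnostic of the kind quoted in the bug, because that form is documented as requiring space for at least one object. The attribute macros are guarded so the file also builds on compilers without GCC's `access` attribute.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical read-like sink, declared two ways so the two attribute
 * forms can be compared.  Both names are constructed for this example;
 * neither is glibc's declaration of read().
 *
 * Without a size-index, GCC's access attribute means "points to space for
 * at least one object", so a zero-size destination is diagnosed even when
 * 0 bytes are requested.  With size-index 3, the request length is taken
 * from the third argument, so a 0-byte request into a 0-byte object is
 * consistent and produces no diagnostic.
 */
#if defined(__GNUC__) && !defined(__clang__) && __GNUC__ >= 10
#  define ACCESS_NO_SIZE   __attribute__ ((__access__ (__write_only__, 2)))
#  define ACCESS_WITH_SIZE __attribute__ ((__access__ (__write_only__, 2, 3)))
#else
#  define ACCESS_NO_SIZE
#  define ACCESS_WITH_SIZE
#endif

ACCESS_NO_SIZE   long fill_nosize(int pattern, void *buf, size_t n);
ACCESS_WITH_SIZE long fill_sized(int pattern, void *buf, size_t n);

/* Fills n bytes of buf with pattern and returns the byte count, mirroring
   read()'s "bytes transferred" return value.  A 0-byte request writes
   nothing, so buf may even be null in that case. */
long fill_sized(int pattern, void *buf, size_t n)
{
    if (n == 0)
        return 0;
    memset(buf, pattern, n);
    return (long) n;
}

long fill_nosize(int pattern, void *buf, size_t n)
{
    return fill_sized(pattern, buf, n);
}

/* Same shape as the reproducer: 16 elements of a zero-size struct (a GCC
   extension), so sizeof(test_info) == 0 and exactly 0 bytes are requested.
   With the size-index form this compiles without a diagnostic. */
long zero_size_request_sized(void)
{
    struct test_st {};
    struct test_st test_info[16];
    return fill_sized(0, test_info, sizeof test_info);
}

#ifdef SHOW_DIAGNOSTIC
/* Compile with  gcc -O2 -DSHOW_DIAGNOSTIC  to see the no-size-index form
   trip -Wstringop-overflow ("writing 1 byte into a region of size 0"). */
long zero_size_request_nosize(void)
{
    struct test_st {};
    struct test_st test_info[16];
    return fill_nosize(0, test_info, sizeof test_info);
}
#endif

/* Ordinary non-empty buffer: both forms behave identically at run time.
   Returns 1 when the fill round-trips as expected. */
int nonempty_roundtrip(void)
{
    unsigned char buf[8];
    memset(buf, 0, sizeof buf);
    long got = fill_sized(0x5a, buf, sizeof buf);
    return got == 8 && buf[0] == 0x5a && buf[7] == 0x5a;
}

int main(void)
{
    printf("0-byte request via size-index form: %ld bytes\n",
           zero_size_request_sized());
    printf("8-byte round trip ok: %d\n", nonempty_roundtrip());
#ifdef SHOW_DIAGNOSTIC
    printf("0-byte request via no-size-index form: %ld bytes\n",
           zero_size_request_nosize());
#endif
    return 0;
}
```

The run-time behaviour of the two declarations is identical; the only difference is what GCC's static checker is told about the destination, which is exactly the distinction the "at least one object" wording in the documentation draws.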
** Changed in: glibc
Status: Unknown => Confirmed
** Changed in: glibc
Importance: Unknown => Medium
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glibc in Ubuntu.
https://bugs.launchpad.net/bugs/2053134
Title:
FTBFS: arm64, riscv64: ‘read’ writing 1 byte into a region of size 0
overflows the destination
Status in GLibC:
Confirmed
Status in glibc package in Ubuntu:
New
Status in tgt package in Ubuntu:
In Progress
Bug description:
Log from arm64:
```
cc -Wdate-time -D_FORTIFY_SOURCE=3 -c -g -O2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/home/ubuntu/git/packages/tgt/tgt=. -flto=auto -ffat-lto-objects -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -mbranch-protection=standard -fdebug-prefix-map=/home/ubuntu/git/packages/tgt/tgt=/usr/src/tgt-1:1.0.85-1.1ubuntu1 -DUSE_SIGNALFD -DUSE_TIMERFD -DHAVE_GFAPI_VER_7_6 -DUSE_SYSTEMD -DUSE_EVENTFD -D_GNU_SOURCE -I. -g -O2 -fno-strict-aliasing -Wall -Wstrict-prototypes -Werror -DTGT_VERSION=\"1.0.85\" -DBSDIR=\"/usr/lib/tgt/backing-store\" bs_sheepdog.c -o bs_sheepdog.o
bs.c: In function ‘bs_sig_request_done’:
bs.c:196:15: error: ‘read’ writing 1 byte into a region of size 0 overflows the destination [-Werror=stringop-overflow=]
  196 |         ret = read(fd, (char *)siginfo, sizeof(siginfo));
      |               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
bs.c:193:33: note: destination object ‘siginfo’ of size 0
  193 |         struct signalfd_siginfo siginfo[16];
      |                                 ^~~~~~~
In file included from /usr/include/unistd.h:1217,
                 from bs.c:33:
/usr/include/aarch64-linux-gnu/bits/unistd.h:26:1: note: in a call to function ‘read’ declared with attribute ‘access (write_only, 2)’
   26 | read (int __fd, void *__buf, size_t __nbytes)
      | ^~~~
cc -Wdate-time -D_FORTIFY_SOURCE=3 -c -g -O2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/home/ubuntu/git/packages/tgt/tgt=. -flto=auto -ffat-lto-objects -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -mbranch-protection=standard -fdebug-prefix-map=/home/ubuntu/git/packages/tgt/tgt=/usr/src/tgt-1:1.0.85-1.1ubuntu1 -DUSE_SIGNALFD -DUSE_TIMERFD -DHAVE_GFAPI_VER_7_6 -DUSE_SYSTEMD -DUSE_EVENTFD -D_GNU_SOURCE -I. -g -O2 -fno-strict-aliasing -Wall -Wstrict-prototypes -Werror -DTGT_VERSION=\"1.0.85\" -DBSDIR=\"/usr/lib/tgt/backing-store\" tgtadm.c -o tgtadm.o
cc1: all warnings being treated as errors
```
To manage notifications about this bug go to:
https://bugs.launchpad.net/glibc/+bug/2053134/+subscriptions