Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 207926 - sys-devel/gcc-config has buffer overflows
Summary: sys-devel/gcc-config has buffer overflows
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Toolchain Maintainers
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-01-28 16:51 UTC by Evan Teran
Modified: 2008-03-16 01:20 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
example of overflow (test.c,1.46 KB, text/plain)
2008-01-28 16:52 UTC, Evan Teran
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Evan Teran 2008-01-28 16:51:33 UTC
I was looking into why gentoo uses gcc-config instead of an "eselect-gcc" which would be more consistant with the rest of gentoo. So I figured that I would look at the gcc-config sources, after all, it essentially does similar work to eselect-gcc, perhaps I could help :)

Anyway, I discovered misuse of several functions causing buffer overflows. My examples are from wrapper-1.5.0.c:

line 328:
    "strcpy(data.name, basename(argv[0]));" more hypothetical than practical, but since you don't know the length of argv[0], it should be a strncpy.

lines 218-221:
        "strncpy(data->bin, str, sizeof(data->bin) - 1);
	data->bin[strlen(data->bin) - 1] = '/';
	strncat(data->bin, data->name, sizeof(data->bin) - 1);
	data->bin[MAXPATHLEN] = 0;"

here, the problem is misuse of the strncat function. The size parameter is supposed to represent how much is LEFT in the buffer (total size - used part). Not the total size. I will attach a program which demonstrates that it does in fact cause an overflow. Fortunately, the only damage that is done is the data->tmp variable gets trashed. However, this whole thing could be safely replaced with something like this:

snprintf(data->bin, sizeof(data->bin), "%s/%s", str, data->name);

line 48:
     strncpy does not gaurantee null termination for long strings

line 71-73:
    "size_t len = strlen(path) + strlen(data->name) + 2;
     snprintf(str, len, "%s/%s", path, data->name);"

The size param of snprintf should be the size of the buffer, not the size of the source data! This code basically does no bounds checking at all, because you set the len equal to the size of the source data.

These should be easy to clean up, but of course I am still interested in my end gaol of making gcc-config more consistent with the eselect system. But that is for another day :)

Thanks,
Evan Teran

Reproducible: Always
Comment 1 Evan Teran 2008-01-28 16:52:21 UTC
Created attachment 142028 [details]
example of overflow
Comment 2 SpanKY gentoo-dev 2008-03-16 01:20:25 UTC
eselect-gcc is a duplicate of gcc-config at the moment, not the other way around

string handling has been cleaned up in gcc-config-1.4.1:
http://sources.gentoo.org/sys-devel/gcc-config/files/wrapper-1.5.1.c?rev=1.1