Bug 115237 - stack smashing attack while compiling qt-4.x on amd64/hardened
Summary: stack smashing attack while compiling qt-4.x on amd64/hardened
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: AMD64 Linux
Importance: High normal
Assignee: The Gentoo Linux Hardened Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 135265
Reported: 2005-12-11 14:25 UTC by Nicolas MASSE
Modified: 2007-11-10 09:26 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Nicolas MASSE 2005-12-11 14:25:49 UTC
Hello,

I tried to compile qt-4.0.1 on my amd64 box and the build failed with: qmake:
stack smashing attack in function virtual bool
UnixMakefileGenerator::findLibraries()()

Reproducible: Always
Steps to Reproduce:
1. emerge =x11-libs/qt-4.0.1 
 
Actual Results:  
/tmp/portage/qt-4.0.1/work/qt-x11-opensource-src-4.0.1/examples/linguist/arrowpad/arrowpad.pro  
(linux-g++-64) 
/tmp/portage/qt-4.0.1/work/qt-x11-opensource-src-4.0.1/bin/qmake   
-spec /tmp/portage/qt-4.0.1/work/qt-x11-opensource-src-4.0.1/mkspecs/linux-g++-64  
-o /tmp/portage/qt-4.0.1/work/qt-x11-opensource-src-4.0.1/./examples/linguist/arrowpad /tmp/portage/qt-4.0.1/work/qt-x11-opensource-src-4.0.1/examples/linguist/arrowpad/arrowpad.pro 
qmake: stack smashing attack in function virtual bool  
UnixMakefileGenerator::findLibraries()() 
./configure: line 3901:  1293 Aborted                 QTDIR="$outpath"  
$QMAKE_EXEC 
 
        NOTE: This platform does not support runtime library paths, using  
-no-rpath. 
 
Qt is now configured for building. Just run 'gmake'. 
Once everything is built, you must run 'gmake install'. 
Qt will be installed into /usr/lib64/qt4 
 
To reconfigure, run 'gmake confclean' and 'configure'. 
 
make: *** No rule to make target `sub-tools-all-ordered'.  Stop. 
 
!!! ERROR: x11-libs/qt-4.0.1 failed. 
!!! Function src_compile, Line 144, Exitcode 2 
!!! (no error message) 
!!! If you need support, post the topmost build error, NOT this status  
message. 
 

Expected Results:  
qt emerged successfully  

# emerge info   
Portage 2.0.53 (hardened/amd64, gcc-3.4.4, glibc-2.3.5-r3,   
2.6.13-hardened-r2-poubi64-5 x86_64)   
=================================================================   
System uname: 2.6.13-hardened-r2-poubi64-5 x86_64 AMD Athlon(tm) 64 Processor   
3000+   
Gentoo Base System version 1.12.0_pre11   
dev-lang/python:     2.3.5, 2.4.2   
sys-apps/sandbox:    1.2.17   
sys-devel/autoconf:  2.13, 2.59-r7   
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1   
sys-devel/binutils:  2.16.1-r1   
sys-devel/libtool:   1.5.20-r1   
virtual/os-headers:  2.6.11-r3   
ACCEPT_KEYWORDS="amd64 ~amd64"   
AUTOCLEAN="yes"   
CBUILD="x86_64-pc-linux-gnu"   
CFLAGS="-march=athlon64 -O2 -pipe -fforce-addr"   
CHOST="x86_64-pc-linux-gnu"   
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"   
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"   
CXXFLAGS="-march=athlon64 -O2 -pipe -fforce-addr"   
DISTDIR="/home/portage/distfiles"   
FEATURES="autoaddcvs autoconfig ccache collision-protect distlocks nostrip   
sandbox sfperms strict userpriv usersandbox"   
GENTOO_MIRRORS="http://trumpetti.atm.tut.fi/gentoo http://distfiles.gentoo.org   
http://www.ibiblio.org/pub/Linux/distributions/gentoo"   
LANG="en_US.UTF-8"   
MAKEOPTS="-j2"   
PKGDIR="/home/portage/packages"   
PORTAGE_TMPDIR="/tmp"   
PORTDIR="/var/portage"   
PORTDIR_OVERLAY="/home/portage/overlay"   
SYNC="rsync://rsync.gentoo.org/gentoo-portage"   
USE="amd64 X acl alsa berkdb caps crypt hardened ipv6 jpeg kde nls nptl   
nptlonly pam pic png readline ssl tcpd tiff unicode userlocales xinerama zlib   
userland_GNU kernel_linux elibc_glibc"   
Unset:  ASFLAGS, CTARGET, LC_ALL, LDFLAGS, LINGUAS   
   
# ls -l /etc/make.profile   
lrwxrwxrwx  1 root root 38 2005-11-30 18:00 /etc/make.profile    
-> ../var/portage/profiles/hardened/amd64   
I tried to debug the program and here is what I found:
-------------------------------------------------------
 
Workdir:
/tmp/portage/qt-4.0.1/work/qt-x11-opensource-src-4.0.1 
 
Program:
bin/qmake 
 
Args:
-spec /tmp/portage/qt-4.0.1/work/qt-x11-opensource-src-4.0.1/mkspecs/linux-g++-64 
-o /tmp/portage/qt-4.0.1/work/qt-x11-opensource-src-4.0.1/./examples/linguist/arrowpad /tmp/portage/qt-4.0.1/work/qt-x11-opensource-src-4.0.1/examples/linguist/arrowpad/arrowpad.pro 
 
GDB commands:
set args 
-spec /tmp/portage/qt-4.0.1/work/qt-x11-opensource-src-4.0.1/mkspecs/linux-g++-64 
-o /tmp/portage/qt-4.0.1/work/qt-x11-opensource-src-4.0.1/./examples/linguist/arrowpad /tmp/portage/qt-4.0.1/work/qt-x11-opensource-src-4.0.1/examples/linguist/arrowpad/arrowpad.pro 
run 
bt 
 
Result:
qmake: stack smashing attack in function virtual bool 
UnixMakefileGenerator::findLibraries()() 
 
Program received signal SIGABRT, Aborted. 
0x00002aaaab0f3109 in ?? () 
(gdb) bt 
#0  0x00002aaaab0f3109 in ?? () 
#1  0x00002aaaab0e0b86 in ?? () 
#2  0xfffffffe7fffffdf in ?? () 
#3  0xffffffffffffffff in ?? () 
#4  0xffffffffffffffff in ?? () 
#5  0xffffffffffffffff in ?? () 
#6  0xffffffffffffffff in ?? () 
#7  0xffffffffffffffff in ?? () 
#8  0xffffffffffffffff in ?? () 
#9  0xffffffffffffffff in ?? () 
#10 0xffffffffffffffff in ?? () 
#11 0xffffffffffffffff in ?? () 
#12 0xffffffffffffffff in ?? () 
#13 0xffffffffffffffff in ?? () 
#14 0xffffffffffffffff in ?? () 
#15 0xffffffffffffffff in ?? () 
#16 0xffffffffffffffff in ?? () 
#17 0xffffffffffffffff in ?? () 
#18 0x0000000000000000 in ?? () 
 
Conclusion:
The bug appears in qmake.
The backtrace is strange. I'll try to compile with the -g option.
 
Result:
I compiled with -g, but I got the same result.
 
Conclusion:
I'll try to set a breakpoint in UnixMakefileGenerator::findLibraries()
 
GDB command:
break UnixMakefileGenerator::findLibraries() 
 
Result:
(gdb) break UnixMakefileGenerator::findLibraries() 
Breakpoint 1 at 0x8fb50: file unixmake.cpp, line 310. 
(gdb) run 
Starting 
program: /tmp/portage/qt-4.0.1/work/qt-x11-opensource-src-4.0.1/bin/qmake 
-spec /tmp/portage/qt-4.0.1/work/qt-x11-opensource-src-4.0.1/mkspecs/linux-g++-64 
-o /tmp/portage/qt-4.0.1/work/qt-x11-opensource-src-4.0.1/./examples/linguist/arrowpad /tmp/portage/qt-4.0.1/work/qt-x11-opensource-src-4.0.1/examples/linguist/arrowpad/arrowpad.pro 
Warning: 
Cannot insert breakpoint 1. 
Error accessing memory address 0x8fb50: Input/output error. 
(gdb)
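An added example, not part of the bug report or of Qt or Gentoo: a small Python scanner that recognises the two lines the report shows for each ProPolice/SSP abort, the handler's "<program>: stack smashing attack in function <fn>()" message (which the terminal wraps across two lines here) and the shell's "line N: PID Aborted" status line, so a build farm can flag such aborts in emerge logs instead of finding them by hand. The sample log is constructed from the configure output quoted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# ProPolice's handler prints "<prog>: stack smashing attack in function <fn>()".
# For C++ the <fn> it receives already carries a parameter list, which is why
# the report shows "findLibraries()()" with doubled parentheses.
SSP_RE = re.compile(r"^(?P<prog>\S+): stack smashing attack in function (?P<fn>.+)\(\)$")
# bash's status line for a child killed by SIGABRT: "<script>: line N:  PID Aborted ..."
ABORT_RE = re.compile(r"^(?P<script>\S+): line (?P<line>\d+):\s+(?P<pid>\d+) Aborted\b")

@dataclass
class SspAbort:
    program: str
    function: str
    script: Optional[str] = None   # shell script whose child aborted, if seen
    pid: Optional[int] = None      # PID of the aborted process, if seen

def scan_log(text: str) -> List[SspAbort]:
    """Return one record per SSP abort found in a build log."""
    lines = [line.rstrip() for line in text.splitlines()]
    hits: List[SspAbort] = []
    i = 0
    while i < len(lines):
        line = lines[i]
        # A long C++ signature is wrapped onto the next line; glue it back on.
        if "stack smashing attack in function" in line and not line.endswith("()"):
            if i + 1 < len(lines):
                line = line + " " + lines[i + 1].strip()
                i += 1
        m = SSP_RE.match(line)
        if m:
            hits.append(SspAbort(program=m["prog"], function=m["fn"].strip()))
        else:
            a = ABORT_RE.match(line)
            if a and hits and hits[-1].pid is None:   # attach to the last abort
                hits[-1].script, hits[-1].pid = a["script"], int(a["pid"])
        i += 1
    return hits

# Constructed sample, taken from the configure output quoted in this report.
SAMPLE_LOG = """\
/tmp/portage/qt-4.0.1/work/qt-x11-opensource-src-4.0.1/bin/qmake
qmake: stack smashing attack in function virtual bool
UnixMakefileGenerator::findLibraries()()
./configure: line 3901:  1293 Aborted                 QTDIR="$outpath"
Qt is now configured for building. Just run 'gmake'.
"""
```

Running `scan_log(SAMPLE_LOG)` yields one record naming qmake, the C++ pretty-function name, the aborting script and PID 1293.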
Comment 1 Caleb Tennis (RETIRED) gentoo-dev 2006-01-26 05:25:54 UTC
Hmm, is it still an issue in qt-4.1 ?
Comment 2 Nicolas MASSE 2006-01-30 14:46:43 UTC
(In reply to comment #1)
> Hmm, is it still an issue in qt-4.1 ?
> 

Yes, I have the same error messages. The package compiles cleanly when using the vanilla flavor of gcc.
Comment 3 Christian Heim (RETIRED) gentoo-dev 2007-11-10 09:26:16 UTC
Due to SSP having issues with C++ code, I just placed a -fno-stack-protector in the x11-libs/qt ebuilds. Thus, you should no longer see those issues when emerging anything qt-based or QT itself.