Bug 133301 - qt-3.3.6-r1 breaks kdesktop_lock under hardened
Summary: qt-3.3.6-r1 breaks kdesktop_lock under hardened
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] KDE
Hardware: All Linux
Importance: High normal
Assignee: The Gentoo Linux Hardened Team
Duplicates: 139724 151950
Blocks: 135265
Reported: 2006-05-14 09:46 UTC by Andre Burgoyne
Modified: 2007-11-13 06:33 UTC (History)

Attachments
patch to illuminate the problem (qwidget_x11.patch,1.10 KB, patch)
2006-05-17 23:11 UTC, Andre Burgoyne
quick and dirty patch to work around the gcc bug (acb-gcc-bug.patch,570 bytes, patch)
2006-05-27 19:46 UTC, Andre Burgoyne

Description Andre Burgoyne 2006-05-14 09:46:52 UTC
After the recent qt upgrade kdesktop_lock no longer works.

 # kdesktop_lock
 kdesktop_lock: stack smashing attack in function virtual void QWidget::create(WId, bool, bool)()
 Aborted

Portage 2.0.54-r2 (hardened/x86/2.6, gcc-3.4.5, glibc-2.3.6-r3, 2.6.16-gentoo-r7 i686)
=================================================================
System uname: 2.6.16-gentoo-r7 i686 AMD Athlon(tm) 64 Processor 3500+
Gentoo Base System version 1.6.14
ccache version 2.3 [disabled]
dev-lang/python:     2.4.2
dev-python/pycrypto: 2.0-r1
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.mirrors.easynews.com/linux/gentoo/ http://gentoo.mirrors.pair.com/ http://gentoo.mirrors.tds.net/gentoo"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="3dnow X a52 aac aalib acpi alsa apache2 arts audiofile bash-completion berkdb bindist bitmap-fonts bzip2 caps cdparanoi cdr crypt cscope ctype cups curl dba dbm dbus dga dlloader doc dri dvd dvdr dvdread eds encode esd ethereal examples exif expat fam fastcgi ffmpeg fftw flac flatfile foomaticdb ftp gb gd gdbm gif ginac glut gmp gnome gnutls gphoto2 gpm gstreamer gtk gtk2 gtkhtml guile hal hardened icc iconv idn ieee1394 imagemagick imap imlib innodb iodbc ipv6 jabber jack java javascript jpeg jpeg2k junit kde lcms ldap libcaca libedit libwww lm_sensors mad mbox mcal memlimit mhash mikmod mime mmap mmx mng motif mozilla mp3 mpeg mysql ncurses nls nocd nptl nsplugin odbc offensive ogg openal opengl oss pam pcre pda pdf perl php pic png posix python qt quicktime readline recode ruby sasl sdl sessions sharedmem skey slang snmp soap sockets spell spl sse2 ssl symlink sysvipc tcltk tcpd tetex theora threads tiff truetype truetype-fonts type1-fonts udev unicode usb userlocales vcd videos vorbis win32codecs wxwindows x86 xine xml xml2 xmms xpm xsl xv xvid zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS, PORTAGE_RSYNC_OPTS
Comment 1 Caleb Tennis (RETIRED) gentoo-dev 2006-05-14 15:06:52 UTC
I'm not familiar with the hardened stuff, but is it possible to trace it back a bit more than that?  Like a line number of the source code where it's failing?
Comment 2 Andre Burgoyne 2006-05-14 15:19:53 UTC
I'm not sure how.  I tried running gdb on it, but after it got the SIGABRT
the desktop was no longer responsive to input until I switched virtual
consoles and killed gdb.  Any suggestions for getting more information
are welcome.
Comment 3 Caleb Tennis (RETIRED) gentoo-dev 2006-05-14 15:56:50 UTC
Curious - can you try it with 3.3.6 (without the -r1)?  I wonder where this was introduced.
Comment 4 Andre Burgoyne 2006-05-14 18:19:02 UTC
Same problem with 3.3.6:
 LD_LIBRARY_PATH=/var/tmp/portage/qt-3.3.6/image/usr/qt/3/lib kdesktop_lock
 kdesktop_lock: stack smashing attack in function virtual void QWidget::create(WId, bool, bool)()
Comment 5 Andre Burgoyne 2006-05-14 21:29:59 UTC
Interesting!  When I tried to get some debugging information by re-compiling
qt with USE=debug the problem went away.  Sounds like this might actually
be a nasty little compiler bug.
Comment 6 Andre Burgoyne 2006-05-14 21:37:35 UTC
Oops.  Sorry.  Ignore that.  It fails with the debug version as well.
(I was accidentally running my temporary version which links against
the 3.3.4 libraries).  Unfortunately I also don't get any more information
about where it is failing (running it in gdb does not give a useful
stack-trace).
Comment 7 Andre Burgoyne 2006-05-17 23:11:14 UTC
Created attachment 86979
patch to illuminate the problem

OK, this is seriously weird.  It really does look like a compiler bug.
After applying the patch I get the following output:

 kdesktop_lock: app 0 0 false 0 0
 kdesktop: relPath=System/ScreenSavers/
 kdesktop: mForbidden: false
 size = 92/92, diff = 32
 abababab abababab abababab abababab...
 ---- BEFORE ----
 ---- AFTER ----
 1 0 1 0 ffffffff 0 0 20 1 0 0 0 0 0 8003b6c8 abababab...

Notice that the local variables are overlapping!  It turns out that just moving
the declaration of "XWindowAttributes a;" causes the problem to go away,
but it really looks like we have a compiler problem here.
Comment 8 Caleb Tennis (RETIRED) gentoo-dev 2006-05-18 05:10:25 UTC
Out of curiosity, have you tried to re-emerge kdelibs and kdesktop after the qt emerge?  Also, have you tried restarting Qt?

I did a diff between the qwidget source files of qt-3.3.4 and qt-3.3.6 and there are very few changes, none of which look related to this.
Comment 9 Andre Burgoyne 2006-05-18 21:37:12 UTC
I did in fact re-emerge kde-base/kdebase-3.4.3-r1 (and rebooted) after I
first encountered the problem thinking it was that sort of issue.
But given the behavior with my patch it really looks like a
compiler bug, and not a qt problem at all (given that it can be "fixed"
by just moving the declaration of a local variable).
Comment 10 Caleb Tennis (RETIRED) gentoo-dev 2006-05-22 08:21:46 UTC
It's interesting.  There's no difference in that code between 3.3.4 and 3.3.6, so I'm not sure what's causing the bug to come to life.
Comment 11 Andre Burgoyne 2006-05-27 19:46:04 UTC
Created attachment 87699
quick and dirty patch to work around the gcc bug

I've included my quick and dirty patch which avoids the gcc bug.
This is what I've put into my local portage tree and it seems to
work.  Obviously this isn't a real fix, but this is for anyone else
who is running into this issue.
Comment 12 Andre Burgoyne 2006-05-29 21:41:20 UTC
FYI: I just tested it with the new gcc-3.4.6-r1 compiler, and the problem still
persists.
Comment 13 Robert A. 2006-05-30 00:20:21 UTC
Same problem here (also Gentoo hardened).
The problem exists with kde 3.4.3 and 3.5.2, but disappears when reverting to qt-3.3.4-r8.
Comment 14 Caleb Tennis (RETIRED) gentoo-dev 2006-06-02 05:08:32 UTC
I guess I should reassign this to the hardened team to see what they have to say about it...
Comment 15 Kevin F. Quinn (RETIRED) gentoo-dev 2006-06-02 06:01:38 UTC
(In reply to comment #11)
> I've included my quick and dirty patch which avoids the gcc bug.

I think it's a limitation of the SSP implementation in gcc-3.x (which is a patch provided outside of GCC, unlike 4.x), that it gets confused by data declared in blocks inside a function.  We've seen similar problems before; it's one of the problems with 3.x SSP and C++ (such declarations are not permitted in C).

Moving the declaration to the beginning of the function is a good solution.  It doesn't hurt anyone else; I recommend it (good work, Andre).  Fixing SSP in gcc-3.x is much harder :/ but I'll raise a separate specific bug about that.  Note that gcc-3.x SSP is Gentoo-specific so I don't think it's something we should worry upstream about.
Comment 16 Kevin F. Quinn (RETIRED) gentoo-dev 2006-06-02 14:53:38 UTC
Hmm; I may have to take that back.  Built qt with vanilla gcc, including the patch from comment 7 to show the addresses etc, and they still overlap.  Only difference is that it doesn't get killed!  Which implies SSP isn't causing the problem, just highlighting an actual problem.
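
The overlap check behind the "size = 92/92, diff = 32" output in comment 7, together with the declaration move recommended in comment 15, as an added example (this is not the attachment from this bug, whose contents are not shown on the page). `Attrs`, `Report`, `inspect`, `ranges_overlap` and the two `probe_*` functions are hypothetical names, and `Attrs` is a stand-in for `XWindowAttributes` assumed to be the 92-byte object in that output.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Hypothetical stand-in for XWindowAttributes, sized to the 92 bytes
// reported as "size = 92/92" in comment 7 (assumed to be that struct).
struct Attrs { unsigned char bytes[92]; };

struct Report {
    std::size_t diff;     // distance between the two objects' start addresses
    bool overlap;         // true if the objects share at least one byte
    bool pattern_intact;  // true if the 0xab fill survived writes to Attrs
};

// True when [a, a + a_size) and [b, b + b_size) share at least one byte.
bool ranges_overlap(std::uintptr_t a, std::size_t a_size,
                    std::uintptr_t b, std::size_t b_size) {
    return a < b + b_size && b < a + a_size;
}

// Zero the Attrs object, then check the neighbouring buffer was not touched.
static Report inspect(Attrs &a, const unsigned char (&buf)[92]) {
    std::memset(&a, 0, sizeof a);
    const auto pa = reinterpret_cast<std::uintptr_t>(&a);
    const auto pb = reinterpret_cast<std::uintptr_t>(&buf[0]);
    Report r;
    r.diff = static_cast<std::size_t>(pa > pb ? pa - pb : pb - pa);
    r.overlap = ranges_overlap(pa, sizeof a, pb, sizeof buf);
    r.pattern_intact = true;
    for (unsigned char c : buf)
        if (c != 0xab) r.pattern_intact = false;
    return r;
}

// Shape of the failing code: the struct is declared in an inner block
// while a function-scope local is still live.
Report probe_block_scoped() {
    unsigned char buf[92];
    std::memset(buf, 0xab, sizeof buf);
    {
        Attrs a;
        return inspect(a, buf);
    }
}

// Shape of the workaround: the same declaration moved to function scope.
Report probe_function_scoped() {
    Attrs a;
    unsigned char buf[92];
    std::memset(buf, 0xab, sizeof buf);
    return inspect(a, buf);
}

int main() {
    const Report b = probe_block_scoped(), f = probe_function_scoped();
    std::printf("block scope:    diff = %zu, overlap = %d, intact = %d\n",
                b.diff, b.overlap, b.pattern_intact);
    std::printf("function scope: diff = %zu, overlap = %d, intact = %d\n",
                f.diff, f.overlap, f.pattern_intact);
    return (b.overlap || f.overlap) ? 1 : 0;
}
```

With two 92-byte objects live at the same time, a correct stack layout gives a start-address distance of at least 92; a distance of 32, as in comment 7, means 60 bytes are shared.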

Comment 17 Tommy McDaniel 2006-06-05 04:06:58 UTC
Fellows, I upgraded from kde-3.4.something to kde-meta-3.5.2 the other day, and not only do I have this exact same problem, but I have a similar problem trying to start KPDF:

kpdf: stack smashing attack in function void QPainter::setWorldMatrix(const QWMatrix&, bool)()
Aborted

I assume this KPDF problem is a manifestation of the same bug. I can view PDFs from within Konqueror, however. I have qt-3.3.6-r1 installed. Here's my emerge --info:

Portage 2.0.54-r2 (default-linux/amd64/2005.0, gcc-3.4.5, glibc-2.3.6-r3, 2.6.15-gentoo-r1 x86_64)
=================================================================
System uname: 2.6.15-gentoo-r1 x86_64 AMD Opteron(tm) Processor 246
Gentoo Base System version 1.6.14
dev-lang/python:     2.3.5-r2, 2.4.2
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1-r2
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=opteron -O3 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/lib/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=opteron -O3 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="en_US.utf8"
LC_ALL="en_US.utf8"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 X Xaw3d a52 aac aalib accessibility acl acpi adns aim alsa apache2 arts audiofile avi bash-completion bcmath berkdb bidi bitmap-fonts bluetooth bonobo bzip2 bzlib calendar canna cdb cdparanoia cdr chasen cjk cli crypt cscope ctype cups curl curlwrappers db2 dba dbase dbm dbx dedicated dga dio directfb divx4linux doc dri dts dv dvb dvd dvdr dvdread eds emacs emacs-w3 emboss emul-linux-x86 encode esd ethereal evo examples exif expat fam fastcgi fbcon ffmpeg flac flash flatfile foomaticdb fortran freetds freewnn ftp gb gcj gd gdbm geoip ggi gif ginac glut gmp gnome gnustep gnutls gphoto2 gpm gps gstreamer gtk gtk2 gtkhtml guile hal hardened hardenedphp howl hyperwave-api iconv icq idn imagemagick imap imlib inifile innodb interbase iodbc ipv6 isdnlog jabber jack javascript joystick jpeg kde kdeenablefinal kerberos krb4 ladcca lcms ldap leim libcaca libg++ libgda libwww lirc lm_sensors lua lzw lzw-tiff m17n-lib mad maildir mailwrapper matroska mbox mcal mcve memlimit mhash migemo mikmod milter mime ming mmap mng mnogosearch motif mozilla mp3 mpeg mpi msession msql mssql mule mysql mysqli nas ncurses neXt netcdf nis nls nocd nptl oci8 odbc offensive ofx ogg openal opengl oracle oracle7 osc oscar oss ovrimos pam pcntl pcre pda pdflib perl php plotutils png portaudio posix postgres ppds pppd prelude python qdbm qt quicktime readline recode reflection ruby samba sapdb sasl scanner sdl session sharedext sharedmem shorten simplexml skey slang slp smartcard sndfile snmp soap sockets socks5 source sox speex spell spl sqlite ssl svg symlink sysvipc szip tcltk tcpd tetex theora threads tidy tiff tokenizer truetype truetype-fonts type1-fonts udev unicode usb v4l vcd vhosts videos vorbis wddx wifi wmf wxwindows xface xine xml xml2 xmlrpc xmms xorg xosd xpm xprint xsl xv xvid yahoo yaz zeo zlib userland_GNU kernel_linux elibc_glibc"
Unset:  CTARGET, INSTALL_MASK, LDFLAGS, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS, PORTAGE_RSYNC_OPTS, PORTDIR_OVERLAY
Comment 18 Tommy McDaniel 2006-06-05 17:12:56 UTC
Is this bug a duplicate of bug #126896? If not, my report seems to be a case of that bug instead of this one.
Comment 19 Kevin F. Quinn (RETIRED) gentoo-dev 2006-06-05 22:55:49 UTC
(In reply to comment #18)
> Is this bug a duplicate of bug #126896? If not, my report seems to be a case of
> that bug instead of this one.

No - at least not yet.  This report is a stack smash in QWidget::create.  #126896 is a stack smash in QPainter::setWorldMatrix.
Comment 20 schaedpq 2006-06-07 10:57:16 UTC
Just want to add that I am able to reproduce the issue on my system with x11-libs/qt-3.3.4-r8, kde-base/kdelibs-3.5.2-r6 and kde-base/kdebase-3.5.2-r1.
qt, kdelibs and kdebase were compiled with i686-pc-linux-gnu-3.4.6-hardenednopie to ease debugging.
Don't know if it helps you somehow, but the backtrace from the core dump is:
(gdb) bt
#0  0x4e4a8802 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1  0x4c3c4d56 in kill () from /lib/libc.so.6
#2  0x4c3b151e in __stack_smash_handler () from /lib/libc.so.6
#3  0x4cd87611 in QWidget::create (this=0x59891690, window=44040206, initializeWindow=true, destroyOldWindow=true) at qwidget_x11.cpp:691
#4  0x08055a0c in LockProcess::createSaverWindow (this=0x39) at lockprocess.cc:425
Previous frame inner to this frame (corrupt stack?)

# emerge --info
Portage 2.1_rc4-r1 (hardened/x86/2.6, gcc-3.4.6, glibc-2.3.6-r3, 2.6.14-hardened-r8 i686)
=================================================================
System uname: 2.6.14-hardened-r8 i686 AMD Athlon(tm) 64 Processor 3500+
Gentoo Base System version 1.6.14
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
dev-lang/python:     2.4.2
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1-r2
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-mtune=athlon64 -march=athlon64 -O2 -pipe -Wall -g3 -ggdb3"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/lib/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/"
CONFIG_PROTECT_MASK="/etc/gconf /etc/postfix/sample /etc/revdep-rebuild /etc/terminfo /etc/env.d"
CXXFLAGS="-mtune=athlon64 -march=athlon64 -O2 -pipe -Wall -g3 -ggdb3"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks metadata-transfer nostrip parallel-fetch sandbox sfperms strict"
GENTOO_MIRRORS="http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror"
LINGUAS="de"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://linux.rz.ruhr-uni-bochum.de/gentoo-portage"
USE="3dnow 3dnowext X a52 acpi alsa ash-completion berkdb bitmap-fonts cdparanoia crypt cups debug dga dlloader dri dv dvd dvdr dvdread encode font-server glx gtk gtk2 hardened imap isdnlog jabber kde kdeenablefinal live lzo mad matrox mbox mime mjpeg mmx mmxext mozcalendar mozsvg mp3 mpeg mplayer musicbrainz network nls nodrm nptl nptlonly nsplugin offensive ogg opengl pam pam_timestamp pdf pic png quicktime readline real sftplogging sse ssl tcpd theora truetype truetype-fonts type1 type1-fonts userlocales v4l v4l2 vorbis win32codecs x86 xmms xorg xprint xv zlib elibc_glibc kernel_linux linguas_de userland_GNU video_cards_nv"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 21 Kevin F. Quinn (RETIRED) gentoo-dev 2006-07-09 02:40:15 UTC
*** Bug 139724 has been marked as a duplicate of this bug. ***
Comment 22 Kevin F. Quinn (RETIRED) gentoo-dev 2006-07-09 14:33:48 UTC
(In reply to comment #7)
> Created an attachment (id=86979) [edit]
> patch to illuminate the problem
> 
> OK, this is seriously weird.  It really does look like a compiler bug.

Just tried it with gcc-4.1.1 (with and without SSP switched on) and the output is correct; in other words the compiler bug is specific to 3.x series.
Comment 23 kalium 2006-08-28 08:18:22 UTC
Great. And the GCC dev guys have closed the gcc 3.x branch. Now that we have a reliable compiler, they shut it down.
Comment 24 kalium 2006-08-28 09:26:43 UTC
Fix confirmed. Solved problem here.

Put the fix into your portage overlay using

rm -rf x11-libs/qt ; wget -r -np --level=0 -k -nH --cut-dirs=1 \
--reject="index.html*" http://stier.dynu.com/~myportage/x11-libs/qt

if you don't want to wait.
Comment 25 Robert A. 2006-10-19 07:15:20 UTC
(In reply to comment #24)
> Fix confirmed. Solved problem here.
> 
> Put the fix into your portage overlay using
> 
> rm -rf x11-libs/qt ; wget -r -np --level=0 -k -nH --cut-dirs=1 \
> --reject="index.html*" http://stier.dynu.com/~myportage/x11-libs/qt
> 
> if you don't want to wait.
> 

Works for me too (on 3 different boxes).
Why is the patch still not included in portage?
Comment 26 Jakub Moc (RETIRED) gentoo-dev 2006-10-19 07:21:00 UTC
*** Bug 151950 has been marked as a duplicate of this bug. ***
Comment 27 Robert A. 2006-11-11 04:23:39 UTC
jfyi: the bug is still there when using x11-libs/qt-3.3.6-r4 and kde-base/kdelibs-3.5.5-r5, but the above patch also works for qt-3.3.6-r4.

Since there is a security issue (CVE-2006-4811) with qt <3.3.6-r4, it would be nice to get this patch into portage.
Comment 28 Jan Kundrát (RETIRED) gentoo-dev 2007-02-04 11:48:09 UTC
The patch fixes the problem for me on two x86 hardened systems. Is anything blocking it from being applied?
Comment 29 Robert A. 2007-04-12 13:24:46 UTC
jfyi: the problem is still persistent on x11-libs/qt-3.3.8-r2 and kde-base/kdelibs-3.5.6-r5
Comment 30 RonnyPeine 2007-04-26 08:06:29 UTC
The patch really is only a cosmetic change and shouldn't have any bad behaviour/side-effects. Can someone please integrate it in the ebuild? Tested here too and works like a charm.
Comment 31 RonnyPeine 2007-07-05 10:31:05 UTC
(In reply to comment #30)
OK, I have found a bug with -fstack-protector on qt which leads to crashes
in konqueror (visiting wikipedia.org kills konqueror). I have found a report for this here:
http://grsecurity.net/pipermail/grsecurity/2006-July/000744.html

So the best solution would be to disable SSP for qt in the next time.
Ignore my earlier post so far.
Comment 32 Christian Heim (RETIRED) gentoo-dev 2007-11-10 09:26:23 UTC
Due to SSP having issues with C++ code, I just placed a -fno-stack-protector in the x11-libs/qt ebuilds. Thus, you should no longer see those issues when emerging anything qt-based or Qt itself.
Comment 33 Andre Burgoyne 2007-11-13 06:33:29 UTC
This fixes the problem for me (without needing my hacked patch).