I'm having problems with hardened-gcc 3.3.2.1. When I compile the following program:

#include <vector>
#include <algorithm>

int main() {
    std::vector<long> i;
    i.push_back(4);
    i.push_back(3);
    i.push_back(2);
    i.push_back(1);
    std::sort(i.begin(), i.end());
}

executing the binary will give me a segmentation fault. After adding '-yno_propolice' to the compiler flags, however, the program works. Maybe I'm just incredibly dumb, but I cannot see why this code should overflow the stack!

Reproducible: Always

Steps to Reproduce:
peti:~$ g++ test.cc -o test
peti:~$ ./test
Segmentation fault
peti:~$ g++ -yno_propolice test.cc -o test
peti:~$ ./test
peti:~$

Portage 2.0.50-r1 (selinux-x86-1.4, gcc-3.3.2, glibc-2.3.2-r3, 2.6.3-rc2)
=================================================================
System uname: 2.6.3-rc2 i686 AMD Athlon(tm) Processor
Gentoo Base System version 1.4.3.13
Autoconf: sys-devel/autoconf-2.59
Automake: sys-devel/automake-1.7.8
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-mcpu=athlon -O3 -fomit-frame-pointer -funroll-loops -pipe"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
CXXFLAGS="-mcpu=athlon -O3 -fomit-frame-pointer -funroll-loops -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache notitles sandbox sfperms strict userpriv"
GENTOO_MIRRORS="http://ftp.snt.utwente.nl/pub/os/linux/gentoo ftp://ftp.snt.utwente.nl/pub/os/linux/gentoo"
MAKEOPTS="-j1"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="3dnow X Xaw3d aalib altcolors avi berkdb caps cdr crypt curl dga doc dvd dvdr emacs encode ethereal gcl gdbm gif gtk idea javascript jpeg leim libwww mbox mmx mozilla moznocompose moznoirc moznomail moznoxft ncurses oggvobis opengl oss pam pdflib perl plotutils png python quicktime rage128 readline selinux spell ssl tetex threads tiff truetype x86 xml xml2 zlib"
solar@simple ssp $ g++ vector.cc -o vector -fstack-protector-all
solar@simple ssp $ ./vector
Segmentation fault
solar@simple ssp $ g++ vector.cc -o vector -fstack-protector
solar@simple ssp $ ./vector
solar@simple ssp $
solar@simple ssp $ g++ vector.cc -o vector -fstack-protector-all
solar@simple ssp $ ulimit -c unlimited
solar@simple ssp $ ./vector
Segmentation fault (core dumped)
solar@simple ssp $ gdb -q ./vector ./core
Core was generated by `./vector'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.2/libstdc++.so.5...done.
Loaded symbols for /usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.2/libstdc++.so.5
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.2/libgcc_s.so.1...done.
Loaded symbols for /usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.2/libgcc_s.so.1
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0  0x08049e46 in long const& std::__median<long>(long const&, long const&, long const&) ()
(gdb) bt full
#0  0x08049e46 in long const& std::__median<long>(long const&, long const&, long const&) ()
No symbol table info available.
#1  0x08049448 in void std::__introsort_loop<__gnu_cxx::__normal_iterator<long*, std::vector<long, std::allocator<long> > >, int>(__gnu_cxx::__normal_iterator<long*, std::vector<long, std::allocator<long> > >, __gnu_cxx::__normal_iterator<long*, std::vector<long, std::allocator<long> > >, int) ()
No symbol table info available.
#2  0x08048b60 in void std::sort<__gnu_cxx::__normal_iterator<long*, std::vector<long, std::allocator<long> > > >(__gnu_cxx::__normal_iterator<long*, std::vector<long, std::allocator<long> > >, __gnu_cxx::__normal_iterator<long*, std::vector<long, std::allocator<long> > >) ()
No symbol table info available.
#3  0x08048896 in main ()
No symbol table info available.
#4  0x2faaf951 in __libc_start_main () from /lib/libc.so.6
No symbol table info available.
---------------------------------------------------------------------

I don't think this is an overflow at all or we would see some sort of "name: stack smashing attack in function anyfunction". I think you found a real bug with -fstack-protector-all and I think you should mail Etoh (ssp author) and ask for his input on this.
http://www.research.ibm.com/trl/projects/security/ssp/

Till then it's recommended that you uninstall hardened-gcc and revert to a raw back-to-the-basics [C|CXX|LD]FLAGS setup in your /etc/make.conf:

CFLAGS="-fPIC -fstack-protector"
LDFLAGS="-pie"
OK. I've contacted the author ...
Any news from Etoh yet?
He's analysing the problem. I sent him the pre-processed output from g++, just a few hours ago.
03:28PM <ashes> lemmie try that on openbsd
03:30PM <ashes> $ g++ test.c -o test -fstack-protector-all
03:30PM <ashes> $ ./test
03:30PM <ashes> $
I assume I'm trying to reproduce this right.

$ cat test.cc
#include <vector>
#include <algorithm>

int main() {
    std::vector<long> i;
    i.push_back(4);
    i.push_back(3);
    i.push_back(2);
    i.push_back(1);
    std::sort(i.begin(), i.end());
}
$ g++ test.cc -o test -fstack-protector-all
$ ./test
$ uname -a
OpenBSD twocents.mooo.com 3.5 GENERIC#120 i386
$ ls -l /bsd
-rw-r--r--  1 root  wheel  5036073 Feb 27 11:24 /bsd

Doesn't look like a specifically SSP problem.
What gcc + ssp version is that? Our ssp code that's in our stable tree should be the 3.3-7 (current).
$ gcc -v
Reading specs from /usr/lib/gcc-lib/i386-unknown-openbsd3.5/2.95.3/specs
gcc version 2.95.3 20010125 (prerelease, propolice)

The openbsd cvsweb says the last change to gcc/protector.c was 8 weeks ago. Etoh maintains openbsd's ssp.
I was using gcc 3.3.2 on Linux. Maybe that makes a difference?
I have tried the test program on another Linux machine with different compiler and library versions. The program does _not_ segfault there either. The configuration was:

Portage 2.0.50-r1 (default-x86-1.4, gcc-3.2.3, glibc-2.3.2-r9, 2.4.22-hardened)

and

* sys-devel/hardened-gcc
      Latest version available: 5.0
      Latest version installed: 2.4.5
ok then the previous stuff may hold no value in relation to what's going on at linux (or maybe just gentoo). Could you ask a hlfs user to try the sample program and see if the same exists for you guys?
On March 19, 2004 11:47 am, Jonas Norlander wrote:
> It segfaults for me. Here is my spec.
> Kernel 2.4.25 with grsecurity 1.9.14
> g++ (GCC) 3.3.2 (Propolice Only 3.3-5)
> glibc 2.3.2 with Propolice patch

Looks like he's on patch level 5.

> [jonas@venus ~/tmp]$ ./vector
> Segmentation fault
> Mar 19 17:15:35 venus kernel: grsec: From 192.168.7.1: signal 11 sent to (vector:6851) UID(1001) EUID(1001), parent (bash:5200) UID(1001) EUID(1001)
> Mar 19 17:15:35 venus kernel: grsec: From 192.168.7.1: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by (vector:6851) UID(1001) EUID(1001), parent (bash:5200) UID(1001) EUID(1001)
No segfault from netbsd gcc-3.3.3-protector-7. The bug is with glibc.
You guys will love this: I have un-installed hardened-gcc, and now the problem is gone!

| peti:~$ g++ -fstack-protector-all test.cc -o test && ./test
| peti:~$

I cannot re-produce the segfault anymore, neither can Hiroaki Etoh (on my machine nor on his). So I'd say, things are pointing towards hardened-gcc rather than anything else?
Peter, I had no hgcc installed at all when I ran your test.

solar@simple c $ g++ vector.cc -o vector -fstack-protector-all
solar@simple c $ ./vector
Segmentation fault
solar@simple c $ file vector
vector: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.4.1, dynamically linked (uses shared libs), not stripped
Alright, I give up. I have updated gcc and glibc to the latest stable versions, and after I did, everything works just fine. I cannot re-produce the problem any longer, and I couldn't re-produce it on any of the other machines I have an account on either. Solar, I've sent you a Cc of an e-mail conversation between Etoh and me, where he asks for details about the created core dump file. Maybe you can help him figure this out?
Peter, When you upgraded what versions of the toolchain did you upgrade to?
Portage 2.0.50-r1 (selinux-x86-1.4, gcc-3.3.2, glibc-2.3.2-r9, 2.6.3-rc2)
=================================================================
System uname: 2.6.3-rc2 i686 AMD Athlon(tm) Processor
Gentoo Base System version 1.4.3.13
Autoconf: sys-devel/autoconf-2.59
Automake: sys-devel/automake-1.7.8
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-mcpu=athlon -O3 -fomit-frame-pointer -funroll-loops -pipe -fPIC -fstack-protector"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-mcpu=athlon -O3 -fomit-frame-pointer -funroll-loops -pipe -fPIC -fstack-protector"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache notitles sandbox sfperms strict userpriv"
GENTOO_MIRRORS="http://ftp.snt.utwente.nl/pub/os/linux/gentoo ftp://ftp.snt.utwente.nl/pub/os/linux/gentoo"
MAKEOPTS="-j1"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="3dnow X Xaw3d aalib altcolors avi berkdb caps cdr crypt curl dga doc dvd dvdr emacs encode ethereal gcl gdbm gif gtk idea javascript jpeg leim libwww mbox mmx mozilla moznocompose moznoirc moznomail moznoxft ncurses oggvobis opengl oss pam pdflib perl plotutils png python quicktime rage128 readline selinux spell ssl tetex threads tiff truetype x86 xml xml2 zlib"
Problem persists here. Somebody else should mail Etoh about it.
Changing resolution to UPSTREAM
solar@simple c $ cat vector.cc
#include <vector>
#include <algorithm>

int main() {
    std::vector<long> i;
    i.push_back(4);
    i.push_back(3);
    i.push_back(2);
    i.push_back(1);
    std::sort(i.begin(), i.end());
}
solar@simple c $ g++ vector.cc -o vector -O
solar@simple c $ ./vector
solar@simple c $ g++ vector.cc -o vector -O1
solar@simple c $ ./vector
solar@simple c $ g++ vector.cc -o vector -O2
solar@simple c $ ./vector
solar@simple c $ g++ vector.cc -o vector -O3
solar@simple c $ ./vector
solar@simple c $ g++ vector.cc -o vector -Os
solar@simple c $ ./vector
solar@simple c $ g++ vector.cc -o vector -O0
solar@simple c $ ./vector
Segmentation fault

gcc (GCC) 3.3.5 (Gentoo Hardened Linux 3.3.5-r1, ssp-3.3.2-3, pie-8.7.7.1)
GNU ld version 2.15.92.0.2 20040927

x86 with glibc fails this test.
x86 with uClibc passes this test.
x86_64 with glibc passes this test.

It seems safe to only use -Os -O -O1 -O2 with ssp on a x86 glibc host. -O3 triggers bugs in python.
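The optimisation-level matrix in the comment above is the useful toolchain check from this thread, so here it is as a repeatable script. This is an added example, not something posted by any participant or shipped by Gentoo Hardened or the SSP project. It writes the exact test program from the report to a temporary directory, builds it at each optimisation level with -fstack-protector-all, and classifies how each binary exits. The classification relies on the POSIX shell convention that a process killed by signal N exits with status 128+N, so 139 is the SIGSEGV the reporters saw, while 134 is the SIGABRT that SSP raises after printing its "stack smashing" message (the distinction solar draws earlier: a real canary hit aborts with a message, it does not silently segfault). It assumes a g++ on PATH that accepts -fstack-protector-all and a working mktemp; everything else is self-contained.

```shell
#!/bin/sh
# Added example (not from the bug report): rebuild the thread's vector.cc at
# each optimisation level with -fstack-protector-all and report the outcome.
# Assumes g++ and mktemp are available; the program below is the one from
# the report, embedded verbatim.

# Map a shell exit status to the event a practitioner would recognise.
# Shells report "killed by signal N" as exit status 128+N:
#   139 = 128+11 (SIGSEGV), the plain segfault seen in this thread;
#   134 = 128+6  (SIGABRT), what SSP raises after a failed canary check.
classify_status() {
    case "$1" in
        0)   echo "ok" ;;
        134) echo "SIGABRT (SSP canary check failed)" ;;
        139) echo "SIGSEGV (segmentation fault)" ;;
        *)   echo "exit $1" ;;
    esac
}

# Write the test program from the report to the path given in $1.
write_test_program() {
    cat > "$1" <<'EOF'
#include <vector>
#include <algorithm>

int main() {
    std::vector<long> i;
    i.push_back(4);
    i.push_back(3);
    i.push_back(2);
    i.push_back(1);
    std::sort(i.begin(), i.end());
}
EOF
}

# Compile $1 into $2 with the remaining arguments as flags, run the result,
# and print the classified outcome. Written to be safe under `set -e`.
run_level() {
    src=$1
    bin=$2
    shift 2
    if g++ "$@" "$src" -o "$bin" 2>/dev/null; then
        status=0
        "$bin" >/dev/null 2>&1 || status=$?
        classify_status "$status"
    else
        echo "compile failed"
    fi
}

# Run the same matrix solar used: -O0 through -O3 plus -Os, all with SSP on
# every function. A healthy toolchain prints "ok" on every line.
ssp_matrix() {
    dir=$(mktemp -d)
    write_test_program "$dir/vector.cc"
    for level in -O0 -O -O1 -O2 -O3 -Os; do
        printf '%-4s -fstack-protector-all: %s\n' "$level" \
            "$(run_level "$dir/vector.cc" "$dir/vector" "$level" -fstack-protector-all)"
    done
    rm -rf "$dir"
}

# Only attempt the build matrix when a compiler is present, so the script
# still loads cleanly (for the helper functions) on a machine without g++.
if command -v g++ >/dev/null 2>&1; then
    ssp_matrix
else
    echo "g++ not found; skipping compile matrix"
fi
```

On a toolchain affected by this bug the -O0 line would read "SIGSEGV (segmentation fault)" while the others read "ok", matching solar's result; a line reading "SIGABRT (SSP canary check failed)" would instead indicate that the protector actually caught an overwritten canary, which is the message-producing behaviour solar notes is absent here.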