Bug 409939 - x11-misc/pcmanfm-0.9.10 - on startup, "stack smashing detected" and termination
Summary: x11-misc/pcmanfm-0.9.10 - on startup, "stack smashing detected" and termination
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: LXDE team (DEFUNCT)
URL:
Whiteboard:
Keywords: PATCH
Depends on:
Blocks:
 
Reported: 2012-03-28 02:14 UTC by Allan Wegan
Modified: 2012-08-05 18:33 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments
libfm-0.1.17-ssp-fix.patch (libfm-0.1.17-ssp-fix.patch,952 bytes, patch)
2012-03-29 04:49 UTC, Richard Grenville
libfm-0.1.17-ssp-fix.patch (libfm-0.1.17-ssp-fix.patch,523 bytes, patch)
2012-04-22 15:05 UTC, Richard Grenville

Description Allan Wegan 2012-03-28 02:14:30 UTC
On executing pcmanfm, the application is terminated with the following message:
*** stack smashing detected ***: pcmanfm - terminated
pcmanfm: stack smashing attack in function <unknown> - terminated
Report to http://bugs.gentoo.org/


Reproducible: Always

Steps to Reproduce:
1. Install package x11-misc/pcmanfm-0.9.10 .
2. Try to run "pcmanfm".

Actual Results:  
Application terminates with the following message:
*** stack smashing detected ***: pcmanfm - terminated
pcmanfm: stack smashing attack in function <unknown> - terminated
Report to http://bugs.gentoo.org/


Expected Results:  
Display a nice GTK-based GUI providing performant random access to a file system containing huge numbers of small and big files.

I do not expect the bug to be of the data-loss kind. But the software seems to crash on startup.
Comment 1 Richard Grenville 2012-03-28 11:41:37 UTC
I found the problem long ago... Well, my workaround is to use the vanilla gcc profile when building x11-libs/libfm and x11-misc/pcmanfm. pcmanfm probably does not work well with the SSP feature of hardened gcc.
Comment 2 Richard Grenville 2012-03-28 12:40:09 UTC
Further testing shows that building libfm with x86_64-pc-linux-gnu-4.6.2-hardenednossp seems enough to resolve the issue. pcmanfm can be built with the default hardened gcc profile. So only the libfm ebuild needs append-flags -fno-stack-protector.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2012-03-28 12:45:25 UTC
1) Please post your `emerge --info' output in a comment.
2) Also, please find more related information on your system about the crash,
   like entries in the syslog.
Comment 4 Allan Wegan 2012-03-28 13:21:03 UTC
# emerge --info
Portage 2.1.10.44 (hardened/linux/amd64/no-multilib, gcc-4.5.3, glibc-2.13-r4, 2.6.38-hardened-r6 x86_64)
=================================================================
System uname: Linux-2.6.38-hardened-r6-x86_64-Intel-R-_Core-TM-2_Quad_CPU_Q6600_@_2.40GHz-with-gentoo-2.0.3
Timestamp of tree: Fri, 17 Feb 2012 00:45:01 +0000
app-shells/bash:          4.1_p9
dev-java/java-config:     2.1.11-r3
dev-lang/python:          2.7.2-r3, 3.1.4-r3
dev-util/cmake:           2.8.6-r4
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.0.3
sys-apps/openrc:          0.9.8.4
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.68
sys-devel/automake:       1.11.1
sys-devel/binutils:       2.21.1-r1
sys-devel/gcc:            4.5.3-r1
sys-devel/gcc-config:     1.4.1-r1
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r1
sys-kernel/linux-headers: 3.1 (virtual/os-headers)
sys-libs/glibc:           2.13-r4
Repositories: gentoo
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /usr/share/openvpn/easy-rsa"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=core2 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch webrsync-gpg"
FFLAGS=""
GENTOO_MIRRORS="ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC=""
USE="X acl alsa amd64 berkdb bzip2 cli consolekit cracklib crypt cups cxx dbus dri fontconfig gdbm gpm gtk gtk3 hardened iconv idn ipv6 justify lock mmx modules mudflap ncurses nptl nptlonly openmp pam pax_kernel pcre policykit pppd readline session smp sndfile sse sse2 sse3 ssl startup-notification sysfs tcpd thunar truetype udev unicode urandom xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" SANE_BACKENDS="genesys" USERLAND="GNU" VIDEO_CARDS="nouveau" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

The logs did not reveal additional information. Syslog contains the already known:
Mar 28 15:12:30 localhost *** stack smashing detected ***: pcmanfm - terminated
Mar 28 15:12:30 localhost pcmanfm: stack smashing attack in function <unknown> - terminated
Mar 28 15:12:30 localhost Report to http://bugs.gentoo.org/
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2012-03-28 13:42:02 UTC
What if you run a gdb backtrace on pcmanfm?
Comment 6 Allan Wegan 2012-03-28 21:03:35 UTC
I followed http://www.gentoo.org/proj/en/qa/backtraces.xml and reemerged with -ggdb and splitdebug. But gdb refuses to give a stack trace:
$ gdb pcmanfm
GNU gdb (Gentoo 7.3.1 p2) 7.3.1
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.gentoo.org/>...
Reading symbols from /usr/bin/pcmanfm...Reading symbols from /usr/lib64/debug/usr/bin/pcmanfm.debug...done.
done.
(gdb) run
Starting program: /usr/bin/pcmanfm 
*** stack smashing detected ***: pcmanfm - terminated
pcmanfm: stack smashing attack in function <unknown> - terminated
Report to http://bugs.gentoo.org/

Program terminated with signal SIGKILL, Killed.
The program no longer exists.
(gdb) bt
No stack.
(gdb)
Comment 7 Richard Grenville 2012-03-29 01:41:14 UTC
1. Nothing appeared in dmesg after the SSP issue occurs.

2. Last few lines of strace pcmanfm:

---
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libfm.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/libfm.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/libfm.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/libfm.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/libfm.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/libfm.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/libfm/archivers.list", O_RDONLY) = 8
fstat(8, {st_mode=S_IFREG|0644, st_size=2203, ...}) = 0
read(8, "[file-roller]\ncreate=file-roller"..., 4096) = 2203
read(8, "", 4096)                       = 0
close(8)                                = 0
socket(PF_FILE, SOCK_DGRAM, 0)          = 8
connect(8, {sa_family=AF_FILE, path="/dev/log"}, 110) = 0
write(2, "*** stack smashing detected ***:"..., 54*** stack smashing detected ***: pcmanfm - terminated
) = 54
write(8, "*** stack smashing detected ***:"..., 54) = 54
write(2, "pcmanfm: stack smashing attack i"..., 66pcmanfm: stack smashing attack in function <unknown> - terminated
) = 66
write(8, "pcmanfm: stack smashing attack i"..., 66) = 66
write(2, "Report to http://bugs.gentoo.org"..., 35Report to http://bugs.gentoo.org/
) = 35
write(8, "Report to http://bugs.gentoo.org"..., 35) = 35
close(8)                                = 0
getpid()                                = 11136
kill(11136, SIGKILL <unfinished ...>
+++ killed by SIGKILL +++
zsh: killed     strace pcmanfm
exit 137
---

3. I managed to get a probably unreliable backtrace:

---
#0  0x000003fff573a9f0 in __stack_chk_fail () from /lib64/libc.so.6
No symbol table info available.
#1  0x000003fff6f82515 in _fm_archiver_init () at base/fm-archiver.c:225
        kf = 0x2aaaad14880
#2  0x000003fff6f78ecd in fm_init (config=0x2aaaad14030) at fm.c:59
        path = <optimized out>
#3  0x000003fff78640e9 in fm_gtk_init (config=<optimized out>) at fm-gtk.c:26
        _g_boolean_var_ = <optimized out>
#4  0x000002aaaaabb64f in main (argc=1, argv=0x3ffffffdc38) at pcmanfm.c:194
        config = 0x2aaaad14030
        err = 0x0
---

fm_archiver_init() in src/base/fm-archiver.c of libfm reads /usr/share/libfm/archivers.list and extracts a list of archivers that pcmanfm supports from it, with some functions from glib. Combined with the strace output above, I suppose the problem comes from fm_archiver_init(). Also, there are some really long strings in /usr/share/libfm/archivers.list.

4. By the way, what is the correct way to obtain a backtrace or core dump when a program is killed by SIGKILL in a stack smashing problem? I used "break __stack_chk_fail" to obtain the backtrace of the last time __stack_chk_fail() is called. Is that reliable?
Comment 8 Richard Grenville 2012-03-29 04:49:42 UTC
Created attachment 307047 [details, diff]
libfm-0.1.17-ssp-fix.patch

The problem is on line 206 and 207 of ./src/base/fm-archiver.c in libfm source code:
---
        int n_archivers;
        char** programs = g_key_file_get_groups(kf, &n_archivers);
---

g_key_file_get_groups()'s second argument must be a pointer to the gsize type. gsize is unsigned long. On amd64 boxes, gsize is 64 bits long, but libfm passes a pointer to the 32-bit variable "n_archivers" to it.

---
gchar ** g_key_file_get_groups(GKeyFile *key_file, gsize *length);
---

So, it's "smashing the stack" indeed. It works without SSP just because of pure luck. This problem should be reported upstream.

This patch also fixes a memory leak I spotted: the string list "programs" should be freed with g_strfreev() instead of g_free(). But, well, there are chances that I fixed it incorrectly.
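As an added illustration that is not part of this bug report or of libfm, a small C model of the width mismatch described in the comment above: get_groups() is a hypothetical stand-in for g_key_file_get_groups(), and struct frame is a constructed layout that places a 32-bit canary right after the int, standing in for the guard value that -fstack-protector keeps next to the frame's locals.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for g_key_file_get_groups(): like the GLib function,
 * it reports the count through a size_t* (gsize*), so it stores
 * sizeof(size_t) bytes, 8 on an LP64 platform such as amd64. */
static char **get_groups(size_t *length) {
    static char *groups[] = { "file-roller", "xarchiver", NULL };
    *length = 2;
    return groups;
}

/* Constructed model of the caller's stack frame: a 32-bit counter, as in
 * libfm's "int n_archivers", directly followed by a 32-bit stack canary. */
struct frame {
    int32_t n_archivers;
    uint32_t canary;
};
#define CANARY 0xCAFEBABEu

/* The libfm 0.1.17 pattern: the count meant for a gsize lands at an int's
 * address. memcpy over the whole 8-byte frame keeps this model within
 * defined behaviour; the real bug performs the same-sized store through the
 * mismatched pointer. Returns 1 if the canary survived, 0 if overwritten. */
int buggy_call(void) {
    struct frame f = { .n_archivers = -1, .canary = CANARY };
    size_t count;
    get_groups(&count);
    memcpy(&f, &count, sizeof count);   /* 8 bytes on LP64, 4 on ILP32 */
    return f.canary == CANARY;
}

/* The patched pattern: receive the count in a real gsize, then convert. */
int fixed_call(void) {
    struct frame f = { .n_archivers = -1, .canary = CANARY };
    size_t count = 0;
    get_groups(&count);
    f.n_archivers = (int32_t)count;
    return f.canary == CANARY && f.n_archivers == 2;
}

int main(void) {
    printf("buggy canary intact=%d fixed ok=%d\n", buggy_call(), fixed_call());
    return 0;
}
```

On the real code, gcc and clang already warn about passing an int* where a gsize* is expected (incompatible pointer types), which is the build-time signal that this mismatch exists.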
Comment 9 Richard Grenville 2012-04-22 15:05:48 UTC
Created attachment 309781 [details, diff]
libfm-0.1.17-ssp-fix.patch

The "memory leak fix" is incorrect. I must have been blind to ignore the comment in the code. Patch updated.
Comment 10 Hendrik v. Raven 2012-08-05 10:13:18 UTC
Just ran into the same problem. According to the pcmanfm bugtracker the patch is applied upstream (see here http://sourceforge.net/tracker/?func=detail&aid=3512666&group_id=156956&atid=801864).
But since 0.9.10 is the last release it would be nice if the ebuild would contain the patch too.
Comment 11 Markos Chandras (RETIRED) gentoo-dev 2012-08-05 18:33:24 UTC
Patch applied in 0.1.17-r1. Thank you