Bug 139724 - stack smash in QWidget::create (gcc-3.4.6-r2 vanilla has a bit of hardened chocolate in it - no it doesn't ;) )
Summary: stack smash in QWidget::create (gcc-3.4.6-r2 vanilla has a bit of hardened ch...
Status: RESOLVED DUPLICATE of bug 133301
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: All Linux
Importance: High normal (vote)
Assignee: The Gentoo Linux Hardened Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-07-08 19:49 UTC by Sascha G.
Modified: 2006-07-09 04:07 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Sascha G. 2006-07-08 19:49:41 UTC
This is about the following: sys-devel/gcc-3.4.6-r2: "GCC specs don't manage fstack-protector consistently" (from bug #104754).

I felt like trying a new game and compiled games-board/mahjongg3d with the hardened specs; when I tried to start mahjongg3d, I got the following error:
mahjongg3d: stack smashing attack in function virtual void QWidget::create(WId, bool, bool)()

After having recompiled the program with the vanilla compiler, I got exactly the same error. My understanding is that the vanilla specs switch off the SSP part, so I should not get this error.

with hardened specs:
$ readelf -a mahjongg3d |grep smash
000e7f44  00019407 R_386_JUMP_SLOT   00000000   __stack_smash_handler
   404: 00000000   458 FUNC    GLOBAL DEFAULT  UND __stack_smash_handler@GLIBC_2.3.2 (9)

with vanilla specs:
$ readelf -a mahjongg3d |grep smash
(empty output)


Portage 2.1.1_pre2-r6 (selinux/2005.1/x86/hardened, gcc-3.4.6/hardened, glibc-2.3.6-r4, 2.6.16-hardened-r10 i686)
=================================================================
System uname: 2.6.16-hardened-r10 i686 Intel(R) Pentium(R) 4 CPU 1.60GHz
Gentoo Base System version 1.12.1
app-admin/eselect-compiler: 2.0.0_rc2-r1
dev-lang/python:     2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.18.1
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.17
sys-devel/gcc-config: [Not Present]
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r5
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=pentium4 -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/eselect/compiler /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=pentium4 -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--alphabetical"
FEATURES="autoconfig collision-protect distlocks loadpolicy parallel-fetch sandbox selinux sfperms strict userfetch userpriv usersandbox"
GENTOO_MIRRORS="ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo ftp://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from /etc/portage/rsync_excludes"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="x86 X a52 aac alsa bzip2 caps cjk crypt cups curl dts dvd dvdread ffmpeg flac ftp gif gtk hardened idn ipv6 jpeg kdeenablefinal mad mikmod mmap mmx mp3 ncurses nptl offensive ogg opengl pam pic png selinux sndfile sse sse2 ssl theora threads tiff truetype unicode vorbis win32codecs xinerama xv xvid zlib elibc_glibc input_devices_evdev input_devices_keyboard input_devices_mouse kernel_linux linguas_en userland_GNU video_cards_nvidia"
Unset:  CTARGET, INSTALL_MASK, LC_ALL
Comment 1 schaedpq 2006-07-09 02:01:25 UTC
No, that's no gcc thing here. You get the same error because the stack smashing occurs in qt (QWidget::create()), not in mahjong. And of course QT is still compiled with SSP, if you only recompile mahjong. You would have to recompile QT without SSP (it is sufficient to use i686-pc-linux-gnu-3.4.6-hardenednopie, you don't need to switch to the vanilla gcc) for now, but QT is an often used lib and it's not really satisfactory to do so (for me).

I think, this is probably a duplicate of bug 133301.
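Added example (editor's note, not part of the bug report, of Gentoo's hardened toolchain or of any Gentoo tool): the `readelf -a mahjongg3d | grep smash` check in the report only inspects the executable, while the SSP failure in comment 1 is raised from a shared library. The script below extends that check to the whole load set: the binary plus every object `ldd` resolves for it, reporting each object that imports the SSP handler. It matches both glibc 2.3.x's `__stack_smash_handler` (what the report shows) and the later `__stack_chk_fail`. The function names, the sample `ldd`/`readelf` lines in the comments and the `/usr/bin/mahjongg3d` path are assumptions for illustration.

```shell
#!/bin/sh
# Report which ELF objects in a program's load set call into the
# stack-smashing protector.  Editor's added example; not Gentoo code.
# Assumes binutils' readelf and glibc's ldd are on PATH.

# Symbols that an SSP-instrumented object imports from glibc:
#   __stack_smash_handler  (ProPolice / glibc 2.3.x, as in the report)
#   __stack_chk_fail       (gcc 4.1+ style)
SSP_PATTERN='^__stack_(smash_handler|chk_fail)'

# ssp_refs_from_symtab: read `readelf -s` output on stdin and print the
# undefined (UND) FUNC symbols that match SSP_PATTERN, with the version
# suffix (@GLIBC_2.3.2 etc.) stripped.  Exit 0 if any was found.
# Columns in readelf -s:  Num: Value Size Type Bind Vis Ndx Name
ssp_refs_from_symtab() {
    awk -v pat="$SSP_PATTERN" '
        NF >= 8 && $4 == "FUNC" && $7 == "UND" {
            name = $8; sub(/@.*/, "", name)
            if (name ~ pat) { print name; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# paths_from_ldd: read `ldd` output on stdin and print only resolved
# absolute library paths.  Skips the vDSO (e.g. "linux-gate.so.1 => (0x..)")
# and the loader line, which has no "=>".
paths_from_ldd() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# load_set: the binary itself plus every shared object ldd resolves.
# Caveat: ldd may execute the binary's dynamic loader, so run this only
# on binaries you trust.
load_set() {
    printf '%s\n' "$1"
    ldd "$1" 2>/dev/null | paths_from_ldd
}

# ssp_audit: print "path<TAB>symbol" for every object in the load set
# that imports an SSP handler.  A hit in a library means that library
# was built with -fstack-protector, regardless of how the executable
# itself was compiled, which is why rebuilding only the executable
# cannot make the error go away.
ssp_audit() {
    load_set "$1" | while read -r obj; do
        readelf -s "$obj" 2>/dev/null | ssp_refs_from_symtab |
            while read -r sym; do printf '%s\t%s\n' "$obj" "$sym"; done
    done
}

# Usage: sh ssp_audit.sh /usr/bin/mahjongg3d   (path is an assumption)
if [ -n "${1:-}" ]; then
    ssp_audit "$1"
fi
```

For the situation in this bug, the executable rebuilt with the vanilla specs drops out of the list while the Qt library stays in it; the same walk tells you which library to rebuild with the `hardenednopie` profile comment 1 mentions, instead of guessing.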
Comment 2 Kevin F. Quinn (RETIRED) gentoo-dev 2006-07-09 02:40:15 UTC
Thanks Dominik for the analysis - yes, indeed it is the same as 133301.

*** This bug has been marked as a duplicate of 133301 ***
Comment 3 Sascha G. 2006-07-09 04:07:32 UTC
(In reply to comment #1)
> No, that's no gcc thing here. You get the same error because the stack smashing
> occurs in qt (QWidget::create()), not in mahjong. And of course QT is still
> compiled with SSP, if you only recompile mahjong. You would have to recompile
> QT without SSP (it is sufficient to use i686-pc-linux-gnu-3.4.6-hardenednopie,
> you don't need to switch to the vanilla gcc) for now, but QT is an often used
> lib and it's not really satisfactory to do so (for me).

Oh dear. Of course, the error message actually says so, thanks for the hint. Sorry for wasting your time.
(Note to self: no bugreports after midnight anymore. That's the time you come up with funny ideas and summaries.)