Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 341525 - app-cdr/cdrtools-3.00 always overflows destination buffer warnings
Summary: app-cdr/cdrtools-3.00 always overflows destination buffer warnings
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Daniel Pielmeier
Depends on:
Blocks: fortify-source
  Show dependency tree
Reported: 2010-10-17 21:25 UTC by Ryan Hill (RETIRED)
Modified: 2012-08-21 14:28 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

cdrtools-3.00:20101017-211508.log (cdrtools-3.00:20101017-211508.log,365.96 KB, text/plain)
2010-10-19 04:24 UTC, Ryan Hill (RETIRED)
Patch to cdrtools-3.00 cdrecord/scsi_cdr.c to fix _FORTIFY_SOURCE warnings (cdrtools-3.00-fortify.patch,2.58 KB, patch)
2010-12-08 05:23 UTC, Kevin Pyle
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Ryan Hill (RETIRED) gentoo-dev 2010-10-17 21:25:18 UTC
See the attached log.  Note that these warnings will become errors sometime in the near future.
Comment 1 Daniel Pielmeier gentoo-dev 2010-10-18 14:24:45 UTC
Ryan can you please attach the log you have promised.
Comment 2 Ryan Hill (RETIRED) gentoo-dev 2010-10-19 04:24:27 UTC
Created attachment 251197 [details]
Comment 3 Ryan Hill (RETIRED) gentoo-dev 2010-10-19 04:25:41 UTC
Portage 2.2_rc97 (default/linux/amd64/10.0/developer, gcc-4.5.1, glibc-2.12.1-r1, 2.6.35-gentoo-r10 x86_64)
System uname: Linux-2.6.35-gentoo-r10-x86_64-Intel-R-_Core-TM-2_Duo_CPU_T9300_@_2.50GHz-with-gentoo-2.0.1
Timestamp of tree: Mon, 18 Oct 2010 04:30:01 +0000
ccache version 3.0.1 [enabled]
app-shells/bash:     4.1_p9
dev-java/java-config: 2.1.11
dev-lang/python:     2.5.4-r4, 2.6.6-r1, 2.7, 3.1.2-r4
dev-util/ccache:     3.0.1::halo-overlay
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 2.0.1
sys-apps/openrc:     0.6.3
sys-apps/sandbox:    2.3-r1
sys-devel/autoconf:  2.13, 2.68
sys-devel/automake:  1.9.6-r3, 1.10.3, 1.11.1
sys-devel/gcc:       4.1.2, 4.3.5::dirtyepic, 4.4.5::dirtyepic, 4.4.6_pre9999::toolchain, 4.5.1::dirtyepic, 4.5.2_pre9999::toolchain
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
sys-devel/make:      3.82
virtual/os-headers:  2.6.35 (sys-kernel/linux-headers)
Repositories: gentoo halo-overlay dirtyepic gcc-porting toolchain
ACCEPT_KEYWORDS="amd64 ~amd64"
CFLAGS="-O2 -march=core2 -msse4.1 -mcx16 -msahf --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=6144 -mtune=generic -pipe -ftree-vectorize"
CONFIG_PROTECT="/etc /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -march=core2 -msse4.1 -mcx16 -msahf --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=6144 -mtune=generic -pipe -ftree-vectorize"
FEATURES="assume-digests binpkg-logs ccache distlocks fixlafiles fixpackages multilib-strict news parallel-fetch preserve-libs protect-owned sandbox sfperms sign split-log splitdebug strict test test-fail-continue unknown-features-warn unmerge-orphans userfetch userpriv usersandbox usersync"
LDFLAGS="-Wl,--hash-style=gnu -Wl,-O1 -Wl,--as-needed"
LINGUAS="en en_US"
MAKEOPTS="-j3 V=1"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTDIR_OVERLAY="/home/dirtyepic/overlay /home/dirtyepic/svn/dirtyepic /home/dirtyepic/svn/gcc-porting /home/dirtyepic/svn/toolchain"
USE="X a52 aac acpi akonadi alsa amd64 archive ass autotrace avahi bash-completion berkdb bonjour bs2b bzip2 cairo ccache cdaudio cdda cddb cdio cdr cli consolekit cracklib crypt css curl custom-cflags custom-cpuopts custom-optimization cvs cxx dbus device-mapper dirac disk-partition djvu dri dts dvd dvdnav dvdr emboss emf enca encode exif expat faac faad fam ffmpeg fftw firefox firefox3 flac fontconfig fts3 gdbm gif git gmp gmplayer gold graphite graphviz gstreamer gtk gui guidexml hal iconv icu id3tag imap inotify jadetex java jpeg jpeg2k kde kdehiddenvisibility kipi lame laptop lastfm lastfmradio libburn libmms libnotify lightning lzma mad maildir mdnsresponder-compat mmap mmx mmxext mng modules mp2 mp3 mp4 mpeg mplayer multilib musicbrainz nautilus ncurses network-cron nntp nptl nptlonly nsplugin ogg opengl openmp openssl opensync optimized-qmake osdmenu pam pango pcre pdf phonon pic plotutils png ppds pppd qt3support qt4 quicktime rar readline reflection replytolist rtc schroedinger scrobbler session shm smp snmp sound sox spell sse sse2 sse3 ssl ssse3 startup-notification subversion svg sysfs taglib tcpd theora threads threadsafe thumbnail tiff tremor truetype unicode urandom usb utempter vim-syntax vim-with-x visibility vorbis wicd wifi wma wmf wxwidgets wxwindows x264 xattr xcb xcomposite xft xml xmlpatterns xmp xorg xulrunner xv xvid xvmc zip zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_US" PHP_TARGETS="php-5.2" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="intel" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 

Comment 4 David J Cozatt 2010-12-05 11:39:41 UTC

/usr/include/bits/string3.h:107:3: warning: call to __builtin___strcpy_chk    │
│will always overflow destination buffer                                       │
│/usr/include/bits/string3.h:107:3: warning: call to __builtin___strcpy_chk    │
│will always overflow destination buffer                                       │
│/usr/include/bits/string3.h:107:3: warning: call to __builtin___strcpy_chk    │
│will always overflow destination buffer                                       │
│/usr/include/bits/string3.h:107:3: warning: call to __builtin___strcpy_chk    │
│will always overflow destination buffer

A discussion of FORTIFY_SOURCE=  different settings 0,1,2 throw different errors.

Comment 5 David J Cozatt 2010-12-05 13:29:49 UTC

a quote from

The attached patch (which relies on
) provides a lightweight buffer overflow protection to
some memory and string functions.
I'm well aware of mudflap, but it has too big runtime overhead
to be used by all programs.  The intent of this patch
is to add some checks that have no or non-measurable
runtime overhead, so something that can be enabled for
all programs and libraries in an operating system.
The patch certainly doesn't prevent all buffer overflows,
but should prevent many common ones.
It works by computing a constant (conservative) number
of bytes remaining to the end of object(s) each destination
pointer passed to memory and string functions, if possible
checking for overflows at compile time, if not possible
passing that constant size to special checking alternatives
of the memory/string functions.
contains the glibc counterpart to this patch, although
it doesn't have to be glibc/Linux specific at all.
One could easily take bits/string3.h and part of bits/stdio2.h
from the above patch, rename to <string.h> resp. <stdio.h>,
#include_next <string.h>/<stdio.h> in these headers and
create a library containing the checking functions.
Comment 6 Ryan Hill (RETIRED) gentoo-dev 2010-12-05 18:19:45 UTC
Yeah, we know what FORTIFY_SOURCE is.  That's why this bug is on the FORTIFY_SOURCE tracker.
Comment 7 Kevin Pyle 2010-12-08 05:23:11 UTC
Created attachment 256619 [details, diff]
Patch to cdrtools-3.00 cdrecord/scsi_cdr.c to fix _FORTIFY_SOURCE warnings

This is caused by the same style construct that broke GNU tar with one of the _FORTIFY_SOURCE upgrades (bug #317139): intentional overflow of one field into another as a shortcut to initialize several fields from a single copy operation.  Additionally, it looks like the null generated by strcpy will overflow past the last field that was supposed to be initialized, either clearing vendor_uniq or corrupting the first byte after the structure, depending on whether the preprocessor symbol 'comment' was defined (see libscg/scg/scsireg.h for a definition of the structure being used in the affected calls).

The attached patch converts each of the offending strcpy calls into a group of three memcpy calls to initialize the three underlying fields.  The source data for the three memcpy calls is derived by extracting the relevant substrings from the corresponding strcpy.
Comment 8 schily 2012-01-22 19:16:34 UTC
The warning is a result of a GCC problem. The strcpy() in question writes 28 bytes to 32 byte space in the structure.

Try to assign the copy destination to char *p and use p as first parameter to strcpy() - then report whether the warning goes away.
Comment 9 Kevin Pyle 2012-02-04 00:28:39 UTC
(In reply to comment #8)
> The warning is a result of a GCC problem. The strcpy() in question writes 28
> bytes to 32 byte space in the structure.

The patch I attached over a year ago already addresses this.  The output field is not a 32 byte array, but a group of three contiguous arrays of lengths 8, 16, and 4.

> Try to assign the copy destination to char *p and use p as first parameter to
> strcpy() - then report whether the warning goes away.

If that worked at all, it would be because the change deprived the compiler of the ability to recognize the overflows.  Please do not suggest disabling safety features when a patch already exists to fix the problem properly.
Comment 10 Attila Stehr 2012-03-17 21:44:40 UTC
Still an issue with app-cdr/cdrtools-3.01_alpha07. Any progress here?
Comment 11 Daniel Pielmeier gentoo-dev 2012-08-18 09:01:57 UTC
(In reply to comment #10)
> Still an issue with app-cdr/cdrtools-3.01_alpha07. Any progress here?

I only get this warnings with cdrtools-3.00 and not with cdrtools-3.01_alpha07. Anybody else still get this warnings?
Comment 12 Attila Stehr 2012-08-21 13:43:21 UTC
Got no warnings emerging 3.01_alpha08.
Comment 13 Daniel Pielmeier gentoo-dev 2012-08-21 14:28:04 UTC
Looking at the code this should be fixed in 3.01_alpha08 and not in 3.01_alpha07. Maybe I mixed something up while testing the new version.