Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 591680 (CVE-2016-4973) - sys-devel/gcc: Targets using libssp for SSP are missing -D_FORTIFY_SOURCE functionality
Summary: sys-devel/gcc: Targets using libssp for SSP are missing -D_FORTIFY_SOURCE fun...
Status: RESOLVED WONTFIX
Alias: CVE-2016-4973
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A2 [upstream cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-08-19 11:59 UTC by Agostino Sarubbo
Modified: 2019-03-27 22:38 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-08-19 11:59:41 UTC
From ${URL} :

It was reported that targets that use libssp for SSP (e.g. newlib, Cygwin, RTEMS, MinGW, but not e.g. Glibc, Bionic, NetBSD which provide SSP in libc) 
are mistakenly missing out on -D_FORTIFY_SOURCE functionality even when explicitly specified. The problem is in gcc libssp/Makefile.am:

libsubincludedir =
$(libdir)/gcc/$(target_noncanonical)/$(gcc_version)/include
nobase_libsubinclude_HEADERS = ssp/ssp.h ssp/string.h ssp/stdio.h
ssp/unistd.h

Headers are structured so that they should be in $(libsubincludedir), instead of $(libsubincludedir)/ssp where they are currently placed.

Demonstration:

$ cat fortify_test.c
/* example from https://gcc.gnu.org/bugzilla/show_bug.cgi?id=50460 [Open URL] */
#include <stdio.h>
#include <string.h>

const char *str1 = "JIHGFEDCBA";

int
main ()
{
struct A { char buf1[9]; char buf2[1]; } a;
strcpy (a.buf1 + (0 + 4), str1 + 5);
printf("%s %s\n", a.buf1, a.buf2);
return 0;
}

$ gcc -D_FORTIFY_SOURCE=2 -fstack-protector-strong -o fortify_test -O2
fortify_test.c
$ nm -C fortify_test | grep strcpy
U __strcpy_chk@@GLIBC_2.3.4

$ i686-w64-mingw32-gcc -D_FORTIFY_SOURCE=2 -fstack-protector-strong -o
fortify_test.exe -O2 fortify_test.c
$ i686-w64-mingw32-nm -C fortify_test.exe | grep strcpy
004061e8 I _imp__strcpy
00402624 T strcpy

If headers are moved, we can see:

$ i686-w64-mingw32-gcc -D_FORTIFY_SOURCE=2 -fstack-protector-strong -o
fortify_test.exe -O2 fortify_test.c
$ i686-w64-mingw32-nm -C fortify_test.exe | grep strcpy
00406200 I _imp____strcpy_chk
00401590 T __strcpy_chk


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-20 14:59:16 UTC
From Upstream

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=CVE-2016-4973

Status:	RESOLVED INVALID

Comment #10:

https://bugzilla.redhat.com/show_bug.cgi?id=1324759#c6 and the others from Jakub Jelinek on why this is not a GCC bug.

And why you can't do what you want GCC to change it to do.

> But, if you tweak this upstream, then you break all the users that are installing gcc themselves.


THis is why any change to install them as normal headers is wrong even for targets where you think you should install them.

So again closing this as invalid.  This is a security bug in the applications thinking they get _FORTIFY_SOURCE support for mingw and cygwin, etc but they really need to include ssp library headers instead.  Not a GCC bug for someone including the wrong header :).
Comment 2 Andreas K. Hüttel gentoo-dev 2017-12-09 20:44:35 UTC
@security: so what shall we do here?

(In reply to Christopher Díaz Riveros from comment #1)
> From Upstream
> 
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=CVE-2016-4973
> 
> Status:	RESOLVED INVALID
> 
> Comment #10:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1324759#c6 and the others from
> Jakub Jelinek on why this is not a GCC bug.
> 
> And why you can't do what you want GCC to change it to do.
> 
> > But, if you tweak this upstream, then you break all the users that are installing gcc themselves.
> 
> 
> THis is why any change to install them as normal headers is wrong even for
> targets where you think you should install them.
> 
> So again closing this as invalid.  This is a security bug in the
> applications thinking they get _FORTIFY_SOURCE support for mingw and cygwin,
> etc but they really need to include ssp library headers instead.  Not a GCC
> bug for someone including the wrong header :).