Memory corruption, possible security bug #221
Labels
Comments
It would be helpful if you could run 8g under gdb and get a stack trace when the smashing is detected. Thanks. Owner changed to r...@golang.org. Status changed to WaitingForReply. |
|
Comment 3 by x41@freeshell.org: Fresh install of:
Last version of Golang
cb140bac9ab0 release.2009-11-12/release
Tested on Ubuntu 9.04 and Ubuntu 9.10
XXXX@XXXX:~/go_src/src$ uname -a
Linux XXXX 2.6.28-11-generic #42-Ubuntu SMP Fri Apr 17 01:57:59 UTC 2009 i686 GNU/Linux
Attached Valgrind report and GDB report.
Buggy function exits()
argc=Cannot access memory at address 0xSEMIRANDOM ("main");
go_src/src/lib9/main.c
main(int argc, char **argv)
{
p9main(argc, argv);
########### HERE ##############
exits("main");
return 99;
}
Thanx for replying, and sorry for my late reply
( I was without money and the ISP shutdown my inet haha )
Attachments:
|
|
Comment 4 by x41@freeshell.org: Fresh install of:
Last version of Golang
cb140bac9ab0 release.2009-11-12/release
Tested on Ubuntu 9.04 and Ubuntu 9.10
XXXX@XXXX:~/go_src/src$ uname -a
Linux XXXX 2.6.28-11-generic #42-Ubuntu SMP Fri Apr 17 01:57:59 UTC 2009 i686 GNU/Linux
Attached Valgrind report and GDB report.
Binary: 8g
argc=Cannot access memory at address 0xSEMIRANDOM ("main");
go_src/src/lib9/main.c
main(int argc, char **argv)
{
p9main(argc, argv);
########### HERE ##############
exits("main");
return 99; =(
############ HERE #############
}
Thanx for replying, and sorry for my late reply
( I was without money and the ISP shutdown my inet haha )
Attachments:
|
|
Comment 5 by x41@freeshell.org: /usr/include/bits/string3.h:106: warning:
call to __builtin___strcpy_chk will always overflow destination buffer
And this i intentionally not allowed with -D_FORTIFY_SOURCE=2, which doesn't allow
crossing field boundaries for str*/stp* etc. functions (and still allows that
for mem* etc.).
If we use -00 the problem is resolved, but if we really need to use -02 or -03
we have to edit Make.conf and modify like this:
CFLAGS=-ggdb -I$(GOROOT)/include -O2 -fno-inline -D_FORTIFY_SOURCE=1
The difference between -D_FORTIFY_SOURCE=1 and -D_FORTIFY_SOURCE=2
is e.g. for
struct S { struct T { char buf[5]; int x; } t; char buf[20]; } var;
With -D_FORTIFY_SOURCE=1,
strcpy (&var.t.buf[1], "abcdefg");
is not considered an overflow (object is whole VAR), while
with -D_FORTIFY_SOURCE=2
strcpy (&var.t.buf[1], "abcdefg");
will be considered a buffer overflow.
==================================================
NOTE: In Ubuntu 8.10 and later versions, -D_FORTIFY_SOURCE=2
is set by default, and is activated when -O is set to 2 or higher.
This enables additional compile-time and run-time checks for several
libc functions. To disable, specify either -U_FORTIFY_SOURCE or
-D_FORTIFY_SOURCE=0.
==================================================
It thus OK to keep the bug as RESOLVED
|
|
This issue was closed by revision b73b43e. Status changed to Fixed. Merged into issue #-. |
This issue was closed.
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
by x41@freeshell.org:
changeset: 4010:91c471680dc9 linux i386 POC: package main import fmt "fmt" func main() { fmt.Printf("んんん"); } Then, run it like this ./8g -S poc.go *** stack smashing detected ***: ./8g terminated ======= Backtrace: ========= /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0x5efde8] /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x0)[0x5efda0] ./8g[0x804911e] ./8g[0x807f297] ./8g[0x807f072] ./8g[0x807fac5] ./8g[0x807f786] ./8g[0x804965a] ./8g[0x807f297] ./8g[0x807f072] ./8g[0x807fac5] ./8g[0x807f786] ./8g[0x80492e0] ./8g[0x807f297] ./8g[0x807f072] ./8g[0x807f82c] ./8g[0x807f730] ./8g[0x804a550] ./8g[0x80627af] ./8g[0x80784ae] ./8g[0x807d6bb] /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0x525b56] ./8g[0x8048f11] ======= Memory map: ======== 00110000-0012c000 r-xp 00000000 08:01 571 /lib/libgcc_s.so.1 0012c000-0012d000 r--p 0001b000 08:01 571 /lib/libgcc_s.so.1 0012d000-0012e000 rw-p 0001c000 08:01 571 /lib/libgcc_s.so.1 0050f000-0064d000 r-xp 00000000 08:01 393462 /lib/tls/i686/cmov/libc-2.10.1.so 0064d000-0064f000 r--p 0013e000 08:01 393462 /lib/tls/i686/cmov/libc-2.10.1.so 0064f000-00650000 rw-p 00140000 08:01 393462 /lib/tls/i686/cmov/libc-2.10.1.so 00650000-00653000 rw-p 00000000 00:00 0 007e7000-007e8000 r-xp 00000000 00:00 0 [vdso] 0085f000-00883000 r-xp 00000000 08:01 393470 /lib/tls/i686/cmov/libm-2.10.1.so 00883000-00884000 r--p 00023000 08:01 393470 /lib/tls/i686/cmov/libm-2.10.1.so 00884000-00885000 rw-p 00024000 08:01 393470 /lib/tls/i686/cmov/libm-2.10.1.so 00c04000-00c1f000 r-xp 00000000 08:01 521 /lib/ld-2.10.1.so 00c1f000-00c20000 r--p 0001a000 08:01 521 /lib/ld-2.10.1.so 00c20000-00c21000 rw-p 0001b000 08:01 521 /lib/ld-2.10.1.so 08048000-08090000 r-xp 00000000 08:01 537085 /home/xxxx/bin/8g 08090000-08091000 r--p 00047000 08:01 537085 /home/xxxx/bin/8g 08091000-08095000 rw-p 00048000 08:01 537085 /home/xxxx/bin/8g 08095000-0809a000 rw-p 00000000 00:00 0 08587000-08626000 rw-p 00000000 00:00 0 [heap] b77c6000-b7843000 rw-p 00000000 00:00 0 b7853000-b7855000 rw-p 00000000 00:00 0 bfbe7000-bfbfc000 rw-p 00000000 00:00 0 [stack] AbortedThe text was updated successfully, but these errors were encountered: