Crash with -D_FORTIFY_SOURCE=2 on Linux

[copumpkin]

I've packaged souffle on Nix (a purely functional package manager and distribution) and noticed that with the Nix default compile-time hardening parameters, souffle crashes as soon as it does any actual work.

To reproduce:

1. Build version 1.0.0 (the git tag) with -D_FORTIFY_SOURCE=2
2. Run example as described in documentation
3. Observe a stack trace similar to the following:

*** buffer overflow detected ***: /tmp/nix-build-souffle-1.0.0.drv-0/souffle-1.0.0-src/src/souffle-wave terminated
======= Backtrace: =========
/nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libc.so.6(+0x70aa6)[0x7ffff6302aa6]
/nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libc.so.6(__fortify_fail+0x37)[0x7ffff638a7f7]
/nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libc.so.6(+0xf6990)[0x7ffff6388990]
/nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libc.so.6(+0xf5ef9)[0x7ffff6387ef9]
/nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libc.so.6(_IO_default_xsputn+0xab)[0x7ffff6306a7b]
/nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libc.so.6(_IO_vfprintf+0xcff)[0x7ffff62d9c3f]
/nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libc.so.6(__vsprintf_chk+0x8c)[0x7ffff6387f8c]
/nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libc.so.6(__sprintf_chk+0x7d)[0x7ffff6387edd]
/tmp/nix-build-souffle-1.0.0.drv-0/souffle-1.0.0-src/src/souffle-wave[0x44fa5d]
/tmp/nix-build-souffle-1.0.0.drv-0/souffle-1.0.0-src/src/souffle-wave[0x4506ff]
/tmp/nix-build-souffle-1.0.0.drv-0/souffle-1.0.0-src/src/souffle-wave[0x4122e0]
/tmp/nix-build-souffle-1.0.0.drv-0/souffle-1.0.0-src/src/souffle-wave[0x40e67c]
/nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libc.so.6(__libc_start_main+0xf0)[0x7ffff62b22e0]
/tmp/nix-build-souffle-1.0.0.drv-0/souffle-1.0.0-src/src/souffle-wave[0x40fa3a]
======= Memory map: ========
00400000-004e0000 r-xp 00000000 08:01 1708200                            /tmp/nix-build-souffle-1.0.0.drv-0/souffle-1.0.0-src/src/souffle-wave
006df000-006e5000 r--p 000df000 08:01 1708200                            /tmp/nix-build-souffle-1.0.0.drv-0/souffle-1.0.0-src/src/souffle-wave
006e5000-006e6000 rw-p 000e5000 08:01 1708200                            /tmp/nix-build-souffle-1.0.0.drv-0/souffle-1.0.0-src/src/souffle-wave
006e6000-00707000 rw-p 00000000 00:00 0                                  [heap]
7ffff5e86000-7ffff5e88000 r-xp 00000000 08:01 2403953                    /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libdl-2.24.so
7ffff5e88000-7ffff6088000 ---p 00002000 08:01 2403953                    /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libdl-2.24.so
7ffff6088000-7ffff6089000 r--p 00002000 08:01 2403953                    /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libdl-2.24.so
7ffff6089000-7ffff608a000 rw-p 00003000 08:01 2403953                    /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libdl-2.24.so
7ffff608a000-7ffff6091000 r-xp 00000000 08:01 2403998                    /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/librt-2.24.so
7ffff6091000-7ffff6290000 ---p 00007000 08:01 2403998                    /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/librt-2.24.so
7ffff6290000-7ffff6291000 r--p 00006000 08:01 2403998                    /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/librt-2.24.so
7ffff6291000-7ffff6292000 rw-p 00007000 08:01 2403998                    /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/librt-2.24.so
7ffff6292000-7ffff6427000 r-xp 00000000 08:01 2403844                    /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libc-2.24.so
7ffff6427000-7ffff6626000 ---p 00195000 08:01 2403844                    /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libc-2.24.so
7ffff6626000-7ffff662a000 r--p 00194000 08:01 2403844                    /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libc-2.24.so
7ffff662a000-7ffff662c000 rw-p 00198000 08:01 2403844                    /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libc-2.24.so
7ffff662c000-7ffff6630000 rw-p 00000000 00:00 0 
7ffff6630000-7ffff6646000 r-xp 00000000 08:01 2403957                    /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libgcc_s.so.1
7ffff6646000-7ffff6845000 ---p 00016000 08:01 2403957                    /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libgcc_s.so.1
7ffff6845000-7ffff6846000 rw-p 00015000 08:01 2403957                    /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libgcc_s.so.1
7ffff6846000-7ffff6865000 r-xp 00000000 08:01 2916928                    /nix/store/ly5dbisg2h0k3xnfdbk955m3pc4knvjk-gcc-5.4.0-lib/lib/libgomp.so.1.0.0
7ffff6865000-7ffff6a64000 ---p 0001f000 08:01 2916928                    /nix/store/ly5dbisg2h0k3xnfdbk955m3pc4knvjk-gcc-5.4.0-lib/lib/libgomp.so.1.0.0
7ffff6a64000-7ffff6a65000 r--p 0001e000 08:01 2916928                    /nix/store/ly5dbisg2h0k3xnfdbk955m3pc4knvjk-gcc-5.4.0-lib/lib/libgomp.so.1.0.0
7ffff6a65000-7ffff6a66000 rw-p 0001f000 08:01 2916928                    /nix/store/ly5dbisg2h0k3xnfdbk955m3pc4knvjk-gcc-5.4.0-lib/lib/libgomp.so.1.0.0
7ffff6a66000-7ffff6b6a000 r-xp 00000000 08:01 2403958                    /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libm-2.24.so
7ffff6b6a000-7ffff6d69000 ---p 00104000 08:01 2403958                    /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libm-2.24.so
7ffff6d69000-7ffff6d6a000 r--p 00103000 08:01 2403958                    /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libm-2.24.so
7ffff6d6a000-7ffff6d6b000 rw-p 00104000 08:01 2403958                    /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libm-2.24.so
7ffff6d6b000-7ffff6ed4000 r-xp 00000000 08:01 2916957                    /nix/store/ly5dbisg2h0k3xnfdbk955m3pc4knvjk-gcc-5.4.0-lib/lib/libstdc++.so.6.0.21
7ffff6ed4000-7ffff70d3000 ---p 00169000 08:01 2916957                    /nix/store/ly5dbisg2h0k3xnfdbk955m3pc4knvjk-gcc-5.4.0-lib/lib/libstdc++.so.6.0.21
7ffff70d3000-7ffff70df000 r--p 00168000 08:01 2916957                    /nix/store/ly5dbisg2h0k3xnfdbk955m3pc4knvjk-gcc-5.4.0-lib/lib/libstdc++.so.6.0.21
7ffff70df000-7ffff70e0000 rw-p 00174000 08:01 2916957                    /nix/store/ly5dbisg2h0k3xnfdbk955m3pc4knvjk-gcc-5.4.0-lib/lib/libstdc++.so.6.0.21
7ffff70e0000-7ffff70e3000 rw-p 00000000 00:00 0 
7ffff70e3000-7ffff70fb000 r-xp 00000000 08:01 2403991                    /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libpthread-2.24.so
7ffff70fb000-7ffff72fa000 ---p 00018000 08:01 2403991                    /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libpthread-2.24.so
7ffff72fa000-7ffff72fb000 r--p 00017000 08:01 2403991                    /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libpthread-2.24.so
7ffff72fb000-7ffff72fc000 rw-p 00018000 08:01 2403991                    /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libpthread-2.24.so
7ffff72fc000-7ffff7300000 rw-p 00000000 00:00 0 
7ffff7300000-7ffff737d000 r-xp 00000000 08:01 2064                       /nix/store/j42wfki9hmxhj38vn1sh4g2axrcdz6wk-boost-1.60.0/lib/libboost_program_options.so.1.60.0
7ffff737d000-7ffff757c000 ---p 0007d000 08:01 2064                       /nix/store/j42wfki9hmxhj38vn1sh4g2axrcdz6wk-boost-1.60.0/lib/libboost_program_options.so.1.60.0
7ffff757c000-7ffff7580000 r--p 0007c000 08:01 2064                       /nix/store/j42wfki9hmxhj38vn1sh4g2axrcdz6wk-boost-1.60.0/lib/libboost_program_options.so.1.60.0
7ffff7580000-7ffff7581000 rw-p 00080000 08:01 2064                       /nix/store/j42wfki9hmxhj38vn1sh4g2axrcdz6wk-boost-1.60.0/lib/libboost_program_options.so.1.60.0
7ffff7581000-7ffff7591000 r-xp 00000000 08:01 482                        /nix/store/j42wfki9hmxhj38vn1sh4g2axrcdz6wk-boost-1.60.0/lib/libboost_date_time.so.1.60.0
7ffff7591000-7ffff7791000 ---p 00010000 08:01 482                        /nix/store/j42wfki9hmxhj38vn1sh4g2axrcdz6wk-boost-1.60.0/lib/libboost_date_time.so.1.60.0
7ffff7791000-7ffff7792000 r--p 00010000 08:01 482                        /nix/store/j42wfki9hmxhj38vn1sh4g2axrcdz6wk-boost-1.60.0/lib/libboost_date_time.so.1.60.0
7ffff7792000-7ffff7793000 rw-p 00011000 08:01 482                        /nix/store/j42wfki9hmxhj38vn1sh4g2axrcdz6wk-boost-1.60.0/lib/libboost_date_time.so.1.60.0
7ffff7793000-7ffff77b9000 r-xp 00000000 08:01 2080                       /nix/store/j42wfki9hmxhj38vn1sh4g2axrcdz6wk-boost-1.60.0/lib/libboost_thread.so.1.60.0
7ffff77b9000-7ffff79b9000 ---p 00026000 08:01 2080                       /nix/store/j42wfki9hmxhj38vn1sh4g2axrcdz6wk-boost-1.60.0/lib/libboost_thread.so.1.60.0
7ffff79b9000-7ffff79bb000 r--p 00026000 08:01 2080                       /nix/store/j42wfki9hmxhj38vn1sh4g2axrcdz6wk-boost-1.60.0/lib/libboost_thread.so.1.60.0
7ffff79bb000-7ffff79bc000 rw-p 00028000 08:01 2080                       /nix/store/j42wfki9hmxhj38vn1sh4g2axrcdz6wk-boost-1.60.0/lib/libboost_thread.so.1.60.0
7ffff79bc000-7ffff79bf000 r-xp 00000000 08:01 2077                       /nix/store/j42wfki9hmxhj38vn1sh4g2axrcdz6wk-boost-1.60.0/lib/libboost_system.so.1.60.0
7ffff79bf000-7ffff7bbe000 ---p 00003000 08:01 2077                       /nix/store/j42wfki9hmxhj38vn1sh4g2axrcdz6wk-boost-1.60.0/lib/libboost_system.so.1.60.0
7ffff7bbe000-7ffff7bbf000 r--p 00002000 08:01 2077                       /nix/store/j42wfki9hmxhj38vn1sh4g2axrcdz6wk-boost-1.60.0/lib/libboost_system.so.1.60.0
7ffff7bbf000-7ffff7bc0000 rw-p 00003000 08:01 2077                       /nix/store/j42wfki9hmxhj38vn1sh4g2axrcdz6wk-boost-1.60.0/lib/libboost_system.so.1.60.0
7ffff7bc0000-7ffff7bd9000 r-xp 00000000 08:01 485                        /nix/store/j42wfki9hmxhj38vn1sh4g2axrcdz6wk-boost-1.60.0/lib/libboost_filesystem.so.1.60.0
7ffff7bd9000-7ffff7dd8000 ---p 00019000 08:01 485                        /nix/store/j42wfki9hmxhj38vn1sh4g2axrcdz6wk-boost-1.60.0/lib/libboost_filesystem.so.1.60.0
7ffff7dd8000-7ffff7dd9000 r--p 00018000 08:01 485                        /nix/store/j42wfki9hmxhj38vn1sh4g2axrcdz6wk-boost-1.60.0/lib/libboost_filesystem.so.1.60.0
7ffff7dd9000-7ffff7dda000 rw-p 00019000 08:01 485                        /nix/store/j42wfki9hmxhj38vn1sh4g2axrcdz6wk-boost-1.60.0/lib/libboost_filesystem.so.1.60.0
7ffff7dda000-7ffff7dfd000 r-xp 00000000 08:01 2403770                    /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/ld-2.24.so
7ffff7fe8000-7ffff7ff8000 rw-p 00000000 00:00 0 
7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0                          [vvar]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00022000 08:01 2403770                    /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/ld-2.24.so
7ffff7ffd000-7ffff7ffe000 rw-p 00023000 08:01 2403770                    /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/ld-2.24.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0 
7ffffffdd000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

Note that in my case all the dependencies are provided by Nix so that's why there are the weird paths in the memory dump.

I don't get the same problem on Darwin, possibly because clang/llvm (not the standard Apple one) implements the fortification measures differently.

If you have trouble reproducing I can try to get the thing to fail in the same way using a more conventional (non-Nix) build.

[b-scholz]

That is an issue with the c-preprocessor. We use the BOOST C-preprocessor called wave, which we had to bundle with soufflé because the llvm/clang c-preprocessor is not compatible for our purposes.

I have checked several sprintf() statements in the source code and I see that some have fixed buffer sizes. Is there a possibility to see which sprintf() statement fails in the source-code? What I am asking is, can you relate the machine code address

/tmp/nix-build-souffle-1.0.0.drv-0/souffle-1.0.0-src/src/souffle-wave[0x44fa5d]

to an actual source code line (For example by adding the flag -g etc.).

[copumpkin]

@b-scholz hmm, I added -g to both CPPFLAGS and LDFLAGS and saw it being passed in during the build log, but somehow I'm still not getting line numbers (for souffle-wave) in my gdb backtrace. Do you have any ideas?

In the meantime, here's a backtrace with function symbols that gdb was at least able to provide:

(gdb) bt
#0  0x00007ffff62c51d4 in raise () from /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libc.so.6
#1  0x00007ffff62c663a in abort () from /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libc.so.6
#2  0x00007ffff6302aab in __libc_message () from /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libc.so.6
#3  0x00007ffff638a7f7 in __fortify_fail () from /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libc.so.6
#4  0x00007ffff6388990 in __chk_fail () from /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libc.so.6
#5  0x00007ffff6387ef9 in _IO_str_chk_overflow () from /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libc.so.6
#6  0x00007ffff6306a7b in __GI__IO_default_xsputn () from /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libc.so.6
#7  0x00007ffff62d9c3f in vfprintf () from /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libc.so.6
#8  0x00007ffff6387f8c in __vsprintf_chk () from /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libc.so.6
#9  0x00007ffff6387edd in __sprintf_chk () from /nix/store/6fix3zqpnahyml8zp2sxi2rwan55rgb8-glibc-2.24/lib/libc.so.6
#10 0x000000000044fa5d in boost::wave::util::predefined_macros::predefined_macros() ()
#11 0x00000000004506ff in boost::wave::context<__gnu_cxx::__normal_iterator<char*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, boost::wave::cpplexer::lex_iterator<boost::wave::cpplexer::lex_token<boost::wave::util::file_position<boost::wave::util::flex_string<char, std::char_traits<char>, std::allocator<char>, boost::wave::util::CowString<boost::wave::util::AllocatorStringStorage<char, std::allocator<char> >, char*> > > > >, boost::wave::iteration_context_policies::load_file_to_string, trace_macro_expansion<boost::wave::cpplexer::lex_token<boost::wave::util::file_position<boost::wave::util::flex_string<char, std::char_traits<char>, std::allocator<char>, boost::wave::util::CowString<boost::wave::util::AllocatorStringStorage<char, std::allocator<char> >, char*> > > > >, boost::wave::this_type>::context(__gnu_cxx::__normal_iterator<char*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&, __gnu_cxx::__normal_iterator<char*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&, char const*, trace_macro_expansion<boost::wave::cpplexer::lex_token<boost::wave::util::file_position<boost::wave::util::flex_string<char, std::char_traits<char>, std::allocator<char>, boost::wave::util::CowString<boost::wave::util::AllocatorStringStorage<char, std::allocator<char> >, char*> > > > > const&) ()
#12 0x00000000004122e0 in do_actual_work(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::istream&, boost::program_options::variables_map const&, bool) ()
#13 0x000000000040e67c in main ()

[b-scholz]

No worries. I believe it is related to the buffer sizes of the sprintf() statements in the file

https://github.com/souffle-lang/souffle/blob/master/src/wavelib/util/cpp_macromap_predef.hpp

It could be that your compiler uses unicode instead of UTF8 for the buffer definitions (i.e. char buffer[...]) If this is the case all constants in the buffer length definitions will need to be doubled.

For example,
char buffer[sizeof("\"Oct 11 1347\"")+1];
should be rewritten to
char buffer[sizeof("\"Oct 11 1347\"")+2];

Could you give it a try?

[copumpkin]

Patching all occurrences of )+1]; in that file to )+2]; stopped the crash, thanks! 👍

Still surprised that's happening though. I've never seen a C compiler do that, so I took my compiler and compiled this with it:

#include <stdio.h>

int main() {
  printf("size: %d\n", sizeof("\"Oct 11 1347\""));
  return 0;
}

and it prints 14, so the sizeof already includes the terminating null character. Is there some magic flag/define that makes gcc and library functions treat char as wchar_t? Otherwise I don't really understand the fix.

[b-scholz]

We enable the C++ 2011 standard for compilation. It could be the specific flags we use.

The bottom line is that there should be no sprintf() in the code. We should rewrite the code such that string-streams in C++ are used.

I will put it on my TODO list.

[copumpkin]

Alright, that sounds right. Either way, your fix seemed to address the issue 😄 Thanks!

[copumpkin]

Is it worth fixing (like I could submit a PR) the +1 vs. +2 thing for now or do you think the sprintf replacement will make that unnecessary soon?

[b-scholz]

It would be great if you could submit a PR because it is a bug. We will replace the sprintf() as soon as possible.