[Arch package] stack smashing detected by Fortify

[FrederikLauber]

Can you reliably reproduce the issue?

If so, please list the steps to reproduce below:

1. run zcashd
2. observe crash with "stack smashing detected" within a few seconds

Expected behaviour

zcash should be running

Machine specs:

• Arch Linux

Here is the issue on the Arch Linux Bug tracker including a stack trace.
https://bugs.archlinux.org/task/54835

[daira]

That's odd because the failure is from Fortify, but we always compile with Fortify enabled already (and test that it is actually enabled).

The trace linked from the Arch ticket is from a stripped executable. Can you recompile the Arch package without stripping symbols? Also, can you link to any patches that were applied to build the Arch package?

[eli-schwartz]

Arch uses three patches: https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/zcash#n24
The patches themselves can be seen here: https://git.archlinux.org/svntogit/community.git/tree/trunk?h=packages/zcash

It's not doing anything other than using system libraries for libgmp, libsodium, and rust (I assume because your build system doesn't inherently have any way to do that), and fix a boost linker flag.

[daira]

Hmm, what versions are the system Boost, libsodium, and Rust? It is plausible that memory safety bugs in one of those dependencies have been fixed between the system versions and the ones we normally use (i.e. Boost 1.62.0, libsodium 1.0.11, and Rust 1.16.0).

[daira]

Also, what gcc/g++ and binutils are you using?

[daira]

BTW, if the system Boost is compiled with single-threaded option then that would definitely cause a problem. But I suspect that it's compiled for multi-threaded and just lacks the "-mt" on the library name.

[eli-schwartz]

Our repos are at:
libsodium 1.0.13-1 (initially built with 1.0.12-1)
boost 1.64.0-4
rust 1:1.18.0-1
gcc 7.1.1-4

Our boost package is compiled with --layout=system threading=multi. 😄

(Also note that I don't use this software, I am here because I triaged the bug on our bugtracker and followed the link here.)

[tensor5]

Arch package works after rebuilding, issue https://bugs.archlinux.org/task/54835 has been closed.

[daira]

Any idea what was different between the original build and the rebuild?

[tensor5]

@daira I'm not sure if this is related, but the default Arch's CFLAGS recently changed, and glibc was rebuilt with the new flags.

[bitcartel]

This is now resolved. Closing.