tar segfaults (busybox 1.8.1)

Denys Vlasenko vda.linux at googlemail.com
Fri Nov 16 21:35:14 UTC 2007


On Friday 16 November 2007 12:53, Ralf Friedl wrote:
> Denys Vlasenko wrote:
> > It means that you built your glibc with some weird debugging mode,
> > and it converts
> >
> >     strcpy(array, string);
> >
> > into some sort of
> >
> >     strcpy_with_overrun_check(array, sizeof(array), string);
> >
> > In this case, it blew up despite the code being correct.
> >
> > It also makes all your strcpy's bigger.
> >
> > Which version of glibc does this? With which configure options
> > did you build it?
>
> glibc can't do this, it must be the compiler, maybe with some special
> options.

With magic macro definition of strcpy, it can.

Alexander says that the failure looks like this:

tuxx at vi-edv003:~/busybox/busybox-1.8.1$ ./busybox tar cf test.tar a s d
*** buffer overflow detected ***: ./busybox terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x44)[0xb7e0fdd4]
/lib/libc.so.6(__strcpy_chk+0x49)[0xb7e0f249]
./busybox[0x80711ca]
[0x805]
======= Memory map: ========

See? __strcpy_chk is definitely in libc.so.6.
And I doubt that gcc team will be ok with adding
printing of messages like this to /dev/tty.
gcc isn't supposed to even know that /dev/tty exists.

> This would also be consistent with the strace log, which shows that
> libgcc_s is loaded to display the stack trace.

In my experience, libgcc_s has a quite different task.
See below.

> If glibc would do it, the 
> functions for the backtrace would probably be included in glibc.
>
> Regards
> Ralf Friedl
>
> 29355 munmap(0xb7f29000, 4096)          = 0
> 29355 open("/dev/tty", O_RDWR|O_NOCTTY|O_NONBLOCK) = 7
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
I'm pretty sure it's not gcc doing this

> 29355 writev(7, [{"*** buffer overflow detected ***"..., 34}, {"./busybox", 9}, {" terminated\n", 12}], 3) = 55
> 29355 open("/etc/ld.so.cache", O_RDONLY) = 8
> 29355 fstat64(8, {st_mode=S_IFREG|0644, st_size=125457, ...}) = 0
> 29355 mmap2(NULL, 125457, PROT_READ, MAP_PRIVATE, 8, 0) = 0xb7f0b000
> 29355 close(8)                          = 0
> 29355 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
> 29355 open("/lib/libgcc_s.so.1", O_RDONLY) = 8


Libgcc
The GCC low-level runtime library

GCC provides a low-level runtime library, libgcc.a or
libgcc_s.so.1 on some platforms.  GCC generates calls to
routines in this library automatically, whenever it needs to perform
some operation that is too complicated to emit inline code for.

Most of the routines in libgcc handle arithmetic operations
that the target processor cannot perform directly.  This includes
integer multiply and divide on some machines, and all floating-point
operations on other machines.  libgcc also includes routines
for exception handling, and a handful of miscellaneous operations.

Some of these routines can be defined in mostly machine-independent C.
Others must be hand-written in assembly language for each processor
that needs them.

GCC will also generate calls to C library routines, such as
memcpy and memset, in some cases.  The set of routines
that GCC may possibly use is documented in the "Other Builtins" section
of "Using the GNU Compiler Collection (GCC)".

* Integer library routines
* Soft float library routines
* Decimal float library routines
* Exception handling routines
* Miscellaneous routines

--
vda
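A small illustration of the mechanism described above (added here as an example; it is not part of the original thread, nor busybox or glibc code): a header-level macro swaps strcpy(dest, src) for a call that also receives the compiler's idea of the destination size, which is how __strcpy_chk gets its extra argument and why the check lives in libc rather than in gcc. The checked_strcpy helper, the STRCPY_CHK macro and the copy_* functions are constructed for this example and assume GCC or clang for __builtin_object_size; glibc's real wrapper aborts with the "*** buffer overflow detected ***" message seen in the backtrace instead of returning a code.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes for checked_strcpy (constructed for this example). */
enum { COPY_OK = 0, COPY_OVERFLOW = -1, COPY_UNCHECKED = 1 };

/* Bounded copy with the same contract as glibc's __strcpy_chk: the
 * destination size is an explicit argument and the copy is refused when
 * src plus its terminator does not fit. glibc's version aborts; this
 * helper returns a code so the outcome can be inspected. (size_t)-1 is
 * what __builtin_object_size yields when the size is unknown; here we
 * refuse to copy in that case rather than fall back to a plain strcpy. */
int checked_strcpy(char *dest, size_t dest_size, const char *src)
{
    size_t needed = strlen(src) + 1;        /* bytes including the NUL */
    if (dest_size == (size_t)-1)
        return COPY_UNCHECKED;
    if (needed > dest_size)
        return COPY_OVERFLOW;               /* would overrun dest */
    memcpy(dest, src, needed);
    return COPY_OK;
}

/* What a fortifying header does: a macro replaces plain strcpy(dest, src)
 * with a call carrying the compiler-derived size of dest. Assumes GCC or
 * clang for __builtin_object_size (type 0: whole enclosing object). */
#define STRCPY_CHK(dest, src) \
    checked_strcpy((dest), __builtin_object_size((dest), 0), (src))

/* Destination size known at compile time, short string fits. */
int copy_fits(void)
{
    char name[8];
    return STRCPY_CHK(name, "tar");
}

/* Same 8-byte destination, a source needing 18 bytes: refused. */
int copy_overflows(void)
{
    char name[8];
    return STRCPY_CHK(name, "busybox-1.8.1.tar");   /* 17 chars + NUL */
}

/* Destination reached through a pointer: the compiler may not be able to
 * size it, so the builtin-based check can degrade to "unknown". The caller
 * supplies sizeof as a fallback so the copy is still bounded either way. */
int copy_via_pointer(char *dest, size_t dest_size, const char *src)
{
    int via_builtin = STRCPY_CHK(dest, src);
    if (via_builtin == COPY_UNCHECKED)
        return checked_strcpy(dest, dest_size, src);
    return via_builtin;
}

/* Constructed inputs for the pointer case, so results can be checked. */
int pointer_fits_demo(void)
{
    char buf[8];
    return copy_via_pointer(buf, sizeof buf, "a s d");      /* 6 bytes */
}

int pointer_overflow_demo(void)
{
    char buf[8];
    return copy_via_pointer(buf, sizeof buf, "busybox-1.8.1.tar");
}

int main(void)
{
    printf("fits: %d\n", copy_fits());
    printf("overflows: %d\n", copy_overflows());
    printf("pointer fits: %d\n", pointer_fits_demo());
    printf("pointer overflows: %d\n", pointer_overflow_demo());
    return 0;
}
```

The point to take from it: the overflow detection is entirely in the library-side wrapper; the compiler's only contribution is the extra size argument, which is why the abort, the /dev/tty message and the backtrace all come from libc.so.6.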


