Ticket UUID: | 3127687 | |||
Title: | Triggers FORTIFY_SOURCE buffer overflow detection | |||
Type: | Bug | Version: | None | |
Submitter: | lool | Created on: | 2010-12-04 23:54:57 | |
Subsystem: | 18. Commands M-Z | Assigned To: | nijtmans | |
Priority: | 5 Medium | Severity: | ||
Status: | Closed | Last Modified: | 2010-12-06 05:28:11 | |
Resolution: | Fixed | Closed By: | nijtmans | |
Closed on: | 2010-12-05 22:28:11 | |||
Description: |
Hi there This affects tcl8.4 only, not tcl8.5. After a rebuild of tcl8.4 in Ubuntu, gitk and other applications were failing to start (even wish8.4 wouldn't start); these would fail with: *** buffer overflow detected ***: wish terminated followed by a backtrace. This is due to the _FORTIFY_SOURCE security feature, see: https://wiki.ubuntu.com/CompilerFlags#-D_FORTIFY_SOURCE=2 https://wiki.ubuntu.com/Security/Features#Built%20with%20Fortify%20Source The original bug has details on why this occurs and is at: https://bugs.launchpad.net/ubuntu/+source/tcl8.4/+bug/683546 As a workaround, I've changed the package to build generic/tclCmdMZ.c with -U_FORTIFY_SOURCE, but ideally the structure would declare the command[] with some define for the maximum length of variable names or commands. Cheers, | |||
User Comments: |
nijtmans added on 2010-12-06 05:28:11:
allow_comments - 1 This is a dup of #3048354, which was never backported to 8.4. Fix is the same. Fixed on 8.4 branch. dkf added on 2010-12-06 05:27:34: FWIW, I've been converting Tcl to use memcpy instead of strcpy whenever we know the length anyway (on the grounds that it might also be faster) but I don't think I've done any of that back in 8.4 (and I can't remember for 8.5...) nijtmans added on 2010-12-06 05:16:09: File Added - 395305: 3127687.patch nijtmans added on 2010-12-06 05:14:59: changing command[4] to command[1] has the problem that the structure will be over-allocated (sizeof might add passing characters.....) better: replace the strcpy with memcpy, as we already know the length anyway. This is faster and should not trigger the FORTIFY_SOURCE. patch attached. Does this help? lool added on 2010-12-05 18:41:09: Oddly, I don't hit the problem with wish8.5. Maybe a different code path? I had tried changing command[4] to command[0], but that didn't work (it would still hit FORTIFY_SOURCE protection with a max size of zero). However Kees Cook wrote to me that command[1] is how this should be defined. 8.5 > As long as you don't hit FORTIFY_SOURCE protection, I guess it's best to keep it enabled, but if you do hit it then it would be nice to only disable it in the places where it's a false positive (rather than globally). Another way to avoid the issue entirely is to have a char *command and runtime allocate it, but that might have a performance hit. nijtmans added on 2010-12-05 15:34:51: >ideally the structure would declare the command[] with some define for the maximum length of variable names or commands. Tcl does not have a maximum length of variable names or commands, other than the amount of availalble memory... For Tcl 8.6, a solution would be to define buffer having size [0], that's the standard way of doing this. But I don't know if all the supported compilers handle that. So for Tcl 8.4/8.5 maybe the best is compile everything with -U_FORTIFY_SOURCE (Tcl8.5 this code moved to tclTrace.c). just my 2c lool added on 2010-12-05 06:54:57: File Added - 395235: fortify-source.diff |