[erlang-bugs] R14B01: buffer overflow detected during compilation with -D_FORTIFY_SOURCE=2 (x86_64)
Björn-Egil Dahlberg
egil@REDACTED
Wed Dec 22 14:37:38 CET 2010
Hi,
I am trying to reproduce this error, but I am sad to say that I seem to
be missing something. Now, I am not a build environment expert, but this
should be straightforward, right?
First off, this is otp_src_R14B01 with no distribution-specific patches
applied? Seems unlikely, since both Gentoo and openSUSE hit this error.
Now, I don't have any Gentoo or openSUSE x86_64 available. I have a
32-bit Gentoo which doesn't seem to produce this error (I didn't expect
it to), and plenty of SuSE SLED/SLES 10.1 - 2 x86_64, which don't have
the compiler.
I do have some newer x86_64 Ubuntus, so I tried with gcc (Ubuntu
4.4.3-4ubuntu5) 4.4.3. This compiler should have the fortify source
patch (default since 9.10). -D_FORTIFY_SOURCE=2 shouldn't be needed,
since -O2 and higher implies this option. A small test program confirms
that -O2 and the memcpy check work anyways.
But, no luck.
I tried emulating what Nico did in his build script, like this:
> tar -zxvf otp_src_R14B01.tar.gz
> cd otp_src_R14B01
> export ERL_TOP=`pwd`
> export 'CFLAGS=-fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -fno-strict-aliasing'
> export 'CXXFLAGS=-fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -fno-strict-aliasing'
> export FFLAGS='-fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables'
> ./configure --host=x86_64-unknown-linux-gnu \
    --build=x86_64-unknown-linux-gnu --with-ssl=/usr --enable-threads \
    --enable-smp-support --enable-kernel-poll --enable-hipe --enable-shared-zlib
> ulimit -c unlimited
> make
No errors, all is great.
So something is wrong, either in the assumptions or the setup.
Everything from stack protectors, valgrind and other fortifications says
everything is fine.
Is the error consistent? Does it appear every time and on the same file,
hipe_rtl.erl? It should anyways.
Could someone please give me some pointers on how to reproduce this?
// Björn-Egil
Erlang/OTP
On 2010-12-21 11:56, Christian Faulhammer wrote:
> Hi,
>
> Kenneth Lundin <kenneth.lundin@REDACTED>:
>> Has -D_FORTIFY_SOURCE been tried on R14B as well and did not show any
>> buffer overflow?
>
> There would have been reports (I maintain the package for Gentoo,
> where users build the package on their system)...and there were none.
> We have used FORTIFY_SOURCE for some time now.
>
>> As I understand it -D_FORTIFY_SOURCE is a patch to GCC developed by
>> Red Hat and =2 can also report buffer overflow for code that is correct.
>
> It is included in the trunk version and used by many distributions
> nowadays, especially for the server/hardened systems.
>
>> If this buffer overflow indeed is a real bug then of course we want to
>> find it and correct it.
>
> Would be nice.
>
> V-Li
>