[PATCH 03/21] tests: Working around bounds check

Eugene Syromyatnikov evgsyr at gmail.com
Sun Oct 9 13:28:48 UTC 2016


When building with -Wp,-D_FORTIFY_SOURCE=2, the compiler produces the
following warning:

In file included from /usr/include/string.h:638:0,
                 from ioctl_dm.c:4:
In function ‘strcpy’,
    inlined from ‘main’ at ioctl_dm.c:57:8:
/usr/include/bits/string3.h:104:3: warning: call to __builtin___strcpy_chk will always overflow destination buffer [enabled by default]
   return __builtin___strcpy_chk (__dest, __src, __bos (__dest));
   ^

And later it aborts:

[  200s] FAIL: ioctl_dm
[  200s] ==============
[  200s]
[  200s] + ../strace -V
[  200s] + TIMEOUT='timeout -s 9 60'
[  200s] + timeout -s 9 60 true
[  200s] + exec timeout -s 9 60 ./ioctl_dm.test
[  200s] + run_prog
[  200s] + '[' 0 -eq 0 ']'
[  200s] + set -- ./ioctl_dm
[  200s] + args=./ioctl_dm
[  200s] + ./ioctl_dm
[  200s] *** buffer overflow detected ***: ./ioctl_dm terminated
[  200s] ======= Backtrace: =========
[  200s] /lib64/libc.so.6(__fortify_fail+0x37)[0x7fbc8fa1acb7]
[  200s] /lib64/libc.so.6(+0x10be80)[0x7fbc8fa18e80]
[  200s] ./ioctl_dm[0x400616]
[  200s] /lib64/libc.so.6(__libc_start_main+0xf5)[0x7fbc8f92eaf5]
[  200s] ./ioctl_dm[0x400739]
[  200s] ======= Memory map: ========
[  200s] 00400000-00401000 r-xp 00000000 08:00 84792                              /home/abuild/rpmbuild/BUILD/strace-4.13.0.260.af086/tests/ioctl_dm
[  200s] 00601000-00602000 r--p 00001000 08:00 84792                              /home/abuild/rpmbuild/BUILD/strace-4.13.0.260.af086/tests/ioctl_dm
[  200s] 00602000-00603000 rw-p 00002000 08:00 84792                              /home/abuild/rpmbuild/BUILD/strace-4.13.0.260.af086/tests/ioctl_dm
[  200s] 02244000-02265000 rw-p 00000000 00:00 0                                  [heap]
[  200s] 7fbc8f6f5000-7fbc8f70a000 r-xp 00000000 08:00 131341                     /usr/lib64/libgcc_s-4.8.2-20140120.so.1
[  200s] 7fbc8f70a000-7fbc8f909000 ---p 00015000 08:00 131341                     /usr/lib64/libgcc_s-4.8.2-20140120.so.1
[  200s] 7fbc8f909000-7fbc8f90a000 r--p 00014000 08:00 131341                     /usr/lib64/libgcc_s-4.8.2-20140120.so.1
[  200s] 7fbc8f90a000-7fbc8f90b000 rw-p 00015000 08:00 131341                     /usr/lib64/libgcc_s-4.8.2-20140120.so.1
[  200s] 7fbc8f90d000-7fbc8fac3000 r-xp 00000000 08:00 131350                     /usr/lib64/libc-2.17.so
[  200s] 7fbc8fac3000-7fbc8fcc3000 ---p 001b6000 08:00 131350                     /usr/lib64/libc-2.17.so
[  200s] 7fbc8fcc3000-7fbc8fcc7000 r--p 001b6000 08:00 131350                     /usr/lib64/libc-2.17.so
[  200s] 7fbc8fcc7000-7fbc8fcc9000 rw-p 001ba000 08:00 131350                     /usr/lib64/libc-2.17.so
[  200s] 7fbc8fcc9000-7fbc8fcce000 rw-p 00000000 00:00 0
[  200s] 7fbc8fcd5000-7fbc8fcf6000 r-xp 00000000 08:00 131343                     /usr/lib64/ld-2.17.so
[  200s] 7fbc8fef1000-7fbc8fef5000 rw-p 00000000 00:00 0
[  200s] 7fbc8fef5000-7fbc8fef6000 r--p 00020000 08:00 131343                     /usr/lib64/ld-2.17.so
[  200s] 7fbc8fef6000-7fbc8fef7000 rw-p 00021000 08:00 131343                     /usr/lib64/ld-2.17.so
[  200s] 7fbc8fef7000-7fbc8fef9000 rw-p 00000000 00:00 0
[  200s] 7ffe9b7e3000-7ffe9b806000 rw-p 00000000 00:00 0                          [stack]
[  200s] 7ffe9b84d000-7ffe9b84f000 r--p 00000000 00:00 0                          [vvar]
[  200s] 7ffe9b84f000-7ffe9b851000 r-xp 00000000 00:00 0                          [vdso]
[  200s] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
[  200s] ./init.sh: line 53: 15162 Aborted                 "$@"
[  200s] + rc=134
[  200s] + '[' 134 -eq 77 ']'
[  200s] + fail_ './ioctl_dm failed with code 134'
[  200s] + warn_ 'ioctl_dm.test: failed test: ./ioctl_dm failed with code 134'
[  200s] + printf '%s\n' 'ioctl_dm.test: failed test: ./ioctl_dm failed with code 134'
[  200s] ioctl_dm.test: failed test: ./ioctl_dm failed with code 134
[  200s] + exit 1

It is due to the fact that the message field is a 0-element array. Worked
around by copying to the string field with an appropriate offset.
---
 tests/ioctl_dm.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tests/ioctl_dm.c b/tests/ioctl_dm.c
index a5945ae..cb6dd97 100644
--- a/tests/ioctl_dm.c
+++ b/tests/ioctl_dm.c
@@ -64,7 +64,8 @@ main(void)
 
 	init_s();
 	s.u.tm.target_msg.sector = 0x1234;
-	strcpy(s.u.tm.target_msg.message, "tmsg");
+	strcpy(s.u.string + offsetof(struct dm_target_msg, message),
+		"tmsg");
 	ioctl(-1, DM_TARGET_MSG, &s);
 	printf("ioctl(-1, DM_TARGET_MSG, "
 	       "{version=4.1.2, dev=makedev(18, 52), name=\"nnn\", "
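Review bot: the replacement on the `+` lines depends on `s.u.string` being at least `offsetof(struct dm_target_msg, message) + sizeof("tmsg")` bytes long, and the hunk does not show the union definition or the fortified bound the compiler will now derive for `s.u.string`; please confirm the `string` member of the union covers that range, otherwise the same `__builtin___strcpy_chk` abort just moves to the new call site. Two smaller points on the same lines: `offsetof` requires `<stddef.h>`, which is not visible in the shown context, so check it is included in `tests/ioctl_dm.c`; and the continuation line `"tmsg");` is indented with a single tab rather than aligned under the opening parenthesis as the surrounding `printf` arguments are.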
-- 
1.7.10.4




