r1151 - in trunk/BOOK: chapter01 chapter06

robert at linuxfromscratch.org
Mon Jun 11 08:52:43 PDT 2007


Author: robert
Date: 2007-06-11 09:52:43 -0600 (Mon, 11 Jun 2007)
New Revision: 1151

Modified:
   trunk/BOOK/chapter01/changelog.xml
   trunk/BOOK/chapter06/butterfly-toolchain.xml
Log:
Added new fgets() overflow program, for testing

Modified: trunk/BOOK/chapter01/changelog.xml
===================================================================
--- trunk/BOOK/chapter01/changelog.xml	2007-06-11 12:50:19 UTC (rev 1150)
+++ trunk/BOOK/chapter01/changelog.xml	2007-06-11 15:52:43 UTC (rev 1151)
@@ -52,6 +52,9 @@
       <para>June 11th, 2007</para>
       <itemizedlist>
         <listitem>
+          <para>[robert]: Added new fgets() overflow program, for testing.</para>
+        </listitem>
+        <listitem>
           <para>[robert]: Added Ncurses coverity fixes patch.</para>
         </listitem>
         <listitem>
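Review bot: the new changelog entry says "for testing" without saying what is tested or where it lives; readers of the changelog cannot tell that this refers to the _FORTIFY_SOURCE/SSP check in the Butterfly Toolchain page. Suggest naming the section, e.g. "[robert]: Added an fgets() overflow test program to the Butterfly Toolchain _FORTIFY_SOURCE test."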

Modified: trunk/BOOK/chapter06/butterfly-toolchain.xml
===================================================================
--- trunk/BOOK/chapter06/butterfly-toolchain.xml	2007-06-11 12:50:19 UTC (rev 1150)
+++ trunk/BOOK/chapter06/butterfly-toolchain.xml	2007-06-11 15:52:43 UTC (rev 1151)
@@ -257,8 +257,55 @@
 
     <important>
       <?dbfo keep-together="auto"?>
-      <para>Test the _FORTIFY_SOURCE feature with the following program:</para>
+      <para>This test program will cause fgets(3) to have a buffer overflow.
+      This is an example where static code checking will not detect a problem,
+      because the overflow is caused by user input at run time. The only
+      problem that is reported by static code analysis programs, like
+      <ulink url="http://www.splint.org/">Splint</ulink> or the
+      <parameter>-Wextra</parameter> option, is that the
+      <function>int argc</function> paramter is unused:</para>
 
+<screen><userinput>cat > fgets-overflow.c << "EOF"
+#include <stdio.h>
+#include <stdlib.h>
+int
+main(int argc, char *argv[])
+{
+	char b[10];
+	int len = atoi(argv[1]);
+	if ((fgets(b, len, stdin)) != b)
+		return 1;
+	(void)printf("%s\n", b);
+	return 0;
+}
+EOF</userinput></screen>
+
+      <para>The next commands demonstrates that without any protection this
+      program can run a buffer overflow silently, without any warnings, errors,
+      or crashes:</para>
+
+<screen><userinput>gcc -o fgets-overflow fgets-overflow.c \
+    -fno-stack-protector -U_FORTIFY_SOURCE -Wall -Wformat=2
+echo abcdefghijklm | ./fgets-overflow 14</userinput></screen>
+
+      <para>This should return <quote>abcdefghijklm</quote>, 13 characters,
+      from an array that should only hold 10. Now lets try again witout
+      disabling any protection:</para>
+
+<screen><userinput>gcc -o fgets-overflow fgets-overflow.c
+echo abcdefghijklm | ./fgets-overflow 14</userinput></screen>
+
+      <para>This should now return:</para>
+
+<screen><computeroutput>*** buffer overflow detected ***: ./fgets-overflow terminated
+Aborted</computeroutput></screen>
+
+      <para>Both _FORTIFY_SOURCE and SSP will abort this program if the
+      program's argument (14 in the above example) is more than 10.</para>
+
+      <para>The next program is a simple strcpy(3) overflow, and is an example
+      where static code analysis will catch the problem:</para>
+
 <screen><userinput>cat > strcpy-overflow.c << "EOF"
 #include <string.h>
 int main()
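Review bot: the added test program dereferences argv[1] without checking argc, so running ./fgets-overflow with no argument hands NULL to atoi() and crashes for a reason unrelated to the overflow being demonstrated; add `if (argc != 2) return 1;` before `int len = atoi(argv[1]);`, which also removes the unused-argc warning the paragraph singles out as the only static-analysis finding. The closing sentence, "Both _FORTIFY_SOURCE and SSP will abort this program if the program's argument (14 in the above example) is more than 10", is stronger than what the two mechanisms do: the stack protector fires only when the canary is actually overwritten, and with the padding gcc places after a 10-byte array a 14-byte write may pass silently, while glibc's __fgets_chk (debug/fgets_chk.c) decides based on how many bytes were actually read into the buffer, so an argument of 14 with a short line on stdin should not abort either; please verify with `echo abc | ./fgets-overflow 14` and reword to say the abort depends on the input actually overflowing the buffer. Minor typos in the added text: "paramter", "The next commands demonstrates", and "Now lets try again witout".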
@@ -270,18 +317,15 @@
 EOF
 gcc -o fortify-test strcpy-overflow.c</userinput></screen>
 
-      <para>This should return:</para>
+      <para>This should display:</para>
 
 <screen><computeroutput>strcpy-overflow.c: In function 'main':
 strcpy-overflow.c:5: warning: call to __builtin___strcpy_chk will
     always overflow destination buffer</computeroutput></screen>
 
-      <para>It's worth mentioning here that the <option>-Werror</option> GCC
-      option would cause this <command>gcc</command> to fail, and the program
-      would not be created.</para>
+      <para>Here the _FORTIFY_SOURCE feature is warning that the compiler
+      knows in advance that strcpy(3) will overflow. Try to run the program:</para>
 
-      <para>Try to run the program:</para>
-
 <screen><userinput>./fortify-test ; echo $?</userinput></screen>
 
       <para>This should return:</para>
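Review bot: removing the sentence about -Werror drops a practical caveat rather than redundant text. With -Werror in CFLAGS this gcc invocation fails on the "will always overflow destination buffer" warning, fortify-test is never built, and the `./fortify-test ; echo $?` step that follows cannot be run; keep that sentence, or fold it into the new paragraph ("Note that with -Werror this warning is fatal and the program will not be created."). Also, the new paragraph attributes the warning to "the _FORTIFY_SOURCE feature"; strictly it is gcc's __builtin___strcpy_chk check, which the fortified headers route strcpy() through when _FORTIFY_SOURCE is defined, and saying so would make the contrast with the run-time fgets() case above clearer.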




More information about the hlfs-book mailing list