Example of bug hunting patch()

Robert Connolly cendres at videotron.ca
Mon Jan 26 13:20:49 PST 2004


For those of you with lots of time on your hands, these methods could be 
repeated on all the packages to locate many bugs. First get:
http://web.inter.nl.net/hcc/Haj.Ten.Brugge/ \
bounds-checking-gcc-3.3.2-1.00.patch.bz2

cd gcc-3.3.2
bzcat ../bounds-checking-gcc-3.3.2-1.00.patch.bz2 | patch -Np1
./configure... && make bootstrap
make install

Note: You can skip the ada hunks. It's not a good idea to use the propolice 
patch together with this one; if you do, you'll have to fix gcc/functions.c.rej 
by hand, and hgcc might not work.

Get this and install it.
http://keihanna.dl.sourceforge.net/sourceforge/bfbtester/ \
bfbtester-2.0.1.tar.gz

cd patch-2.5.4
./configure && make

$ bfbtester -s patch # Use -a if you want.
=> /sources/lfs-packages/patch-2.5.4/patch
   * Single argument testing
*** Crash </sources/lfs-packages/patch-2.5.4/patch> ***
args:           -V [51200]
envs:
Signal:         11 ( Segmentation fault )
Core?           No
...

./patch -V foo
Segmentation fault
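What bfbtester's single-argument pass boils down to, written out as an added example in C (my own code for this page, not bfbtester's; the 51200-byte payload size is taken from the report above, while the flag handling, the close-on-exec pipe used to tell "exec failed" from "program ran", and all function names are my choices): fork the target once per flag with an oversized argument, wait for it, and report the signal that killed it.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child side: tell the parent over the close-on-exec pipe that exec()
 * never happened, then leave without running atexit handlers. */
static void child_fail(int fd)
{
    char e = 1;
    (void)!write(fd, &e, 1);
    _exit(127);
}

/* Run prog with argv = { prog, flag, payload } (flag and payload may be
 * NULL), output discarded, and report how it ended:
 *   >0  number of the signal that killed it (11 is SIGSEGV, as in the
 *       bfbtester report above)
 *    0  exited normally, whatever the exit status
 *   -1  pipe()/fork() failed or the program could not be exec'd
 * The write end of the pipe is close-on-exec, so the parent reads EOF
 * when exec succeeded and one byte when it did not. */
int probe_args(const char *prog, const char *flag, const char *payload)
{
    int fds[2];
    if (pipe(fds) < 0)
        return -1;
    fcntl(fds[1], F_SETFD, FD_CLOEXEC);
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        char *argv[4];
        int n = 0;
        close(fds[0]);
        if (!freopen("/dev/null", "w", stdout) ||
            !freopen("/dev/null", "w", stderr))
            child_fail(fds[1]);
        argv[n++] = (char *)prog;
        if (flag)
            argv[n++] = (char *)flag;
        if (payload)
            argv[n++] = (char *)payload;
        argv[n] = NULL;
        execv(prog, argv);
        child_fail(fds[1]); /* only reached when exec failed */
    }
    close(fds[1]);
    char e;
    ssize_t got = read(fds[0], &e, 1); /* blocks until exec or failure */
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0 || got > 0)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

/* Single-argument pass in the spirit of "bfbtester -s": each flag gets one
 * argument of payload_len 'A's. Returns the index of the first flag whose
 * run died on a signal (signal number stored in *sig), or -1 if nothing
 * crashed or the program could not be run. */
int single_arg_scan(const char *prog, const char *const *flags, size_t nflags,
                    size_t payload_len, int *sig)
{
    char *payload = malloc(payload_len + 1);
    if (!payload)
        return -1;
    memset(payload, 'A', payload_len);
    payload[payload_len] = '\0';
    int hit = -1;
    for (size_t i = 0; i < nflags; i++) {
        int r = probe_args(prog, flags[i], payload);
        if (r < 0)
            break;
        if (r > 0) {
            *sig = r;
            hit = (int)i;
            break;
        }
    }
    free(payload);
    return hit;
}

/* usage: ./probe ./patch -V -p -d ... (flags to try are the remaining args) */
int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s ./program -flag [-flag ...]\n", argv[0]);
        return 2;
    }
    int sig = 0;
    int hit = single_arg_scan(argv[1], (const char *const *)argv + 2,
                              (size_t)(argc - 2), 51200, &sig);
    if (hit < 0) {
        printf("no crash\n");
        return 0;
    }
    printf("*** Crash <%s> ***\nargs: %s [51200]\nSignal: %d\n",
           argv[1], argv[hit + 2], sig);
    return 1;
}
```

Build it with something like `gcc -o probe probe.c` (file name assumed) and point it at the binary under test; a 51200-byte argument stays well under the Linux per-argument limit, so a crash here is the program's fault, not exec's.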

A segfault on a bogus argument is not nice. So clean, and rebuild with 
debugging. Since we don't need to install most packages to test them, there's 
no great need for optimizations.

make clean
CFLAGS="-fbounds-checking" ./configure
make CFLAGS="-fbounds-checking"

export GCC_BOUNDS_OPTS="-warn-all -print-calls -print-oob-pointers \
-print-functions"

Note: Use GCC_BOUNDS_OPTS="--help" and run ./patch to get a full list of 
options.

Now reproduce it.

./patch -V foo

That will output a lot of stuff, but the last few lines show what happened 
just before the segfault.

__bounds_push_function(thread=0, name="error", main=0, file="error.c", 
ln=125), nesting_nr=1
__bounds_add_stack_object(p=0xbffff640, sz=4, align=4, file="error.c", ln=127, 
name="args" nesting_nr=1)
__bounds_check_ptr_true (p=NULL, file="error.c", ln=130)
Segmentation fault

If you look around line 130 in error.c you can trace the crash back to the 
program_name bug: error.c declares program_name as a pointer (char 
*program_name) while the rest of patch defines it as an array (char const 
program_name[]), so whatever bytes sit at that address get loaded and used as 
if they were a pointer. With more debugging you can pin down the mismatch 
causing the segfault. Even if you don't know how to fix it, this provides much 
of the information needed to fix it. In this case there is a fix:

make clean
sed -e 's@*program_name@const program_name[]@g' -i error.c
./configure && make
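Why a mismatched declaration of program_name crashes and why changing error.c's declaration to an array fixes it, as an added example (my own constructed code, not patch's sources; the array contents and all function names are assumptions). Both translation units in the real program resolve to one symbol, so the example keeps a single definition and shows what each declaration makes of the same address:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The definition on the patch side, as the sed fix implies: an array object
 * holding the name, not a pointer variable. Constructed for this example. */
static char const program_name[] = "patch";

/* What the fixed declaration, "extern char const program_name[]", gives a
 * user: the array decays to its own address, and "%s" prints "patch". */
const char *name_via_array_decl(void)
{
    return program_name;
}

/* What the broken declaration, "extern char *program_name", gives a user:
 * the linker resolves the symbol to the same address, but the use site
 * loads sizeof(void *) bytes from there and treats them as a pointer. This
 * returns that value, i.e. the characters of "patch" reinterpreted as an
 * address, which printf("%s", ...) then dereferences. Only the bytes that
 * exist are copied so the example itself stays in bounds; the real load
 * reads sizeof(void *) bytes regardless. */
uintptr_t pointer_via_mismatched_decl(void)
{
    uintptr_t bogus = 0;
    size_t n = sizeof bogus < sizeof program_name ? sizeof bogus
                                                   : sizeof program_name;
    memcpy(&bogus, program_name, n);
    return bogus;
}

/* Endianness-independent view of the bogus pointer: the byte at its lowest
 * address is the first character of the string on any host. */
unsigned char first_byte_of_bogus_pointer(void)
{
    uintptr_t v = pointer_via_mismatched_decl();
    unsigned char raw[sizeof v];
    memcpy(raw, &v, sizeof v);
    return raw[0];
}

int main(void)
{
    printf("array declaration sees:            \"%s\"\n",
           name_via_array_decl());
    printf("pointer declaration would deref:   %#lx\n",
           (unsigned long)pointer_via_mismatched_decl());
    return 0;
}
```

The one-line sed is enough for this package, but the durable fix is a single declaration in a header included by both the defining and the using file: with both visible in one translation unit, `extern char *program_name;` next to `char const program_name[]` is rejected as conflicting types at compile time instead of turning into a segfault at runtime.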

bfbtester -a patch
=> /sources/lfs-packages/patch-2.5.4/patch
   * Single argument testing
   * Multiple arguments testing
   * Environment variable testing
Cleaning up...might take a few seconds

:)

P.S.
Not everything will be this easy. This bug doesn't go out of bounds or do 
anything very dangerous, as far as I can tell. The testing method in 
propolice.txt should be used along with this one, depending on the program and 
the bug. Other methods are welcome.




More information about the hlfs-dev mailing list