fortify source question

thorsten fly_b747 at gmx.de
Sat Jan 3 07:50:18 PST 2009


Hello there,

this is a bit off-topic, however if someone could point me in the right
direction, I would appreciate it.

I am trying to build a toolchain based on the HLFS-SVN-20080603 (the
last html-version) but with updated packages according to LFS 6.4. Which
means:

gcc-4.3.2
binutils-2.18
glibc-2.8-20080929

So far, everything worked like a charm, however while testing my
butterfly toolchain there seems to be some problem with fortify source:

the fgets-overflow works like expected:
 echo abcdefghijklm | ./fgets-overflow 14
*** buffer overflow detected ***: ./fgets-overflow terminated
======= Backtrace:  [...]

however the strcpy-overflow does not:

 cat > strcpy-overflow.c << "EOF"
> #include <string.h>
> int main()
> {
>  char buf[2];
>  strcpy(buf,"12345");
>  return 0;
> }
> EOF
root:~# gcc -o strcpy-overflow strcpy-overflow.c -static -L/usr/lib/static
root:~#

[ there is no warning about overflowing the buffer while compiling ]

./strcpy-overflow
*** stack smashing detected ***: ./strcpy-overflow terminated
======= Backtrace:  [ ...]

and the overflow seems to be detected by ssp, not fortify source.
even compiling with
gcc -o strcpy-overflow strcpy-overflow.c -static -L/usr/lib/static -Wall
-Wextra -D_FORTIFY_SOURCE=2
gives the same results.

I disabled libssp in the gcc build, since glibc provides it. Could this
be the reason? Or is gcc-4.3 the problem?

I attached gcc -dumpspecs for info...

thanks, thorsten
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: specs
URL: <http://lists.linuxfromscratch.org/pipermail/hlfs-dev/attachments/20090103/e5382f20/attachment.ksh>
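
Added example, not part of the original post: a small C model of the two mechanisms whose messages appear above, the fortify check that runs before the copy and the SSP canary check that runs after it. The `struct frame` layout, the canary bytes and all function names are constructed for illustration and are not glibc or gcc code.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a stack frame: buf[2] as in strcpy-overflow.c,
 * directly followed by a guard value standing in for the SSP canary. */
#define CANARY_LEN 4
struct frame { char buf[2]; unsigned char canary[CANARY_LEN]; };
static const unsigned char CANARY[CANARY_LEN] = { 0x00, 0x0a, 0xff, 0x0d };

static void frame_init(struct frame *f)
{
    memset(f->buf, 0, sizeof f->buf);
    memcpy(f->canary, CANARY, CANARY_LEN);
}

/* Fortify-style: check length against the known object size BEFORE writing.
 * Returns -1 (nothing written) where glibc aborts "buffer overflow detected". */
static int fortified_copy(struct frame *f, const char *src)
{
    size_t need = strlen(src) + 1;   /* string plus terminating NUL */
    if (need > sizeof f->buf) return -1;
    memcpy(f->buf, src, need);
    return 0;
}

/* Unchecked copy, like plain strcpy. The length is clamped to the model
 * frame so the demonstration never writes outside its own object. */
static void unchecked_copy(struct frame *f, const char *src)
{
    size_t need = strlen(src) + 1;
    if (need > sizeof *f) need = sizeof *f;
    memcpy((unsigned char *)f, src, need);
}

/* SSP-style: runs AFTER the write, when the function returns. Returns -1
 * where the runtime would print "*** stack smashing detected ***". */
static int canary_check(const struct frame *f)
{
    return memcmp(f->canary, CANARY, CANARY_LEN) == 0 ? 0 : -1;
}

int main(void)
{
    struct frame f;
    frame_init(&f);
    printf("fortified: %d\n", fortified_copy(&f, "12345"));  /* refused */
    unchecked_copy(&f, "12345");
    printf("canary:    %d\n", canary_check(&f));             /* damaged */
    return 0;
}
```

glibc turns its fortified wrappers on only when `_FORTIFY_SOURCE` is defined and the compiler is optimizing (`__OPTIMIZE__` set), so the real check that `fortified_copy` models is present only in builds made with `-O1` or higher.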

