https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77409

            Bug ID: 77409
           Summary: CVE-2016-4973 Targets using libssp for SSP are missing
                    -D_FORTIFY_SOURCE functionality
           Product: gcc
           Version: 6.1.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: other
          Assignee: unassigned at gcc dot gnu.org
          Reporter: yselkowi at redhat dot com
                CC: jon_y at users dot sourceforge.net, ktietz at gcc dot gnu.org
  Target Milestone: ---

Targets that use libssp for SSP (e.g. newlib, Cygwin, RTEMS, MinGW, but not
e.g. Glibc, Bionic, NetBSD which provide SSP in libc) are mistakenly missing
out on -D_FORTIFY_SOURCE functionality even when explicitly specified. The
problem is in gcc libssp/Makefile.am:

libsubincludedir = $(libdir)/gcc/$(target_noncanonical)/$(gcc_version)/include
nobase_libsubinclude_HEADERS = ssp/ssp.h ssp/string.h ssp/stdio.h ssp/unistd.h

Headers are structured so that they should be in $(libsubincludedir), instead
of $(libsubincludedir)/ssp where they are currently placed.

Demonstration:

$ cat fortify_test.c
/* example from bug 50460 */
#include <stdio.h>
#include <string.h>

const char *str1 = "JIHGFEDCBA";

int
main ()
{
  struct A { char buf1[9]; char buf2[1]; } a;
  /* 5 bytes remain in buf1 after the +4 offset; "EDCBA" plus its NUL
     is 6, so a fortified strcpy must reject this copy.  */
  strcpy (a.buf1 + (0 + 4), str1 + 5);
  printf ("%s %s\n", a.buf1, a.buf2);
  return 0;
}

$ gcc -D_FORTIFY_SOURCE=2 -fstack-protector-strong -o fortify_test -O2 fortify_test.c
$ nm -C fortify_test | grep strcpy
U __strcpy_chk@@GLIBC_2.3.4

$ i686-w64-mingw32-gcc -D_FORTIFY_SOURCE=2 -fstack-protector-strong -o fortify_test.exe -O2 fortify_test.c
$ i686-w64-mingw32-nm -C fortify_test.exe | grep strcpy
004061e8 I _imp__strcpy
00402624 T strcpy

If headers are moved, we can see:

$ i686-w64-mingw32-gcc -D_FORTIFY_SOURCE=2 -fstack-protector-strong -o fortify_test.exe -O2 fortify_test.c
$ i686-w64-mingw32-nm -C fortify_test.exe | grep strcpy
00406200 I _imp____strcpy_chk
00401590 T __strcpy_chk

Red Hat Product Security has assigned CVE-2016-4973 to this issue.

Further discussion: https://bugzilla.redhat.com/show_bug.cgi?id=1324759
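As an added example (not code from the bug report, from libssp or from glibc), the following self-contained C program models the two halves that -D_FORTIFY_SOURCE relies on: a header-side macro that redirects strcpy to a checked variant, passing the destination size the compiler computes with __builtin_object_size, and the runtime check that uses that size. It reuses the struct layout and source string from the report's test program; every name with a demo_ prefix is invented for the example, and the real __strcpy_chk aborts on overflow where this one returns NULL so the result can be observed. The header half is exactly what a libssp target loses when ssp/string.h is installed one directory too deep: with no wrapper on the include path the call falls through to the plain strcpy with no diagnostic, which is what the nm output above shows.

```c
/* Added example, not code from the bug report, from libssp or from glibc:
   a minimal model of how a fortified strcpy is wired together.  The real
   headers and __strcpy_chk differ in detail; names prefixed "demo_" are
   this example's own. */
#include <stdio.h>
#include <string.h>

/* Runtime side (the role of __strcpy_chk): destlen is the destination
   size the compiler computed at the call site.  The real function
   aborts on overflow; this demo returns NULL instead. */
static char *demo_strcpy_chk(char *dest, const char *src, size_t destlen)
{
    size_t n = strlen(src) + 1;          /* bytes to copy, NUL included */
    if (n > destlen)
        return NULL;                     /* would overflow: refuse */
    return memcpy(dest, src, n);
}

/* Header side (the role of ssp/string.h when it is on the include
   path): strcpy is redirected to the checked variant, with the size
   supplied by __builtin_object_size.  Mode 1 asks for the size of the
   enclosing subobject (here buf1), not the whole struct; (size_t)-1
   means "unknown", which disables the check rather than failing it. */
#define demo_strcpy(dest, src) \
    demo_strcpy_chk((dest), (src), __builtin_object_size((dest), 1))

/* The destination from the report's test program: 5 bytes remain in
   buf1 after the +4 offset.  Written as &a.buf1[4] so the address is a
   compile-time constant the compiler can size even at -O0. */
struct demo_A { char buf1[9]; char buf2[1]; };

size_t demo_dest_size(void)
{
    struct demo_A a;
    return __builtin_object_size(&a.buf1[4], 1);   /* 5 when resolved */
}

/* 1 if the checked copy was accepted, 0 if the check rejected it. */
int demo_copy_into_buf1(const char *src)
{
    struct demo_A a = {{0}, {0}};
    return demo_strcpy(&a.buf1[4], src) != NULL;
}

/* The same runtime check driven by an explicit size, for comparison
   with what the compiler-supplied size produces above. */
int demo_check_accepts(const char *src, size_t destlen)
{
    char buf[64];
    return destlen <= sizeof buf && demo_strcpy_chk(buf, src, destlen) != NULL;
}

int main(void)
{
    const char *str1 = "JIHGFEDCBA";   /* the report's source string */
    printf("object size seen by the check: %zu\n", demo_dest_size());
    /* "EDC" (4 bytes with NUL) fits in 5; "EDCBA" (6 bytes) does not. */
    printf("copy of \"%s\": %s\n", str1 + 7,
           demo_copy_into_buf1(str1 + 7) ? "accepted" : "rejected");
    printf("copy of \"%s\": %s\n", str1 + 5,
           demo_copy_into_buf1(str1 + 5) ? "accepted" : "rejected");
    return 0;
}
```

Build with `gcc -O2 demo.c` (any name). Sizes that must flow through pointer variables are only resolved with optimization enabled, which is why the report compiles with -O2 and why glibc's headers refuse to enable _FORTIFY_SOURCE without -O; the constant address used here is the one case the compiler can usually size without it. Swapping demo_strcpy for a plain strcpy in demo_copy_into_buf1 reproduces the failure mode of the bug: the same code compiles, links and runs, and the 1-byte overrun into buf2 goes unreported.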
