Bug 2208579 - rpm-git-tag-sort-1.0-12.fc39 FTBFS: ./test: buffer overflow detected
Summary: rpm-git-tag-sort-1.0-12.fc39 FTBFS: ./test: buffer overflow detected
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: rpm-git-tag-sort
Version: rawhide
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Copr Team
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: F39FTBFS
 
Reported: 2023-05-19 15:48 UTC by Petr Pisar
Modified: 2023-08-01 08:43 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-01 08:43:36 UTC
Type: ---
Embargoed:




Links
Fedora Pagure: rpm-git-tag-sort pull-request 3 (Private: 0, Priority: None, Status: None, Summary: None, Last Updated: 2023-05-19 16:29:14 UTC)

Description Petr Pisar 2023-05-19 15:48:08 UTC
rpm-git-tag-sort-1.0-12.fc39 fails to build in Fedora 39:

+ /usr/bin/make -O -j6 V=1 VERBOSE=1
gcc -Wall -g -std=gnu99 -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64   -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer  -c c-vector/vec.c
gcc -Wall -g -std=gnu99 -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64   -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer  -I/usr/include/rpm -c main.c
gcc -Wall -g -std=gnu99 -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64   -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer  -lrpm -lrpmio -lgit2 -o main main.o vec.o
+ ./test
*** buffer overflow detected ***: terminated
0a1,14
> 043436006cb582879b8d66503e755a22bcd8b13e tag-1-2
> d882aa1b41767801307cf18b08c3653ee22eca35 tag-11-1
> 11344b06b32f18534d921cb22a001db21058e7af tag-10-1
> 6fecf2e24af75b97ae857d6f8b58ee54a74b7d2d tag-9-1
> fa9dd254964d602202e09e43017f67d484903618 tag-5-1
> f617549126a44e6cceea5384623dede4cd76beb5 tag-8-3
> 5334bc27d2312b7b512733f625ade86bd19f7edd tag-8-2
> e5cc783757f61e7e7179394a989b0bf6bd8b771d tag-8-1
> 1097c7de63a35207f32c3232a1f4253ad0ec2e4e tag-8-0
> 335cae5db0ac482dfd3e8ec972831dc0b74ca030 tag-7-1
> 9b0975c3aaeea59ebdcf69ae23d331c7c97cd97a tag-6-1
> 379b113d3447c00c499b2a048cda13878c10e79a tag-3-1
> 5c48f70428673549517763d984ab06019791c8bf tag-4-1
> 13841e1b08e7c90c651ce8bf9acb0312e14841b8 tag-1-1
fail.
error: Bad exit status from /var/tmp/rpm-tmp.Zd3mzx (%build)

I discovered it when rebuilding it for rpm-4.19 <https://koji.fedoraproject.org/koji/buildinfo?buildID=2203164> and verified with a scratch build against rpm-4.18 <https://koji.fedoraproject.org/koji/taskinfo?taskID=101337566>.

Reproducible: Always

Comment 1 Petr Pisar 2023-05-19 16:04:48 UTC
It's the second invocation of ./main in ./test which crashes:

$ gdb --args ./main testx tag
[...]
(gdb) bt
#0  0x00007ffff7a8f6d4 in __pthread_kill_implementation () from /lib64/libc.so.6
#1  0x00007ffff7a3e71e in raise () from /lib64/libc.so.6
#2  0x00007ffff7a2687f in abort () from /lib64/libc.so.6
#3  0x00007ffff7a27750 in __libc_message.cold () from /lib64/libc.so.6
#4  0x00007ffff7b22a99 in __fortify_fail () from /lib64/libc.so.6
#5  0x00007ffff7b22454 in __chk_fail () from /lib64/libc.so.6
#6  0x00007ffff7b23e55 in __strcpy_chk () from /lib64/libc.so.6
#7  0x0000000000401dcd in strcpy (__src=0x538fe0 "tag-10-1", __dest=0x7fffffffde50 "") at /usr/include/bits/string_fortified.h:79
#8  rpm_is_lower_than (tag2_name=0x538fe0 "tag-10-1", tag1_name=0x52d700 "tag-9-1") at /home/test/fedora/rpm-git-tag-sort/rpm-git-tag-sort/main.c:134
#9  add_to_result (e_idx=<optimized out>, e=<optimized out>, tag_idx=<optimized out>) at /home/test/fedora/rpm-git-tag-sort/rpm-git-tag-sort/main.c:219
#10 visit (c=<optimized out>, visited_ptr=visited_ptr@entry=0x7fffffffe230, name=<optimized out>, repo=<optimized out>) at /home/test/fedora/rpm-git-tag-sort/rpm-git-tag-sort/main.c:304
#11 0x0000000000402191 in visit (c=0x535da0, visited_ptr=visited_ptr@entry=0x7fffffffe230, name=<optimized out>, repo=<optimized out>) at /home/test/fedora/rpm-git-tag-sort/rpm-git-tag-sort/main.c:271
#12 0x0000000000402191 in visit (c=0x532bd0, visited_ptr=visited_ptr@entry=0x7fffffffe230, name=<optimized out>, repo=<optimized out>) at /home/test/fedora/rpm-git-tag-sort/rpm-git-tag-sort/main.c:271
#13 0x0000000000401560 in main (argc=<optimized out>, argv=<optimized out>) at /home/test/fedora/rpm-git-tag-sort/rpm-git-tag-sort/main.c:432

Comment 2 Petr Pisar 2023-05-19 16:12:07 UTC
The problem is that here:

    /* copy tag names */
    char tag1_name_cpy[strlen(tag1_name) + 1];
    char tag2_name_cpy[strlen(tag1_name) + 1];
    strcpy(tag1_name_cpy, tag1_name);
->  strcpy(tag2_name_cpy, tag2_name);

tag2_name_cpy is too short to hold tag2_name:

(gdb) p tag1_name
$1 = 0x52d700 "tag-9-1"
(gdb) p tag2_name
$2 = 0x538fe0 "tag-10-1"

It looks like a typo in tag2_name_cpy[] definition.
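
An added example (not the project's main.c) of the corrected copy: each VLA is sized from its own source string, so the strcpy that -D_FORTIFY_SOURCE=3 routes through __strcpy_chk no longer overflows when tag2_name ("tag-10-1") is longer than tag1_name ("tag-9-1"). The split at the last '-' and the digit-aware segcmp() are assumed stand-ins for whatever rpm_is_lower_than() really does; they are not the project's code or rpm's rpmvercmp().

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for rpm's version comparison: digit runs compare
 * numerically, everything else compares bytewise. Returns <0, 0 or >0. */
static int segcmp(const char *a, const char *b)
{
    while (*a && *b) {
        if (isdigit((unsigned char)*a) && isdigit((unsigned char)*b)) {
            char *ea, *eb;
            long na = strtol(a, &ea, 10), nb = strtol(b, &eb, 10);
            if (na != nb) return na < nb ? -1 : 1;
            a = ea; b = eb;
        } else {
            if (*a != *b) return (unsigned char)*a < (unsigned char)*b ? -1 : 1;
            a++; b++;
        }
    }
    return (*a == *b) ? 0 : (*a ? 1 : -1);
}

/* Is tag1 lower than tag2? Each tag is copied into a VLA sized from ITS OWN
 * length, then split at the last '-' into "name-version" and "release". */
bool tag_is_lower_than(const char *tag1_name, const char *tag2_name)
{
    char tag1_name_cpy[strlen(tag1_name) + 1];
    char tag2_name_cpy[strlen(tag2_name) + 1];  /* the report's bug: sized from tag1_name */
    strcpy(tag1_name_cpy, tag1_name);
    strcpy(tag2_name_cpy, tag2_name);           /* __strcpy_chk aborted here when too short */

    char *rel1 = strrchr(tag1_name_cpy, '-');
    char *rel2 = strrchr(tag2_name_cpy, '-');
    if (!rel1 || !rel2)                         /* no release part: compare whole strings */
        return segcmp(tag1_name_cpy, tag2_name_cpy) < 0;
    *rel1++ = '\0';
    *rel2++ = '\0';
    int c = segcmp(tag1_name_cpy, tag2_name_cpy); /* name-version first */
    if (c == 0)
        c = segcmp(rel1, rel2);                   /* then release */
    return c < 0;
}
```

A plain strcmp() would order "tag-10-1" before "tag-9-1", which is why the copies exist at all: the function needs writable, correctly sized buffers to split and compare the tags numerically.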

Comment 3 Petr Pisar 2023-05-19 16:29:15 UTC
I proposed a fix at <https://pagure.io/rpm-git-tag-sort/pull-request/3>.

Comment 4 Petr Pisar 2023-05-22 10:31:04 UTC
The fix was merged by the upstream.

Comment 5 Petr Pisar 2023-05-22 14:33:40 UTC
RPM maintainers need to rebuild this package against the new rpm-4.19. This bug prevents them from doing so. Could you please apply the fix? If you don't have time, I can do it instead of you.

Comment 6 Fedora Admin user for bugzilla script actions 2023-07-20 12:43:23 UTC
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.

Comment 7 Pavel Raiskup 2023-08-01 08:43:36 UTC
Thank you for the report and hints.  I've built the fixed packages in Rawhide:

rpm-git-tag-sort: https://koji.fedoraproject.org/koji/buildinfo?buildID=2267612
rpkg-macros:     https://koji.fedoraproject.org/koji/buildinfo?buildID=2253802
rpkg-util:       https://koji.fedoraproject.org/koji/buildinfo?buildID=2253810

