
My code looks like

struct MyData {
   int len;
   /* Declared as one byte: the compiler's object-size check for writes into
    * `data` uses this declared size, not the size passed to malloc() (the
    * objdump below shows the bound 1 being passed to __strcpy_chk). */
   char data[1];
};

/* NOTE: plain `MyData *` is C++ spelling (the -v output below shows cc1plus
 * compiling 2.cpp); in C this would need `struct MyData *`. */
MyData *d1 = malloc(1024);       /* the allocation is larger than sizeof *d1, but the type still says data[1] */
strcpy(d1->data, a_string);      /* with _FORTIFY_SOURCE this becomes __strcpy_chk with bound 1 and aborts at run time */

I use it as a variable-length buffer and make sure manually and carefully that the buffer does not overflow. But the program crashed.

objdump -d

2f3dc:   48 8b 44 24 10          mov    0x10(%rsp),%rax
2f3e1:   48 89 ee                mov    %rbp,%rsi
2f3e4:   ba 01 00 00 00          mov    $0x1,%edx
2f3e9:   48 8d 78 20             lea    0x20(%rax),%rdi
2f3ed:   e8 ce b3 fd ff          callq  a7c0 <__strcpy_chk@plt>

How can I convince gcc that this particular buffer will not overflow and turn off the check for it, while leaving it on for the others?

BR / Apr 2, 2021

Here is the simplified code, compiled with gcc-4.8:

#include <string.h>

/* Fixed-size payload, 1024 bytes of data plus an encoding tag.
 * NOTE: the tag `_EncodedBuffer1` (leading underscore + upper-case letter) is
 * an identifier reserved for the implementation. */
typedef struct _EncodedBuffer1 {
    int encoding;
    char data[1024];
} EncodedBuffer1;

/* Same shape as EncodedBuffer1 with a 512-byte payload.
 * NOTE: `_EncodedBuffer2` is likewise a reserved identifier. */
typedef struct _EncodedBuffer2 {
    int encoding;
    char data[512];
} EncodedBuffer2;

/* Reproducer for the fortified-strcpy abort.  `size` is filled with
 * sizeof(MyData1) by main(); `data_type` is never set here.
 * NOTE: `_MyData1` is a reserved identifier (leading underscore + upper case). */
typedef struct _MyData1 {
    int size;
    int data_type;

    /* Inline payload; the four members share the same storage.  string1 is
     * declared with size 1, and that declared size - not sizeof(MyData1) - is
     * the bound the fortified strcpy in main() checks (objdump above: $0x1). */
    union {
        bool bool_balue;        /* `bool` needs <stdbool.h> in C; this file was built as C++ (cc1plus in the -v output), where it is a keyword */
        int int_value;
        double double_value;
        char string1[1];        /* not the last member of the struct, so it cannot be a flexible array member */
    };
    /* something else */
    /* Two orderings of the same pair of encoded buffers overlaid on one storage. */
    union {
        struct {
            EncodedBuffer1 x_buf1;
            EncodedBuffer2 x_buf2;
        };
        struct {
            EncodedBuffer2 y_buf1;
            EncodedBuffer1 y_buf2;
        };
    };
} MyData1;

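/* Minimal reproducer: copies argv[1] into the one-byte `string1` member.
 * With _FORTIFY_SOURCE gcc lowers the strcpy below to __strcpy_chk using the
 * declared size of string1 (1) as the bound, so `./a.out 123` aborts with
 * "*** buffer overflow detected ***" even though d1 itself is large enough.
 * Returns 0 after the copy, 1 when no argument was supplied. */
int main(int argc, char *argv[])
{
    /* The original dereferenced argv[1] unconditionally, so running the
     * binary without an argument crashed on a NULL pointer instead of
     * demonstrating the fortify check. */
    if (argc < 2 || argv[1] == NULL) {
        return 1;
    }

    MyData1 d1;
    memset(&d1, 0, sizeof(d1));
    d1.size = sizeof(d1);
    /* Anything longer than the terminator alone writes outside the declared
     * string1 object; the fortified check bounds by that object, not by d1. */
    strcpy(d1.string1, argv[1]);
    return 0;
}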

gcc -O2 -v

Using built-in specs.
COLLECT_GCC=gcc-4.8
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/4.8/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu 4.8.5-4ubuntu2' --with-bugurl=file:///usr/share/doc/gcc-4.8/README.Bugs --enable-languages=c,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-4.8 --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --with-gxx-include-dir=/usr/include/c++/4.8 --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --enable-gnu-unique-object --disable-libmudflap --enable-plugin --with-system-zlib --disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-4.8-amd64/jre --enable-java-home --with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-4.8-amd64 --with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-4.8-amd64 --with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --enable-objc-gc --enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 4.8.5 (Ubuntu 4.8.5-4ubuntu2)
COLLECT_GCC_OPTIONS='-O2' '-v' '-mtune=generic' '-march=x86-64'
 /usr/lib/gcc/x86_64-linux-gnu/4.8/cc1plus -quiet -v -imultiarch x86_64-linux-gnu -D_GNU_SOURCE 2.cpp -quiet -dumpbase 2.cpp -mtune=generic -march=x86-64 -auxbase 2 -O2 -version -fstack-protector -Wformat -Wformat-security -o /tmp/cc7vXPnz.s
GNU C++ (Ubuntu 4.8.5-4ubuntu2) version 4.8.5 (x86_64-linux-gnu)
    compiled by GNU C version 4.8.5, GMP version 6.1.0, MPFR version 3.1.3-p5, MPC version 1.0.3
warning: MPFR header version 3.1.3-p5 differs from library version 3.1.4.
GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
ignoring duplicate directory "/usr/include/x86_64-linux-gnu/c++/4.8"
ignoring nonexistent directory "/usr/local/include/x86_64-linux-gnu"
ignoring nonexistent directory "/usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../x86_64-linux-gnu/include"
#include "..." search starts here:
#include <...> search starts here:
 /usr/include/c++/4.8
 /usr/include/x86_64-linux-gnu/c++/4.8
 /usr/include/c++/4.8/backward
 /usr/lib/gcc/x86_64-linux-gnu/4.8/include
 /usr/local/include
 /usr/lib/gcc/x86_64-linux-gnu/4.8/include-fixed
 /usr/include/x86_64-linux-gnu
 /usr/include
End of search list.
GNU C++ (Ubuntu 4.8.5-4ubuntu2) version 4.8.5 (x86_64-linux-gnu)
    compiled by GNU C version 4.8.5, GMP version 6.1.0, MPFR version 3.1.3-p5, MPC version 1.0.3
warning: MPFR header version 3.1.3-p5 differs from library version 3.1.4.
GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
Compiler executable checksum: f5d21a1dc5d9b70befc71d2006b2e7c5
COLLECT_GCC_OPTIONS='-O2' '-v' '-mtune=generic' '-march=x86-64'
 as -v --64 -o /tmp/ccpgLPzV.o /tmp/cc7vXPnz.s
GNU assembler version 2.26.1 (x86_64-linux-gnu) using BFD version (GNU Binutils for Ubuntu) 2.26.1
COMPILER_PATH=/usr/lib/gcc/x86_64-linux-gnu/4.8/:/usr/lib/gcc/x86_64-linux-gnu/4.8/:/usr/lib/gcc/x86_64-linux-gnu/:/usr/lib/gcc/x86_64-linux-gnu/4.8/:/usr/lib/gcc/x86_64-linux-gnu/
LIBRARY_PATH=/usr/lib/gcc/x86_64-linux-gnu/4.8/:/usr/lib/gcc/x86_64-linux-gnu/4.8/../../../x86_64-linux-gnu/:/usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../lib/:/lib/x86_64-linux-gnu/:/lib/../lib/:/usr/lib/x86_64-linux-gnu/:/usr/lib/../lib/:/usr/lib/gcc/x86_64-linux-gnu/4.8/../../../:/lib/:/usr/lib/
COLLECT_GCC_OPTIONS='-O2' '-v' '-mtune=generic' '-march=x86-64'
 /usr/lib/gcc/x86_64-linux-gnu/4.8/collect2 --sysroot=/ --build-id --eh-frame-hdr -m elf_x86_64 --hash-style=gnu --as-needed -dynamic-linker /lib64/ld-linux-x86-64.so.2 -z relro /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../x86_64-linux-gnu/crt1.o /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/4.8/crtbegin.o -L/usr/lib/gcc/x86_64-linux-gnu/4.8 -L/usr/lib/gcc/x86_64-linux-gnu/4.8/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/4.8/../../.. /tmp/ccpgLPzV.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/x86_64-linux-gnu/4.8/crtend.o /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../x86_64-linux-gnu/crtn.o
Pan Ruochen
  • Could you please post actual compilable code, including `#include` and `int main`? Please include the compiler version and compiler options you are using. `the program crashed.` Why did it crash? Is `a_string` longer than 1024? – KamilCuk Apr 02 '21 at 13:56
  • @KamilCuk, Please check my changes on the post. – Pan Ruochen Apr 02 '21 at 14:25
  • `_EncodedBuffer1` Identifiers starting with leading `_` followed by upper-case letter are reserved. Do not use them in your code. `strcpy(d1.string1, argv[1]);` With what arguments are you executing the program? For sure it will "crash" when `argv[1]` is `NULL`. What compiler options are you using? `bool bool_balue;` at least `#include `. I know I may be picky - but an [MCVE] _really_ helps. – KamilCuk Apr 02 '21 at 14:31
  • compiled by gcc -O2 and ./a.out 123 crashed: *** buffer overflow detected ***: ./a.out terminated – Pan Ruochen Apr 02 '21 at 14:34
  • That would be strange - for `__strcpy_chk` to be generated _on glibc_ you have to have `-D_FORTIFY_SOURCE=1` in your compiler options. Do you? What would happen if you would add `#undef _FORTIFY_SOURCE` on top of your source file? What would happen if you would add `-D_FORTIFY_SOURCE=0` to your compiler options? Could you show the output of `gcc -O2 -v` when compiling the file? What linux distribution are you using (if using linux, are you?)? – KamilCuk Apr 02 '21 at 14:35
  • It is okay with #undef _FORTIFY_SOURCE. I guess the option turns off all overflow checking. But it is still not enough. I wish gcc would turn off checking on this structure and keep it on for the others. – Pan Ruochen Apr 02 '21 at 14:47
  • See my changes on the post for the gcc verion information. And I am using ubuntu 16.04. @KamilCuk – Pan Ruochen Apr 02 '21 at 14:56
  • You can use `__strcpy(d1.string1, argv[1]);` – KamilCuk Apr 02 '21 at 15:02

1 Answer


gcc isn't being too smart - it does exactly what you tell it: your code uses a buffer overflow as a feature.

When you write your example

struct MyData {
   int len;
   /* Declared size 1: this, not the malloc() size, is what the compiler's
    * object-size check bounds writes into `data` by. */
   char data[1];
};

MyData *d1 = malloc(1024);       /* 1024 bytes allocated, but the type promises only data[1] */
strcpy(d1->data, a_string);      /* the fortified strcpy bounds this copy by the declared 1 byte and aborts */

gcc sees a `strcpy` whose destination is a buffer of size 1, because that is what you told the compiler in the field's declaration `char data[1];`. gcc is being exactly as smart as it should be. The correct way to declare `MyData` is with a zero-sized array (the GNU spelling; standard C99 writes it as the flexible array member `char data[]`) as the last member of the struct. Note that such a member has to be the last member, so this does not apply to `string1` sitting inside a union in the middle of your `MyData1`.

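struct MyData {
   int len;
   /* Flexible array member (C99): the struct carries no fixed size for `data`,
    * so the compiler has no declared bound to check a copy into it against.
    * The original `char data[0]` is the pre-C99 GNU spelling of the same idea;
    * g++ (which the question's -v output shows was used) accepts either form
    * only as an extension.  Allocate with malloc(sizeof *d + payload_bytes)
    * and keep the real length in `len`. */
   char data[];
};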
Efi Weiss