diff options
author | Alexey Sheplyakov <asheplyakov@yandex.ru> | 2021-07-10 22:18:14 +0400 |
---|---|---|
committer | Alexey Sheplyakov <asheplyakov@yandex.ru> | 2021-07-10 22:18:14 +0400 |
commit | 879b71d6e95673e58d33f6c3c341a893ee307161 (patch) | |
tree | 3070aa83a321b6c727806e5e7741eeeaed1f7a40 | |
parent | 68a9d020737449a6bc6cb09cf7161caa47dc498d (diff) | |
download | distcc-git-879b71d6e95673e58d33f6c3c341a893ee307161.tar.gz |
dcc_gcc_rewrite_fqn: avoid heap corruption
On ALT Linux I've run into the following bug:
distcc gcc -Wall -std=gnu89 -I. -O2 -o hello.o -c hello.c
free(): invalid next size (fast)
Aborted (core dumped)
Apparently dcc_gcc_rewrite writes beyond the allocated memory:
valgrind --leak-check=full -v ./distcc gcc -Wall -std=gnu89 -I. -O2 -o hello.o -c hello.c
==11382== ERROR SUMMARY: 53 errors from 5 contexts (suppressed: 0 from 0)
==11382==
==11382== 1 errors in context 1 of 5:
==11382== Invalid write of size 1
==11382== at 0x4C349D8: strcat (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11382== by 0x10D165: dcc_gcc_rewrite_fqn (compile.c:611)
==11382== by 0x10D4B4: dcc_build_somewhere (compile.c:725)
==11382== by 0x10DC01: dcc_build_somewhere_timed (compile.c:1014)
==11382== by 0x10E380: main (distcc.c:352)
==11382== Address 0x544e828 is 1 bytes after a block of size 23 alloc'd
==11382== at 0x4C31B0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11382== by 0x10D087: dcc_gcc_rewrite_fqn (compile.c:588)
==11382== by 0x10D4B4: dcc_build_somewhere (compile.c:725)
==11382== by 0x10DC01: dcc_build_somewhere_timed (compile.c:1014)
==11382== by 0x10E380: main (distcc.c:352)
==11382==
==11382==
==11382== 1 errors in context 2 of 5:
==11382== Invalid write of size 1
==11382== at 0x4C349C8: strcat (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11382== by 0x10D165: dcc_gcc_rewrite_fqn (compile.c:611)
==11382== by 0x10D4B4: dcc_build_somewhere (compile.c:725)
==11382== by 0x10DC01: dcc_build_somewhere_timed (compile.c:1014)
==11382== by 0x10E380: main (distcc.c:352)
==11382== Address 0x544e827 is 0 bytes after a block of size 23 alloc'd
==11382== at 0x4C31B0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11382== by 0x10D087: dcc_gcc_rewrite_fqn (compile.c:588)
==11382== by 0x10D4B4: dcc_build_somewhere (compile.c:725)
==11382== by 0x10DC01: dcc_build_somewhere_timed (compile.c:1014)
==11382== by 0x10E380: main (distcc.c:352)
and ALT Linux' hardened glibc does not quite like that.
Correctly compute the `newcmd_len` to avoid the problem.
ALTBUG: #40425
-rw-r--r-- | src/compile.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/compile.c b/src/compile.c index 3496456..26d7d18 100644 --- a/src/compile.c +++ b/src/compile.c @@ -584,7 +584,7 @@ static int dcc_gcc_rewrite_fqn(char **argv) return -ENOENT; - newcmd_len = strlen(target_with_vendor) + 1 + strlen(argv[0] + 1); + newcmd_len = strlen(target_with_vendor) + 1 + strlen(argv[0]) + 1; newcmd = malloc(newcmd_len); if (!newcmd) return -ENOMEM; |