Bug 994170 (CVE-2016-4973) - VUL-0: CVE-2016-4973: gcc: Targets using libssp for SSP are missing -D_FORTIFY_SOURCE functionality
Status: RESOLVED WORKSFORME
Alias: CVE-2016-4973
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Minor
Target Milestone: ---
Assignee: Richard Biener
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/171945/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-08-17 19:37 UTC by Marcus Meissner
Modified: 2016-08-18 08:30 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2016-08-17 19:37:07 UTC
rh#1324759

Targets that use libssp for SSP (e.g. newlib, Cygwin, RTEMS, MinGW, but not e.g. Glibc, Bionic, NetBSD which provide SSP in libc) are mistakenly missing out on -D_FORTIFY_SOURCE functionality even when explicitly specified. The problem is in gcc libssp/Makefile.am:

libsubincludedir = $(libdir)/gcc/$(target_noncanonical)/$(gcc_version)/include
nobase_libsubinclude_HEADERS = ssp/ssp.h ssp/string.h ssp/stdio.h ssp/unistd.h

Headers are structured so that they should be in $(libsubincludedir), instead of $(libsubincludedir)/ssp where they are currently placed.

Demonstration:

$ cat fortify_test.c
/* example from https://gcc.gnu.org/bugzilla/show_bug.cgi?id=50460 */
#include <stdio.h>
#include <string.h>

const char *str1 = "JIHGFEDCBA";

int
main ()
{
  struct A { char buf1[9]; char buf2[1]; } a;
  strcpy (a.buf1 + (0 + 4), str1 + 5);
  printf("%s %s\n", a.buf1, a.buf2);
  return 0;
}

$ gcc -D_FORTIFY_SOURCE=2 -fstack-protector-strong -o fortify_test -O2 fortify_test.c
$ nm -C fortify_test | grep strcpy
U __strcpy_chk@@GLIBC_2.3.4

$ i686-w64-mingw32-gcc -D_FORTIFY_SOURCE=2 -fstack-protector-strong -o fortify_test.exe -O2 fortify_test.c
$ i686-w64-mingw32-nm -C fortify_test.exe | grep strcpy
004061e8 I _imp__strcpy
00402624 T strcpy

If headers are moved, we can see:

$ i686-w64-mingw32-gcc -D_FORTIFY_SOURCE=2 -fstack-protector-strong -o fortify_test.exe -O2 fortify_test.c
$ i686-w64-mingw32-nm -C fortify_test.exe | grep strcpy
00406200 I _imp____strcpy_chk
00401590 T __strcpy_chk

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1324759
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4973
http://seclists.org/oss-sec/2016/q3/300
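
The nm comparison in the report above can be turned into a build check. The following is an added example, not part of the original report or of GCC; the function name fortify_status and the FORTIFIABLE sample list are assumptions of this example, and the sample input is the MinGW nm output quoted in the report.

```shell
#!/bin/sh
# Added example: classify `nm` output by whether fortifiable libc calls
# were redirected to their __*_chk variants.
# FORTIFIABLE is a sample list chosen for this example, not an exhaustive one.
FORTIFIABLE="memcpy memmove memset strcpy strncpy strcat strncat sprintf snprintf vsprintf vsnprintf"

# Reads nm output on stdin; prints "fortified", "unfortified" or "none",
# followed by the functions that led to the verdict.
fortify_status() {
    awk -v list="$FORTIFIABLE" '
    BEGIN { n = split(list, f, " "); for (i = 1; i <= n; i++) want[f[i]] = 1 }
    NF {
        sym = $NF                    # symbol name is the last nm column
        sub(/@.*$/, "", sym)         # ELF version suffix, e.g. @@GLIBC_2.3.4
        sub(/^_+imp_+/, "", sym)     # PE import-table prefix (_imp__)
        sub(/^_+/, "", sym)          # remaining leading underscores
        base = sym
        if (sub(/_chk$/, "", base) && (base in want)) chk[base] = 1
        else if (sym in want) plain[sym] = 1
    }
    END {
        for (i = 1; i <= n; i++) {   # walk the list in order for stable output
            if (f[i] in chk) c = c " " f[i]
            if (f[i] in plain) p = p " " f[i]
        }
        if (c != "") print "fortified:" c
        else if (p != "") print "unfortified:" p
        else print "none"
    }'
}

# MinGW listing from the report, before the headers are moved.
fortify_status <<'EOF'
004061e8 I _imp__strcpy
00402624 T strcpy
EOF

# MinGW listing from the report, after the headers are moved.
fortify_status <<'EOF'
00406200 I _imp____strcpy_chk
00401590 T __strcpy_chk
EOF
```

An "unfortified" verdict is a prompt to inspect the toolchain's header search path rather than proof of this bug, since calls whose destination size the compiler cannot determine also stay on the plain function.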
Comment 1 Marcus Meissner 2016-08-17 19:37:49 UTC
I think we are not affected, but could you cross check, richi?
Comment 2 Swamp Workflow Management 2016-08-17 22:00:25 UTC
bugbot adjusting priority
Comment 3 Richard Biener 2016-08-18 08:30:15 UTC
(In reply to Marcus Meissner from comment #0)
> rh#1324759
> 
> targets that use libssp for SSP (e.g. newlib, Cygwin, RTEMS, MinGW, but not
> e.g. Glibc, Bionic, NetBSD which provide SSP in libc)

           ^^^^

but _not_ glibc.  We do not ship libssp:

        --enable-ssp \
        --disable-libssp \

Not a bug for us.