https://gcc.gnu.org/bugzilla/show_bug.cgi?id=120929

            Bug ID: 120929
           Summary: [16 Regression] file-5.45 triggers stack protection
                    false positives since r16-1905-g7165ca43caf470
           Product: gcc
           Version: 16.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: tree-optimization
          Assignee: unassigned at gcc dot gnu.org
          Reporter: slyfox at gcc dot gnu.org
  Target Milestone: ---

Initially observed as `file` project build failure against `gcc-master`.
Bisected `gcc` down to r16-1905-g7165ca43caf470.

This is the `file` backtrace from `file` `git`:

$ git clone https://github.com/file/file.git
$ cd file
$ autoreconf -ivf
$ make
...
../src/file -C -m magic
*** buffer overflow detected ***: terminated

Backtrace:

$ cd magic
$ LD_LIBRARY_PATH=../src/.libs gdb --args ..//src/.libs/file -C -m magic
(gdb) run
(gdb) bt
#0  0x00007ffff7ca253c in __pthread_kill_implementation () from /nix/store/2y6w65brrlgjifjiqmd9agjh87fw3a5r-glibc-2.41-4/lib/libc.so.6
#1  0x00007ffff7c42e8e in raise () from /nix/store/2y6w65brrlgjifjiqmd9agjh87fw3a5r-glibc-2.41-4/lib/libc.so.6
#2  0x00007ffff7c293f8 in abort () from /nix/store/2y6w65brrlgjifjiqmd9agjh87fw3a5r-glibc-2.41-4/lib/libc.so.6
#3  0x00007ffff7c2a42a in __libc_message_impl.cold () from /nix/store/2y6w65brrlgjifjiqmd9agjh87fw3a5r-glibc-2.41-4/lib/libc.so.6
#4  0x00007ffff7d36b19 in __fortify_fail () from /nix/store/2y6w65brrlgjifjiqmd9agjh87fw3a5r-glibc-2.41-4/lib/libc.so.6
#5  0x00007ffff7d363e4 in __chk_fail () from /nix/store/2y6w65brrlgjifjiqmd9agjh87fw3a5r-glibc-2.41-4/lib/libc.so.6
#6  0x00007ffff7f8ea0b in memcpy (__dest=0x7ffff7100010, __src=<optimized out>, __len=<optimized out>) at /nix/store/f9sj2zw0nclykz90gsrbzdjl5hh88ff4-glibc-2.41-4-dev/include/bits/string_fortified.h:29
#7  coalesce_entries (ms=0x40a300, me=<optimized out>, nme=<optimized out>, ma=0x40a5b8, nma=0x40a5c8) at apprentice.c:1511
#8  apprentice_load (ms=ms@entry=0x40a300, fn=fn@entry=0x40a500 "magic", action=action@entry=2) at apprentice.c:1634
#9  0x00007ffff7f8ebe8 in apprentice_1 (ms=0x40a300, fn=0x40a500 "magic", action=2) at apprentice.c:494
#10 file_apprentice (ms=0x40a300, fn=0x40a500 "magic", action=2) at apprentice.c:781
#11 0x00007ffff7f88f99 in magic_compile (ms=0x40a300, magicfile=0x7fffffffc15c "magic") at magic.c:345
#12 0x0000000000402aad in main (argc=4, argv=0x7fffffffbaf8) at file.c:400

I suspect that coalesce_entries() at apprentice.c:1511 fails -DFORTIFY_SOURCE=3
as it confuses pointer to pointers as object sizes:

https://github.com/file/file/blob/9505a205a84bb53b5937b2ef35c3a315ef82cc14/src/apprentice.c#L1510

No minimal reproducer yet.