QTBUG-103782

Buffer overflow in qt_readlink (in qmlplugindump, via qmake) with -D_FORTIFY_SOURCE=3 and GCC 12


Details

    • Bug
    • Resolution: Done
    • P2: Important
    • None
    • 5.15.4
    • Core: Other
    • None
    • Linux/Wayland, Linux/X11
    • 2
    • 2778f02021 (qt/tqtc-qtbase/5.15)
    • Team A Foundation Sprint 58

    Description

      Originally reported in Gentoo. Reported to GCC where it was explained that `qt_readlink` is to blame.

      Noticed when building net-libs/accounts-qml (https://accounts-sso.gitlab.io/).

      It crashed on calling qmake (part of qtcore) which was calling /usr/lib64/qt5/bin/qmlplugindump (part of qtdeclarative):

      make[1]: Entering directory '/var/tmp/portage/net-libs/accounts-qml-0.7-r1/work/accounts-qml-module-VERSION_0.7/src'
      export LD_PRELOAD=Ubuntu/OnlineAccounts/libAccounts.so; /usr/lib64/qt5/bin/qmlplugindump -notrelocatable Ubuntu.OnlineAccounts 0.1 . > Ubuntu/OnlineAccounts/plugin.qmltypes
      /usr/lib64/qt5/bin/qmake -install qinstall /var/tmp/portage/net-libs/accounts-qml-0.7-r1/work/accounts-qml-module-VERSION_0.7/src/Ubuntu/OnlineAccounts/qmldir /var/tmp/portage/net-libs/accounts-qml-0.7-r1/image/usr/lib64/qt5/qml/Ubuntu/OnlineAccounts/qmldir
      /usr/lib64/qt5/bin/qmake -install qinstall -exe Ubuntu/OnlineAccounts/libAccounts.so /var/tmp/portage/net-libs/accounts-qml-0.7-r1/image/usr/lib64/qt5/qml/Ubuntu/OnlineAccounts/libAccounts.so
      *** buffer overflow detected ***: terminated
      make[1]: *** [Makefile:818: Ubuntu/OnlineAccounts/plugin.qmltypes] Aborted (core dumped)
      make[1]: *** Deleting file 'Ubuntu/OnlineAccounts/plugin.qmltypes'
      make[1]: Leaving directory '/var/tmp/portage/net-libs/accounts-qml-0.7-r1/work/accounts-qml-module-VERSION_0.7/src'
      make: *** [Makefile:71: sub-src-install_subtargets-ordered] Error 2
       * ERROR: net-libs/accounts-qml-0.7-r1::gentoo failed (install phase):
       *   emake failed
      

      Backtrace of the original failure:

      Using host libthread_db library "/usr/lib64/libthread_db.so.1".
      Core was generated by `/usr/lib64/qt5/bin/qmlplugindump -notrelocatable Ubuntu.OnlineAccounts 0.1 .'.
      Program terminated with signal SIGABRT, Aborted.
      #0  0x00007f06afee44ec in ?? () from /usr/lib64/libc.so.6
      [Current thread is 1 (Thread 0x7f06ac1c31c0 (LWP 37))]
      gef➤  bt
      #0  0x00007f06afee44ec in  () at /usr/lib64/libc.so.6
      #1  0x00007f06afe935e2 in raise () at /usr/lib64/libc.so.6
      #2  0x00007f06afe7d46c in abort () at /usr/lib64/libc.so.6
      #3  0x00007f06afed8126 in  () at /usr/lib64/libc.so.6
      #4  0x00007f06aff77ce2 in __fortify_fail () at /usr/lib64/libc.so.6
      #5  0x00007f06aff766c2 in  () at /usr/lib64/libc.so.6
      #6  0x00007f06aff76ba0 in __readlinkat_chk () at /usr/lib64/libc.so.6
      #7  0x00007f06b05607ce in readlink (__len=0x100, __buf=<optimized out>, __path=0x55955442aab8 "/etc/localtime") at /usr/include/bits/unistd.h:119
      #8  qt_readlink(char const*) (path=0x55955442aab8 "/etc/localtime") at /usr/src/debug/dev-qt/qtcore-5.15.4/qtbase-everywhere-src-5.15.4/src/corelib/kernel/qcore_unix.cpp:68
      #9  0x00007f06b04b8c2a in QFileSystemEngine::getLinkTarget(QFileSystemEntry const&, QFileSystemMetaData&) (link=..., data=...) at /usr/src/debug/dev-qt/qtcore-5.15.4/qtbase-everywhere-src-5.15.4/src/corelib/io/qfilesystemengine_unix.cpp:628
      #10 0x00007f06b045ce50 in QFileInfoPrivate::getFileName(QAbstractFileEngine::FileName) const (this=0x559554417310, name=QAbstractFileEngine::LinkName) at /usr/src/debug/dev-qt/qtcore-5.15.4/qtbase-everywhere-src-5.15.4/src/corelib/io/qfileinfo.cpp:71
      #11 0x00007f06b045edca in QFileInfo::symLinkTarget() const (this=this@entry=0x7fff00632520) at /usr/src/debug/dev-qt/qtcore-5.15.4/qtbase-everywhere-src-5.15.4/src/corelib/io/qfileinfo.cpp:1237
      #12 0x00007f06b045884f in QFile::symLinkTarget(QString const&) (fileName=...) at /usr/src/debug/dev-qt/qtcore-5.15.4/qtbase-everywhere-src-5.15.4/src/corelib/io/qfile.cpp:492
      #13 0x00007f06b0438140 in (anonymous namespace)::ZoneNameReader::etcLocalTime () at /usr/src/debug/dev-qt/qtcore-5.15.4/qtbase-everywhere-src-5.15.4/src/corelib/time/qtimezoneprivate_tz.cpp:1255
      #14 (anonymous namespace)::ZoneNameReader::name (this=<optimized out>) at /usr/src/debug/dev-qt/qtcore-5.15.4/qtbase-everywhere-src-5.15.4/src/corelib/time/qtimezoneprivate_tz.cpp:1205
      #15 QTzTimeZonePrivate::systemTimeZoneId() const (this=<optimized out>) at /usr/src/debug/dev-qt/qtcore-5.15.4/qtbase-everywhere-src-5.15.4/src/corelib/time/qtimezoneprivate_tz.cpp:1314
      #16 0x00007f06b04387ce in QTzTimeZonePrivate::QTzTimeZonePrivate() (this=this@entry=0x55955442aa20) at /usr/src/debug/dev-qt/qtcore-5.15.4/qtbase-everywhere-src-5.15.4/src/corelib/time/qtimezoneprivate_tz.cpp:663
      #17 0x00007f06b042a50c in newBackendTimeZone () at /usr/src/debug/dev-qt/qtcore-5.15.4/qtbase-everywhere-src-5.15.4/src/corelib/time/qtimezone.cpp:68
      #18 QTimeZoneSingleton::QTimeZoneSingleton() (this=0x7f06b07eb6a8 <(anonymous namespace)::Q_QGS_global_tz::innerFunction()::holder>) at /usr/src/debug/dev-qt/qtcore-5.15.4/qtbase-everywhere-src-5.15.4/src/corelib/time/qtimezone.cpp:109
      #19 Holder::Holder (this=0x7f06b07eb6a8 <(anonymous namespace)::Q_QGS_global_tz::innerFunction()::holder>) at /usr/src/debug/dev-qt/qtcore-5.15.4/qtbase-everywhere-src-5.15.4/src/corelib/time/qtimezone.cpp:118
      #20 (anonymous namespace)::Q_QGS_global_tz::innerFunction () at /usr/src/debug/dev-qt/qtcore-5.15.4/qtbase-everywhere-src-5.15.4/src/corelib/time/qtimezone.cpp:118
      #21 QGlobalStatic<QTimeZoneSingleton, (anonymous namespace)::Q_QGS_global_tz::innerFunction, (anonymous namespace)::Q_QGS_global_tz::guard>::operator-> (this=<optimized out>) at /usr/src/debug/dev-qt/qtcore-5.15.4/qtbase-everywhere-src-5.15.4/include/QtCore/../../src/corelib/global/qglobalstatic.h:140
      #22 QTimeZone::systemTimeZone() () at /usr/src/debug/dev-qt/qtcore-5.15.4/qtbase-everywhere-src-5.15.4/src/corelib/time/qtimezone.cpp:819
      #23 0x00007f06b15ee3b3 in getLocalTZA () at /usr/src/debug/dev-qt/qtdeclarative-5.15.4/qtdeclarative-everywhere-src-5.15.4/src/qml/jsruntime/qv4dateobject.cpp:723
      #24 QV4::DatePrototype::init(QV4::ExecutionEngine*, QV4::Object*) (this=0x7f06ab16d068, engine=engine@entry=0x559554421360, ctor=0x7f06ab16d198) at /usr/src/debug/dev-qt/qtdeclarative-5.15.4/qtdeclarative-everywhere-src-5.15.4/src/qml/jsruntime/qv4dateobject.cpp:848
      #25 0x00007f06b15b777d in QV4::ExecutionEngine::ExecutionEngine(QJSEngine*) (this=this@entry=0x559554421360, jsEngine=jsEngine@entry=0x7fff00632a50) at /usr/src/debug/dev-qt/qtdeclarative-5.15.4/qtdeclarative-everywhere-src-5.15.4/src/qml/jsruntime/qv4engine.cpp:630
      #26 0x00007f06b15abdd4 in QJSEngine::QJSEngine(QJSEnginePrivate&, QObject*) (this=this@entry=0x7fff00632a50, dd=..., parent=parent@entry=0x0) at /usr/src/debug/dev-qt/qtdeclarative-5.15.4/qtdeclarative-everywhere-src-5.15.4/src/qml/jsapi/qjsengine.cpp:355
      #27 0x00007f06b1713be0 in QQmlEngine::QQmlEngine(QObject*) (this=0x7fff00632a50, parent=0x0) at /usr/src/debug/dev-qt/qtdeclarative-5.15.4/qtdeclarative-everywhere-src-5.15.4/src/qml/qml/qqmlengine.cpp:982
      #28 0x0000559552a57598 in main(int, char**) (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/dev-qt/qtdeclarative-5.15.4/qtdeclarative-everywhere-src-5.15.4/tools/qmlplugindump/main.cpp:1185
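As an added illustration (not Qt's qt_readlink() and not from this report) of the contract glibc's __readlinkat_chk enforces: the length handed to readlink() must not exceed the size of the destination buffer. The wrapper below follows the same grow-and-retry shape, passes exactly its allocation on every call, handles readlink(2)'s lack of NUL termination, and caps growth at PATH_MAX; the /tmp link path and the symlink targets in the self-check are constructed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Illustrative wrapper, not Qt's qt_readlink(): read a symlink target into a
 * malloc'd, NUL-terminated string, doubling the buffer while readlink() fills
 * it. The length passed to readlink() is always the exact allocation, which is
 * the invariant glibc's __readlinkat_chk verifies under _FORTIFY_SOURCE. */
char *readlink_grow(const char *path)
{
    size_t cap = 32;                 /* small on purpose so growth is exercised */
    char *buf = NULL;
    for (;;) {
        char *nbuf = realloc(buf, cap);
        if (!nbuf) { free(buf); errno = ENOMEM; return NULL; }
        buf = nbuf;
        ssize_t len = readlink(path, buf, cap);     /* length == object size */
        if (len < 0) { int e = errno; free(buf); errno = e; return NULL; }
        if ((size_t)len < cap) {
            buf[len] = '\0';         /* readlink(2) does not NUL-terminate */
            return buf;
        }
        /* len == cap: target may be truncated; grow and retry, with a ceiling */
        if (cap >= PATH_MAX) { free(buf); errno = ENAMETOOLONG; return NULL; }
        cap *= 2;
    }
}

/* Constructed self-check: create a symlink to `target` under /tmp, read it
 * back with readlink_grow(), and return 1 if it round-trips unchanged. */
int roundtrip_symlink(const char *target)
{
    char lnk[PATH_MAX];
    snprintf(lnk, sizeof lnk, "/tmp/readlink-example-%ld", (long)getpid());
    unlink(lnk);                     /* ENOENT is fine; clears a stale link */
    if (symlink(target, lnk) != 0)
        return 0;
    char *got = readlink_grow(lnk);
    int ok = got != NULL && strcmp(got, target) == 0;
    free(got);
    unlink(lnk);
    return ok;
}
```

A 32-byte target is the interesting case: the first call returns exactly cap, so the wrapper grows and retries before it can be sure the result is complete.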
      

      Attachments

        1. fortify.cxx
          1.0 kB
          Sam James

        People

            Eddy Edward Welbourne
            thesamesam Sam James
            Vladimir Minenko
            Alex Blasche