https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77409
Bug ID: 77409
Summary: CVE-2016-4973 Targets using libssp for SSP are missing -D_FORTIFY_SOURCE functionality
Product: gcc
Version: 6.1.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: other
Assignee: unassigned at gcc dot gnu.org
Reporter: yselkowi at redhat dot com
CC: jon_y at users dot sourceforge.net, ktietz at gcc dot gnu.org
Target Milestone: ---

Targets that use libssp for SSP (e.g. newlib, Cygwin, RTEMS, MinGW, but not e.g. Glibc, Bionic, NetBSD which provide SSP in libc) are mistakenly missing out on -D_FORTIFY_SOURCE functionality even when explicitly specified.

The problem is in gcc libssp/Makefile.am:

    libsubincludedir = $(libdir)/gcc/$(target_noncanonical)/$(gcc_version)/include
    nobase_libsubinclude_HEADERS = ssp/ssp.h ssp/string.h ssp/stdio.h ssp/unistd.h

Headers are structured so that they should be in $(libsubincludedir), instead of $(libsubincludedir)/ssp where they are currently placed.

Demonstration:

    $ cat fortify_test.c
    /* example from bug 50460 */
    #include <stdio.h>
    #include <string.h>

    const char *str1 = "JIHGFEDCBA";

    int
    main ()
    {
      struct A { char buf1[9]; char buf2[1]; } a;
      strcpy (a.buf1 + (0 + 4), str1 + 5);
      printf("%s %s\n", a.buf1, a.buf2);
      return 0;
    }

    $ gcc -D_FORTIFY_SOURCE=2 -fstack-protector-strong -o fortify_test -O2 fortify_test.c
    $ nm -C fortify_test | grep strcpy
             U __strcpy_chk@@GLIBC_2.3.4

    $ i686-w64-mingw32-gcc -D_FORTIFY_SOURCE=2 -fstack-protector-strong -o fortify_test.exe -O2 fortify_test.c
    $ i686-w64-mingw32-nm -C fortify_test.exe | grep strcpy
    004061e8 I _imp__strcpy
    00402624 T strcpy

If headers are moved, we can see:

    $ i686-w64-mingw32-gcc -D_FORTIFY_SOURCE=2 -fstack-protector-strong -o fortify_test.exe -O2 fortify_test.c
    $ i686-w64-mingw32-nm -C fortify_test.exe | grep strcpy
    00406200 I _imp____strcpy_chk
    00401590 T __strcpy_chk

Red Hat Product Security has assigned CVE-2016-4973 to this issue.

Further discussion: https://bugzilla.redhat.com/show_bug.cgi?id=1324759
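
The nm comparison from the report above, turned into a reusable check. This is an added example, not part of the original report or of GCC: the function name `fortify_report`, the `sample_*` helpers and the list of function names are assumptions made for illustration, and the sample lines are the nm outputs quoted in the report.

```shell
#!/bin/sh
# Added example: classify nm output as fortified (__<func>_chk) or plain.
# Usage on a real binary:  nm -C fortify_test.exe | fortify_report
#
# Illustrative subset of functions that _FORTIFY_SOURCE can redirect (assumption).
FORTIFY_FUNCS="memcpy memmove memset strcpy strncpy strcat strncat sprintf snprintf"

# Reads nm output on stdin and prints one line per listed function it finds:
#   "<func> fortified"    a __<func>_chk symbol is present
#   "<func> unfortified"  only the plain symbol is present
# A plain symbol is also normal when the compiler proved a call safe or could
# not determine the object size, so the result is conclusive only for a known
# test program such as fortify_test.c from the report.
fortify_report() {
    # Symbol name is the last field; drop the glibc version suffix
    # ("@@GLIBC_2.3.4") and the PE import prefix ("_imp__") seen in the report.
    syms=$(awk '{print $NF}' | sed -e 's/@.*$//' -e 's/^_imp__//' | sort -u)
    for f in $FORTIFY_FUNCS; do
        if printf '%s\n' "$syms" | grep -qxF "__${f}_chk"; then
            echo "$f fortified"
        elif printf '%s\n' "$syms" | grep -qxF "$f"; then
            echo "$f unfortified"
        fi
    done
}

# nm lines quoted in the report: MinGW with headers under .../include/ssp,
# MinGW after moving the headers, and the glibc build.
sample_before() { printf '%s\n' '004061e8 I _imp__strcpy' '00402624 T strcpy'; }
sample_after()  { printf '%s\n' '00406200 I _imp____strcpy_chk' '00401590 T __strcpy_chk'; }
sample_glibc()  { printf '%s\n' '         U __strcpy_chk@@GLIBC_2.3.4'; }

echo "MinGW, headers in include/ssp: $(sample_before | fortify_report)"
echo "MinGW, headers moved:          $(sample_after | fortify_report)"
echo "glibc:                         $(sample_glibc | fortify_report)"
```

Running the check on the report's own test program in a toolchain's CI would catch a regression where -D_FORTIFY_SOURCE is accepted but silently has no effect.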