php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #81233 gcc catches number of memory issues by -Werror
Submitted: 2021-07-08 01:24 UTC Modified: 2021-07-19 08:02 UTC
From: yohgaki at ohgaki dot net Assigned:
Status: Open Package: Compile Failure
PHP Version: Irrelevant OS: Fedora 34
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2021-07-08 01:24 UTC] yohgaki at ohgaki dot net
Description:
------------
Newer gcc catches memory issues during compile time and raise warnings. Since 7.4, -Werror compile flag that makes warning to error, PHP cannot be compiled. Therefore, Fedora 34 cannot compile PHP from 7.4 to master.

$ uname -a
Linux dev 5.12.13-300.fc34.x86_64 #1 SMP Wed Jun 23 16:18:11 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ gcc --version
gcc (GCC) 11.1.1 20210531 (Red Hat 11.1.1-3)



There are number of issues catched by gcc. Followings are examples.

hash_gost has wrong prototype or wrong definition for 1st param. Clearly a bug.
------------------
/home/yohgaki/git/oss/php.net/PHP-7.4/ext/hash/hash_gost.c:286:47: error: argument 1 of type 'unsigned char[32]' with mismatched bound [-Werror=array-parameter=]
  286 | PHP_HASH_API void PHP_GOSTFinal(unsigned char digest[32], PHP_GOST_CTX *context)
      |                                 ~~~~~~~~~~~~~~^~~~~~~~~~
In file included from /home/yohgaki/git/oss/php.net/PHP-7.4/ext/hash/hash_gost.c:21:
/home/yohgaki/git/oss/php.net/PHP-7.4/ext/hash/php_hash_gost.h:35:33: note: previously declared as 'unsigned char[64]'
   35 | PHP_HASH_API void PHP_GOSTFinal(unsigned char[64], PHP_GOST_CTX *);
      |                                 ^~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
make: *** [Makefile:1119: ext/hash/hash_gost.lo] Error 1
make: *** Waiting for unfinished jobs....
----------------------


It seems this strncpy does not consider null char.
----------------------
/home/yohgaki/git/oss/php.net/PHP-master/ext/pdo/pdo_dbh.c:85:9: error: 'strncpy' specified bound 6 equals destination size [-Werror=stringop-truncation]
   85 |         strncpy(*pdo_err, sqlstate, 6);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
----------------------


This may be false-positive, but out of bound access possibly. It doesn't compile with -Werror anyway.
----------------------
/home/yohgaki/git/oss/php.net/PHP-master/ext/opcache/jit/dynasm/dasm_x86.h:127:19: error: array subscript -10 is outside array bounds of 'void *[36]' [-Werror=array-bounds]
  127 |   D->globals = gl - 10;  /* Negative bias to compensate for locals. */
      |                ~~~^~~~
In file included from /home/yohgaki/git/oss/php.net/PHP-master/ext/opcache/jit/zend_jit.c:729:
/home/yohgaki/git/oss/php.net/PHP-master/ext/opcache/jit/zend_jit_x86.dasc:143:14: note: while referencing 'dasm_labels'
  143 | static void* dasm_labels[zend_lb_MAX];
      |              ^~~~~~~~~~~
cc1: all warnings being treated as errors
----------------------



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-07-08 10:46 UTC] cmb@php.net
> hash_gost has wrong prototype or wrong definition for 1st param.
> Clearly a bug.

Well, it might hint at a bug, but isn't a bug per se, since array
parameters are degraded to pointers anway.  This has been fixed a
while ago in master[1], since apparently there is no actual bug.

> It seems this strncpy does not consider null char.

Certainly not clean (should probably be a memcpy()), but doesn't
look like a real bug.

> This may be false-positive, but out of bound access possibly.

That would be something Dmitry should have a look at.

[1] <https://github.com/php/php-src/commit/e0e3d9851ae517429d1bfc7eb2df9df917406d2c>
 [2021-07-08 22:19 UTC] yohgaki@php.net
Compile errors are examples. I didn't try to find all of them and there may be real memory issues. It would be nice to use newer gcc for CI if it is possible.
 [2021-07-12 08:29 UTC] nikic@php.net
-Type: Security +Type: Bug
 [2021-07-19 08:02 UTC] dmitry@php.net
The array bounds warning in JIT is definitely a false positive.

I won't like to fix this in any way, because the warnings occurs in DynAsm header, borrowed from LuaJIT project.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Mon Sep 27 08:03:38 2021 UTC