This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: US-CERT Vulnerability Note VU#162289

Andrew,

We'll also add:

-Wstrict-overflow=5

As a work around.

You are right, I don't regularly read the GCC mailing lists as GCC is not our only concern. This problem came to our attention because it affected one of your users. We did consult with Mark before publishing.

rCs


On Mon, Apr 7, 2008 at 10:28 AM, Robert C. Seacord <rcs@cert.org> wrote:
I believe the vulnerability is that gcc may *silently* discard the overflow
checks and that this is a recent change in behavior.

No it is not recent, unless you consider 1998 recent :).  I don't know
how many times but we have not changed the behavior of GCC with
respect of signed integer overflow being undefined.  Since the loop
optimizers have said this before, we just added an extra pass which
depends on it more.  I guess you did not read the GCC mailing list
before posting this Vulnerability because we already discussed this
many many times before around the time GCC 4.2.0 came out.

Also try -Wstrict-overflow=5 in GCC 4.2.3 and in GCC 4.3.0, we already
warn about most if not all cases already.

Thanks,
Andrew Pinski


--
Robert C. Seacord
Senior Vulnerability Analyst
CERT/CC 

Work: 412-268-7608
FAX: 412-268-6989

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]