This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.



Re: US-CERT Vulnerability Note VU#162289


* Robert C. Seacord:

> I agree with you that the behavior that gcc exhibits in this case is
> permitted by the ISO/IEC 9899:1999 C specification
> <http://www.open-std.org/JTC1/SC22/WG14/www/docs/n1124.pdf>
> (§6.5.6p8). I believe the vulnerability is that gcc may *silently*
> discard the overflow checks and that this is a recent change in
> behavior.

The problem is that there is no overflow check in the code.  At a purely
syntactic level, it appears that there is an overflow check.  But this
is true for integer overflows, too.

There are some issues that are debatable, like non-two's-complement
arithmetic for signed integers (also a feature of GCC and other
compilers)--or operator new[] overflows, for which I'd really like to
see run-time checks.

But treating C pointers as machine addresses is pretty clearly flawed
code.  For instance, are pointers compared as signed or unsigned
integers at the instruction level?  Which behavior do you need so that
your checks actually work as expected?
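Written out as an added example (not part of the thread): the pointer "overflow check" the note describes, next to a form whose result the standard actually defines, plus the signed-integer analogue the reply alludes to. The function names and the sample buffer are this example's own.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not from the thread): the check VU#162289 is about,
 * beside a form the C standard defines.  Names here are invented. */

static char sample[64];   /* constructed buffer standing in for real data */

/* As it appears in flawed code.  Forming buf + len is only defined while
 * the result stays within the object (or one past it), C99 6.5.6p8, so a
 * compiler may assume buf + len >= buf and delete the first test. */
static int has_room_flawed(const char *buf, size_t len, const char *end)
{
    if (buf + len < buf)        /* undefined if buf + len wraps */
        return 0;
    return buf + len <= end;    /* undefined if buf + len is past end */
}

/* Defined form: compare lengths and never form the out-of-range pointer.
 * end - buf is defined when both point into the same object, and the
 * comparison is on size_t, so signed-vs-unsigned pointer compares at the
 * instruction level no longer matter. */
static int has_room(const char *buf, size_t len, const char *end)
{
    if (end < buf)
        return 0;
    return len <= (size_t)(end - buf);
}

/* The integer analogue: a + b < a is undefined on signed overflow too,
 * so test against the limit before adding. */
static int add_overflows(int a, int b)
{
    if (b > 0)
        return a > INT_MAX - b;
    return a < INT_MIN - b;
}

int main(void)
{
    const char *end = sample + sizeof sample;
    printf("64 bytes at start: flawed=%d defined=%d\n",
           has_room_flawed(sample, 64, end), has_room(sample, 64, end));
    /* only the defined form can be asked about a wrapping length */
    printf("SIZE_MAX bytes: defined=%d\n", has_room(sample, (size_t)-1, end));
    printf("INT_MAX + 1 overflows: %d\n", add_overflows(INT_MAX, 1));
    return 0;
}
```

The flawed function is deliberately never called with a length that would leave the buffer, because that call itself would be undefined; the defined form can be asked about any length.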

