This is the mail archive of the
gcc@gcc.gnu.org
mailing list for the GCC project.
Re: [RFC] Detect most integer overflows.
- From: Florian Weimer <fweimer at redhat dot com>
- To: OndÅej BÃlka <neleai at seznam dot cz>, gcc at gnu dot org
- Date: Wed, 30 Oct 2013 12:54:12 +0100
- Subject: Re: [RFC] Detect most integer overflows.
- Authentication-results: sourceware.org; auth=none
- References: <20131026192912 dot GA25428 at domone dot podge>
On 10/26/2013 09:29 PM, OndÅej BÃlka wrote:
Hi, as I brainstormed how prevent possible overflows in memory allocation I
came with heretic idea:
For gcc -D_FORTIFY_SOURCE=2 we expand all multiplication with size_t
type by one that checks for integer overflow and aborts on it. This
would prevent most overflow at cost of breaking some legitimate
applications that use multiplication in clever way.
Many of the critical multiplications are of the for n * sizeof(T), where
n is of type int or unsigned (or derived from input of that type), so
just switching to a 64 bit architecture papers over many issues.
Obviously, there are some remaining issues (computation in int/unsigned
and implicit cast to size_t at the end), but those won't be caught by
trapping size_t arithmetic, either. Aborting on a
negative-value-to-size_t cast doesn't help because those are precisely
the cases that are not exploitable (beyond DoS).
But do we actually care about integer overflows? Java suggests that
it's possible to have memory safety without integer overflows, and I
think improved memory safety is ultimately the goal.
It would still be nice to have a way to write code like
if (a + b < c) {
and get an infinite-precision result (GNAT already has a mode for that).
But only very low-level code should have to use that, and supporting
shifts without memory allocation might be difficult. Aborting on
overflow will not help the programmer with writing such checks.
--
Florian Weimer / Red Hat Product Security Team