This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.
Re: US-CERT Vulnerability Note VU#162289
Mark,
I will update the CERT C Secure Coding rule with a list of compilers,
once we complete a fact check. Chad is responsible for updating the vul
note, so I'll need to discuss this with him.
Specifically with regards to MSVC 2005, I thought Chad had already
checked this and found that it did not exhibit this behavior. I just
tested the following program.
#include <stdio.h>

/* Test case from the thread: does the compiler keep the buf+len < buf
 * wrap-around check, or fold it away because pointer overflow is undefined? */
void f(char *buf) {
    unsigned int len = 0xFFFFFF00;   /* large enough to wrap a 32-bit pointer */
    if (buf+len < buf) puts("true");
}
int main(void)
{
    char buffer[100];
    f(buffer);
    return 0;
}
and compiled it with Microsoft Visual Studio 2005 Version 8.0.50727.42
with the following flags:
/Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_UNICODE" /D "UNICODE" /Gm
/EHsc /RTC1 /MDd /Fo"Debug\\" /Fd"Debug\vc80.pdb" /W4 /nologo /c /Wp64
/ZI /TC /errorReport:prompt
And on the disassembly view I see:
if (buf+len < buf) puts("true");
004113CB mov eax,dword ptr [buf]
004113CE add eax,dword ptr [len]
004113D1 cmp eax,dword ptr [buf]
004113D4 jae f+4Dh (4113EDh)
004113D6 mov esi,esp
004113D8 push offset string "true" (41563Ch)
004113DD call dword ptr [__imp__puts (4182B8h)]
004113E3 add esp,4
004113E6 cmp esi,esp
004113E8 call @ILT+305(__RTC_CheckEsp) (411136h)
And the program prints out "true".
Any explanation why I am getting different behavior?
If I change the flags to
/O2 /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_UNICODE" /D "UNICODE" /Gm
/EHsc /MDd /Fo"Debug\\" /Fd"Debug\vc80.pdb" /W4 /nologo /c /Wp64 /TC
/errorReport:prompt
with /O2 optimization, "true" is still printed although it is harder to
examine the disassembly.
rCs
Mark Mitchell wrote:
Mark Mitchell wrote:
I've been told that Intel's ICC compiler also does this optimization:
Apparently, IAR's Atmel AVR compiler does this optimization as well.
That CPU has 16-bit addresses, so the tester changed the test case to
use "1 << 14" instead of "1 << 30".
I've also been told that Microsoft Visual C++ 2005 compiler does this
optimization.
Chad, Robert, are you going to update the CERT notice to reflect all
of this additional information about other compilers that also do this
optimization?
Here is the code generated:
; Listing generated by Microsoft (R) Optimizing Compiler Version
14.00.50727.762
...
; Function compile flags: /Ogtpy
...
; 2 : len = 1 << 30;
; 3 : if (buf + len < buf)
; 4 : return 1;
; 5 :
; 6 :
; 7 : return 0;
xor eax, eax
; 8 : }
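The check under discussion, as an added C example that is not from the thread or its participants: the pointer-based test as written in the thread, next to two forms a compiler cannot fold away (an integer wrap test, and a size-based bounds guard that never forms an out-of-range pointer). The buffer, the bounded_append function and the sample lengths are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The check exactly as the thread writes it. Pointer arithmetic that leaves
 * the object is undefined behaviour, so a compiler may assume buf + len never
 * wraps and fold this to "always false"; whether it actually does (GCC, and
 * per the thread ICC, IAR and MSVC at /O2) depends on the optimisation level,
 * not on the standard. Kept for contrast only; never called with a wrapping
 * len below. */
int wrap_check_ub(const char *buf, size_t len) {
    return buf + len < buf;
}

/* Keeps the "did it wrap" shape but on integers: unsigned arithmetic is
 * defined modulo 2^N, so the compiler cannot drop the comparison. */
int wraps_as_integer(uintptr_t base, size_t len) {
    return base + (uintptr_t)len < base;
}

/* Preferred form: guard on sizes, never on pointers. Appends n bytes of src
 * into dst[0..cap) at offset used and returns the new used count, or
 * (size_t)-1 if the request does not fit. cap - used cannot underflow
 * because used > cap is rejected first, and no pointer beyond dst + cap is
 * ever formed, so there is no undefined behaviour for the optimiser to
 * exploit. */
size_t bounded_append(char *dst, size_t cap, size_t used,
                      const char *src, size_t n) {
    if (used > cap || n > cap - used)
        return (size_t)-1;
    memcpy(dst + used, src, n);
    return used + n;
}

int main(void) {
    /* Constructed input: the thread's 100-byte buffer and its 0xFFFFFF00
     * length, generalised to the host pointer width so it wraps on 64-bit
     * builds too. */
    char buffer[100];
    size_t hostile = (size_t)0 - 0x100;
    printf("integer wrap detected: %d\n",
           wraps_as_integer(0x1000, hostile));
    printf("append with hostile length: %s\n",
           bounded_append(buffer, sizeof buffer, 0, "x", hostile) == (size_t)-1
               ? "rejected" : "accepted");
    return 0;
}
```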