This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.
Re: Security vulnerability or security feature?
- From: Ralph Loader <suckfish at ihug dot co dot nz>
- To: "Robert C. Seacord" <rcs at cert dot org>
- Cc: cert at cert dot org, crd at cert dot org, gcc at gnu dot org
- Date: Fri, 25 Apr 2008 09:20:59 +1200
- Subject: Re: Security vulnerability or security feature?
- References: <20080425085640.707e9a56@ihug.co.nz> <4810F65C.3090705@cert.org>
> I am very interested in seeing how this optimization can remove
> arithmetic overflows.
int foo (char * buf, int n)
{
// buf+n may overflow if the programmer incorrectly passes
// a large value of n. But recent versions of gcc optimise
// to 'n < 100', removing the overflow.
return buf + n < buf + 100;
}
Compiled on i386, gcc-4.3.0 with -O2 gives:
foo:
xorl %eax, %eax
cmpl $99, 8(%esp)
setle %al
ret
E.g., calling foo with:
#include <stdio.h>
int foo (char * buf, int n);   /* defined above */
int main()
{
char buf[100];
printf ("%d\n", foo (buf, 1500000000));
return 0;
}
on my PC (where the stack is just below the 3Gig position).
> > Why is Cert advising people to avoid an optimisation that can ---
> > realistically, although probably rarely --- remove security
> > vulnerabilities?
> >
> If you are referring to VU#694123, this refers to an optimization
I'm talking about 162289.
Ralph.
> that removes checks pointer arithmetic wrapping. The optimization
> doesn't actually eliminate the wrapping behavior; this still occurs.
> It does, however, eliminate certain kinds of checks (that depend upon
> undefined behavior).
>
> Thanks,
> rCs
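As an added example, not part of Ralph's mail or of GCC itself: the check in foo() depends on pointer arithmetic overflowing, which is undefined behaviour, so the compiler is free to fold `buf + n < buf + 100` to `n < 100` and the "protection" the wraparound might have given disappears. The defensive fix is to do the bounds test entirely in the integer domain, in a form that cannot wrap. The buffer length, function names and the inputs below are constructed for illustration; `offset_ok_naive` shows the wrong way (defined unsigned wraparound, but the check still passes a huge n), `offset_ok` the right way.

```c
/* Added example, not from the original mail or from GCC.
 * Bounds checks written so they never depend on overflow, in
 * contrast to the mail's `buf + n < buf + 100`, which GCC folds
 * to `n < 100` because pointer overflow is undefined. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

#define BUF_LEN 100   /* constructed buffer size, same 100 as in the mail */

/* Naive check in the integer domain.  Unsigned wraparound is defined,
 * so the compiler must keep it, but a huge n wraps pos + n back to a
 * small value and the check passes when it should fail. */
bool offset_ok_naive(size_t pos, size_t n, size_t len)
{
    return pos + n <= len;
}

/* Robust check: never compute a sum that can wrap.  Once pos <= len is
 * established, len - pos cannot underflow, so the comparison is exact
 * for every possible n. */
bool offset_ok(size_t pos, size_t n, size_t len)
{
    if (pos > len)
        return false;
    return n <= len - pos;
}

/* Same check for the signed offset type used by the mail's foo():
 * reject negative n before converting to size_t. */
bool offset_ok_int(size_t pos, int n, size_t len)
{
    return n >= 0 && offset_ok(pos, (size_t)n, len);
}

/* Bounded write that forms the pointer only after the integer check,
 * so no intermediate pointer ever points outside buf[0..len]. */
int write_at(char *buf, size_t len, size_t pos, const char *src, size_t n)
{
    if (!offset_ok(pos, n, len))
        return -1;
    for (size_t i = 0; i < n; i++)
        buf[pos + i] = src[i];
    return 0;
}

int main(void)
{
    char buf[BUF_LEN];
    /* Constructed inputs: with pos = 10, n = SIZE_MAX wraps pos + n to 9. */
    printf("naive,  n=50:       %d\n", offset_ok_naive(10, 50, BUF_LEN));
    printf("naive,  n=SIZE_MAX: %d\n", offset_ok_naive(10, SIZE_MAX, BUF_LEN));
    printf("robust, n=SIZE_MAX: %d\n", offset_ok(10, SIZE_MAX, BUF_LEN));
    printf("int,    n=1.5e9:    %d\n", offset_ok_int(0, 1500000000, BUF_LEN));
    printf("write_at rejected:  %d\n", write_at(buf, BUF_LEN, 10, "x", SIZE_MAX));
    return 0;
}
```

The point is that the decision is made on integers whose range the compiler cannot narrow by assuming undefined behaviour; only after `offset_ok` succeeds is the pointer `buf + pos + i` formed, and at that moment it is guaranteed to stay within the object.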