[Bug c/105341] New: Load introduction when writing a global variable

MF21330112 at smail dot nju.edu.cn gcc-bugzilla@gcc.gnu.org
Fri Apr 22 04:27:38 GMT 2022 

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105341

            Bug ID: 105341
           Summary: Load introduction when writing a global variable
           Product: gcc
           Version: 9.3.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: MF21330112 at smail dot nju.edu.cn
  Target Milestone: ---

Considering the following code:

int g1;
static short g2[3][6] =
{{(-8L),0xD50FL,(-8L),0x6E22L,0xD50FL,0x52F6L},{(-8L),0xECAFL,0x6E22L,0x6E22L,0xECAFL,(-8L)},{(-8L),0xA927L,0x52F6L,0x6E22L,0xA927L,0x6E22L}};

short  func_35(unsigned char  p1, long long  p2)
{ 
    int l1 = 8L;
    if (((unsigned char)p1 + (unsigned char)1L))
    { 
        unsigned short l2[7] = {0xE3C8L,0xE3C8L,0xE3C8L,
0xE3C8L,0xE3C8L,0xE3C8L,0xE3C8L};
        for (p2 = 6; (p2 >= 2); p2 -= 1)
        {
            int *l3 = &g1;
            short l4[4][4] =
{{0L,0x153EL,0x3343L,0xEF57L},{0L,0x3343L,0xCB45L,0x3343L},{0xCB45L,0x3343L,0L,0xEF57L},{0xF2DBL,0xEF57L,0L,(-2L)}};
            if (l2[p2])
                continue;
            (*l3) = (unsigned long long)((l1 != &g2[1][4]) - (unsigned long
long)(l4[1][1] &= p1));
        }
    }

    return p2;
}

int main(){
    func_35(0,0);
    printf("%d\n", g1);
}

g1's value may be modified by writing to its address held by l3. However, after
compiled with -O1 or -O2 on gcc 9.3.0, a redundant load instruction has been
generated and will be executed. This may cause some vulnerabilities of this
program:

func_35:
   ...
   0x000000000000122b <+11>:    mov    0x2de3(%rip),%ecx        # 0x4014 <g1>
   ...
   0x0000000000001274 <+84>:    cmpw   $0x0,0xa(%rax)
   0x0000000000001279 <+89>:    mov    $0x1,%esi
   0x000000000000127e <+94>:    cmove  %edi,%ecx
   0x0000000000001281 <+97>:    cmove  %esi,%edx
   0x0000000000001284 <+100>:   sub    $0x2,%rax
   0x0000000000001288 <+104>:   cmp    %r8,%rax
   0x000000000000128b <+107>:   jne    0x1274 <func_35+84>
   0x000000000000128d <+109>:   test   %dl,%dl
   0x000000000000128f <+111>:   je     0x1297 <func_35+119>
   0x0000000000001291 <+113>:   mov    %ecx,0x2d7d(%rip)        # 0x4014 <g1>

More information about the Gcc-bugs mailing list