
Bug#259887: marked as done ([PR 16601] [3.3 regression] miscompilation of automatic dynamic arrays in crypto/IPsec subsystems of the Linux kernel)



Your message dated Sat, 17 Jul 2004 19:47:22 +1000
with message-id <20040717094722.GA19734@gondor.apana.org.au>
and subject line Bug#259887: gcc-3.3: Miscompiles automatic dynamic arrays
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 17 Jul 2004 05:34:17 +0000
From herbert@gondor.apana.org.au Fri Jul 16 22:34:17 2004
Return-path: <herbert@gondor.apana.org.au>
Received: from arnor.apana.org.au [203.14.152.115] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1Blhpv-0003iw-00; Fri, 16 Jul 2004 22:34:16 -0700
Received: from gondolin.me.apana.org.au ([192.168.0.6] ident=mail)
	by arnor.apana.org.au with esmtp (Exim 3.35 #1 (Debian))
	id 1Blhps-0006FW-00
	for <submit@bugs.debian.org>; Sat, 17 Jul 2004 15:34:12 +1000
Received: from herbert by gondolin.me.apana.org.au with local (Exim 3.36 #1 (Debian))
	id 1Blhpp-0004ge-00
	for <submit@bugs.debian.org>; Sat, 17 Jul 2004 15:34:09 +1000
From: <herbert@gondor.apana.org.au>
Subject: gcc-3.3: Miscompiles automatic dynamic arrays
To: submit@bugs.debian.org
X-Mailer: bug 3.3.10.2
Message-Id: <E1Blhpp-0004ge-00@gondolin.me.apana.org.au>
Date: Sat, 17 Jul 2004 15:34:09 +1000
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.4 required=4.0 tests=BAYES_00,HAS_PACKAGE,
	NO_REAL_NAME autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

Package: gcc-3.3
Version: 1:3.3.4-3
Severity: critical

With the option -mpreferred-stack-boundary=2, gcc 3.3.4 is miscompiling
automatic dynamic arrays.  Unfortunately both are used in the
crypto/IPsec subsystems of the Linux kernel.

Here is a sample program:

#include <string.h>

int bar(char *s);

int foo(char *s, int len, int x)
{
	char buf[x ? len : 0];

	if (x) {
		memcpy(buf, s, len);
		s = buf;
	}

	return bar(s);
}

With gcc 3.3.4, this produces:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
	.file	"b.c"
	.text
	.p2align 4,,15
.globl foo
	.type	foo, @function
foo:
	pushl	%ebp
	xorl	%eax, %eax
	movl	%esp, %ebp
	subl	$24, %esp
	movl	16(%ebp), %ecx
	movl	%edi, -4(%ebp)
	movl	12(%ebp), %edx
	movl	%esp, %edi
	movl	%ebx, -12(%ebp)
	movl	%esi, -8(%ebp)
	decl	%edx
	movl	8(%ebp), %esi
	testl	%ecx, %ecx
	setne	%al
	decl	%eax
	orl	%eax, %edx
	addl	$19, %edx
	andl	$-4, %edx
---------------------------------------------------------------------
	subl	%edx, %esp
	leal	27(%esp), %ebx
	andl	$-16, %ebx

Note the offset 27.  The same program when compiled with gcc 3.2.3
produces similar output but it uses an offset of 15.

Suppose that len = 16, x != 0, and %esp & 15 = 8 before the subl.

That means %edx = (15 + 19) & ~3 = 32.  So %esp & 15 is still 8
after the subtraction.  That is, %esp = 16x + 8.  Hence
%ebx = (%esp + 27) & ~15 = (16x + 35) & ~15 = 16x + 32 = %esp + 24.

Therefore buf will only contain 8 bytes of space instead of 16
bytes.
---------------------------------------------------------------------
	testl	%ecx, %ecx
	jne	.L5
.L4:
	movl	%esi, (%esp)
	call	bar
	movl	%edi, %esp
	movl	-12(%ebp), %ebx
	movl	-8(%ebp), %esi
	movl	-4(%ebp), %edi
	movl	%ebp, %esp
	popl	%ebp
	ret
	.p2align 4,,7
.L5:
	movl	12(%ebp), %eax
	movl	%esi, 4(%esp)
	movl	%ebx, %esi
	movl	%eax, 8(%esp)
	movl	%ebx, (%esp)
	call	memcpy
	jmp	.L4
	.size	foo, .-foo
	.section	.note.GNU-stack,"",@progbits
	.ident	"GCC: (GNU) 3.3.4 (Debian 1:3.3.4-3)"
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Since this bug can lead to remotely triggered crashes and possibly
exploits, I'm rating it as critical.

-- System Information
Debian Release: testing/unstable
Kernel Version: Linux gondolin 2.4.26-1-686-smp #1 SMP Sat May 1 19:17:11 EST 2004 i686 GNU/Linux

Versions of the packages gcc-3.3 depends on:
ii  binutils       2.14.90.0.7-8  The GNU assembler, linker and binary utiliti
ii  cpp-3.3        3.3.4-1        The GNU C preprocessor
ii  gcc-3.3-base   3.3.4-1        The GNU Compiler Collection (base package)
ii  libc6          2.3.2.ds1-13   GNU C Library: Shared libraries and Timezone
ii  libgcc1        3.3.4-1        GCC support library

---------------------------------------
Received: (at 259887-done) by bugs.debian.org; 17 Jul 2004 09:47:28 +0000
From herbert@gondor.apana.org.au Sat Jul 17 02:47:28 2004
Return-path: <herbert@gondor.apana.org.au>
Received: from arnor.apana.org.au [203.14.152.115] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1Bllmx-0002HZ-00; Sat, 17 Jul 2004 02:47:28 -0700
Received: from gondolin.me.apana.org.au ([192.168.0.6] ident=mail)
	by arnor.apana.org.au with esmtp (Exim 3.35 #1 (Debian))
	id 1Bllmv-0007zE-00
	for <259887-done@bugs.debian.org>; Sat, 17 Jul 2004 19:47:25 +1000
Received: from herbert by gondolin.me.apana.org.au with local (Exim 3.36 #1 (Debian))
	id 1Bllms-00058r-00
	for <259887-done@bugs.debian.org>; Sat, 17 Jul 2004 19:47:22 +1000
Date: Sat, 17 Jul 2004 19:47:22 +1000
To: 259887-done@bugs.debian.org
Subject: Re: Bug#259887: gcc-3.3: Miscompiles automatic dynamic arrays
Message-ID: <20040717094722.GA19734@gondor.apana.org.au>
References: <E1Blhpp-0004ge-00@gondolin.me.apana.org.au> <16632.54481.550065.11819@gargle.gargle.HOWL> <20040717073659.GA18793@gondor.apana.org.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20040717073659.GA18793@gondor.apana.org.au>
User-Agent: Mutt/1.5.6+20040523i
From: Herbert Xu <herbert@gondor.apana.org.au>
Delivered-To: 259887-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

On Sat, Jul 17, 2004 at 05:36:59PM +1000, herbert wrote:
> On Sat, Jul 17, 2004 at 09:27:13AM +0200, Matthias Klose wrote:
> > 
> > I assume the complete flags are -O2 -mpreferred-stack-boundary=2 ? Can
> 
> Sorry, yes that's what I used.  The kernel adds a few more options like
> -fomit-frame-pointer but it doesn't make any differences to the problem.

I'm sorry but I got it wrong.

gcc 3.3.4 is unconditionally allocating 12 bytes of extra room at
the start of the function.  Since the most it can go over by is
11 bytes (when %esp & ~15 = 5), this is safe.

Sorry for the noise.
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
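The stack arithmetic argued over in the two messages above, as an added worked model (editor's example, not part of the bug report, of gcc, or of the kernel). It replays the prologue instructions quoted in the report on constructed 32-bit stack addresses: the size computation ending in "andl $-4, %edx", the "subl %edx, %esp", and the "leal 27(%esp), %ebx; andl $-16, %ebx" that aligns buf. The 12-byte slack is read off the listing as the part of "subl $24, %esp" not occupied by the three saved registers at -4/-8/-12(%ebp), which is the "12 bytes of extra room" the follow-up refers to. The follow-up's "%esp & ~15 = 5" is taken to mean the low four bits of %esp being 5, the case where the +27 alignment lands furthest from %esp. The scan over other lengths at the end goes beyond the page: it shows the overhang reaches exactly 12 bytes for some lengths (for example len = 17), still inside the slack, whereas the 11 quoted above is for the len = 16 case.

```c
/* Model of the gcc 3.3.4 prologue quoted in the report (i386,
 * -O2 -mpreferred-stack-boundary=2).  Constants are read off the
 * listing; the stack addresses fed in are constructed sample values. */
#include <stdint.h>
#include <stdio.h>

#define FRAME_SUB    24u  /* subl $24, %esp */
#define SAVED_REGS   12u  /* %edi, %esi, %ebx spilled at -4/-8/-12(%ebp) */
#define SLACK        (FRAME_SUB - SAVED_REGS)  /* 12 bytes nothing else uses */
#define ALIGN_OFFSET 27u  /* leal 27(%esp), %ebx */

struct vla_layout {
    uint32_t edx;       /* bytes subtracted from %esp for buf */
    uint32_t esp_after; /* %esp after "subl %edx, %esp" */
    uint32_t buf;       /* %ebx: 16-byte-aligned address of buf */
    int32_t  overhang;  /* bytes of buf lying above the edx bytes reserved */
    int      fits;      /* overhang <= SLACK: the saved registers are untouched */
};

/* decl %edx; setne %al; decl %eax; orl %eax,%edx; addl $19,%edx; andl $-4,%edx */
static uint32_t vla_bytes(uint32_t len, int x)
{
    uint32_t edx = len - 1u;
    uint32_t eax = (x != 0) ? 1u : 0u;
    eax -= 1u;          /* 0 when x != 0, 0xffffffff when x == 0 */
    edx |= eax;         /* (x ? len : 0) - 1, i.e. x ? len - 1 : -1 */
    edx += 19u;
    edx &= ~3u;
    return edx;
}

/* esp_frame is %esp right after "subl $24, %esp", the value saved in %edi. */
static struct vla_layout layout(uint32_t esp_frame, uint32_t len, int x)
{
    struct vla_layout l;
    uint32_t used = x ? len : 0u;      /* bytes memcpy actually writes into buf */
    l.edx       = vla_bytes(len, x);
    l.esp_after = esp_frame - l.edx;   /* subl %edx, %esp */
    l.buf       = (l.esp_after + ALIGN_OFFSET) & ~15u;  /* leal 27(%esp); andl $-16 */
    /* how far buf+used reaches past the end of the edx bytes just reserved;
     * that region is exactly the 12 spare bytes below the saved registers */
    l.overhang  = (int32_t)(l.buf - l.esp_after) + (int32_t)used - (int32_t)l.edx;
    l.fits      = l.overhang <= (int32_t)SLACK;
    return l;
}

/* Worst case over the 16 possible values of the low nibble of %esp. */
static int32_t max_overhang(uint32_t len, int x)
{
    int32_t worst = INT32_MIN;
    for (uint32_t k = 0; k < 16u; k++) {
        int32_t o = layout(0xbfff0000u + k, len, x).overhang;
        if (o > worst) worst = o;
    }
    return worst;
}

/* 1 if every len in [lo, hi] stays inside the spare bytes for every %esp alignment. */
static int all_lengths_fit(uint32_t lo, uint32_t hi, int x)
{
    for (uint32_t len = lo; len <= hi; len++)
        if (max_overhang(len, x) > (int32_t)SLACK) return 0;
    return 1;
}

int main(void)
{
    struct vla_layout a = layout(0xbfff0008u, 16u, 1);  /* report's case: %esp & 15 == 8 */
    struct vla_layout b = layout(0xbfff0005u, 16u, 1);  /* follow-up's case: %esp & 15 == 5 */
    printf("len=16 esp&15=8: edx=%u buf=%%esp+%u overhang=%d fits=%d\n",
           (unsigned)a.edx, (unsigned)(a.buf - a.esp_after), (int)a.overhang, a.fits);
    printf("len=16 esp&15=5: edx=%u buf=%%esp+%u overhang=%d fits=%d\n",
           (unsigned)b.edx, (unsigned)(b.buf - b.esp_after), (int)b.overhang, b.fits);
    printf("worst overhang for len=16: %d; all len 1..64 fit: %d\n",
           (int)max_overhang(16u, 1), all_lengths_fit(1u, 64u, 1));
    return 0;
}
```

For the report's case the model reproduces its numbers exactly: %edx = 32 and buf = %esp + 24, so the last 8 bytes of a 16-byte buf lie above the reserved block, which is what the report reads as "only 8 bytes of space". Those 8 bytes, and the 11 of the %esp & 15 == 5 case, land in the 12 spare bytes between the reserved block and the saved registers, which is why the follow-up withdraws the bug. The reason it works out is that 27 = 15 + 12: gcc aligns from %esp with 12 more than the 15 needed for 16-byte alignment and pays for that 12 once, in the fixed frame.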