Package: gcc-3.3
Version: 1:3.3.4-3
Severity: critical
With the option -mpreferred-stack-boundary=2, gcc 3.3.4 is miscompiling
automatic dynamic arrays. Unfortunately both are used in the
crypto/IPsec subsystems of the Linux kernel.
Here is a sample program:
#include <string.h>
int bar(char *s);
int foo(char *s, int len, int x)
{
char buf[x ? len : 0];
if (x) {
memcpy(buf, s, len);
s = buf;
}
return bar(s);
}
With gcc 3.3.4, this produces:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.file "b.c"
.text
.p2align 4,,15
.globl foo
.type foo, @function
foo:
pushl %ebp
xorl %eax, %eax
movl %esp, %ebp
subl $24, %esp
movl 16(%ebp), %ecx
movl %edi, -4(%ebp)
movl 12(%ebp), %edx
movl %esp, %edi
movl %ebx, -12(%ebp)
movl %esi, -8(%ebp)
decl %edx
movl 8(%ebp), %esi
testl %ecx, %ecx
setne %al
decl %eax
orl %eax, %edx
addl $19, %edx
andl $-4, %edx
---------------------------------------------------------------------
subl %edx, %esp
leal 27(%esp), %ebx
andl $-16, %ebx
Note the offset 27. The same program when compiled with gcc 3.2.3
produces similar output but it uses an offset of 15.
Suppose that len = 16, x != 0, and %esp & 15 = 8 before the subl.
That means %edx = (15 + 19) & ~3 = 32. So %esp & 15 is still 8
after the subtraction. That is, %esp = 16x + 8. Hence
%ebx = (%esp + 27) & ~15 = (16x + 35) & ~15 = 16x + 32 = %esp + 24.
Therefore buf will only contain 8 bytes of space instead of 16
bytes.
---------------------------------------------------------------------
testl %ecx, %ecx
jne .L5
.L4:
movl %esi, (%esp)
call bar
movl %edi, %esp
movl -12(%ebp), %ebx
movl -8(%ebp), %esi
movl -4(%ebp), %edi
movl %ebp, %esp
popl %ebp
ret
.p2align 4,,7
.L5:
movl 12(%ebp), %eax
movl %esi, 4(%esp)
movl %ebx, %esi
movl %eax, 8(%esp)
movl %ebx, (%esp)
call memcpy
jmp .L4
.size foo, .-foo
.section .note.GNU-stack,"",@progbits
.ident "GCC: (GNU) 3.3.4 (Debian 1:3.3.4-3)"
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Since this bug can lead to remotely triggered crashes and possibly
exploits I'm rating it as critical.
-- System Information
Debian Release: testing/unstable
Kernel Version: Linux gondolin 2.4.26-1-686-smp #1 SMP Sat May 1 19:17:11 EST
2004 i686 GNU/Linux
Versions of the packages gcc-3.3 depends on:
ii binutils 2.14.90.0.7-8 The GNU assembler, linker and binary utiliti
ii cpp-3.3 3.3.4-1 The GNU C preprocessor
ii gcc-3.3-base 3.3.4-1 The GNU Compiler Collection (base package)
ii libc6 2.3.2.ds1-13 GNU C Library: Shared libraries and Timezone
ii libgcc1 3.3.4-1 GCC support library
