Bug#259887: marked as done ([PR 16601] [3.3 regression] miscompilation of automatic dynamic arrays in crypto/IPsec subsystems of the Linux kernel)

[Debian Bug Tracking System]

Your message dated Sat, 17 Jul 2004 19:47:22 +1000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#259887: gcc-3.3: Miscompiles automatic dynamic arrays
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 17 Jul 2004 05:34:17 +0000
>From [EMAIL PROTECTED] Fri Jul 16 22:34:17 2004
Return-path: <[EMAIL PROTECTED]>
Received: from arnor.apana.org.au [203.14.152.115] (mail)
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1Blhpv-0003iw-00; Fri, 16 Jul 2004 22:34:16 -0700
Received: from gondolin.me.apana.org.au ([192.168.0.6] ident=mail)
        by arnor.apana.org.au with esmtp (Exim 3.35 #1 (Debian))
        id 1Blhps-0006FW-00
        for <[EMAIL PROTECTED]>; Sat, 17 Jul 2004 15:34:12 +1000
Received: from herbert by gondolin.me.apana.org.au with local (Exim 3.36 #1 
(Debian))
        id 1Blhpp-0004ge-00
        for <[EMAIL PROTECTED]>; Sat, 17 Jul 2004 15:34:09 +1000
From: <[EMAIL PROTECTED]>
Subject: gcc-3.3: Miscompiles automatic dynamic arrays
To: [EMAIL PROTECTED]
X-Mailer: bug 3.3.10.2
Message-Id: <[EMAIL PROTECTED]>
Date: Sat, 17 Jul 2004 15:34:09 +1000
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.4 required=4.0 tests=BAYES_00,HAS_PACKAGE,
        NO_REAL_NAME autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

Package: gcc-3.3
Version: 1:3.3.4-3
Severity: critical

With the option -mpreferred-stack-boundary=2, gcc 3.3.4 is miscompiling
automatic dynamic arrays.  Unfortunately both are used in the
crypto/IPsec subsystems of the Linux kernel.

Here is a sample program:

#include <string.h>

int bar(char *s);

int foo(char *s, int len, int x)
{
        char buf[x ? len : 0];

        if (x) {
                memcpy(buf, s, len);
                s = buf;
        }

        return bar(s);
}

With gcc 3.3.4, this produces:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
        .file   "b.c"
        .text
        .p2align 4,,15
.globl foo
        .type   foo, @function
foo:
        pushl   %ebp
        xorl    %eax, %eax
        movl    %esp, %ebp
        subl    $24, %esp
        movl    16(%ebp), %ecx
        movl    %edi, -4(%ebp)
        movl    12(%ebp), %edx
        movl    %esp, %edi
        movl    %ebx, -12(%ebp)
        movl    %esi, -8(%ebp)
        decl    %edx
        movl    8(%ebp), %esi
        testl   %ecx, %ecx
        setne   %al
        decl    %eax
        orl     %eax, %edx
        addl    $19, %edx
        andl    $-4, %edx
---------------------------------------------------------------------
        subl    %edx, %esp
        leal    27(%esp), %ebx
        andl    $-16, %ebx

Note the offset 27.  The same program when compiled with gcc 3.2.3
produces similar output but it uses an offset of 15.

Suppose that len = 16, x != 0, and %esp & 15 = 8 before the subl.

That means %edx = (15 + 19) & ~3 = 32.  So %esp & 15 is still 8
after the subtraction.  That is, %esp = 16x + 8.  Hence
%ebx = (%esp + 27) & ~15 = (16x + 35) & ~15 = 16x + 32 = %esp + 24.

Therefore buf will only contain 8 bytes of space instead of 16
bytes.
---------------------------------------------------------------------
        testl   %ecx, %ecx
        jne     .L5
.L4:
        movl    %esi, (%esp)
        call    bar
        movl    %edi, %esp
        movl    -12(%ebp), %ebx
        movl    -8(%ebp), %esi
        movl    -4(%ebp), %edi
        movl    %ebp, %esp
        popl    %ebp
        ret
        .p2align 4,,7
.L5:
        movl    12(%ebp), %eax
        movl    %esi, 4(%esp)
        movl    %ebx, %esi
        movl    %eax, 8(%esp)
        movl    %ebx, (%esp)
        call    memcpy
        jmp     .L4
        .size   foo, .-foo
        .section        .note.GNU-stack,"",@progbits
        .ident  "GCC: (GNU) 3.3.4 (Debian 1:3.3.4-3)"
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Since this bug can lead to remotely triggered crashes and possibly
exploits I'm rating it as critical.

-- System Information
Debian Release: testing/unstable
Kernel Version: Linux gondolin 2.4.26-1-686-smp #1 SMP Sat May 1 19:17:11 EST 
2004 i686 GNU/Linux

Versions of the packages gcc-3.3 depends on:
ii  binutils       2.14.90.0.7-8  The GNU assembler, linker and binary utiliti
ii  cpp-3.3        3.3.4-1        The GNU C preprocessor
ii  gcc-3.3-base   3.3.4-1        The GNU Compiler Collection (base package)
ii  libc6          2.3.2.ds1-13   GNU C Library: Shared libraries and Timezone
ii  libgcc1        3.3.4-1        GCC support library

---------------------------------------
Received: (at 259887-done) by bugs.debian.org; 17 Jul 2004 09:47:28 +0000
>From [EMAIL PROTECTED] Sat Jul 17 02:47:28 2004
Return-path: <[EMAIL PROTECTED]>
Received: from arnor.apana.org.au [203.14.152.115] (mail)
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1Bllmx-0002HZ-00; Sat, 17 Jul 2004 02:47:28 -0700
Received: from gondolin.me.apana.org.au ([192.168.0.6] ident=mail)
        by arnor.apana.org.au with esmtp (Exim 3.35 #1 (Debian))
        id 1Bllmv-0007zE-00
        for <[EMAIL PROTECTED]>; Sat, 17 Jul 2004 19:47:25 +1000
Received: from herbert by gondolin.me.apana.org.au with local (Exim 3.36 #1 
(Debian))
        id 1Bllms-00058r-00
        for <[EMAIL PROTECTED]>; Sat, 17 Jul 2004 19:47:22 +1000
Date: Sat, 17 Jul 2004 19:47:22 +1000
To: [EMAIL PROTECTED]
Subject: Re: Bug#259887: gcc-3.3: Miscompiles automatic dynamic arrays
Message-ID: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <[EMAIL PROTECTED]>
User-Agent: Mutt/1.5.6+20040523i
From: Herbert Xu <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

On Sat, Jul 17, 2004 at 05:36:59PM +1000, herbert wrote:
> On Sat, Jul 17, 2004 at 09:27:13AM +0200, Matthias Klose wrote:
> > 
> > I assume the complete flags are -O2 -mpreferred-stack-boundary=2 ? Can
> 
> Sorry, yes that's what I used.  The kernel adds a few more options like
> -fomit-frame-pointer but it doesn't make any differences to the problem.

I'm sorry but I got it wrong.

gcc 3.3.4 is unconditionally allocating 12 bytes of extra room at
the start of the function.  Since the most it can go over by is
11 bytes (when %esp & ~15 = 5), this is safe.

Sorry for the noise.
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt