Your message dated Sat, 17 Jul 2004 19:47:22 +1000 with message-id <[EMAIL PROTECTED]> and subject line Bug#259887: gcc-3.3: Miscompiles automatic dynamic arrays has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 17 Jul 2004 05:34:17 +0000
From [EMAIL PROTECTED] Fri Jul 16 22:34:17 2004
Return-path: <[EMAIL PROTECTED]>
Received: from arnor.apana.org.au [203.14.152.115] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1Blhpv-0003iw-00; Fri, 16 Jul 2004 22:34:16 -0700
Received: from gondolin.me.apana.org.au ([192.168.0.6] ident=mail)
	by arnor.apana.org.au with esmtp (Exim 3.35 #1 (Debian))
	id 1Blhps-0006FW-00
	for <[EMAIL PROTECTED]>; Sat, 17 Jul 2004 15:34:12 +1000
Received: from herbert by gondolin.me.apana.org.au with local (Exim 3.36 #1 (Debian))
	id 1Blhpp-0004ge-00
	for <[EMAIL PROTECTED]>; Sat, 17 Jul 2004 15:34:09 +1000
From: <[EMAIL PROTECTED]>
Subject: gcc-3.3: Miscompiles automatic dynamic arrays
To: [EMAIL PROTECTED]
X-Mailer: bug 3.3.10.2
Message-Id: <[EMAIL PROTECTED]>
Date: Sat, 17 Jul 2004 15:34:09 +1000
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.4 required=4.0 tests=BAYES_00,HAS_PACKAGE,NO_REAL_NAME autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level:

Package: gcc-3.3
Version: 1:3.3.4-3
Severity: critical

With the option -mpreferred-stack-boundary=2, gcc 3.3.4 is miscompiling automatic dynamic arrays. Unfortunately both are used in the crypto/IPsec subsystems of the Linux kernel.

Here is a sample program:

#include <string.h>

int bar(char *s);

int foo(char *s, int len, int x)
{
	char buf[x ? len : 0];

	if (x) {
		memcpy(buf, s, len);
		s = buf;
	}

	return bar(s);
}

With gcc 3.3.4, this produces:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
	.file	"b.c"
	.text
	.p2align 4,,15
.globl foo
	.type	foo, @function
foo:
	pushl	%ebp
	xorl	%eax, %eax
	movl	%esp, %ebp
	subl	$24, %esp
	movl	16(%ebp), %ecx
	movl	%edi, -4(%ebp)
	movl	12(%ebp), %edx
	movl	%esp, %edi
	movl	%ebx, -12(%ebp)
	movl	%esi, -8(%ebp)
	decl	%edx
	movl	8(%ebp), %esi
	testl	%ecx, %ecx
	setne	%al
	decl	%eax
	orl	%eax, %edx
	addl	$19, %edx
	andl	$-4, %edx
---------------------------------------------------------------------
	subl	%edx, %esp
	leal	27(%esp), %ebx
	andl	$-16, %ebx

Note the offset 27. The same program when compiled with gcc 3.2.3 produces similar output but it uses an offset of 15.

Suppose that len = 16, x != 0, and %esp & 15 = 8 before the subl. That means %edx = (15 + 19) & ~3 = 32. So %esp & 15 is still 8 after the subtraction. That is, %esp = 16x + 8. Hence %ebx = (%esp + 27) & ~15 = (16x + 35) & ~15 = 16x + 32 = %esp + 24. Therefore buf will only contain 8 bytes of space instead of 16 bytes.
---------------------------------------------------------------------
	testl	%ecx, %ecx
	jne	.L5
.L4:
	movl	%esi, (%esp)
	call	bar
	movl	%edi, %esp
	movl	-12(%ebp), %ebx
	movl	-8(%ebp), %esi
	movl	-4(%ebp), %edi
	movl	%ebp, %esp
	popl	%ebp
	ret
	.p2align 4,,7
.L5:
	movl	12(%ebp), %eax
	movl	%esi, 4(%esp)
	movl	%ebx, %esi
	movl	%eax, 8(%esp)
	movl	%ebx, (%esp)
	call	memcpy
	jmp	.L4
	.size	foo, .-foo
	.section	.note.GNU-stack,"",@progbits
	.ident	"GCC: (GNU) 3.3.4 (Debian 1:3.3.4-3)"
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Since this bug can lead to remotely triggered crashes and possibly exploits I'm rating it as critical.
-- System Information
Debian Release: testing/unstable
Kernel Version: Linux gondolin 2.4.26-1-686-smp #1 SMP Sat May 1 19:17:11 EST 2004 i686 GNU/Linux

Versions of the packages gcc-3.3 depends on:
ii  binutils      2.14.90.0.7-8  The GNU assembler, linker and binary utiliti
ii  cpp-3.3       3.3.4-1        The GNU C preprocessor
ii  gcc-3.3-base  3.3.4-1        The GNU Compiler Collection (base package)
ii  libc6         2.3.2.ds1-13   GNU C Library: Shared libraries and Timezone
ii  libgcc1       3.3.4-1        GCC support library

---------------------------------------
Received: (at 259887-done) by bugs.debian.org; 17 Jul 2004 09:47:28 +0000
From [EMAIL PROTECTED] Sat Jul 17 02:47:28 2004
Return-path: <[EMAIL PROTECTED]>
Received: from arnor.apana.org.au [203.14.152.115] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1Bllmx-0002HZ-00; Sat, 17 Jul 2004 02:47:28 -0700
Received: from gondolin.me.apana.org.au ([192.168.0.6] ident=mail)
	by arnor.apana.org.au with esmtp (Exim 3.35 #1 (Debian))
	id 1Bllmv-0007zE-00
	for <[EMAIL PROTECTED]>; Sat, 17 Jul 2004 19:47:25 +1000
Received: from herbert by gondolin.me.apana.org.au with local (Exim 3.36 #1 (Debian))
	id 1Bllms-00058r-00
	for <[EMAIL PROTECTED]>; Sat, 17 Jul 2004 19:47:22 +1000
Date: Sat, 17 Jul 2004 19:47:22 +1000
To: [EMAIL PROTECTED]
Subject: Re: Bug#259887: gcc-3.3: Miscompiles automatic dynamic arrays
Message-ID: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <[EMAIL PROTECTED]>
User-Agent: Mutt/1.5.6+20040523i
From: Herbert Xu <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level:

On Sat, Jul 17, 2004 at 05:36:59PM +1000, herbert wrote:
> On Sat, Jul 17, 2004 at 09:27:13AM +0200, Matthias Klose wrote:
> >
> > I assume the complete flags are -O2 -mpreferred-stack-boundary=2 ? Can
>
> Sorry, yes that's what I used. The kernel adds a few more options like
> -fomit-frame-pointer but it doesn't make any difference to the problem.

I'm sorry but I got it wrong. gcc 3.3.4 is unconditionally allocating 12 bytes of extra room at the start of the function. Since the most it can go over by is 11 bytes (when %esp & ~15 = 5), this is safe.

Sorry for the noise.
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
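The frame arithmetic that the report and the retraction argue over, as an added example that is not part of the bug thread or of gcc: the program below re-implements, in plain integer arithmetic, the `%edx` computation and the `leal 27(%esp) / andl $-16` step from the quoted listing, then measures where `buf[len]` ends relative to the pre-`subl` `%esp` (the boundary the report used) and relative to the saved registers at `-12(%ebp)` (the boundary that actually matters, given the 12 spare bytes of the fixed `subl $24` frame). It assumes the `x != 0` path, a stand-in base address rather than a real stack, and that the outgoing arguments occupy the 12 bytes at `0(%esp)..8(%esp)` as the `memcpy` call in the listing does. It goes beyond the single `len = 16` case in the report by sweeping every 4-byte-aligned stack residue mod 16 and every length up to 4096.

```c
#include <stdint.h>
#include <stdio.h>

/* Arithmetic model of the gcc 3.3.4 prologue quoted in the bug report,
 * for the x != 0 path. Addresses are 32-bit unsigned, as on i386; the
 * 0x10000000 base used below is an arbitrary stand-in, not a real stack. */

struct frame {
    uint32_t esp1;  /* %esp after "subl $24, %esp": 12 bytes hold the saved
                       %edi/%esi/%ebx at -4..-12(%ebp), 12 bytes are spare */
    uint32_t esp2;  /* %esp after "subl %edx, %esp"; outgoing call
                       arguments live at 0(%esp)..8(%esp) */
    uint32_t buf;   /* %ebx = (%esp + 27) & ~15, the address of buf */
};

/* %edx as built by decl / testl / setne / decl / orl / addl $19 / andl $-4. */
static uint32_t vla_alloc_size(uint32_t len, int x)
{
    uint32_t edx = len - 1;            /* decl  %edx                  */
    uint32_t eax = (uint32_t)(x != 0); /* testl %ecx, %ecx; setne %al */
    eax -= 1;                          /* decl  %eax  -> 0 or ~0      */
    edx |= eax;                        /* orl   %eax, %edx            */
    edx += 19;                         /* addl  $19, %edx             */
    edx &= ~3u;                        /* andl  $-4, %edx             */
    return edx;
}

/* esp0 is %esp right after "movl %esp, %ebp" (i.e. the value of %ebp). */
static struct frame layout(uint32_t esp0, uint32_t len)
{
    struct frame f;
    f.esp1 = esp0 - 24;
    f.esp2 = f.esp1 - vla_alloc_size(len, 1);
    f.buf  = (f.esp2 + 27) & ~15u;
    return f;
}

/* How far the end of buf[len] lies above the pre-subl %esp (esp1). The
 * report measured buf against this boundary; a positive value means buf
 * spills into the 12 spare bytes of the fixed 24-byte frame. */
static int32_t overshoot_past_esp1(uint32_t esp0, uint32_t len)
{
    struct frame f = layout(esp0, len);
    return (int32_t)(f.buf + len) - (int32_t)f.esp1;
}

/* The check that actually matters: buf must sit above the 12 bytes of
 * outgoing arguments and below the saved registers at esp0-12..esp0. */
static int buf_fits(uint32_t esp0, uint32_t len)
{
    struct frame f = layout(esp0, len);
    return f.buf >= f.esp2 + 12 && f.buf + len <= esp0 - 12;
}

/* Sweep every 4-byte-aligned residue of %esp mod 16 and every len up to
 * max_len; report the worst spill past esp1 and whether buf always fits. */
static int32_t max_overshoot(uint32_t max_len)
{
    int32_t worst = 0;
    for (uint32_t r = 0; r < 16; r += 4)
        for (uint32_t len = 1; len <= max_len; len++) {
            int32_t o = overshoot_past_esp1(0x10000000u + r, len);
            if (o > worst)
                worst = o;
        }
    return worst;
}

static int all_fit(uint32_t max_len)
{
    for (uint32_t r = 0; r < 16; r += 4)
        for (uint32_t len = 1; len <= max_len; len++)
            if (!buf_fits(0x10000000u + r, len))
                return 0;
    return 1;
}

int main(void)
{
    /* The report's case: len = 16 with %esp & 15 == 8 before the subl. */
    uint32_t esp0 = 0x10000000u + 32;   /* makes esp1 & 15 == 8 */
    struct frame f = layout(esp0, 16);
    printf("edx=%u  esp2&15=%u  buf=esp2+%u  spill past esp1=%d  fits=%d\n",
           (unsigned)vla_alloc_size(16, 1), (unsigned)(f.esp2 & 15),
           (unsigned)(f.buf - f.esp2), (int)overshoot_past_esp1(esp0, 16),
           buf_fits(esp0, 16));
    printf("worst spill past esp1 over all cases: %d bytes (spare: 12), all fit: %d\n",
           (int)max_overshoot(4096), all_fit(4096));
    return 0;
}
```

For the report's numbers the model reproduces `%edx = 32`, `%ebx = %esp + 24` and an 8-byte spill past the pre-`subl` `%esp`; the sweep finds the worst spill to be 9 bytes, which stays inside the 12 spare bytes of the fixed frame, so `buf` never reaches the saved registers or the outgoing arguments. The same model is a cheap way to sanity-check any hand analysis of a compiler's stack-realignment prologue before filing it as a security bug.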