https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112274
Bug ID: 112274
Summary: Bug due to unused expressions on s390x
Product: gcc
Version: 11.4.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
Assignee: unassigned at gcc dot gnu.org
Reporter: 22s302h0659 at sonline20 dot sen.go.kr
Target Milestone: ---

### Environment

- Compiler: s390x-linux-gnu-gcc (64bit)
- Version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
- Platform: Windows 11_5.15.90.1-microsoft-standard-WSL2
- Build Optimization Options: O0, O1, O2, O3

I installed the s390x-linux-gnu toolchain using the 'apt' package manager in Ubuntu and utilized s390x-linux-gnu-gcc (version 11.4.0) from it.

### build script & execution script

```bash
s390x-linux-gnu-gcc ./bug_Poc.c -o test_O0 -g -O0 -fsanitize=undefined -Wall -Wextra -fno-strict-aliasing #-fwrapv
s390x-linux-gnu-gcc ./bug_Poc.c -o test_O1 -g -O1 -fsanitize=undefined -Wall -Wextra -fno-strict-aliasing #-fwrapv
s390x-linux-gnu-gcc ./bug_Poc.c -o test_O2 -g -O2 -fsanitize=undefined -Wall -Wextra -fno-strict-aliasing #-fwrapv
s390x-linux-gnu-gcc ./bug_Poc.c -o test_O3 -g -O3 -fsanitize=undefined -Wall -We
gcc ./bug_Poc.c -o gcc_O0 -g -O0 -fsanitize=undefined -Wall -Wextra -fno-strict-aliasing #-fwrapv
gcc ./bug_Poc.c -o gcc_O1 -g -O1 -fsanitize=undefined -Wall -Wextra -fno-strict-aliasing #-fwrapv
gcc ./bug_Poc.c -o gcc_O2 -g -O2 -fsanitize=undefined -Wall -Wextra -fno-strict-aliasing #-fwrapv
gcc ./bug_Poc.c -o gcc_O3 -g -O3 -fsanitize=undefined -Wall -Wextra -fno-strict-aliasing #-fwrapv
clang ./bug_Poc.c -o clang_O0 -g -O0 -fsanitize=undefined -Wall -Wextra -fno-strict-aliasing #-fwrapv
clang ./bug_Poc.c -o clang_O1 -g -O1 -fsanitize=undefined -Wall -Wextra -fno-strict-aliasing #-fwrapv
clang ./bug_Poc.c -o clang_O2 -g -O2 -fsanitize=undefined -Wall -Wextra -fno-strict-aliasing #-fwrapv
clang ./bug_Poc.c -o clang_O3 -g -O3 -fsanitize=undefined -Wall -Wextra -fno-strict-aliasing #-fwrapv
```

```bash
qemu-s390x-static -L /usr/s390x-linux-gnu/ ./test_O0
qemu-s390x-static -L /usr/s390x-linux-gnu/ ./test_O1
qemu-s390x-static -L /usr/s390x-linux-gnu/ ./test_O2
qemu-s390x-static -L /usr/s390x-linux-gnu/ ./test_O3
./gcc_O0
./gcc_O1
./gcc_O2
./gcc_O3
./clang_O0
./clang_O1
./clang_O2
./clang_O3
```

### Source Code

```c
0 // bug_Poc.c
1 #include <stdio.h>
2 short g_4 = 2;
3 short g_8 = 1;
4 int main()
5 {
6     printf("bug = %d\n", (g_4 < (((g_8 << 0) / g_4), g_8)));
7     return 0;
8 }
```

The output varies based on optimization options on the 6th line. I've attempted several approaches to understand the cause. Even though the left expression of the comma operator is an unused value, removing the expression triggers the bug.

### Result

```text
bug = 0
bug = 0
bug = 1
bug = 1
bug = 0
bug = 0
bug = 0
bug = 0
bug = 0
bug = 0
bug = 0
bug = 0
```

### Conclusion

I reported a bug on s390x architecture some time ago. Back then, incorrect values were generated in O0 and O1, but this time incorrect values are produced in O2 and O3. When such bugs intersect with other vulnerabilities, they could be exploited as a powerful attack vector.
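As an added example (not part of the bug report or of GCC itself), the following C program evaluates the reporter's line-6 expression in three forms that the C standard requires to agree: as written, with the comma operator's discarded left operand removed, and with every operand routed through `volatile` so the optimizer cannot fold the comparison. The function names are my own. On a correctly behaving compiler all three return 0 and `forms_agree()` returns 1; a miscompilation of the kind reported above shows up as a disagreement between the forms instead of a silently wrong answer.

```c
// Added example: differential self-check for the comma-operator expression
// from bug_Poc.c. Function names are hypothetical, not from the bug report.
#include <stdio.h>

short g_4 = 2;
short g_8 = 1;

/* Form 1: the expression exactly as written on line 6 of bug_Poc.c.
 * The comma operator yields its right operand, so this is g_4 < g_8. */
int expr_as_written(void)
{
    return (g_4 < (((g_8 << 0) / g_4), g_8));
}

/* Form 2: the same comparison with the discarded left operand of the
 * comma operator removed; the standard requires the same value as form 1. */
int expr_simplified(void)
{
    return g_4 < g_8;
}

/* Form 3: operands read through volatile locals, so the compiler must
 * perform the comparison at run time instead of constant-folding it.
 * This is the reference value to compare the optimized forms against. */
int expr_volatile(void)
{
    volatile short a = g_4;
    volatile short b = g_8;
    volatile int discarded = (b << 0) / a;  /* computed, never used, as in the report */
    (void)discarded;
    return a < b;
}

/* Returns 1 when all three forms agree (the behaviour the C standard requires)
 * and 0 when they diverge (what the reporter observed on s390x at -O2/-O3). */
int forms_agree(void)
{
    int w = expr_as_written();
    int s = expr_simplified();
    int v = expr_volatile();
    return (w == s) && (s == v);
}

int main(void)
{
    printf("as written = %d, simplified = %d, volatile = %d, agree = %d\n",
           expr_as_written(), expr_simplified(), expr_volatile(), forms_agree());
    /* Non-zero exit makes a disagreement visible to a script that builds
     * this file at -O0 through -O3 and runs each binary in turn. */
    return forms_agree() ? 0 : 1;
}
```

Building this file with the same compiler and optimization levels as the report and checking the exit status of each binary gives a one-line miscompilation check that does not depend on eyeballing `printf` output.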