https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112274

            Bug ID: 112274
           Summary: Bug due to unused expressions on s390x
           Product: gcc
           Version: 11.4.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: 22s302h0659 at sonline20 dot sen.go.kr
  Target Milestone: ---

### Environment

- Compiler: s390x-linux-gnu-gcc (64bit)
- Version: gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
- Platform: Windows 11_5.15.90.1-microsoft-standard-WSL2
- Build Optimization Options: O0, O1, O2, O3

I installed the s390x-linux-gnu toolchain using the 'apt' package manager in
Ubuntu and utilized s390x-linux-gnu-gcc (version 11.4.0) from it.

### build script & execution script

```bash
s390x-linux-gnu-gcc ./bug_Poc.c -o test_O0 -g -O0 -fsanitize=undefined -Wall -Wextra -fno-strict-aliasing #-fwrapv
s390x-linux-gnu-gcc ./bug_Poc.c -o test_O1 -g -O1 -fsanitize=undefined -Wall -Wextra -fno-strict-aliasing #-fwrapv
s390x-linux-gnu-gcc ./bug_Poc.c -o test_O2 -g -O2 -fsanitize=undefined -Wall -Wextra -fno-strict-aliasing #-fwrapv
s390x-linux-gnu-gcc ./bug_Poc.c -o test_O3 -g -O3 -fsanitize=undefined -Wall -We

gcc ./bug_Poc.c -o gcc_O0 -g -O0 -fsanitize=undefined -Wall -Wextra -fno-strict-aliasing #-fwrapv
gcc ./bug_Poc.c -o gcc_O1 -g -O1 -fsanitize=undefined -Wall -Wextra -fno-strict-aliasing #-fwrapv
gcc ./bug_Poc.c -o gcc_O2 -g -O2 -fsanitize=undefined -Wall -Wextra -fno-strict-aliasing #-fwrapv
gcc ./bug_Poc.c -o gcc_O3 -g -O3 -fsanitize=undefined -Wall -Wextra -fno-strict-aliasing #-fwrapv

clang ./bug_Poc.c -o clang_O0 -g -O0 -fsanitize=undefined -Wall -Wextra -fno-strict-aliasing #-fwrapv
clang ./bug_Poc.c -o clang_O1 -g -O1 -fsanitize=undefined -Wall -Wextra -fno-strict-aliasing #-fwrapv
clang ./bug_Poc.c -o clang_O2 -g -O2 -fsanitize=undefined -Wall -Wextra -fno-strict-aliasing #-fwrapv
clang ./bug_Poc.c -o clang_O3 -g -O3 -fsanitize=undefined -Wall -Wextra -fno-strict-aliasing #-fwrapv
```

```bash
qemu-s390x-static -L /usr/s390x-linux-gnu/ ./test_O0
qemu-s390x-static -L /usr/s390x-linux-gnu/ ./test_O1
qemu-s390x-static -L /usr/s390x-linux-gnu/ ./test_O2
qemu-s390x-static -L /usr/s390x-linux-gnu/ ./test_O3

./gcc_O0
./gcc_O1
./gcc_O2
./gcc_O3

./clang_O0
./clang_O1
./clang_O2
./clang_O3
```

### Source Code

```c
0 // bug_Poc.c
1 #include <stdio.h>
2 short g_4 = 2;
3 short g_8 = 1;
4 int main()
5 {
6    printf("bug = %d\n", (g_4 < (((g_8 << 0) / g_4), g_8)));
7     return 0;
8 }
```

The output of the 6th line varies depending on the optimization options. I've
attempted several approaches to understand the cause. Even though the left
expression of the comma operator is an unused value, removing the expression
triggers the bug.

### Result

```text
bug = 0
bug = 0
bug = 1
bug = 1

bug = 0
bug = 0
bug = 0
bug = 0

bug = 0
bug = 0
bug = 0
bug = 0
```
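A self-checking variant of the PoC, added here as an example and not part of the original report: it keeps the reported expression exactly as written and compares it against a step-by-step reference that reads the operands through `volatile`, so a miscompile shows up as a nonzero exit status rather than requiring the reader to know that the correct output is 0. The reference path and the function names are my own additions.

```c
// Added example: self-checking version of the reported expression.
// Expected value: g_4 < g_8 with g_4 = 2, g_8 = 1, i.e. 0.
#include <stdio.h>

short g_4 = 2;
short g_8 = 1;

/* The expression from the report, verbatim. The comma operator evaluates
   its left operand only for side effects; the value of the whole
   parenthesised operand is g_8. */
int reported_expr(void)
{
    return (g_4 < (((g_8 << 0) / g_4), g_8));
}

/* Reference: the same semantics spelled out step by step. The operands are
   read through volatile so the optimizer cannot fold this path together
   with reported_expr() and hide a disagreement. */
int reference_expr(void)
{
    volatile short a = g_4;
    volatile short b = g_8;
    int shifted = b << 0;        /* integer promotion, value unchanged */
    int quotient = shifted / a;  /* left operand of the comma, discarded */
    (void)quotient;
    int rhs = b;                 /* value of the comma expression is g_8 */
    return a < rhs;
}

/* 1 when the compiled expression agrees with the reference, 0 when the
   two disagree (the outcome the report observes at -O2/-O3 on s390x). */
int expression_is_consistent(void)
{
    return reported_expr() == reference_expr();
}

int main(void)
{
    printf("reported  = %d\n", reported_expr());
    printf("reference = %d\n", reference_expr());
    printf("%s\n", expression_is_consistent() ? "consistent" : "MISCOMPILED");
    return expression_is_consistent() ? 0 : 1;
}
```

Build it with the same flag sets as the report and run each binary; a mismatching optimization level exits with status 1 instead of silently printing the wrong value.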

### Conclusion

I reported a bug on the s390x architecture some time ago. Back then, incorrect
values were generated at O0 and O1, but this time incorrect values are produced
at O2 and O3. When such bugs intersect with other vulnerabilities, they could be
exploited as a powerful attack vector.
