Seeing the "bugs" directory in the openssl tarball, I thought you
might be interested to know that gcc-3.0 contains a bug that is
triggered in the PEM_get_EVP_CIPHER_INFO() function...

Here is the problem:

        $ ssh-keygen -t rsa -N abcde
then
        $ ssh-keygen -t rsa -P abcde -p

should work, but it didn't on my system (gcc-3.0, OpenSSH_3.4p1,
OpenSSL 0x00907004).

I have traced the problem down to PEM_get_EVP_CIPHER_INFO(): gcc-3.0
generates invalid assembler for this function. Just look at the machine
code that corresponds to this C code:

        header+=11;
        if (*header != '4') return(0); header++;
        if (*header != ',') return(0); header++;

And you will notice that %eax (that represents "header") is incremented
too many times...

A more insightful demonstration of this bug is also available in the
`gcc-3.0-bug-demo.c' file.

----------------------------------------------------------------------
/*
** Gcc-3.0 bug -- noticed by Marc Bevand <bevand_m (at) epita.fr>
** on Tue Dec  3 14:06:02 CET 2002
**
** All is right with "-fPIC -O1", the bug only occurs with "-fPIC
** -O[23]":
**
**      $ gcc -fPIC -O1 gcc-3.0-bug-demo.c
**      $ ./a.out 
**      all is right
**      $ gcc -fPIC -O2 gcc-3.0-bug-demo.c
**      $ ./a.out 
**      there is a *bug*
**
** Look at the assembler generated for the 2 lines marked with XXX in
** foobar():
**
** 80484e3:       8b 45 08                mov    0x8(%ebp),%eax
** 80484e6:       83 c0 02                add    $0x2,%eax
** 80484e9:       89 45 08                mov    %eax,0x8(%ebp)
** 80484ec:       80 78 02 63             cmpb   $0x63,0x2(%eax)
**
** The value of "header", contained in 0x8(%ebp), should be incremented
** only 1 time, but actually it is incremented 2 times (in add and
** cmpb).
*/

#include <stdio.h>
#include <string.h>

int hello(char **notused)
{
    return 0;
}

int foobar(char *header)
{
    if (strncmp(header, "ab", 2))
        return 0;
    header += 2;                /* XXX */
    if (*header != 'c')         /* XXX */
        return 0;
    /* taking the address forces "header" to live in memory (0x8(%ebp)) */
    if (hello(&header))
        return 0;
    return 1;
}

int main(void)
{
    if (foobar("abc__"))
        puts("all is right");
    else
        puts("there is a *bug*");
    return 0;
}
----------------------------------------------------------------------

-- 
Marc Bevand                          http://www.epita.fr/~bevand_m
Computer Science School EPITA - System, Network and Security Dept.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

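For context on what the miscompiled lines are parsing, here is an added example (not OpenSSL's code and not part of the message above) of a bounds-checked parser for the two PEM headers that precede an encrypted private key: the `header += 11` skips "Proc-Type: ", the next two checks expect the PEM version "4" and a comma, and the following DEK-Info line names the cipher and a hex IV. The sample header, the struct layout and the fixed field sizes are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL's code. Struct layout and field sizes are
 * assumptions for illustration only. */
struct pem_cipher_info {
    char cipher[32];        /* algorithm name from DEK-Info, e.g. DES-EDE3-CBC */
    unsigned char iv[16];   /* IV decoded from the hex field of DEK-Info */
    size_t iv_len;
};

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Returns 1 and fills *out on a well-formed header block, 0 otherwise.
 * Every advance of p is preceded by a check that the expected text is
 * really there, so a truncated or malformed header can never move p past
 * the terminating NUL. */
int parse_pem_cipher_info(const char *header, struct pem_cipher_info *out)
{
    static const char proc[] = "Proc-Type: ";   /* 11 characters */
    static const char enc[]  = "ENCRYPTED";
    static const char dek[]  = "DEK-Info: ";
    const char *p = header;
    size_t n;

    if (strncmp(p, proc, sizeof proc - 1) != 0) return 0;
    p += sizeof proc - 1;                   /* the "header += 11" step */
    if (*p != '4') return 0; p++;           /* PEM version must be 4 */
    if (*p != ',') return 0; p++;
    if (strncmp(p, enc, sizeof enc - 1) != 0) return 0;
    p += sizeof enc - 1;
    if (*p == '\r') p++;
    if (*p != '\n') return 0;
    p++;

    if (strncmp(p, dek, sizeof dek - 1) != 0) return 0;
    p += sizeof dek - 1;

    /* Cipher name runs up to the comma; reject empty or oversized names. */
    for (n = 0; *p != '\0' && *p != ',' && *p != '\n'; p++) {
        if (n + 1 >= sizeof out->cipher) return 0;
        out->cipher[n++] = *p;
    }
    out->cipher[n] = '\0';
    if (n == 0 || *p != ',') return 0;
    p++;

    /* IV is an even run of hex digits, decoded into at most sizeof iv bytes. */
    for (n = 0;
         hexval((unsigned char)p[0]) >= 0 && hexval((unsigned char)p[1]) >= 0;
         p += 2) {
        if (n >= sizeof out->iv) return 0;
        out->iv[n++] = (unsigned char)((hexval((unsigned char)p[0]) << 4)
                                       | hexval((unsigned char)p[1]));
    }
    if (n == 0) return 0;
    if (*p == '\r') p++;
    if (*p != '\n' && *p != '\0') return 0;    /* odd digit count or junk */
    out->iv_len = n;
    return 1;
}

/* Convenience check: 1 if hdr parses, names want_cipher and carries an IV
 * of want_iv_len bytes; 0 otherwise. */
int header_matches(const char *hdr, const char *want_cipher, size_t want_iv_len)
{
    struct pem_cipher_info info;
    if (!parse_pem_cipher_info(hdr, &info)) return 0;
    return strcmp(info.cipher, want_cipher) == 0 && info.iv_len == want_iv_len;
}

int main(void)
{
    /* Constructed sample header, not taken from a real key file. */
    static const char good[] =
        "Proc-Type: 4,ENCRYPTED\n"
        "DEK-Info: DES-EDE3-CBC,0102030405060708\n";
    struct pem_cipher_info info;
    size_t i;

    if (!parse_pem_cipher_info(good, &info)) {
        puts("parse failed");
        return 1;
    }
    printf("cipher=%s iv=", info.cipher);
    for (i = 0; i < info.iv_len; i++) printf("%02x", info.iv[i]);
    putchar('\n');
    return 0;
}
```

The point of the explicit checks before every pointer advance is that a parser written this way fails closed: a version other than 4, a truncated line, a non-hex IV or an IV longer than the buffer all return 0 instead of reading past the header. Compiling it at the optimisation level you ship with and running it on a known-good header is also a cheap sanity check for the kind of pointer-increment miscompilation described in the report.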