Bug 90131

Summary: gcc-3.2.2 contains severe bug with struct copy -- fixed in gcc-3.2.3
Product: [Retired] Red Hat Linux Reporter: Luke Hutchison <luke.hutch>
Component: gccAssignee: Jakub Jelinek <jakub>
Status: CLOSED RAWHIDE QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 9Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://gcc.gnu.org/cgi-bin/gnatsweb.pl?cmd=view%20audit-trail&pr=9492
Whiteboard:
Fixed In Version: 3.2.3-3 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2003-05-28 21:38:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Luke Hutchison 2003-05-03 02:22:51 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686) Gecko/20030313 Galeon/1.3.4

Description of problem:
gcc-3.2.2 corrupts structs if several struct-copy operations are performed in
sequence.  This is a pretty rare occurrence (most people don't use implicit
struct copying), but it meant lately that I had to make some pretty substantial
changes to an analysis program I wrote to get it to run fine on RH8 and RH9. 
(The problem is present in both RH8 and RH9.)  It looks like it is fixed now in GCC:

http://gcc.gnu.org/cgi-bin/gnatsweb.pl?cmd=view%20audit-trail&pr=9492

However, I am reporting this as a bug, because it seems to be a serious enough
bug that it could be reported as a security advisory IMHO, so that people are
encouraged to upgrade to gcc-3.2.3.  (You get results in one struct copy that
were contained in the previous copy operation -- a possible security hazard.)

I'm assuming the problem doesn't occur very often, or it would have been fixed
between the GCC versions in RH8 and RH9.

Here's some short code that illustrates the problem.

Thanks!

--


/*

 Compile with: gcc -Wall prog.c -o prog && ./prog

 I'm using gcc version 3.2 20020903 (Red Hat Linux 8.0 3.2-7)
 Also tested on gcc version 3.2.2 20030222 (Red Hat Linux 3.2.2-5) [RH9]

   Actual output:

    0.0 1.0 0.0
    1.0 0.0 0.0
    1.0 2.0 1.0
    2.0 3.0 4.0

   Expected output:

    2.0 2.0 3.0
    1.0 3.0 3.0
    1.0 2.0 4.0
    2.0 3.0 4.0

*/


#include <stdio.h>


typedef struct {
  double _0, _1, _2;
} POINT;


POINT xform(POINT p) {
  asm("");
  return (POINT) { p._0 + 1.0, p._1 + 2.0, p._2 + 3.0 };
}


int main(void) {
  int i;
  POINT p[4] =
    { xform((POINT) { 1.0, 0.0, 0.0 }),
      xform((POINT) { 0.0, 1.0, 0.0 }),
      xform((POINT) { 0.0, 0.0, 1.0 }),
      xform((POINT) { 1.0, 1.0, 1.0 }) };

  for (i = 0; i < 4; i++)
    printf("    %.1f %.1f %.1f\n", p[i]._0, p[i]._1, p[i]._2);

  return 0;
}




Version-Release number of selected component (if applicable):
gcc-3.2.2-5

How reproducible:
Always

Steps to Reproduce:
As above

Additional info:
Comment 1 Luke Hutchison 2003-05-03 02:24:53 UTC 
Sorry, ignore the 'asm("");' line in the code -- that was listed on the
gcc.gnu.org issue link as a possible workaround.
Comment 2 Luke Hutchison 2003-05-28 21:12:43 UTC 
Just a suggestion: You could find the place in GCC which deals with struct copy
operations, then get it to write out to a special logfile (detailing the source
filename/path/line number), and build all of the RH packages with this modified
compiler.  Then you'd only have a small candidate list of source files to look
through for possible security hazards.
Comment 3 Jakub Jelinek 2003-05-28 21:38:29 UTC 
I doubt the PR you mentioned has anything to do this, since the relevant patches
are in gcc-3.2.2-5.
Nevertheless, I cannot reproduce this with gcc-3.2.3-3 (rawhide has 3.2.3-4 ATM),
so I assume some other patch fixed it.
(the PR is a HPPA bug, not IA-32 as well).
Comment 4 Luke Hutchison 2003-05-28 22:16:42 UTC 
Just tried gcc-3.2.3-4 from RawHide.  It does fix the problem.

Also tried gcc-3.2-7 on a RH8.x machine.  It is broken.

Also tried gcc-3.2.2-5 on a fresh RH9 install, on a totally different machine
than I have previously tried it on.  It is broken.  I guess that PR has nothing
to do with it.

My main concern is that people will be running RH8 and RH9 for some time.  I
should probably report this to BugTraq..

Thanks for your time!