From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686) Gecko/20030313 Galeon/1.3.4

Description of problem:
gcc-3.2.2 corrupts structs if several struct-copy operations are performed in sequence. This is a pretty rare occurrence (most people don't use implicit struct copying), but it meant lately that I had to make some pretty substantial changes to an analysis program I wrote to get it to run fine on RH8 and RH9. (The problem is present in both RH8 and RH9.)

It looks like it is fixed now in GCC:
http://gcc.gnu.org/cgi-bin/gnatsweb.pl?cmd=view%20audit-trail&pr=9492

However, I am reporting this as a bug, because it seems to be a serious enough bug that it could be reported as a security advisory IMHO, so that people are encouraged to upgrade to gcc-3.2.3. (You get results in one struct copy that were contained in the previous copy operation -- a possible security hazard.) I'm assuming the problem doesn't occur very often, or it would have been fixed between the GCC versions in RH8 and RH9.

Here's some short code that illustrates the problem. Thanks!

--

/* Compile with: gcc -Wall prog.c -o prog && ./prog

   I'm using gcc version 3.2 20020903 (Red Hat Linux 8.0 3.2-7)
   Also tested on gcc version 3.2.2 20030222 (Red Hat Linux 3.2.2-5) [RH9]

   Actual output:
     0.0 1.0 0.0
     1.0 0.0 0.0
     1.0 2.0 1.0
     2.0 3.0 4.0

   Expected output:
     2.0 2.0 3.0
     1.0 3.0 3.0
     1.0 2.0 4.0
     2.0 3.0 4.0
*/
#include <stdio.h>

typedef struct { double _0, _1, _2; } POINT;

/* Returns a copy of p shifted by (1, 2, 3). */
POINT xform(POINT p)
{
    asm("");   /* see the follow-up comment below about this line */
    return (POINT) { p._0 + 1.0, p._1 + 2.0, p._2 + 3.0 };
}

int main(void)
{
    int i;
    /* Four struct-returning calls used in sequence in one initializer:
       this is the pattern that gets miscompiled. */
    POINT p[4] = {
        xform((POINT) { 1.0, 0.0, 0.0 }),
        xform((POINT) { 0.0, 1.0, 0.0 }),
        xform((POINT) { 0.0, 0.0, 1.0 }),
        xform((POINT) { 1.0, 1.0, 1.0 })
    };

    for (i = 0; i < 4; i++)
        printf(" %.1f %.1f %.1f\n", p[i]._0, p[i]._1, p[i]._2);

    return 0;
}

Version-Release number of selected component (if applicable):
gcc-3.2.2-5

How reproducible:
Always

Steps to Reproduce:
As above

Additional info:
Sorry, ignore the 'asm("");' line in the code -- that was listed on the gcc.gnu.org issue link as a possible workaround.
Just a suggestion: You could find the place in GCC which deals with struct copy operations, then get it to write out to a special logfile (detailing the source filename/path/line number), and build all of the RH packages with this modified compiler. Then you'd only have a small candidate list of source files to look through for possible security hazards.
I doubt the PR you mentioned has anything to do with this, since the relevant patches are in gcc-3.2.2-5. Nevertheless, I cannot reproduce this with gcc-3.2.3-3 (rawhide has 3.2.3-4 ATM), so I assume some other patch fixed it. (The PR is an HPPA bug, not IA-32 as well.)
Just tried gcc-3.2.3-4 from RawHide. It does fix the problem. Also tried gcc-3.2-7 on a RH8.x machine. It is broken. Also tried gcc-3.2.2-5 on a fresh RH9 install, on a totally different machine than I have previously tried it on. It is broken. I guess that PR has nothing to do with it. My main concern is that people will be running RH8 and RH9 for some time. I should probably report this to BugTraq. Thanks for your time!
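As an added check, not code from the bug report or from Red Hat, here is the reporter's reproducer turned into a pass/fail self-test that can be built with a toolchain under test (for example in a configure step) to confirm that sequential struct-returning calls in one initializer are not miscompiled. The function names, the scoring of mismatched fields and the `reported_actual` table (copied from the report's "Actual output") are this example's own assumptions.

```c
#include <stdio.h>

typedef struct { double _0, _1, _2; } POINT;

/* Same transformation as the report's xform(): adds (1, 2, 3) to the input. */
static POINT xform(POINT p) {
    return (POINT) { p._0 + 1.0, p._1 + 2.0, p._2 + 3.0 };
}

/* The output the report says a correct compiler must produce. */
static const POINT expected[4] = {
    { 2.0, 2.0, 3.0 }, { 1.0, 3.0, 3.0 }, { 1.0, 2.0, 4.0 }, { 2.0, 3.0, 4.0 }
};

/* The "Actual output" listed in the report for the affected gcc builds
 * (constructed here from the report, used only to illustrate the scoring). */
static const POINT reported_actual[4] = {
    { 0.0, 1.0, 0.0 }, { 1.0, 0.0, 0.0 }, { 1.0, 2.0, 1.0 }, { 2.0, 3.0, 4.0 }
};

/* Number of the twelve fields in got[] that differ from expected[]. Values are
 * small integers stored in doubles, so exact comparison is safe here. */
int count_mismatches(const POINT got[4]) {
    int i, bad = 0;
    for (i = 0; i < 4; i++) {
        if (got[i]._0 != expected[i]._0) bad++;
        if (got[i]._1 != expected[i]._1) bad++;
        if (got[i]._2 != expected[i]._2) bad++;
    }
    return bad;
}

/* Rebuilds the report's pattern (four struct-returning calls in sequence
 * inside one array initializer) with the compiler this file was built by.
 * Returns 0 on a correct compiler; a toolchain with the bug returns the
 * number of fields that carried stale data from an earlier copy. */
int struct_copy_mismatches(void) {
    POINT p[4] = {
        xform((POINT) { 1.0, 0.0, 0.0 }),
        xform((POINT) { 0.0, 1.0, 0.0 }),
        xform((POINT) { 0.0, 0.0, 1.0 }),
        xform((POINT) { 1.0, 1.0, 1.0 })
    };
    return count_mismatches(p);
}

int main(void) {
    int bad = struct_copy_mismatches();
    printf("%s: %d of 12 fields wrong (report's output scores %d)\n",
           bad ? "AFFECTED" : "ok", bad, count_mismatches(reported_actual));
    return bad ? 1 : 0;
}
```

A non-zero exit status makes the check usable as a build-time gate; the reported gcc output scores 6 wrong fields, a correct compiler scores 0.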