Bug 90131 - gcc-3.2.2 contains severe bug with struct copy -- fixed in gcc-3.2.3
gcc-3.2.2 contains severe bug with struct copy -- fixed in gcc-3.2.3
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: gcc (Show other bugs)
9
All Linux
medium Severity medium
: ---
: ---
Assigned To: Jakub Jelinek
Brian Brock
http://gcc.gnu.org/cgi-bin/gnatsweb.p...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2003-05-02 22:22 EDT by Luke Hutchison
Modified: 2007-04-18 12:53 EDT (History)
0 users

See Also:
Fixed In Version: 3.2.3-3
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-05-28 17:38:29 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Luke Hutchison 2003-05-02 22:22:51 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686) Gecko/20030313 Galeon/1.3.4

Description of problem:
gcc-3.2.2 corrupts structs if several struct-copy operations are performed in
sequence.  This is a pretty rare occurrence (most people don't use implicit
struct copying), but it meant lately that I had to make some pretty substantial
changes to an analysis program I wrote to get it to run fine on RH8 and RH9. 
(The problem is present in both RH8 and RH9.)  It looks like it is fixed now in GCC:

http://gcc.gnu.org/cgi-bin/gnatsweb.pl?cmd=view%20audit-trail&pr=9492

However, I am reporting this as a bug, because it seems to be a serious enough
bug that it could be reported as a security advisory IMHO, so that people are
encouraged to upgrade to gcc-3.2.3.  (You get results in one struct copy that
were contained in the previous copy operation -- a possible security hazard.)

I'm assuming the problem doesn't occur very often, or it would have been fixed
between the GCC versions in RH8 and RH9.

Here's some short code that illustrates the problem.

Thanks!

--


/*

 Compile with: gcc -Wall prog.c -o prog && ./prog

 I'm using gcc version 3.2 20020903 (Red Hat Linux 8.0 3.2-7)
 Also tested on gcc version 3.2.2 20030222 (Red Hat Linux 3.2.2-5) [RH9]

   Actual output:

    0.0 1.0 0.0
    1.0 0.0 0.0
    1.0 2.0 1.0
    2.0 3.0 4.0

   Expected output:

    2.0 2.0 3.0
    1.0 3.0 3.0
    1.0 2.0 4.0
    2.0 3.0 4.0

*/


#include <stdio.h>


typedef struct {
  double _0, _1, _2;
} POINT;


POINT xform(POINT p) {
  asm("");
  return (POINT) { p._0 + 1.0, p._1 + 2.0, p._2 + 3.0 };
}


int main(void) {
  int i;
  POINT p[4] =
    { xform((POINT) { 1.0, 0.0, 0.0 }),
      xform((POINT) { 0.0, 1.0, 0.0 }),
      xform((POINT) { 0.0, 0.0, 1.0 }),
      xform((POINT) { 1.0, 1.0, 1.0 }) };

  for (i = 0; i < 4; i++)
    printf("    %.1f %.1f %.1f\n", p[i]._0, p[i]._1, p[i]._2);

  return 0;
}




Version-Release number of selected component (if applicable):
gcc-3.2.2-5

How reproducible:
Always

Steps to Reproduce:
As above

Additional info:
Comment 1 Luke Hutchison 2003-05-02 22:24:53 EDT
Sorry, ignore the 'asm("");' line in the code -- that was listed on the
gcc.gnu.org issue link as a possible workaround.
Comment 2 Luke Hutchison 2003-05-28 17:12:43 EDT
Just a suggestion: You could find the place in GCC which deals with struct copy
operations, then get it to write out to a special logfile (detailing the source
filename/path/line number), and build all of the RH packages with this modified
compiler.  Then you'd only have a small candidate list of source files to look
through for possible security hazards.
Comment 3 Jakub Jelinek 2003-05-28 17:38:29 EDT
I doubt the PR you mentioned has anything to do this, since the relevant patches
are in gcc-3.2.2-5.
Nevertheless, I cannot reproduce this with gcc-3.2.3-3 (rawhide has 3.2.3-4 ATM),
so I assume some other patch fixed it.
(the PR is a HPPA bug, not IA-32 as well).
Comment 4 Luke Hutchison 2003-05-28 18:16:42 EDT
Just tried gcc-3.2.3-4 from RawHide.  It does fix the problem.

Also tried gcc-3.2-7 on a RH8.x machine.  It is broken.

Also tried gcc-3.2.2-5 on a fresh RH9 install, on a totally different machine
than I have previously tried it on.  It is broken.  I guess that PR has nothing
to do with it.

My main concern is that people will be running RH8 and RH9 for some time.  I
should probably report this to BugTraq..

Thanks for your time!

Note You need to log in before you can comment on or make changes to this bug.